Merge "Filter expired certificates during restore"

2024-11-26 20:23:34 +00:00 · 2024-11-26 20:23:34 +00:00 · 664abccf71
commit 664abccf71
parent df3f89b0a7 f18b3c223f
3 changed files with 88 additions and 3 deletions
--- a/playbookconfig/src/playbooks/roles/backup-restore/restore-postgres/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/backup-restore/restore-postgres/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 #
-# Copyright (c) 2022-2023 Wind River Systems, Inc.
+# Copyright (c) 2022-2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@ -40,7 +40,10 @@
        certificate where certtype='ssl_ca') to
        '/tmp/db.csv' with delimiter ';'"
    become_user: postgres
-    when: ssl_ca_certificate_file is defined and ssl_ca_certificate_file is not none
+    when:
+      - ssl_ca_certificate_file is defined
+      - ssl_ca_certificate_file is not none
+      - restore_mode|default(none) != 'optimized'

  - name: Determine which postgresql database files exist
    stat:
@ -61,6 +64,39 @@
    with_items: "{{ pgfiles.results }}"
    when: item.stat.exists

+  - name: Remove expired ssl_ca certs on the system
+    block:
+    - name: Remove expired ssl_ca certs in db
+      block:
+      - name: Read expired ssl_ca certificates from db
+        command: >-
+          psql -d sysinv -c
+          "SELECT signature FROM certificate
+          where certtype='ssl_ca' and expiry_date < NOW();"
+        register: invalid_certs
+
+      - name: Delete expired ssl_ca certificates in db
+        command: >-
+          psql -d sysinv -c
+          "DELETE FROM certificate
+          where certtype='ssl_ca' and expiry_date < NOW();"
+
+      - name: Restore system table row count
+        command: >-
+          psql -d sysinv -c
+          "ALTER SEQUENCE certificate_id_seq
+          RESTART WITH 1;
+          UPDATE certificate SET id=nextval('certificate_id_seq');"
+      become_user: postgres
+
+    - name: Remove ssl_ca certs in config dir
+      file:
+        path: "/opt/platform/config/{{ software_version }}/ssl_ca/{{ item }}"
+        state: absent
+      with_items: "{{ invalid_certs.stdout | regex_findall('ssl_ca_[0-9]+') }}"
+      become: yes
+    when: restore_mode|default(none) == 'optimized'
+
  - name: Update ssl_ca certificates in sysinv database
    block:
    - name: Reset system table id sequence
@ -99,7 +135,10 @@
        path: "/tmp/db.csv"
        state: absent
    become_user: postgres
-    when: ssl_ca_certificate_file is defined and ssl_ca_certificate_file is not none
+    when:
+      - ssl_ca_certificate_file is defined
+      - ssl_ca_certificate_file is not none
+      - restore_mode|default(none) != 'optimized'

  - name: Clear mgmt_ipsec flags from other nodes
    script: roles/common/files/clear-mgmt-ipsec-flag.py -r
--- a/playbookconfig/src/playbooks/roles/optimized-restore/restore-data/tasks/install_ssl_ca.yml
+++ b/playbookconfig/src/playbooks/roles/optimized-restore/restore-data/tasks/install_ssl_ca.yml
@ -0,0 +1,39 @@
+---
+#
+# Copyright (c) 2022-2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# SUB-TASKS DESCRIPTION:
+#   This sub-task is to install ssl_ca certificates during optimized restore
+#   when ssl_ca_certificate_file option is used
+
+- name: Install ssl_ca certificate defined in ssl_ca_certificate
+  shell: >-
+    source /etc/platform/openrc &&
+    system ca-certificate-install "{{ ssl_ca_cert }}"
+  register: install_cert_output
+  until: install_cert_output is not failed
+  retries: 3
+  delay: 15
+
+- name: Register if a new certificate was installed
+  set_fact:
+    cert_installed: "{{ true if (install_cert_output is search('uuid') and
+                                    install_cert_output is search('certtype') and
+                                    install_cert_output is search('signature') and
+                                    install_cert_output is search('start_date') and
+                                    install_cert_output is search('expiry_date') and
+                                    install_cert_output is search('subject'))
+                            else false }}"
+
+- name: Pass if atleast one certificate is installed
+  debug:
+    msg: "{{ install_cert_output.stdout }}"
+  when: cert_installed
+
+- name: Fail if not one certificate is installed
+  fail:
+    msg: "Failed to install ssl_ca_certificate_file.
+          {{ install_cert_output.stdout }}"
+  when: not cert_installed
--- a/playbookconfig/src/playbooks/roles/optimized-restore/restore-data/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/optimized-restore/restore-data/tasks/main.yml
@ -14,6 +14,13 @@
 - name: Restore LDAP
  import_role: name=backup-restore/restore-ldap

+- name: Install ssl_ca from ssl_ca_cerficate_file
+  include_tasks: install_ssl_ca.yml
+  when:
+    - ssl_ca_certificate_file is defined
+    - ssl_ca_certificate_file is not none
+    - restore_mode|default(none) == 'optimized'
+
 - name: Restore docker and docker-registry
  import_tasks: restore-docker.yml