Update helm overrides for new dex chart

This commit updates the certificate overrides for the new version of the
dex helm chart.

It also contains minor refactorings and improvements.

Test Cases:

PASS: Migrate certificates in debian and verify registry.local, https /
      rest api and oidc-auth-apps certificates
PASS: Migrate certificates in centos and verify registry.local, https /
      rest api and oidc-auth-apps certificates

Story: 2009838
Task: 45599

Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Change-Id: Ief1b1684e8ec38898f0ac4d6160b10ce4f27ebb7

playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/files/merge_certificate_mounts.py

@@ -0,0 +1,77 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+import psycopg2
+from psycopg2.extras import RealDictCursor
+import yaml
+import sys
+
+# sql to fetch the user_overrides from DB for oidc-auth-apps
+sql_overrides = ("SELECT helm_overrides.name, user_overrides"
+                 " FROM helm_overrides"
+                 " LEFT OUTER JOIN kube_app"
+                 " ON helm_overrides.app_id = kube_app.id"
+                 " WHERE kube_app.name = 'oidc-auth-apps'"
+                 " AND helm_overrides.name = 'dex'")
+
+
+def get_overrides(conn):
+    """Fetch helm overrides from DB"""
+    with conn.cursor(cursor_factory=RealDictCursor) as cur:
+        cur.execute(sql_overrides)
+        return cur.fetchall()
+
+
+def get_chart_user_override(overrides, chart):
+    """Get a specific set of user overrides from the db value"""
+    chart_overrides = None
+    for chart_overrides in overrides:
+        if 'name' in chart_overrides and chart_overrides['name'] == chart:
+            break
+    else:
+        chart_overrides = None
+
+    if chart_overrides and chart_overrides.get('user_overrides', None):
+        return yaml.safe_load(chart_overrides['user_overrides'])
+    else:
+        return None
+
+
+def update_or_create_item(overrides, key, new_item):
+    """Look for existing tls https mounts and updates then"""
+    existing_https_tls = False
+    for index, item in enumerate(overrides[key]):
+        if 'https-tls' == item['name']:
+            overrides[key][index] = new_item
+            existing_https_tls = True
+
+    if not existing_https_tls:
+        overrides[key].append(new_item)
+
+
+if __name__ == '__main__':
+    if len(sys.argv) < 2:
+        raise Exception("Invalid Input!")
+
+    conn = psycopg2.connect("dbname=sysinv user=postgres")
+    overrides = get_overrides(conn)
+    current_dex_overrides = get_chart_user_override(overrides, 'dex')
+
+    new_override_str = sys.argv[1]
+    new_overrides = yaml.safe_load(new_override_str)
+
+    overrides = dict()
+    overrides['volumeMounts'] = current_dex_overrides.get('volumeMounts', [])
+    overrides['volumes'] = current_dex_overrides.get('volumes', [])
+
+    new_https_tls_volume = new_overrides['volumes'][0]
+    new_https_tls_volume_mount = new_overrides['volumeMounts'][0]
+
+    update_or_create_item(overrides, 'volumes', new_https_tls_volume)
+    update_or_create_item(overrides, 'volumeMounts', new_https_tls_volume_mount)
+
+    print(yaml.safe_dump(overrides))

playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/main.yml

@@ -37,6 +37,21 @@
         echo "{{ address_table.stdout }}" | awk  '$4 == "oam" { print $14 }'
       register: oam_ip
 
+    - name: Get floating kubernetes cluster ip
+      shell: |
+        echo "{{ address_table.stdout }}" | awk  '$4 == "cluster-host-subnet" { print $14 }'
+      register: kubernetes_cluster_floating_ip
+
+    - name: Get controller0 kubernetes cluster ip
+      shell: |
+        echo "{{ address_table.stdout }}" | awk  '$4 == "cluster-host-subnet" { print $16 }'
+      register: kubernetes_cluster_c0_ip
+
+    - name: Get controller1 kubernetes cluster ip
+      shell: |
+        echo "{{ address_table.stdout }}" | awk  '$4 == "cluster-host-subnet" { print $18 }'
+      register: kubernetes_cluster_c1_ip
+
     - name: Get region name
       shell: |
         source /etc/platform/openrc
@@ -129,6 +144,10 @@
 
       - debug:
           msg: "{{ certs_output.stdout_lines }}"
+
+      - fail:
+          msg: "Error occurred. Please check failed steps."
+
       when: backup_directory is defined
 
   when: mode == 'update'

playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/reapply-oidc-auth-app.yml

@@ -26,33 +26,37 @@
   environment:
     KUBECONFIG: /etc/kubernetes/admin.conf
 
-- name: Create override file for dex-client-secret
+- name: Create override file for oidc-client helm chart
   copy:
-    dest: "/tmp/dex-client-secret.yaml"
+    dest: "/tmp/oidc-client-override.yaml"
     content: |
       tlsName: oidc-auth-apps-certificate
       config:
         issuer_root_ca: /home/dex-ca.pem
         issuer_root_ca_secret: system-local-ca-oidc-secret
 
-- name: Create override file for oidc-auth-apps-certificate
-  copy:
-    dest: "/tmp/oidc-auth-apps-certificate-override.yaml"
-    content: |
-      certs:
-        web:
-          secret:
-            tlsName: oidc-auth-apps-certificate
-            caName: oidc-auth-apps-certificate
-        grpc:
-          secret:
-            serverTlsName: oidc-auth-apps-certificate
-            clientTlsName: oidc-auth-apps-certificate
-            caName: oidc-auth-apps-certificate
+- name: Merge new volume and volumeMounts overrides with existing ones
+  vars:
+    new_overrides: |
+      volumes:
+      - name: https-tls
+        secret:
+          defaultMode: 420
+          secretName: oidc-auth-apps-certificate
+      volumeMounts:
+      - mountPath: /etc/dex/tls/
+        name: https-tls
+  script: merge_certificate_mounts.py "{{ new_overrides }}"
+  become_user: postgres
+  become: yes
+  register: yaml_merge_out
+
+- name: Create override file for dex helm chart
+  shell: echo "{{ yaml_merge_out.stdout }}" > /tmp/dex-override.yaml
 
 - name: Create override file for secret-observer helm chart
   copy:
-    dest: "/tmp/secret-observer.yaml"
+    dest: "/tmp/secret-observer-override.yaml"
     content: |
       observedSecrets:
         - secretName: "system-local-ca-oidc-secret"
@@ -75,9 +79,9 @@
   retries: 10
   delay: 30
   with_items:
-    - { chart: oidc-client, overrides_file: /tmp/dex-client-secret.yaml }
-    - { chart: dex, overrides_file: /tmp/oidc-auth-apps-certificate-override.yaml }
-    - { chart: secret-observer, overrides_file: /tmp/secret-observer.yaml }
+    - { chart: oidc-client, overrides_file: /tmp/oidc-client-override.yaml }
+    - { chart: dex, overrides_file: /tmp/dex-override.yaml }
+    - { chart: secret-observer, overrides_file: /tmp/secret-observer-override.yaml }
 
 - name: Apply oidc-auth-apps so that it picks up new certificates
   shell: |
@@ -102,8 +106,9 @@
   delay: 60
 
 - name: Wait for oidc-auth-apps pods to become active
-  command: >-
-    kubectl wait -n kube-system --for=condition=Ready pods --selector app=dex --timeout=90s
+  shell: >-
+    kubectl wait -n kube-system --for=condition=Ready pods --selector app.kubernetes.io/name=dex --timeout=90s \
+    && kubectl wait -n kube-system --for=condition=Ready pods --selector app=stx-oidc-client --timeout=90s
   environment:
     KUBECONFIG: /etc/kubernetes/admin.conf
   register: wait_oidc_ep

playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/templates/platform_certificates.yml.j2

@@ -105,6 +105,11 @@ items:
     duration: "{{ duration }}"
     ipAddresses:
     - "{{ oam_ip.stdout }}"
+    # Add kubernetes cluster ip to make sure certificate has issuer ip in san list
+    # https://bugs.launchpad.net/starlingx/+bug/1971500
+    - "{{ kubernetes_cluster_floating_ip.stdout }}"
+    - "{{ kubernetes_cluster_c0_ip.stdout }}"
+    - "{{ kubernetes_cluster_c1_ip.stdout }}"
     issuerRef:
       kind: ClusterIssuer
       name: system-local-ca