Rework platform certificates migration

Renamed the playbook to 'update_platform_certificates.yml', to reflect
the intention behind moving forward (not only to migrate the platform
certificates to cert-manager, but to be a easy way to update the local
issuer (system-local-ca) CA certificates as well as the leaf
certificates data.

Moved the install of the RCA to the beginning of the execution, as
several validations are made in the role and it's useful to have
then fail if a problem is detected before issuing the leaf
certificates.

Updated the conditions for creating the certificates to issue the
Rest API / GUI certificate (default behavior from now onward). Fixed
the condition for having the Local OpenLDAP certificate (host role is
not subcloud).

Test plan:
PASS: Deploy a system with the feature flag enabled in the localhost
      file ('create_platform_certificates'). Apply oidc. Execute the
      playbook using the new name ('update_platform_certificates.yml')
      in 'update' and 'check' modes. Observe that it works as expected.
      Checked:
      - The provided RCA is installed as Trusted CA;
      - The resulting certificates are correct;
      - Login in Local Docker Registry is working;
      - OIDC is working as expected;
      - Horizon is working as expected;
      - OpenLDAP is working as expected.

Story: 2009811
Task: 48908

Change-Id: I9b928b1080a28bebb0362ac8d68be387bd4a67da
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>

examples/update-platform-certificates/update-platform-certificates-inventory-EXAMPLE.yml

@@ -5,22 +5,24 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 # This is an example inventory file to be used for
-# usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml
+# usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml
 # playbook.
 #
 # To run the playbook, the user would define an overrides file (as exemplified here)
 # providing the required variable settings and pass it on the ansible command-line as a parameter.
 #
 # Example ansible command:
-# ansible-playbook migrate_platform_certificates_to_certmanager.yml \
+# ansible-playbook update_platform_certificates.yml \
 #     -i @my-inventory-file.yml \
-#     --extra-vars "target_list=subcloud1 mode=update"
+#     --extra-vars "target_list=localhost,subcloud1 mode=update"
 
 # Use target_list to target individual subclouds, or a comma-separated
 # list of subclouds such as 'subcloud1,subcloud2'. To target all online
-# subclouds at once use target_list=all_online_subclouds
+# subclouds at once use 'target_list=all_online_subclouds'.
 #
-# To target the system controller or standalone systems use target_list=localhost
+# To target the system controller or standalone systems use 'target_list=localhost'.
+# It's recomended to have always at least localhost in the target_list, avoiding
+# the loss of consistency of the certificates between the hosts in DC systems.
 #
 # Note on the example parameters below :
 #

playbookconfig/src/playbooks/roles/common/recover-subcloud-certificates/tasks/validate-restapi-and-registry-certificates.yml

@@ -59,7 +59,7 @@
       {% endif %}
       Manual action required! On the subcloud, please update the expired certificates with
       `system certificate-install` or run
-      /usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml
+      /usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml
       playbook following the section Migrate Platform Certificates to Use Cert Manager of the
       docs.
   when: restapi_cert_expiration.rc is defined and

playbookconfig/src/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/check-certificates-to-be-installed.yml

@@ -1,34 +0,0 @@
----
-#
-# Copyright (c) 2021-2023 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# Check if https_enabled is enabled and if oidc-auth-apps is applied
-# in order to determine which certificates need to be installed
-#
-- name: Check if system is https_enabled
-  shell: |
-    source /etc/platform/openrc
-    system show | grep https_enabled | awk '{ print $4 }'
-  register: https_enabled
-
-- name: Check if oidc-auth-apps is applied
-  shell: |
-    source /etc/platform/openrc
-    system application-show oidc-auth-apps --column status --format value | \
-    awk  '{ if ($0 == "applied") print "true"; else print "false"; }'
-  register: oidc_applied
-
-- name: Check if openldap certificate exists
-  shell: |
-    source /etc/platform/openrc
-    system certificate-list | grep openldap | \
-    awk '{ if ($0 != "") print "true"; exit}'
-  register: openldap_certificate_exists
-
-- set_fact:
-    install_oidc_auth_apps_certificate: "{{ true if oidc_applied.stdout | bool else false }}"
-    install_system_open_ldap_certificate: "{{ true if openldap_certificate_exists.stdout | bool else false }}"
-    install_system_registry_local_certificate: true
-    install_system_restapi_gui_certificate: "{{ true if https_enabled.stdout | bool else false }}"

playbookconfig/src/playbooks/roles/update-platform-certificates/files/merge_certificate_mounts.py

@@ -1,6 +1,6 @@
 #!/usr/bin/python
 #
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022-2023 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #

playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/check-certificates-to-be-installed.yml

@@ -0,0 +1,33 @@
+---
+#
+# Copyright (c) 2021-2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Define variables (flags) that will be used in certificate creation.
+# Depending on the boolean value of the flags, the certificates will be
+# issued by local cluster issuer using 'system-local-ca' secret.
+# The platform certificates are:
+#   - OIDC-Auth-Apps (not required)
+#   - Local OpenLDAP (required for standalone and DC SystemController)
+#   - Docker Registry (required)
+#   - REST API / Web Server GUI (required)
+#
+- name: Check if oidc-auth-apps is applied
+  shell: |
+    source /etc/platform/openrc
+    system application-show oidc-auth-apps --column status --format value | \
+    awk  '{ if ($0 == "applied") print "true"; else print "false"; }'
+  register: oidc_applied
+
+- name: Get distributed_cloud role
+  shell: |
+    source /etc/platform/openrc
+    system show | grep distributed_cloud_role | awk '{ print $4 }'
+  register: dc_role
+
+- set_fact:
+    install_oidc_auth_apps_certificate: "{{ true if oidc_applied.stdout | bool else false }}"
+    install_system_open_ldap_certificate: "{{ true if dc_role.stdout != 'subcloud' else false }}"
+    install_system_registry_local_certificate: true
+    install_system_restapi_gui_certificate: true

playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/check-for-management-alarms.yml

@@ -1,6 +1,6 @@
 ---
 #
-# Copyright (c) 2021-2022 Wind River Systems, Inc.
+# Copyright (c) 2021-2023 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #

playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/get-certificates-summary.yml

@@ -1,6 +1,6 @@
 ---
 #
-# Copyright (c) 2021-2022 Wind River Systems, Inc.
+# Copyright (c) 2021-2023 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #

playbookconfig/src/playbooks/roles/update-platform-certificates/tasks/main.yml

@@ -10,8 +10,8 @@
 # Before installing new certificates, a backup of old ones is saved to
 # /home/sysadmin/certificates_backup/ in case they are needed
 #
-# The ICA used as issuer of the certificates created, is also installed
-# to the platform as a Trusted CA
+# The RCA that signs the ICA that is used to issue the certificates created
+# is also installed to the platform as a Trusted CA
 #
 # For oidc-auth-app certificate an application-apply is also performed
 # in order to restart the application with the new certificate
@@ -22,6 +22,16 @@
       include_tasks: check-for-management-alarms.yml
       when: ignore_alarms is undefined or ignore_alarms | bool == False
 
+    - name: Install Root CA certificate as trusted by the platform
+      include_role:
+        name: common/verify-and-install-system-local-ca-certs
+      vars:
+        - install_rca: true
+
+    - name: Restart kube-apiserver to pick the new certificate
+      include_role:
+        name: common/restart-kube-apiserver
+
     - name: Check certificates to be installed
       include_tasks: check-certificates-to-be-installed.yml
 
@@ -140,16 +150,6 @@
         name: common/delete-kubernetes-resources
       loop: "{{ certs_to_renew.stdout_lines | map('from_yaml') | unique | list }}"
 
-    - name: Install certificates as system Trusted CA certificates
-      include_role:
-        name: common/verify-and-install-system-local-ca-certs
-      vars:
-        - install_rca: true
-
-    - name: Restart kube-apiserver to pick the new certificates
-      include_role:
-        name: common/restart-kube-apiserver
-
     - name: Update oidc-auth-apps in order to use new certificate
       include_tasks: reapply-oidc-auth-app.yml
       when: oidc_applied.stdout | bool
@@ -227,22 +227,22 @@
         - {
           secret: system-registry-local-certificate,
           namespace: deployment,
-          should_run: 'true'
+          should_run: "{{ install_system_registry_local_certificate }}"
         }
         - {
           secret: system-restapi-gui-certificate,
           namespace: deployment,
-          should_run: "{{https_enabled.stdout}}"
+          should_run: "{{ install_system_restapi_gui_certificate }}"
         }
         - {
           secret: oidc-auth-apps-certificate,
           namespace: kube-system,
-          should_run: "{{oidc_applied.stdout}}"
+          should_run: "{{ install_oidc_auth_apps_certificate }}"
         }
         - {
           secret: system-openldap-local-certificate,
           namespace: deployment,
-          should_run: "{{ true if openldap_certificate_exists.stdout | int == 0 else false }}"
+          should_run: "{{ install_system_open_ldap_certificate }}"
         }
 
   when: mode == 'check'

playbookconfig/src/playbooks/update_platform_certificates.yml

@@ -13,18 +13,20 @@
 # To run the playbook, the user would define an overrides file that
 # provides the required variable settings, passing this on the ansible
 # command-line as a parameter.
-# (see migrate-platform-certificates-to-certmanager-inventory-EXAMPLE.yml)
+# (see update-platform-certificates-inventory-EXAMPLE.yml)
 #
 # Example command:
-# ansible-playbook migrate_platform_certificates_to_certmanager.yml \
-#     -i @migrate-platform-certificates-to-certmanager-inventory.yml \
+# ansible-playbook update_platform_certificates.yml \
+#     -i @update-platform-certificates-inventory.yml \
 #     --extra-vars "target_list=subcloud1 mode=update"
 #
 # Use target_list to target individual subclouds, or a comma-separated
 # list of subclouds such as 'subcloud1,subcloud2'. To target all online
 # subclouds at once use target_list=all_online_subclouds
 #
-# To target the system controller or standalone systems use target_list=localhost
+# To target the system controller or standalone systems use target_list=localhost.
+# It's recomended to have always at least localhost in the target_list, avoiding
+# the loss of consistency of the certificates between the hosts in DC systems.
 #
 
 - hosts: localhost
@@ -65,12 +67,12 @@
 - hosts: target_group
   gather_facts: no
   vars_files:
-  - host_vars/migrate_platform_certificates_to_certmanager/default.yml
+  - host_vars/update_platform_certificates/default.yml
 
   # for mode=check the output is too messy with free strategy
   strategy: "{{ 'linear' if mode == 'check' else 'free' }}"
   roles:
-    - migrate-platform-certificates-to-certmanager/migrate-certificates
+    - update-platform-certificates
 
 # Ensures ICA is also installed in system controller
 # even when target_list contains only subclouds
@@ -81,7 +83,7 @@
   gather_facts: no
   tasks:
     - block:
-      - name: Install certificates as system Trusted CA certificates
+      - name: Install Root CA certificate as trusted by the platform
         include_role:
           name: common/verify-and-install-system-local-ca-certs
         vars: