Merge "K8s external requests with client certs (admin)"

sysinv/sysinv/sysinv/scripts/kube-cert-rotation.sh

@@ -255,6 +255,7 @@ RESTART_SYSINV=0
 RESTART_CERT_MON=0
 RESTART_DC_CERT_MON=0
 RESTART_ETCD=0
+RESTART_HAPROXY=0
 
 # Fist check the validity of the Root CAs in /etc/kubernetes/pki/ca.crt and /etc/etcd/ca.crt
 # If they are expired the process should not continue
@@ -302,11 +303,13 @@ if [ ${ERR} -eq 0 ]; then
 fi
 # Renew certs in admin.conf
 if [ ${ERR} -eq 0 ]; then
-    renew_cert 'admin.conf'
+    renew_cert 'admin.conf' &&
+    python /usr/share/puppet/modules/platform/files/parse_k8s_admin_client_credentials.py --output_file /etc/kubernetes/pki/haproxy_client.pem
     result=$?
     if [ ${result} -eq 0 ]; then
         RESTART_SYSINV=1
         RESTART_CERT_MON=1
+        RESTART_HAPROXY=1
         # dccertmon is only provisioned in DC systems, so there
         # won't be any impacts if it is restarted in AIO as well.
         RESTART_DC_CERT_MON=1
@@ -516,6 +519,14 @@ if [ ${RESTART_ETCD} -eq 1 ]; then
         ERR=2
     fi
 fi
+# Restart haproxy
+if [ ${RESTART_HAPROXY} -eq 1 ]; then
+    sm-restart-safe service haproxy
+    if [ $? -ne 0 ]; then
+        ERR_REASON="Failed to restart haproxy service."
+        ERR=2
+    fi
+fi
 
 if [ ${ERR} -eq 2 ]; then
     # Notify admin to lock and unlock this master node if restart k8s components failed

sysinv/sysinv/sysinv/sysinv/api/controllers/v1/kube_cluster.py

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2021-2024 Wind River Systems, Inc.
+# Copyright (c) 2021-2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -104,7 +104,18 @@ class KubeClusterController(rest.RestController):
         # Build public endpoint from private endpoint
         endpoint_parsed = urlparse(cluster_config.host)
         endpoint_host = utils.format_url_address(self._get_oam_address())
-        endpoint_netloc = "{}:{}".format(endpoint_host, endpoint_parsed.port)
+
+        # TODO(mdecastr): support for upgrade to stx11. After stx11 branchs out
+        # of master, we can remove the verfication for the port update
+        if utils.is_kube_apiserver_port_updated():
+            # External requests go through haproxy, which uses REST API/GUI cert.
+            # cluster_ca_cert then needs to be the RCA certificate that anchors it.
+            _, _, cluster_ca_cert = utils.\
+                get_certificate_from_secret(constants.RESTAPI_CERT_SECRET_NAME,
+                                            constants.CERT_NAMESPACE_PLATFORM_CERTS)
+
+        endpoint_netloc = "{}:{}".format(endpoint_host,
+                                         constants.KUBE_APISERVER_EXTERNAL_PORT)
         cluster_api_endpoint = endpoint_parsed._replace(
             netloc=endpoint_netloc).geturl()
 

sysinv/sysinv/sysinv/sysinv/tests/api/test_kube_cluster.py

@@ -176,6 +176,13 @@ class TestKubeCluster(base.FunctionalTest):
             mock_kube_get_service_account_token)
         self.mocked_kube_get_service_account_token.start()
 
+        def mock_utils_get_certificate_from_secret(name, namespace):
+            return '', '', FAKE_CA_CERT
+        self.mocked_utils_get_certificate_from_secret = mock.patch(
+            'sysinv.common.utils.get_certificate_from_secret',
+            mock_utils_get_certificate_from_secret)
+        self.mocked_utils_get_certificate_from_secret.start()
+
     def tearDown(self):
         super(TestKubeCluster, self).tearDown()
         self.ssl_ca_file.close()
@@ -184,6 +191,7 @@ class TestKubeCluster(base.FunctionalTest):
         self.mocked_kube_get_kubernetes_version.stop()
         self.mocked_kube_get_kubernetes_config.stop()
         self.mocked_kube_get_service_account_token.stop()
+        self.mocked_utils_get_certificate_from_secret.stop()
 
     def _get_cluster_api_endpoint(self):
         endpoint_host = utils.format_url_address(self.oam_subnet[2])