Set dc adminep cert and root ca cert to secure system config

Extract admin endpoint cert and key pair from cert-manager to secure
system config, for puppet to pick up and install.
The cert and key are used to by haproxy to provide ssl termination
on admin endpoints.

Performed tests:
Install DC, unlocked system controller 0 and 1
Unlocked SX subcloud controller 0.

Story: 2007347
Task: 39429

Depends-on: https://review.opendev.org/#/c/720270
Depends-on: https://review.opendev.org/#/c/720224

Change-Id: Idb302fffe2b4c4ae36a901377d5089a91d26a3ba
Signed-off-by: Bin Qian <bin.qian@windriver.com>

sysinv/sysinv/sysinv/sysinv/common/exception.py

@@ -1,6 +1,6 @@
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
 
-# Copyright (c) 2013-2019 Wind River Systems, Inc.
+# Copyright (c) 2013-2020 Wind River Systems, Inc.
 # Copyright 2010 United States Government as represented by the
 # Administrator of the National Aeronautics and Space Administration.
 # All Rights Reserved.
@@ -1443,3 +1443,8 @@ class KubeUpgradeNotFound(NotFound):
 
 class KubeVersionNotFound(NotFound):
     message = _("Kubernetes version %(version)s not found")
+
+
+class KubeNotConfigured(SysinvException):
+    message = _("Kubernetes is not configured. API operations "
+                "will not be available.")

sysinv/sysinv/sysinv/sysinv/common/kubernetes.py

@@ -133,9 +133,7 @@ class KubeOperator(object):
 
     def _load_kube_config(self):
         if not is_k8s_configured():
-            raise exception.SysinvException(
-                "Kubernetes is not configured. API operations will not be "
-                "available.")
+            raise exception.KubeNotConfigured()
 
         config.load_kube_config(KUBERNETES_ADMIN_CONF)
 

sysinv/sysinv/sysinv/sysinv/puppet/platform.py

@@ -3,11 +3,13 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
+import base64
 import keyring
 import os
 
 from sysinv.common import constants
 from sysinv.common import exception
+from sysinv.common import kubernetes
 from sysinv.common import utils
 
 from tsconfig import tsconfig
@@ -50,6 +52,7 @@ class PlatformPuppet(base.BasePuppet):
     def get_secure_system_config(self):
         config = {}
         config.update(self._get_user_config())
+        config.update(self._get_dc_root_ca_config())
         return config
 
     def get_host_config(self, host):
@@ -878,6 +881,44 @@ class PlatformPuppet(base.BasePuppet):
 
         return config
 
+    def _get_dc_root_ca_config(self):
+        config = {}
+        system = self._get_system()
+        if system.distributed_cloud_role == \
+                constants.DISTRIBUTED_CLOUD_ROLE_SYSTEMCONTROLLER and \
+                os.path.isfile(constants.ANSIBLE_BOOTSTRAP_COMPLETED_FLAG):
+
+            kube = kubernetes.KubeOperator()
+            try:
+                secret = kube.kube_get_secret('dc-adminep-root-ca-certificate', 'dc-cert')
+            except exception.KubeNotConfigured:
+                # kubernetes admin config file does not exist, skip
+                return config
+
+            if not hasattr(secret, 'data'):
+                raise Exception('Invalid secret dc-adminep-root-ca-certificate')
+
+            data = secret.data
+            if 'ca.crt' not in data or \
+                    'tls.crt' not in data or 'tls.key' not in data:
+
+                raise Exception("Invalid admin endpoint certificate data.")
+
+            try:
+                ca_crt = base64.b64decode(data['ca.crt'])
+                tls_crt = base64.b64decode(data['tls.crt'])
+                tls_key = base64.b64decode(data['tls.key'])
+            except TypeError:
+                raise Exception('admin endpoint root ca certification is invalid')
+
+            config.update({
+                'platform::config::dccert::params::dc_root_ca_crt': ca_crt,
+                'platform::config::dccert::params::dc_adminep_crt':
+                    "%s%s" % (tls_key, tls_crt)
+            })
+
+        return config
+
     def _get_platform_cpu_count(self, host):
         cpus = self._get_host_cpu_list(host, constants.PLATFORM_FUNCTION, True)
         return len(cpus)

sysinv/sysinv/sysinv/sysinv/tests/common/test_kubernetes.py

@@ -80,7 +80,12 @@ def mock_load_kube_config(path):
     return
 
 
+def mock_os_path_isfile(path):
+    return True
+
+
 @mock.patch('kubernetes.config.load_kube_config', mock_load_kube_config)
+@mock.patch('os.path.isfile', mock_os_path_isfile)
 @mock.patch('sysinv.common.kubernetes.get_kube_versions',
             mock_get_kube_versions)
 class TestKubeOperator(base.TestCase):