Improve robustness of root CA cert update polling

cert-manager's way of creating new secrets is:
1. create a k8s secret resource with missing data
2. populate the missing data after its creation

Thus, just checking that the secret exists isn't enough when its data is
then consumed.

In order to improve this behavior, this work is:
- Updating `get_cert_secret` method to check for the secret content and
  specifically look for the TLS certificate as well
- Reducing the secret polling interval and increasing its timeout
- Handling the secret's certificate unpacking in a try-catch block

Test Plan:

PASS: Verify kube-rootca-update-generate-cert command properly waits for
the secret to be populated in a:
  - normal condition
  - throttling condition
  - condition without polling interval
PASS: Verify that if the secret fails to create within the timeout
range, the proper error will be shown and the user is able to retry

Closes-Bug: 1945331
Signed-off-by: Joao Soubihe <JoaoPaulo.Soubihe@windriver.com>
Change-Id: I06438d5824cc2383953a23fc31d95c399d86fc1a
Joao Soubihe 2021-10-22 15:30:26 -03:00 committed by Rafael Camargos
parent 62ac3bd546
commit 350cc912ad
2 changed files with 7 additions and 7 deletions
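As an added illustration of the polling the commit message describes (this is not code from this change or from the project): a poll loop that treats both a missing Secret and a Secret whose `data` is still `None` as "not ready yet", run against a constructed fake client that mimics cert-manager's two-phase creation. `FakeSecret`, `FakeKubeClient`, the secret name and the namespace are constructed stand-ins for the Kubernetes client objects, not real identifiers.

```python
import base64
import time


class FakeSecret:
    """Constructed stand-in for the client's V1Secret: `data` is None until populated."""
    def __init__(self, data):
        self.data = data  # None, or a dict of base64-encoded strings


class FakeKubeClient:
    """Constructed client: returns each phase in turn, then repeats the last one."""
    def __init__(self, phases):
        self._phases = list(phases)
        self.calls = 0

    def read_secret(self, name, namespace):
        self.calls += 1
        return self._phases[min(self.calls - 1, len(self._phases) - 1)]


def secret_has_tls_crt(secret):
    # Guard the "no Secret yet" and "Secret created, data not yet filled" phases
    # before touching the key, so neither one raises inside the poll loop.
    return (secret is not None and secret.data is not None
            and bool(secret.data.get("tls.crt")))


def wait_for_cert_secret(client, name, namespace, max_retries=60,
                         interval=1.0, sleep=time.sleep):
    """Poll until tls.crt is present; return the Secret, or None on timeout."""
    for attempt in range(max_retries):
        secret = client.read_secret(name, namespace)
        if secret_has_tls_crt(secret):
            return secret
        if attempt < max_retries - 1:
            sleep(interval)
    return None


def decode_tls_crt(secret):
    """Return the PEM bytes of tls.crt, or None if absent or not valid base64."""
    try:
        return base64.b64decode(secret.data["tls.crt"], validate=True)
    except (KeyError, TypeError, ValueError):
        return None


# Constructed sequence mimicking cert-manager: absent, then empty, then populated.
PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
PHASES = [None, FakeSecret(None),
          FakeSecret({"tls.crt": base64.b64encode(PEM).decode()})]
```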

@ -1000,11 +1000,11 @@ class KubeOperator(object):
label_selector, field_selector, e)
raise
def get_cert_secret(self, name, namespace, max_retries=4):
for i in range(0, max_retries):
def get_cert_secret(self, name, namespace, max_retries=60):
for _ in range(max_retries):
secret = self.kube_get_secret(name, NAMESPACE_DEPLOYMENT)
if secret is not None and secret.data is not None:
if secret is not None and secret.data.get("tls.crt"):
LOG.debug("secret = %s" % secret)
return secret
time.sleep(5)
time.sleep(1)
return None
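Review bot: the new readiness check `secret is not None and secret.data.get("tls.crt")` drops the `secret.data is not None` guard the replaced line had, so the exact case this change targets (a Secret that cert-manager has created but not yet populated, where `data` is `None`) now raises `AttributeError` on `.get` instead of letting the loop retry; keep the guard, e.g. `if secret is not None and secret.data and secret.data.get("tls.crt"):`. Two smaller points in the same hunk: the `namespace` parameter is still ignored in favour of `NAMESPACE_DEPLOYMENT` in the `kube_get_secret` call, and the new 60 x 1 s schedule is one API read per second for up to a minute, which deserves a comment given the throttling scenario in the test plan.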

@ -14834,11 +14834,11 @@ class ConductorManager(service.PeriodicService):
data = secret.data
tls_crt = base64.decode_as_bytes(data['tls.crt'])
cert = cutils.extract_certs_from_pem(tls_crt)[0]
certs = cutils.extract_certs_from_pem(tls_crt)
# extract information regarding the new rootca
try:
new_cert = cutils.build_cert_identifier(cert)
new_cert = cutils.build_cert_identifier(certs[0])
except Exception:
msg = "Failed to extract issuer and serial number from new root CA"
LOG.error(msg)
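Review bot: the try block now covers `certs[0]`, but `base64.decode_as_bytes(data['tls.crt'])` and `cutils.extract_certs_from_pem(tls_crt)` stay outside it, so a `tls.crt` that is present but malformed still raises past this handler, and an empty PEM now yields the message "Failed to extract issuer and serial number", which does not describe an `IndexError` on `certs[0]`. Move the decode and extract calls inside the try, or check `if not certs:` with its own message before building the identifier.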
@ -14909,7 +14909,7 @@ class ConductorManager(service.PeriodicService):
:param secret_name: the name of the secret to wait
"""
kube_operator = kubernetes.KubeOperator()
secret = kube_operator.get_cert_secret(secret_name, kubernetes.NAMESPACE_DEPLOYMENT, max_retries=2)
secret = kube_operator.get_cert_secret(secret_name, kubernetes.NAMESPACE_DEPLOYMENT)
if secret is None:
msg = "Secret %s creation timeout" % secret_name
LOG.error(msg)
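Review bot: dropping `max_retries=2` makes this wait silently depend on the default in `get_cert_secret` (60 tries), so the timeout this caller tolerates is no longer visible at the call site. Pass the value explicitly or reference a named constant, and include the waited time in the "Secret %s creation timeout" message so the retry path the test plan mentions tells the operator how long was waited.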