Remove subcloud admin endpoint data migration

Admin endpoint cert upgrade will be handled by manifest, so data
migration is no longer needed in subcloud.
On N+1 side, admin endpoint cert secret (key/cert) will be pulled
directly from k8s resource for manifest to generate endpoint cert
on first host unlock.

Only need to update SAN of admin endpoint cert.

Closes-Bug: 1923510
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/786666
Change-Id: I4312abd6c767d6ba54c13ce1e90f2e25df9ed216
Signed-off-by: Bin Qian <bin.qian@windriver.com>
Bin Qian 2021-04-30 12:14:31 -04:00
parent 0a61602cf3
commit 862c1746ab
2 changed files with 0 additions and 76 deletions


@ -389,15 +389,6 @@ start()
fi fi
fi fi
if [ -e $CONFIG_DIR/admin-ep-cert.pem ]
then
cp $CONFIG_DIR/admin-ep-cert.pem /etc/ssl/private/
if [ $? -ne 0 ]
then
fatal_error "Unable to copy $CONFIG_DIR/admin-ep-cert.pem to certificates dir"
fi
fi
if [ -e $CONFIG_DIR/dc-adminep-root-ca.crt ] if [ -e $CONFIG_DIR/dc-adminep-root-ca.crt ]
then then
cp $CONFIG_DIR/dc-adminep-root-ca.crt /etc/pki/ca-trust/source/anchors/ cp $CONFIG_DIR/dc-adminep-root-ca.crt /etc/pki/ca-trust/source/anchors/


@ -9,15 +9,9 @@
# This script can be removed in the release that follows stx.5.0 # This script can be removed in the release that follows stx.5.0
# #
import base64
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography import x509
from shutil import copyfile
import socket import socket
import subprocess import subprocess
import sys import sys
import time
from controllerconfig.common import log from controllerconfig.common import log
@ -117,67 +111,6 @@ def update_sc_admin_endpoint_cert(to_release):
else: else:
raise Exception('Command failed after retries: %s' % cmd) raise Exception('Command failed after retries: %s' % cmd)
# Extract subcloud admin endpoint certificate.
# There is an issue with cert-manager where even though the certificate is
# reported as ready from the previous command, the actual data extracted is
# still empty. So we retry if no valid certificate data is extracted, and
# retry for private key data for the same reason.
cmd = "kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret \
sc-adminep-certificate -n sc-cert -o=jsonpath='{.data.tls\.crt}'"
for attempt in range(3):
try:
cert = execute_command(cmd)
if not cert:
raise Exception('Certificate extracted is empty.')
cert = base64.b64decode(cert)
# Test loading the certificate to ensure it's valid
x509.load_pem_x509_certificate(cert, default_backend())
except Exception as e:
LOG.info('Failed to extract certificate: %s Will retry.' % e)
time.sleep(5)
continue
else:
break
else:
raise Exception('Failed to extract certificate from cert-manager.')
# Extract subcloud admin endpoint private key,
# Retry if no valid private key data is extracted.
cmd = "kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret \
sc-adminep-certificate -n sc-cert -o=jsonpath='{.data.tls\.key}'"
for attempt in range(3):
try:
key = execute_command(cmd)
if not key:
raise Exception('Private key extracted is empty.')
key = base64.b64decode(key)
# Test loading the private key to ensure it's valid
serialization.load_pem_private_key(key, password=None,
backend=default_backend())
except Exception as e:
LOG.info('Failed to extract private key: %s Will retry.' % e)
time.sleep(5)
continue
else:
break
else:
raise Exception('Failed to extract private key from cert-manager.')
# Create haproxy tls certificate
cert_file = "/etc/ssl/private/admin-ep-cert.pem"
with open(cert_file, 'w') as f:
f.write(key + cert)
# Copy admin endpoint certficates to the shared filesystem directory
shared_file = "/opt/platform/config/%s/admin-ep-cert.pem" % to_release
copyfile(cert_file, shared_file)
# Restart haproxy to take the new cert
cmd = "sm-restart service haproxy"
execute_command(cmd)
LOG.info('Subcloud admin endpoint certificate updated successfully') LOG.info('Subcloud admin endpoint certificate updated successfully')