From 862c1746abb8d8901d2acb4bcb43569210e55f3e Mon Sep 17 00:00:00 2001
From: Bin Qian
Date: Fri, 30 Apr 2021 12:14:31 -0400
Subject: [PATCH] Remove subcloud admin endpoint data migration

Admin endpoint cert upgrade will be handeled by manifest, so data migration is no longer needed in subcloud. On N+1 side, admin endpoint cert secret (key/cert) will be pulled directly from k8s resource for manifest to generate endpoint cert on first host unlock. Only need to update SAN of admin endpoint cert.

Closes-Bug: 1923510
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/786666
Change-Id: I4312abd6c767d6ba54c13ce1e90f2e25df9ed216
Signed-off-by: Bin Qian
---
 .../scripts/controller_config | 9 ---
 .../85-update-sc-admin-endpoint-cert.py | 67 -------------------
 2 files changed, 76 deletions(-)

diff --git a/controllerconfig/controllerconfig/scripts/controller_config b/controllerconfig/controllerconfig/scripts/controller_config
index 6a97611ea1..6fda6a6c53 100755
--- a/controllerconfig/controllerconfig/scripts/controller_config
+++ b/controllerconfig/controllerconfig/scripts/controller_config
@@ -389,15 +389,6 @@ start()
 fi
 fi
- if [ -e $CONFIG_DIR/admin-ep-cert.pem ]
- then
- cp $CONFIG_DIR/admin-ep-cert.pem /etc/ssl/private/
- if [ $? -ne 0 ]
- then
- fatal_error "Unable to copy $CONFIG_DIR/admin-ep-cert.pem to certificates dir"
- fi
- fi
-
 if [ -e $CONFIG_DIR/dc-adminep-root-ca.crt ]
 then
 cp $CONFIG_DIR/dc-adminep-root-ca.crt /etc/pki/ca-trust/source/anchors/
diff --git a/controllerconfig/controllerconfig/upgrade-scripts/85-update-sc-admin-endpoint-cert.py b/controllerconfig/controllerconfig/upgrade-scripts/85-update-sc-admin-endpoint-cert.py
index ba67e739e7..91e4089444 100644
--- a/controllerconfig/controllerconfig/upgrade-scripts/85-update-sc-admin-endpoint-cert.py
+++ b/controllerconfig/controllerconfig/upgrade-scripts/85-update-sc-admin-endpoint-cert.py
@@ -9,15 +9,9 @@
 # This script can be removed in the release that follows stx.5.0
 #
-import base64
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import serialization
-from cryptography import x509
-from shutil import copyfile
 import socket
 import subprocess
 import sys
-import time
 from controllerconfig.common import log
@@ -117,67 +111,6 @@ def update_sc_admin_endpoint_cert(to_release): else: raise Exception('Command failed after retries: %s' % cmd) - # Extract subcloud admin endpoint certificate. - # There is an issue with cert-manager where even though the certificate is - # reported as ready from the previous command, the actual data extracted is - # still empty. So we retry if no valid certificate data is extracted, and - # retry for private key data for the same reason. - cmd = "kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret \ - sc-adminep-certificate -n sc-cert -o=jsonpath='{.data.tls\.crt}'" - for attempt in range(3): - try: - cert = execute_command(cmd) - if not cert: - raise Exception('Certificate extracted is empty.') - cert = base64.b64decode(cert) - - # Test loading the certificate to ensure it's valid - x509.load_pem_x509_certificate(cert, default_backend()) - except Exception as e: - LOG.info('Failed to extract certificate: %s Will retry.' % e) - time.sleep(5) - continue - else: - break - else: - raise Exception('Failed to extract certificate from cert-manager.') - - # Extract subcloud admin endpoint private key, - # Retry if no valid private key data is extracted. - cmd = "kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret \ - sc-adminep-certificate -n sc-cert -o=jsonpath='{.data.tls\.key}'" - for attempt in range(3): - try: - key = execute_command(cmd) - if not key: - raise Exception('Private key extracted is empty.') - key = base64.b64decode(key) - - # Test loading the private key to ensure it's valid - serialization.load_pem_private_key(key, password=None, - backend=default_backend()) - except Exception as e: - LOG.info('Failed to extract private key: %s Will retry.' 
% e) - time.sleep(5) - continue - else: - break - else: - raise Exception('Failed to extract private key from cert-manager.') - - # Create haproxy tls certificate - cert_file = "/etc/ssl/private/admin-ep-cert.pem" - with open(cert_file, 'w') as f: - f.write(key + cert) - - # Copy admin endpoint certficates to the shared filesystem directory - shared_file = "/opt/platform/config/%s/admin-ep-cert.pem" % to_release - copyfile(cert_file, shared_file) - - # Restart haproxy to take the new cert - cmd = "sm-restart service haproxy" - execute_command(cmd) - LOG.info('Subcloud admin endpoint certificate updated successfully')