Create openldap certificate on upgrade

This commit: Adds an upgrade script to call the ansible playbook upgrade-openldap-certificate.yml and create the openldap certificate during the upgrade activate stage. Changes the puppet plugin code for ldap to read the openldap certificate only in activate statuses during an upgrade. Fixes an issue with certificate_shell where it may call len() for a certificate that does not have the subject information, resulting a NoneType error. Test Plan: PASS: Upgrade from stx 22.06 to 22.12 and verify that the openldap certificate is successfully created in kubernetes in upgrade activate stage PASS: After certificate is created in kubernetes, verify that the certificate and key is read by puppet and saved to files in /etc/ldap/certs PASS: After certificate is created in kubernetes, verify that the certificate is picked up by cert-mon and saved to database and show in 'system certificate-list' Story: 2009834 Task: 45933 Change-Id: Ia4b9d1921b1e7afdc29f398f902faf2a8bf1e25b Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com> Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/856556
2022-09-08 15:33:14 -03:00 · 2022-09-08 15:33:14 -03:00 · f8b31e52ab
parent b6eb8b9c1e
commit f8b31e52ab
3 changed files with 78 additions and 8 deletions
--- a/controllerconfig/controllerconfig/upgrade-scripts/66-create-open-ldap-certificate.py
+++ b/controllerconfig/controllerconfig/upgrade-scripts/66-create-open-ldap-certificate.py
@ -0,0 +1,55 @@
+#!/usr/bin/python
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# This script creates the openldap certificate on kubernetes
+#
+import subprocess
+import sys
+from controllerconfig.common import log
+LOG = log.get_logger(__name__)
+
+
+def main():
+    action = None
+    from_release = None
+    to_release = None
+    arg = 1
+    while arg < len(sys.argv):
+        if arg == 1:
+            from_release = sys.argv[arg]
+        elif arg == 2:
+            to_release = sys.argv[arg]
+        elif arg == 3:
+            action = sys.argv[arg]
+        else:
+            print("Invalid option %s." % sys.argv[arg])
+            return 1
+        arg += 1
+    log.configure()
+
+    if action == 'activate' and to_release == '22.12':
+        LOG.info("%s invoked with from_release = %s to_release = %s "
+                 "action = %s"
+                 % (sys.argv[0], from_release, to_release, action))
+        create_openldap_certificate()
+
+
+def create_openldap_certificate():
+    """Run openldap certificate ansible playbook
+    """
+    playbooks_root = '/usr/share/ansible/stx-ansible/playbooks'
+    upgrade_script = 'create-openldap-certificate-for-upgrade.yml'
+    cmd = 'ansible-playbook {}/{}'.format(playbooks_root, upgrade_script)
+    sub = subprocess.Popen(cmd, shell=True,
+                           stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    stdout, stderr = sub.communicate()
+    if sub.returncode != 0:
+        LOG.error('Command failed:\n %s\n. %s\n%s' % (cmd, stdout, stderr))
+        raise Exception('Cannot create openldap certificate')
+    LOG.info('Successfully created openldap certificate')
+
+
+if __name__ == "__main__":
+    sys.exit(main())
--- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/certificate_shell.py
+++ b/sysinv/cgts-client/cgts-client/cgtsclient/v1/certificate_shell.py
@ -51,7 +51,7 @@ def do_certificate_list(cc, args):
    fields = ['uuid', 'certtype', 'expiry_date', 'subject']
    field_labels = fields
    for certificate in certificates:
-        if len(certificate.subject) > 20:
+        if certificate.subject and len(certificate.subject) > 20:
            certificate.subject = certificate.subject[:20] + "..."
    utils.print_list(certificates, fields, field_labels, sortby=0)

--- a/sysinv/sysinv/sysinv/sysinv/puppet/ldap.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/ldap.py
@ -42,17 +42,32 @@ class LdapPuppet(base.BasePuppet):
            'platform::ldap::params::bind_anonymous': bind_anonymous,
        }

-    def get_secure_system_config(self):
-        config = {}
+    def _is_openldap_certificate_created(self):
+        """ Returns True when it's safe to read the openldap certificate.
+        """
        bootstrap_completed = \
            os.path.isfile(constants.ANSIBLE_BOOTSTRAP_COMPLETED_FLAG)
+
+        is_upgrading, upgrade = utils.is_upgrade_in_progress(self.dbapi)
+
+        activating_statuses = [
+            constants.UPGRADE_ACTIVATING,
+            constants.UPGRADE_ACTIVATING_HOSTS,
+            constants.UPGRADE_ACTIVATION_COMPLETE,
+        ]
+        # During upgrade the openldap certificate is created in stage
+        # activate. In fresh installs it's created during bootstrap
+        if is_upgrading:
+            return upgrade.state in activating_statuses
+        else:
+            return bootstrap_completed
+
+    def get_secure_system_config(self):
+        config = {}
        is_subcloud = \
            self._distributed_cloud_role() == constants.DISTRIBUTED_CLOUD_ROLE_SUBCLOUD
-        is_upgrading, _ = utils.is_upgrade_in_progress(self.dbapi)
-        # Checking for upgrade is a temporary fix to allow the upgrade to run.
-        # A subsequent code change is needed to create the openldap certificate
-        # during the upgrade and then remove this check.
-        if bootstrap_completed and not is_subcloud and not is_upgrading:
+
+        if self._is_openldap_certificate_created() and not is_subcloud:
            ldap_cert, ldap_key = utils.get_certificate_from_secret(
                constants.OPENLDAP_CERT_SECRET_NAME,
                constants.CERT_NAMESPACE_PLATFORM_CERTS)