Fix system-local-ca ca.crt during upgrade

Included code to avoid repeating the system_local_ca_cert in case
the ca.crt cannot be retrieved.
Filling this field with a cert that is not an RCA can cause problems
when renewing certificates signed by 'system-local-ca' issuer, while
having the field as an empty string doesn't pose a problem for
renewal.

Test plan:
PASS: Bootstrap AIO-SX (fresh install).
PASS: Bootstrap DC + SX subcloud (fresh install).
PASS: Perform upgrade from stx 9.0 (AIO-SX).

Story: 2009811
Task: 50018

Change-Id: I1757b5c0438aba9ca8a782b3f05c160cdabec134
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
Marcelo Loebens 2024-04-29 09:50:38 -04:00 committed by Marcelo de Castro Loebens
parent 9c4a5ef225
commit d76bdfa929
2 changed files with 2 additions and 2 deletions


@ -3,7 +3,7 @@
---
apiVersion: v1
data:
ca.crt: "{{ system_root_ca_cert | default(system_local_ca_cert) }}"
ca.crt: "{{ system_root_ca_cert | default('', true) }}"
tls.crt: "{{ system_local_ca_cert }}"
tls.key: "{{ system_local_ca_key }}"
kind: Secret
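Review bot: The new `ca.crt` line can render an empty value into the Secret with nothing in the template saying that this is intentional. The reason is only in the commit message (a non-root cert in this field breaks renewal for certificates signed by 'system-local-ca', an empty string does not), so a short comment above `ca.crt` stating that would stop a later change from restoring the `system_local_ca_cert` fallback. It is also worth confirming that nothing reading `ca.crt` from this Secret as a trust anchor treats an empty value as a usable bundle, since `tls.crt` and `tls.key` are still populated alongside it.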


@ -58,7 +58,7 @@
- name: Set system-local-ca data
set_fact:
system_root_ca_cert: "{{ ca_cert_result.stdout | default(cert_result.stdout, true) }}"
system_root_ca_cert: "{{ ca_cert_result.stdout | default('', true) }}"
system_local_ca_cert: "{{ cert_result.stdout }}"
system_local_ca_key: "{{ key_result.stdout }}"
system_local_ca_data_obtained: true
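Review bot: A failed retrieval of the root CA is now silent: `system_root_ca_cert` falls back to `''` while `system_local_ca_data_obtained: true` is still set in the same `set_fact`, so nothing downstream or in the upgrade log distinguishes "root CA obtained" from "root CA missing". Consider adding a debug or warning task when `ca_cert_result.stdout` is empty, or a separate fact recording whether the root CA was found. With this fallback in place, the `default('', true)` in the Secret template only matters when this task did not run, which may deserve a note there.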