[patch] Filter DST X3 Root certificate part from the cluster's ingres…

…s chain (#1130)
ibm-mas · Dec 6, 2023 · 9c9342e · 9c9342e
1 parent a080005
commit 9c9342e
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 5 deletions.
diff --git a/ibm/mas_devops/common_tasks/get_signed_ingress_cert.yml b/ibm/mas_devops/common_tasks/get_signed_ingress_cert.yml
@@ -59,7 +59,6 @@
     cluster_ingress_secret_name: "{{ cluster_subdomain.resources[0].spec.domain | regex_search('[^.]*')  }}"
     cluster_ingress_tls_crt: "{{ cluster_ingress_secret.resources[0].data['tls.crt'] | b64decode }}"
 
-
 # 3. Lookup for secret based on the cluster name
 # -----------------------------------------------------------------------------
 # ROSA, TechZone, and some IPI Installs use this convention
@@ -93,6 +92,31 @@
   loop_control:
     label: "{{ item.metadata.name }}"
 
+# Break up the certificate into an array
+- name: "Extract certificate chain into a variable"
+  set_fact:
+    cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt | regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True) }}"
+  no_log: true
+
+# Filter DST Root CA X3 issuer certificate if present
+- name: "Check if DST Root CA X3 issuer certificate is present"
+  vars:
+    dst_root_x3: "Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5" # if DST Root CA X3 issuer certificate is present, we'll filter from the MAS config
+  no_log: true
+  set_fact:
+    cluster_ingress_tls_crt_remove_it: "{{ cluster_ingress_tls_crt_remove_it|default([]) + [item] }}"
+  when:
+    - (dst_root_x3 in item)
+  with_items:
+    - "{{ cluster_ingress_tls_crt }}"
+
+- name: "Filter DST Root CA X3 issuer certificate if present"
+  no_log: true
+  set_fact:
+    cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt | difference(cluster_ingress_tls_crt_remove_it) | list }}"
+  when:
+    - cluster_ingress_tls_crt is defined
+    - cluster_ingress_tls_crt | length > 0
 
 # 4. Log which (if any) secret was found
 # -----------------------------------------------------------------------------

diff --git a/ibm/mas_devops/roles/cos/tasks/providers/ocs/provision.yml b/ibm/mas_devops/roles/cos/tasks/providers/ocs/provision.yml
@@ -94,7 +94,7 @@
 # is necessary :)
 - name: "ocs/objectstorage : Set COS cert variable"
   set_fact:
-    ocscos_tls_crt: "{{ cluster_ingress_tls_crt | regex_findall('(-----BEGIN .+?-----(?s).+?-----END .+?-----)', multiline=True, ignorecase=True) }}"
+    ocscos_tls_crt: "{{ cluster_ingress_tls_crt }}"
 
 # Load uds_certs template to dynamically set as many uds certificates as identified
 - set_fact:

diff --git a/ibm/mas_devops/roles/dro/defaults/main.yml b/ibm/mas_devops/roles/dro/defaults/main.yml
@@ -6,7 +6,6 @@ dro_version: "{{ lookup('env', 'DRO_VERSION') | default('', true) }}"
 # -----------------------------------------------------------------------------
 dro_storage_class: "{{ lookup('env', 'DRO_STORAGE_CLASS') }}"
 
-
 # BASCfg generation for DRO
 # -----------------------------------------------------------------------------
 dro_contact:

diff --git a/ibm/mas_devops/roles/dro/tasks/gencfg/main.yml b/ibm/mas_devops/roles/dro/tasks/gencfg/main.yml
@@ -73,7 +73,7 @@
 # Break up the certificate into an array
 - name: "udscfg : Set UDS cert variable"
   set_fact:
-    dro_tls_crt: "{{ cluster_ingress_tls_crt | regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True) }}"
+    dro_tls_crt: "{{ cluster_ingress_tls_crt }}"
   no_log: true
 
 # Load uds_certs template to dynamically set as many uds certificates as identified

diff --git a/ibm/mas_devops/roles/uds/tasks/install/udscfg.yml b/ibm/mas_devops/roles/uds/tasks/install/udscfg.yml
@@ -56,7 +56,7 @@
 # Break up the certificate into an array
 - name: "udscfg : Set UDS cert variable"
   set_fact:
-    uds_tls_crt: "{{ cluster_ingress_tls_crt | regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True) }}"
+    uds_tls_crt: "{{ cluster_ingress_tls_crt }}"
 
 # 5. Debug
 # -----------------------------------------------------------------------------