From a52b3b27631718c1014c2c0a1a76950290065332 Mon Sep 17 00:00:00 2001
From: David Parker
Date: Thu, 7 Dec 2023 12:43:06 +0000
Subject: [PATCH] [patch] Ensure cluster_ingress_tls_crt_remove_it is defined
---
 ibm/mas_devops/common_tasks/get_signed_ingress_cert.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/ibm/mas_devops/common_tasks/get_signed_ingress_cert.yml b/ibm/mas_devops/common_tasks/get_signed_ingress_cert.yml
index 35760a356..e17478fb8 100644
--- a/ibm/mas_devops/common_tasks/get_signed_ingress_cert.yml
+++ b/ibm/mas_devops/common_tasks/get_signed_ingress_cert.yml
@@ -98,10 +98,14 @@
 cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt | regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True) }}"
 no_log: true
-# Filter DST Root CA X3 issuer certificate if present
+# Filter out of date DST Root CA X3 issuer certificate if present
+# This is a known problem in IBMCloud ROKS clusters, where an expired
+# root certificate is included in the chain, the inclusion of this
+# certificate in our truststore prevents MAS being able to connect
+# to IBM User Data Services because it's an invalid certificate.
 - name: "Check if DST Root CA X3 issuer certificate is present"
 vars:
- dst_root_x3: "Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5" # if DST Root CA X3 issuer certificate is present, we'll filter from the MAS config
+ dst_root_x3: "Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5"
 no_log: true
 set_fact:
 cluster_ingress_tls_crt_remove_it: "{{ cluster_ingress_tls_crt_remove_it|default([]) + [item] }}"
@@ -115,6 +119,7 @@
 set_fact:
 cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt | difference(cluster_ingress_tls_crt_remove_it) | list }}"
 when:
+ - cluster_ingress_tls_crt_remove_it is defined
 - cluster_ingress_tls_crt is defined
 - cluster_ingress_tls_crt | length > 0
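Review bot: The `dst_root_x3` literal in the first hunk is left as an unexplained magic string, because its inline comment was removed and the new header comment says why the certificate is filtered but not what the value is or how it was obtained. This value decides which certificate is dropped from the MAS truststore, so a reader should be able to verify it against the real certificate. I would add a line above it such as `# Fragment of the PEM (base64) body of the expired DST Root CA X3 certificate, used to recognise it in the chain`, with the wording confirmed against the match condition. That condition and the task's loop lie outside this hunk, so how the value is compared is not visible here.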
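Review bot: The added `cluster_ingress_tls_crt_remove_it is defined` condition in the second hunk only tests that the fact exists, while the first hunk shows it being accumulated with `cluster_ingress_tls_crt_remove_it|default([]) + [item]` and never reset in the visible lines. Facts set with `set_fact` persist for the host, so if this task file is included more than once in a play the list from an earlier run is still defined and keeps growing with stale entries. Either initialise the fact to `[]` in a task before the loop, or drop the guard and write `difference(cluster_ingress_tls_crt_remove_it | default([]))` so the filter task does not depend on the fact's prior state. The task this `when:` belongs to starts outside the hunk.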