From 9f1a562da7359b38bc68326c3552355dd77c77ad Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Thu, 28 Sep 2023 16:48:47 +0200
Subject: [PATCH] Introduce kolla_copy_cacerts
This adds a script to run at container start via kolla_start to update the container environment for trusted CAs (TLS-E). Also adds the cloud-admin user to the kolla group to be allowed to run kolla* commands as root. This is required to get the openstackclient CA trust updated for tls endpoints.
Jira: OSP-26299
Jira: OSP-26849
---
 container-images/kolla/base/copy_cacerts.sh | 14 ++++++++++++++
 container-images/kolla/base/start.sh | 3 +++
 container-images/kolla/base/uid_gid_manage.sh | 2 +-
 container-images/tcib/base/base.yaml | 2 ++
 4 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 container-images/kolla/base/copy_cacerts.sh
diff --git a/container-images/kolla/base/copy_cacerts.sh b/container-images/kolla/base/copy_cacerts.sh
new file mode 100644
index 00000000..f79d0b87
--- /dev/null
+++ b/container-images/kolla/base/copy_cacerts.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Copy custom CA certificates to system trusted CA certificates folder
+# and run CA update utility
+
+if [[ -d /var/lib/config-data/ca-certificates ]] && \
+ [[ ! -z "$(ls -A /var/lib/config-data/ca-certificates/)" ]]; then
+ # CentOS
+ for cert in /var/lib/config-data/ca-certificates/*; do
+ file=$(basename "$cert")
+ cp $cert "/etc/pki/ca-trust/source/anchors/ospk8s-customca-$file"
+ done
+ update-ca-trust
+fi
diff --git a/container-images/kolla/base/start.sh b/container-images/kolla/base/start.sh
index 8c31dc02..e0c0ea76 100644
--- a/container-images/kolla/base/start.sh
+++ b/container-images/kolla/base/start.sh
@@ -9,6 +9,9 @@ sudo -E kolla_set_configs
 CMD=$(cat /run_command)
 ARGS=""
 
+# Install custom CA certificates
+sudo kolla_copy_cacerts
+
 if [[ ! "${!KOLLA_SKIP_EXTEND_START[@]}" ]]; then
 # Run additional commands if present
 . kolla_extend_start
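Review bot: The emptiness check and the loop on the `for` line disagree about what counts as a certificate: `ls -A` counts dot-entries, while the `*` glob skips them, so a directory holding only dot-entries (for example the `..data` bookkeeping that a Kubernetes ConfigMap or Secret mount creates) passes the check, the loop then runs once with the literal pattern, `cp` fails on a non-existent file and `update-ca-trust` still runs. Nothing propagates that failure either: the script has no `set -e`, so the caller in kolla_start sees the exit status of `update-ca-trust` regardless of whether anything was installed. `cp $cert` is also unquoted (SC2086) while `basename "$cert"` on the line above is quoted; since this runs as root via sudo on whatever the mounted directory contains, consistent quoting and a regular-file check are cheap insurance. I would drop the `ls` test in favour of `shopt -s nullglob`, copy only regular files, and run `update-ca-trust` only when something was actually copied:
```shell
#!/bin/bash
# Copy custom CA certificates from the mounted config-data directory into the
# system trust anchors and rebuild the CA bundle. Runs as root via sudo from
# kolla_start; exits non-zero if a copy or the bundle update fails.
set -euo pipefail
shopt -s nullglob

src=/var/lib/config-data/ca-certificates
anchors=/etc/pki/ca-trust/source/anchors
copied=0

# With nullglob the loop body is a no-op when the directory is absent or
# holds no visible entries, so no separate -d / ls -A test is needed.
for cert in "${src}"/*; do
    [[ -f "$cert" ]] || continue   # skip directories and dangling symlinks
    cp -- "$cert" "${anchors}/ospk8s-customca-${cert##*/}"
    copied=1
done

# CentOS/RHEL: regenerate the consolidated trust bundles from the anchors.
if (( copied )); then
    update-ca-trust
fi
```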
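Review bot: The new `sudo kolla_copy_cacerts` line discards the helper's exit status, so a failed trust-store update would only surface later as opaque TLS verification errors against the very endpoints this change is meant to reach; unless kolla_start enables `errexit` above this hunk (not visible here), I would fail fast with `sudo kolla_copy_cacerts || { echo "kolla_copy_cacerts failed" >&2; exit 1; }`. The comment should also say what is copied and why root is needed, e.g. `# Install custom CA certificates from /var/lib/config-data/ca-certificates into the system trust store (update-ca-trust needs root, hence sudo)`. `kolla_set_configs` two lines above is run with `sudo -E` while this call does not preserve the environment; that looks deliberate, since the script reads no variables, and is worth a word in the comment so nobody "fixes" it later.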
diff --git a/container-images/kolla/base/uid_gid_manage.sh b/container-images/kolla/base/uid_gid_manage.sh
index 3ecc0c2b..6739c901 100755
--- a/container-images/kolla/base/uid_gid_manage.sh
+++ b/container-images/kolla/base/uid_gid_manage.sh
@@ -37,7 +37,7 @@ _SUPPORTED_USERS['aodh']='aodh 42402 42402 /var/lib/aodh kolla'
 _SUPPORTED_USERS['barbican']='barbican 42403 42403 /var/lib/barbican kolla,nfast'
 _SUPPORTED_USERS['ceilometer']='ceilometer 42405 42405 /var/lib/ceilometer kolla'
 _SUPPORTED_USERS['cinder']='cinder 42407 42407 /var/lib/cinder kolla'
-_SUPPORTED_USERS['cloud-admin']='cloud-admin 42401 42401 /home/cloud-admin'
+_SUPPORTED_USERS['cloud-admin']='cloud-admin 42401 42401 /home/cloud-admin kolla'
 _SUPPORTED_USERS['designate']='designate 42411 42411 /var/lib/designate kolla'
 _SUPPORTED_USERS['etcd']='etcd 42413 42413 /var/lib/etcd kolla'
 _SUPPORTED_USERS['frrvty']='frrvty 42483 42483'
diff --git a/container-images/tcib/base/base.yaml b/container-images/tcib/base/base.yaml
index d6613594..91a6a62e 100644
--- a/container-images/tcib/base/base.yaml
+++ b/container-images/tcib/base/base.yaml
@@ -25,6 +25,8 @@ tcib_actions:
 - run: chmod 755 /usr/local/bin/kolla_start
 - run: cp /usr/share/tcib/container-images/kolla/base/httpd_setup.sh /usr/local/bin/kolla_httpd_setup
 - run: chmod 755 /usr/local/bin/kolla_httpd_setup
+- run: cp /usr/share/tcib/container-images/kolla/base/copy_cacerts.sh /usr/local/bin/kolla_copy_cacerts
+- run: chmod 755 /usr/local/bin/kolla_copy_cacerts
 - run: cp /usr/share/tcib/container-images/kolla/base/sudoers /etc/sudoers
 - run: chmod 440 /etc/sudoers
 - run: sed -ri '/^(passwd:|group:)/ s/systemd//g' /etc/nsswitch.conf
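Review bot: Appending `kolla` to the cloud-admin entry widens the root boundary for what is, unlike the service accounts around it in this table, an interactive login user: per the commit message, kolla-group membership is what lets a user run the kolla* helpers as root through sudoers, and sudoers is not part of this diff, so the set of commands cloud-admin can now execute as root is whatever the existing rule already grants. If that rule is a glob such as `/usr/local/bin/kolla_*`, every present and future helper installed under that prefix becomes reachable from the cloud-admin shell, which is broader than the stated goal of refreshing CA trust; I would prefer the sudoers rule name `kolla_copy_cacerts` explicitly. The reason for the membership should also be recorded inline so it is not removed or widened blindly, e.g. `# kolla: sudo for the kolla_* helpers so openstackclient can refresh CA trust (kolla_copy_cacerts)` above the entry. The `_SUPPORTED_USERS` table continues outside this hunk.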
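Review bot: The helper is installed and made executable here, but the `/etc/sudoers` copied two lines below is not changed by this commit while kolla_start now invokes the helper through `sudo`; unless the shipped sudoers already permits `/usr/local/bin/kolla_copy_cacerts` for the kolla group (or matches it through a glob), every container built from this base will fail at start with a sudo denial. I would either add the explicit sudoers entry in the same change or at least note the coupling next to the new lines, e.g. `# kolla_copy_cacerts is run via sudo from kolla_start; keep /etc/sudoers in sync`. `chmod 755` is the right mode for a sudo target since it leaves the file unwritable by the kolla group; keep it that way if the copy is ever moved.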