Add retry on getting ISSUER name

It happens on some infras that the issuer is empty. Probably
it does not have enough time to apply changes.
This commit adds retry for getting the ISSUER name.

Signed-off-by: Daniel Pawlik <[email protected]>

Author: danpawlik

tests/kuttl/common/osp_check_cert_issuer.sh

@@ -40,6 +40,16 @@ function check_keystone_endpoint {
     fi
 }
 
+get_issuer_cn() {
+    local host_port="$1"
+    local output
+
+    output=$(openssl s_client -connect "$host_port" </dev/null 2>/dev/null |
+        openssl x509 -noout -issuer 2>/dev/null)
+
+    echo "$output" | sed -n 's/^.*CN[[:space:]]*=[[:space:]]*\([^,]*\).*$/\1/p'
+}
+
 keystone_url=$(openstack endpoint list -c URL -f value | grep 'keystone-public')
 keystone_host_port=$(extract_host_port "$keystone_url")
 
@@ -60,11 +70,14 @@ for url in $(openstack endpoint list -c URL -f value | grep "$endpoint_filter");
     host_port=$(extract_host_port "$url")
 
     echo "Checking $host_port ..."
-    if [[ "$ENDPOINT_TYPE" == "public" ]]; then
-        ISSUER=$(echo | openssl s_client -connect "$host_port" 2>/dev/null | openssl x509 -noout -issuer | sed -n 's/^.*CN=\([^,]*\).*$/\1/p' | sed 's/ //g')
-    else
-        ISSUER=$(openssl s_client -connect $host_port </dev/null 2>/dev/null | openssl x509 -issuer -noout -in /dev/stdin | sed 's/ //g')
-    fi
+    for retry in {1..5}; do
+        echo "Retrying $retry on getting issuer $host_port..."
+        ISSUER=$(get_issuer_cn "$host_port")
+        if [[ -n "$ISSUER" ]]; then
+            break
+        fi
+        sleep 20
+    done
 
     if [[ "$ISSUER" != "$EXPECTED_ISSUER" ]]; then
         ISSUER_MISMATCHES+="$host_port issued by $ISSUER, expected $EXPECTED_ISSUER\n"

tests/kuttl/tests/ctlplane-tls-custom-issuers/02-assert-service-certs-issuers.yaml

@@ -8,7 +8,7 @@ commands:
 
   - script: |
       echo "Checking issuer of internal certificates..."
-      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal-custom" "internal"
+      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-internal-custom" "internal"
 
   - script: |
       echo "Checking issuer of ingress certificates..."

tests/kuttl/tests/ctlplane-tls-custom-issuers/04-assert-service-certs-default-issuers.yaml

@@ -12,7 +12,7 @@ commands:
 
   - script: |
       echo "Checking issuer of internal certificates..."
-      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal" "internal"
+      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-internal" "internal"
 
   - script: |
       echo "Checking issuer of ingress certificates..."

tests/kuttl/tests/ctlplane-tls-custom-issuers/07-assert-service-certs-default-issuers.yaml

@@ -8,7 +8,7 @@ commands:
 
   - script: |
       echo "Checking issuer of internal certificates..."
-      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal" "internal"
+      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-internal" "internal"
 
   - script: |
       echo "Checking issuer of ingress certificates..."

tests/kuttl/tests/ctlplane-tls-custom-issuers/10-assert-service-certs-issuers.yaml

@@ -12,7 +12,7 @@ commands:
 
   - script: |
       echo "Checking issuer of internal certificates..."
-      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal-custom" "internal"
+      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-internal-custom" "internal"
 
   - script: |
       echo "Checking issuer of ingress certificates..."