Merge pull request openstack-k8s-operators#1462 from danpawlik/retry-getting-issuer

Add retry on getting ISSUER name

Author: openshift-merge-bot[bot]

tests/kuttl/common/osp_check_cert_issuer.sh

@@ -40,6 +40,16 @@ function check_keystone_endpoint {
     fi
 }
 
+get_issuer_cn() {
+    local host_port="$1"
+    local output
+
+    output=$(openssl s_client -connect "$host_port" </dev/null 2>/dev/null |
+        openssl x509 -noout -issuer 2>/dev/null)
+
+    echo "$output" | sed -n 's/^.*CN[[:space:]]*=[[:space:]]*\([^,]*\).*$/\1/p'
+}
+
 keystone_url=$(openstack endpoint list -c URL -f value | grep 'keystone-public')
 keystone_host_port=$(extract_host_port "$keystone_url")
 
@@ -60,11 +70,14 @@ for url in $(openstack endpoint list -c URL -f value | grep "$endpoint_filter");
     host_port=$(extract_host_port "$url")
 
     echo "Checking $host_port ..."
-    if [[ "$ENDPOINT_TYPE" == "public" ]]; then
-        ISSUER=$(echo | openssl s_client -connect "$host_port" 2>/dev/null | openssl x509 -noout -issuer | sed -n 's/^.*CN=\([^,]*\).*$/\1/p' | sed 's/ //g')
-    else
-        ISSUER=$(openssl s_client -connect $host_port </dev/null 2>/dev/null | openssl x509 -issuer -noout -in /dev/stdin | sed 's/ //g')
-    fi
+    for retry in {1..5}; do
+        echo "Retrying $retry on getting issuer $host_port..."
+        ISSUER=$(get_issuer_cn "$host_port")
+        if [[ -n "$ISSUER" ]]; then
+            break
+        fi
+        sleep 20
+    done
 
     if [[ "$ISSUER" != "$EXPECTED_ISSUER" ]]; then
         ISSUER_MISMATCHES+="$host_port issued by $ISSUER, expected $EXPECTED_ISSUER\n"

tests/kuttl/tests/ctlplane-tls-custom-issuers/02-assert-service-certs-issuers.yaml

@@ -8,7 +8,7 @@ commands:
 
   - script: |
       echo "Checking issuer of internal certificates..."
-      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal-custom" "internal"
+      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-internal-custom" "internal"
 
   - script: |
       echo "Checking issuer of ingress certificates..."

tests/kuttl/tests/ctlplane-tls-custom-issuers/04-assert-service-certs-default-issuers.yaml

@@ -12,7 +12,7 @@ commands:
 
   - script: |
       echo "Checking issuer of internal certificates..."
-      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal" "internal"
+      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-internal" "internal"
 
   - script: |
       echo "Checking issuer of ingress certificates..."

tests/kuttl/tests/ctlplane-tls-custom-issuers/07-assert-service-certs-default-issuers.yaml

@@ -8,7 +8,7 @@ commands:
 
   - script: |
       echo "Checking issuer of internal certificates..."
-      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal" "internal"
+      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-internal" "internal"
 
   - script: |
       echo "Checking issuer of ingress certificates..."

tests/kuttl/tests/ctlplane-tls-custom-issuers/10-assert-service-certs-issuers.yaml

@@ -12,7 +12,7 @@ commands:
 
   - script: |
       echo "Checking issuer of internal certificates..."
-      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal-custom" "internal"
+      oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-internal-custom" "internal"
 
   - script: |
       echo "Checking issuer of ingress certificates..."