Change copy-cacerts behaviour

So far, the certificates were not part of config.json
files for containers. With future patches that will remove
container restarts based on triggers from config and
service-copy-cert, it is important that all files that change
during config are specified in config.json so that
kolla-set-configs --check can detect those changes and based
on that restart the container. This patch provides prerequisite
for future patch in kolla-ansible.

Comments from kevko:

The script also takes into account whether review [1] is
merged or not, ensuring that it will function correctly in
both cases thanks to review [2], because using the state
file, we can effectively verify whether the config.json that
copies CA certs to /var/lib/kolla/share is being used or not.

If we didn’t handle it this way, we would have to rely on
checking whether the directory /var/lib/kolla/share exists or
some another magic, which is insufficient because various
states and combinations of Kolla image and Kolla-Ansible
versions could result in certificates always being copied.
This method provides a clear and definitive distinction.

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/924651
[2] https://review.opendev.org/c/openstack/kolla/+/915440

Change-Id: I5120f1874f25a9ca8326e6db8b12dee4c81feb56
Signed-off-by: Roman Krček <[email protected]>
Co-Authored-By: Michal Arbet <[email protected]>
Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/924651

Author: r-krcek

docker/base/copy_cacerts.sh

@@ -3,25 +3,46 @@
 # Copy custom CA certificates to system trusted CA certificates folder
 # and run CA update utility
 
+if [[ -e "/etc/debian_version" ]]; then
+    ca_dst_path="/usr/local/share/ca-certificates"
+    update_command="update-ca-certificates"
+elif [[ -e "/etc/redhat-release" ]]; then
+    ca_dst_path="/etc/pki/ca-trust/source/anchors"
+    update_command="update-ca-trust"
+else
+    echo "Unsupported OS"
+    exit 1
+fi
+
+# Initialize update_needed variable
+update_needed="false"
+
 # Remove old certificates
-rm -f /usr/local/share/ca-certificates/kolla-customca-* \
-        /etc/pki/ca-trust/source/anchors/kolla-customca-*
+if find /etc/ssl/certs/ \
+        /usr/local/share/ca-certificates/ \
+        /etc/pki/ca-trust/source/anchors/ \
+        -name 'kolla*' -exec rm -f {} + 2>/dev/null; then
+    update_needed="true"
+fi
+
+# Determine source path for CA certificates
+if grep -q '"source": "/var/lib/kolla/share/ca-certificates"' /etc/kolla/defaults/state; then
+    ca_src_path="/var/lib/kolla/share/ca-certificates"
+else
+    ca_src_path="/var/lib/kolla/config_files/ca-certificates"
+fi
+
+# Check if the source path exists and is not empty
+if [[ -d ${ca_src_path} && $(ls -A "${ca_src_path}" 2>/dev/null) ]]; then
+    # Copy certificates and update CA
+    for cert in "${ca_src_path}"/*; do
+        file=$(basename "${cert}")
+        cp ${cert} ${ca_dst_path}/kolla-customca-${file}
+        update_needed="true"
+    done
+fi
 
-if [[ -d /var/lib/kolla/config_files/ca-certificates ]] && \
-        [[ ! -z "$(ls -A /var/lib/kolla/config_files/ca-certificates/)" ]]; then
-    if [[ -e /etc/debian_version ]]; then
-        # Debian, Ubuntu
-        for cert in /var/lib/kolla/config_files/ca-certificates/*; do
-            file=$(basename "$cert")
-            cp $cert "/usr/local/share/ca-certificates/kolla-customca-$file"
-        done
-        update-ca-certificates
-    elif [[ -e /etc/redhat-release ]]; then
-        # CentOS
-        for cert in /var/lib/kolla/config_files/ca-certificates/*; do
-            file=$(basename "$cert")
-            cp $cert "/etc/pki/ca-trust/source/anchors/kolla-customca-$file"
-        done
-        update-ca-trust
-    fi
+# Run the update command if needed
+if [[ "${update_needed}" == "true" ]]; then
+    ${update_command}
 fi