[BZ2038166] Add ShiftStack legacy certs script

installing/installing_openstack/preparing-to-install-on-openstack.adoc

@@ -39,3 +39,6 @@ You can install a cluster on {rh-openstack} infrastructure that you provision, b
 * **xref:../../installing/installing_openstack/installing-openstack-user-kuryr.adoc#installing-openstack-user-kuryr[Installing a cluster on OpenStack with Kuryr on your own infrastructure]**: You can install {product-title} on user-provisioned {rh-openstack} infrastructure that uses Kuryr SDN.
 
 * **xref:../../installing/installing_openstack/installing-openstack-user-sr-iov.adoc#installing-openstack-user-sr-iov[Installing a cluster on OpenStack on your own SR-IOV infrastructure]**: You can install {product-title} on user-provisioned {rh-openstack} infrastructure that uses single-root input/output virtualization (SR-IOV) networks to run compute machines.
+
+include::modules/security-osp-validating-certificates.adoc[leveloffset=+1]
+

modules/security-osp-validating-certificates.adoc

@@ -0,0 +1,116 @@
+// This is included in the following assemblies:
+//
+// * installing/installing_openstack/preparing-to-install-on-openstack.adoc
+
+:_content-type: PROCEDURE
+[id="security-osp-validating-certificates_{context}"]
+= Scanning {rh-openstack} endpoints for legacy HTTPS certificates
+
+Beginning with {product-title} 4.10, HTTPS certificates must contain subject alternative name (SAN) fields. Run the following script to scan each HTTPS endpoint in a {rh-openstack-first} catalog for legacy certificates that only contain the `CommonName` field.
+
+[IMPORTANT]
+{product-title} does not check the underlying {rh-openstack} infrastructure for legacy certificates prior to installation or updates. Use the provided script to check for these certificates yourself. Failing to update legacy certificates prior to installing or updating a cluster will result in cluster dysfunction.
+
+.Prerequisites
+
+* On the machine where you run the script, have the following software:
+** Bash version 4.0 or greater
+** `grep`
+** link:https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html/command_line_interface_reference/the_openstack_client[OpenStack client]
+** link:https://stedolan.github.io/jq/[`jq`]
+** link:https://www.openssl.org/[OpenSSL version 1.1.1l or greater]
+* Populate the machine with {rh-openstack} credentials for the target cloud.
+
+
+.Procedure
+
+. Save the following script to your machine: 
++
+[%collapsible%]
+====
+[source,bash]
+----
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+declare catalog san
+catalog="$(mktemp)"
+san="$(mktemp)"
+readonly catalog san
+
+declare invalid=0
+
+openstack catalog list --format json --column Name --column Endpoints \
+	| jq -r '.[] | .Name as $name | .Endpoints[] | [$name, .interface, .url] | join(" ")' \
+	| sort \
+	> "$catalog"
+
+while read -r name interface url; do
+	# Ignore HTTP
+	if [[ ${url#"http://"} != "$url" ]]; then
+		continue
+	fi
+
+	# Remove the schema from the URL
+	noschema=${url#"https://"}
+
+	# If the schema was not HTTPS, error
+	if [[ noschema == "$url" ]]; then
+		echo "ERROR (unknown schema): $name $interface $url"
+		exit 2
+	fi
+
+	# Remove the path and only keep host and port
+	noschema="${noschema%%/*}"
+	host="${noschema%%:*}"
+	port="${noschema##*:}"
+
+	# Add the port if was implicit
+	if [[ "$port" == "$host" ]]; then
+		port='443'
+	fi
+
+	# Get the SAN fields
+	openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
+		| openssl x509 -noout -ext subjectAltName \
+		> "$san"
+
+	# openssl returns the empty string if no SAN is found.
+	# If a SAN is found, openssl is expected to return something like:
+	#
+	#    X509v3 Subject Alternative Name:
+	#        DNS:standalone, DNS:osp1, IP Address:192.168.2.1, IP Address:10.254.1.2
+	if [[ "$(grep -c "Subject Alternative Name" "$san" || true)" -gt 0 ]]; then
+		echo "PASS: $name $interface $url"
+	else
+		invalid=$((invalid+1))
+		echo "INVALID: $name $interface $url"
+	fi
+done < "$catalog"
+
+# clean up temporary files
+rm "$catalog" "$san"
+
+if [[ $invalid -gt 0 ]]; then
+	echo "${invalid} legacy certificates were detected. Update your certificates to include a SAN field."
+	exit 1
+else
+	echo "All HTTPS certificates for this cloud are valid."
+fi
+----
+====
+
+. Run the script.
+
+. Replace any certificates that the script reports as `INVALID` with certificates that contain SAN fields.
+
+[IMPORTANT]
+====
+You must replace all legacy HTTPS certificates before you install {product-title} 4.10 or update a cluster to that version. Legacy certificates will be rejected with the following message:
+
+[source,txt]
+----
+x509: certificate relies on legacy Common Name field, use SANs instead
+----
+====