From a94a6f045de732d99e752a3f669445a558f00410 Mon Sep 17 00:00:00 2001 From: Hao Liu Date: Tue, 27 Sep 2022 21:37:57 -0400 Subject: [PATCH 1/2] change receptor ca secret to tls secret change the type of secret use for receptor ca to tls secret, to be more "proper" Signed-off-by: Hao Liu --- .../templates/deployments/deployment.yaml.j2 | 16 +++++++++++++--- .../templates/secrets/receptor_ca_secret.yaml.j2 | 5 +++-- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/roles/installer/templates/deployments/deployment.yaml.j2 b/roles/installer/templates/deployments/deployment.yaml.j2 index 988a9663..54ea5c62 100644 --- a/roles/installer/templates/deployments/deployment.yaml.j2 +++ b/roles/installer/templates/deployments/deployment.yaml.j2 @@ -67,7 +67,12 @@ spec: fieldPath: metadata.name volumeMounts: - name: "{{ ansible_operator_meta.name }}-receptor-ca" - mountPath: "/etc/receptor/tls/ca" + mountPath: "/etc/receptor/tls/ca/receptor-ca.crt" + subPath: "tls.crt" + readOnly: true + - name: "{{ ansible_operator_meta.name }}-receptor-ca" + mountPath: "/etc/receptor/tls/ca/receptor-ca.key" + subPath: "tls.key" readOnly: true - name: "{{ ansible_operator_meta.name }}-receptor-tls" mountPath: "/etc/receptor/tls/" @@ -179,7 +184,12 @@ spec: subPath: "work-public-key.pem" readOnly: true - name: "{{ ansible_operator_meta.name }}-receptor-ca" - mountPath: "/etc/receptor/tls/ca" + mountPath: "/etc/receptor/tls/ca/receptor-ca.crt" + subPath: "tls.crt" + readOnly: true + - name: "{{ ansible_operator_meta.name }}-receptor-ca" + mountPath: "/etc/receptor/tls/ca/receptor-ca.key" + subPath: "tls.key" readOnly: true {% if development_mode | bool %} - name: awx-devel 
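Review bot: The new `subPath` mounts of `tls.crt` and `tls.key` freeze the CA material in this container: Kubernetes does not propagate Secret updates into subPath mounts, whereas the directory mount they replace was refreshed in place, so a rotated or re-migrated CA is only picked up after a pod restart. The CA private key also lands in the container with the Secret volume's default file mode (0644 unless the `-receptor-ca` volume declaration, which is outside this hunk, sets `defaultMode`), so any process in the container can read it. Consider a tighter `defaultMode` on that volume (e.g. `0440`, checked against the pod's `runAsUser`/`fsGroup`) and a comment at the mount such as `# subPath mounts are not refreshed on Secret update; rotating the CA requires a pod restart`. The container spec continues outside this hunk.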
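Review bot: This container now gets the CA private key (`tls.key`) mounted alongside the certificate, while the container in the `@@ -324` hunk mounts only `tls.crt`; unless this container actually signs receptor certificates, mounting the key here is more privilege than it needs and the second `-receptor-ca` mount can be dropped. If the key is required, say so next to the mount, e.g. `# CA private key: needed to sign certificates for new execution nodes` — I am inferring that purpose from the file names and cannot confirm it from the diff. As with the first hunk, these `subPath` mounts will not see a later Secret update until the pod restarts.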
@@ -324,7 +334,7 @@ spec: mountPath: "/etc/receptor/" - name: "{{ ansible_operator_meta.name }}-receptor-ca" mountPath: "/etc/receptor/tls/ca/receptor-ca.crt" - subPath: "receptor-ca.crt" + subPath: "tls.crt" readOnly: true - name: "{{ ansible_operator_meta.name }}-receptor-work-signing" mountPath: "/etc/receptor/signing/work-private-key.pem" diff --git a/roles/installer/templates/secrets/receptor_ca_secret.yaml.j2 b/roles/installer/templates/secrets/receptor_ca_secret.yaml.j2 index 6a6d0c05..84ef1602 100644 --- a/roles/installer/templates/secrets/receptor_ca_secret.yaml.j2 +++ b/roles/installer/templates/secrets/receptor_ca_secret.yaml.j2 @@ -10,6 +10,7 @@ metadata: app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' app.kubernetes.io/component: '{{ deployment_type }}' app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}' +type: kubernetes.io/tls data: - receptor-ca.crt: '{{ lookup('file', '{{ _receptor_ca_crt_file.path }}') | b64encode }}' - receptor-ca.key: '{{ lookup('file', '{{ _receptor_ca_key_file.path }}') | b64encode }}' + tls.crt: '{{ lookup('file', '{{ _receptor_ca_crt_file.path }}') | b64encode }}' + tls.key: '{{ lookup('file', '{{ _receptor_ca_key_file.path }}') | b64encode }}' From 0611f3efaa56e3c1ce01ea4191ccf10aa9f4eaa3 Mon Sep 17 00:00:00 2001 From: Hao Liu Date: Tue, 27 Sep 2022 22:09:23 -0400 Subject: [PATCH 2/2] add migration code for receptor ca secret Signed-off-by: Hao Liu --- .../tasks/resources_configuration.yml | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/roles/installer/tasks/resources_configuration.yml b/roles/installer/tasks/resources_configuration.yml index 7ce87217..ab202266 100644 --- a/roles/installer/tasks/resources_configuration.yml +++ b/roles/installer/tasks/resources_configuration.yml 
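Review bot: The two new `data` entries keep the nested moustache form `lookup('file', '{{ _receptor_ca_crt_file.path }}')`, which only works because Ansible re-templates the lookup argument; the plain form `tls.crt: "{{ lookup('file', _receptor_ca_crt_file.path) | b64encode }}"` and `tls.key: "{{ lookup('file', _receptor_ca_key_file.path) | b64encode }}"` is what ansible-lint expects and does not depend on that secondary templating. It is worth a comment above `type: kubernetes.io/tls` recording why the migration in the second patch deletes and re-creates rather than patches, e.g. `# kubernetes.io/tls requires both tls.crt and tls.key; Secret type is immutable, so older Opaque secrets must be re-created`.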
@@ -35,6 +35,50 @@ register: _receptor_ca no_log: "{{ no_log }}" +- name: Migrate Receptor CA Secret + when: + - _receptor_ca['resources'] | default([]) | length + - _receptor_ca['resources'][0]['type'] != "kubernetes.io/tls" + block: + - name: Delete old Receptor CA Secret + k8s: + state: absent + kind: Secret + namespace: '{{ ansible_operator_meta.namespace }}' + name: '{{ ansible_operator_meta.name }}-receptor-ca' + - name: Create tempfile for receptor-ca.key + tempfile: + state: file + suffix: .key + register: _receptor_ca_key_file + - name: Copy Receptor CA key from old secret to tempfile + copy: + content: "{{ _receptor_ca['resources'][0]['data']['receptor-ca.key'] | b64decode }}" + dest: "{{ _receptor_ca_key_file.path }}" + no_log: "{{ no_log }}" + - name: Create tempfile for receptor-ca.crt + tempfile: + state: file + suffix: .crt + register: _receptor_ca_crt_file + - name: Copy Receptor CA cert from old secret to tempfile + copy: + content: "{{ _receptor_ca['resources'][0]['data']['receptor-ca.crt'] | b64decode }}" + dest: "{{ _receptor_ca_crt_file.path }}" + no_log: "{{ no_log }}" + - name: Create New Receptor CA secret + k8s: + apply: true + definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}" + no_log: "{{ no_log }}" + - name: Remove tempfiles + file: + path: "{{ item }}" + state: absent + loop: + - "{{ _receptor_ca_key_file.path }}" + - "{{ _receptor_ca_crt_file.path }}" + - name: Create Receptor Mesh CA block: - name: Create tempfile for receptor-ca.key
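Review bot: `Delete old Receptor CA Secret` runs before the key and certificate have been copied out of `_receptor_ca`, so a failure in any of the following tasks (tempfile creation, the `copy`, or rendering the new Secret) leaves the namespace with no Receptor CA at all, and the next reconcile appears to fall into `Create Receptor Mesh CA` and mint a fresh CA, which would invalidate every certificate already issued to existing nodes. Moving the delete to just before the create, adding a `rescue` that re-creates the old Secret from the data already held in `_receptor_ca`, and running `Remove tempfiles` from `always` (so the CA private key does not linger on the operator pod's filesystem after a failed run) closes that window. The migration also assumes the old secret carries `receptor-ca.key` and `receptor-ca.crt`; adding `- _receptor_ca['resources'][0]['data']['receptor-ca.key'] is defined` to the `when` list avoids deleting a secret it cannot reconstruct. The `Create Receptor Mesh CA` block that follows continues outside this hunk.
```yaml
- name: Migrate Receptor CA Secret
  when:
    - _receptor_ca['resources'] | default([]) | length
    - _receptor_ca['resources'][0]['type'] != "kubernetes.io/tls"
    - _receptor_ca['resources'][0]['data']['receptor-ca.key'] is defined
    - _receptor_ca['resources'][0]['data']['receptor-ca.crt'] is defined
  block:
    # … unchanged: create tempfiles and copy receptor-ca.key / receptor-ca.crt into them (no_log) …
    - name: Delete old Receptor CA Secret
      k8s:
        state: absent
        kind: Secret
        namespace: '{{ ansible_operator_meta.namespace }}'
        name: '{{ ansible_operator_meta.name }}-receptor-ca'
    - name: Create New Receptor CA secret
      k8s:
        apply: true
        definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
      no_log: "{{ no_log }}"
  rescue:
    - name: Restore old Receptor CA Secret so a fresh CA is not generated
      k8s:
        apply: true
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: '{{ ansible_operator_meta.name }}-receptor-ca'
            namespace: '{{ ansible_operator_meta.namespace }}'
          type: "{{ _receptor_ca['resources'][0]['type'] }}"
          data: "{{ _receptor_ca['resources'][0]['data'] }}"
      no_log: "{{ no_log }}"
    - name: Abort reconcile after restoring the old secret
      fail:
        msg: "Receptor CA secret migration failed; previous secret restored"
  always:
    - name: Remove tempfiles
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - "{{ _receptor_ca_key_file.path | default('') }}"
        - "{{ _receptor_ca_crt_file.path | default('') }}"
      when: item | length
```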