Comment 2 for bug 2059708

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/914684
Committed: https://opendev.org/starlingx/config/commit/01a5ea0843bd25a422993ff267567609f67351a5
Submitter: "Zuul (22348)"
Branch: master

commit 01a5ea0843bd25a422993ff267567609f67351a5
Author: Rei Oliveira <email address hidden>
Date: Thu Mar 28 14:28:34 2024 -0300

    First check Root CAs on kube-cert-rotation.sh

    As of now, the script only verifies the validity of leaf certificates
    and, if expired, will regenerate them based on K8s/etcd Root CAs.
    It doesn't account for the possibility of Root CAs being expired.
    It will generate leaf certificates based on Root CAs, even if said
    Root CAs are expired.

    This change fixes that behaviour by first checking validity of
    Root CAs and only allowing leaf certificate renewal if RCAs are
    valid.

    Test plan:

    PASS: Cause Root CAs to expire, run kube-cert-rotation.sh script
          and verify that it fails with an error saying Root CAs are
          expired and leaf certificates are not renewed.
    PASS: Ensure to have valid Root CAs, cause leaf certificates
          to expire, run kube-cert-rotation.sh and verify that the
          script executes normally and is able to renew
          the leaf certificates.

    Closes-Bug: 2059708

    Signed-off-by: Rei Oliveira <email address hidden>
    Change-Id: I98dfd8d1417754f3c723d8ddd52a856785ffc83b
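
The ordering the commit message describes (verify the Root CAs first, renew leaf certificates only if they are valid), as an added sketch that is not code from kube-cert-rotation.sh or the StarlingX project. The function names, the CA paths passed as arguments and the optional expiry margin are assumptions for illustration; the margin generalizes "expired" to "expires within N seconds".

```shell
#!/bin/sh
# Added illustration; hypothetical helper names, not the project's script.

# ca_is_valid CERT [MARGIN_SECONDS]
# Returns 0 only if CERT is a readable X.509 certificate that is still
# valid MARGIN_SECONDS from now (default 0, meaning "not expired now").
ca_is_valid() {
    _ca_cert=$1
    _ca_margin=${2:-0}
    if [ ! -r "$_ca_cert" ]; then
        echo "ERROR: cannot read CA certificate $_ca_cert" >&2
        return 2
    fi
    # openssl exits 0 if the certificate does not expire within the
    # given number of seconds, non-zero if it does or cannot be parsed.
    openssl x509 -in "$_ca_cert" -noout -checkend "$_ca_margin" \
        >/dev/null 2>&1
}

# renew_if_cas_valid MARGIN_SECONDS RENEW_CMD CA_CERT...
# Runs RENEW_CMD (the leaf renewal step) only when every CA_CERT passes
# ca_is_valid. On the first failing CA it logs an error and returns 1
# without touching any leaf certificate.
renew_if_cas_valid() {
    _margin=$1
    _renew_cmd=$2
    shift 2
    for _ca in "$@"; do
        if ! ca_is_valid "$_ca" "$_margin"; then
            echo "ERROR: Root CA $_ca is expired or unusable;" \
                 "leaf certificates not renewed" >&2
            return 1
        fi
    done
    "$_renew_cmd"
}
```

`-checkend` only looks at the notAfter date, so a CA that is not yet valid would still pass this check.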