Filter out ocp certs from the external ones

When using RHACM to deploy disconnected IBU seed SNO clusters, the
trusted-ca-bundle, which should only contain external to OCP CA
certificates, can contain also OCP internal CA certificates. E.g.:

- internal-loadbalancer-serving
- service-network-serving-cert
- localhost-serving-cert
- external-loadbalancer-serving

This change filters out all certs found in there with their subject
containing openshift as the organisation unit (i.e. OU=openshift), as
they are not external certs and should not be ignored by recert when
regenerating and re-signing OCP certificates.

Signed-off-by: Michail Resvanis <mresvani@redhat.com>

Author: Michail Resvanis

src/cluster_crypto/scanning/external_certs.rs

@@ -46,6 +46,11 @@ pub(crate) async fn discover_external_certs(in_memory_etcd_client: Arc<InMemoryK
             }),
             _ => bail!("unexpected tag"),
         })
+        .filter_map(|result| match result {
+            Ok(subject) if !subject.contains("OU=openshift") => Some(Ok(subject)),
+            Ok(_) => None,
+            Err(e) => Some(Err(e)),
+        })
         .collect::<Result<HashSet<_>>>()
 }