
update list of root certificates that Chef client trusts #43370

Merged
merged 4 commits into from Nov 10, 2021

Conversation

sureshc

@sureshc sureshc commented Nov 4, 2021

https://codedotorg.atlassian.net/browse/INF-492

Testing story

Provisioning a new adhoc works:
bundle exec rake adhoc:start RAILS_ENV=adhoc

excerpt from /var/log/chef-bootstrap-debug.log:

  * remote_file[/etc/chef/local-mode-cache/cache/pdftk-java_3.1.1-1_all.deb] action create
    - create new file /etc/chef/local-mode-cache/cache/pdftk-java_3.1.1-1_all.deb
    - update content in file /etc/chef/local-mode-cache/cache/pdftk-java_3.1.1-1_all.deb from none to 8a28ba
    (new content is binary, diff output suppressed)
  * apt_package[default-jre-headless, libbcprov-java, libcommons-lang3-java] action install
    - install version 2:1.11-68ubuntu1~18.04.1 of package default-jre-headless
    - install version 1.59-1 of package libbcprov-java
    - install version 3.8-1~18.04.2 of package libcommons-lang3-java
  * dpkg_package[pdftk-java] action install
    - install version 3.1.1-1 of package pdftk-java

An existing adhoc (that runs local mode chef):

  1. Created feature branch test-update-chef-certs-on-existing-instance with a commit to comment out installation of the pdftk-java package
  2. Successfully provisioned an adhoc and verified it has the old root certificate file embedded in the Chef client
  3. Added a commit that replaces the Chef embedded root certificate on an existing “local mode” system with a newer one from our repository each time /aws/ci_build runs. Also merged in update-chef-trusted-root-certificates and a commit that re-enabled installation of the pdftk-java package, and pushed to origin
  4. Existing adhoc picked up the new commits, rebuilt itself and correctly replaced the root certificate embedded in the Chef client.
  5. However, dpkg -s pdftk-java showed that the package was not installed. It appears that for an existing local mode EC2 Instance, we do not re-run Chef client with each build to apply new commits.
  6. Manually ran chef client to apply cookbook updates (sudo /opt/chef/bin/chef-client --chef-license accept-silent) and verified with dpkg -s pdftk-java that the package was installed.

Deployment strategy

Follow-up work

Should we modify our build process to run Chef client for existing local mode environments each time a build runs?

Privacy

Security

Caching

PR Checklist:

  • Tests provide adequate coverage
  • Privacy and Security impacts have been assessed
  • Code is well-commented
  • New features are translatable or updates will not break translations
  • Relevant documentation has been added or updated
  • User impact is well-understood and desirable
  • Pull Request is labeled appropriately
  • Follow-up work items (including potential tech debt) are tracked and linked
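One way to carry out step 3 of the testing story (replacing the root certificate bundle embedded in the Chef client on a local mode system) while guarding the trust store, as an added example in Ruby, Chef's own language. This is not code from the PR or from the code.org repository. It assumes the bundle lives at /opt/chef/embedded/ssl/certs/cacert.pem (the PR does not name the file), and all certificates it uses are constructed in a temp directory at run time, so it runs offline and never touches the real install.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Assumed location of the CA bundle shipped inside the Chef omnibus package
# (the PR does not name the file; adjust if your install differs).
CHEF_CACERT = '/opt/chef/embedded/ssl/certs/cacert.pem'.freeze

# Split a PEM bundle into OpenSSL::X509::Certificate objects.
def parse_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Vet a candidate bundle before it becomes the client's trust store: every
# entry must parse, be self-signed (a root, not an intermediate or leaf) and
# be within its validity period. Returns { ok:, count:, problems: [...] }.
def check_bundle(pem_text, now: Time.now)
  certs = parse_bundle(pem_text)
  problems = []
  problems << 'bundle contains no certificates' if certs.empty?
  certs.each do |c|
    name = c.subject.to_s
    problems << "#{name}: issuer differs from subject (not a root)" unless c.issuer.to_s == c.subject.to_s
    problems << "#{name}: expired #{c.not_after.utc}" if c.not_after < now
    problems << "#{name}: not valid until #{c.not_before.utc}" if c.not_before > now
  end
  { ok: problems.empty?, count: certs.size, problems: problems }
end

# Install `new_pem` at `target` only if it passes check_bundle, keeping a
# timestamped backup of the old bundle and renaming into place so a partly
# written file is never the live trust store. Returns the number of roots.
def replace_bundle(target, new_pem, now: Time.now)
  result = check_bundle(new_pem, now: now)
  raise "refusing to install bundle: #{result[:problems].join('; ')}" unless result[:ok]
  FileUtils.cp(target, "#{target}.#{now.strftime('%Y%m%d%H%M%S')}.bak") if File.exist?(target)
  tmp = "#{target}.tmp"
  File.write(tmp, new_pem)
  File.chmod(0o644, tmp)
  File.rename(tmp, target)
  result[:count]
end

# Post-install check: does the bundle on disk verify a certificate chained to
# one of its roots? This is what chef-client's OpenSSL does for HTTPS.
def bundle_trusts?(bundle_path, cert)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  store.verify(cert)
end

# --- constructed demo material (throwaway keys, not real roots) -------------

def make_cert(cn, issuer_cert: nil, issuer_key: nil, ca: false,
              not_before: Time.now - 60, not_after: Time.now + 86_400)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Walk the whole procedure in a temp dir: old bundle in place, a bad candidate
# rejected, a good candidate installed, trust verified before and after.
def demo
  Dir.mktmpdir do |dir|
    target = File.join(dir, 'cacert.pem')
    old_root, _key = make_cert('Demo Old Root', ca: true)
    File.write(target, old_root.to_pem)
    new_root, new_key = make_cert('Demo New Root', ca: true)
    expired, _key = make_cert('Demo Expired Root', ca: true, not_after: Time.now - 10)
    leaf, _key = make_cert('host.example.test', issuer_cert: new_root, issuer_key: new_key)

    rejected = check_bundle(new_root.to_pem + expired.to_pem)
    before = bundle_trusts?(target, leaf)
    installed = replace_bundle(target, new_root.to_pem + old_root.to_pem)
    after = bundle_trusts?(target, leaf)
    { bad_rejected: !rejected[:ok], bad_problems: rejected[:problems].size,
      trusted_before: before, installed: installed, trusted_after: after,
      backups: Dir.glob("#{target}.*.bak").size }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Against a real system you would call replace_bundle(CHEF_CACERT, File.read('path/to/new-bundle.pem')) from the build step and then bundle_trusts? with the certificate of a host the cookbook actually fetches from; the backup file gives a one-step rollback if a later chef-client run fails with a certificate verification error.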

@sureshc sureshc requested a review from a team November 5, 2021 16:41

@Hamms Hamms left a comment


This change looks good to me, and your validation process seems thorough!

I think it would make sense to do a full chef run on each build. That's the way chef expects to be used, after all. But I also expect that we'll have to do some work to make that a practical solution.

@Hamms Hamms added the Chef Upgrade Work related to upgrading between major versions of chef label Nov 5, 2021
@sureshc sureshc merged commit e0fd769 into staging Nov 10, 2021
@sureshc sureshc deleted the update-chef-trusted-root-certificates branch November 10, 2021 19:03