Allow the IHA OCF and fencing resource to be moved to the nova service user

Currently both nova evacuate and fence compute in the Instance HA
setup of tripleo use the keystone admin user in order to query nova,
evacuate instances, disable/enable the nova-compute service and
call the nova force-down API.

With this patch we introduce the keystone_tenant parameter which is
needed when moving to the nova service user as it is different than
keystone_admin in that case.

Tested as follows:
1. Deployed a normal unpatched OSP13 with IHA
2. Run a redeploy with the following addition:
parameter_defaults:
  ExtraConfig:
    tripleo::profile::base::pacemaker::instance_ha::keystone_password: "%{hiera('nova::keystone::authtoken::password')}"
    tripleo::profile::base::pacemaker::instance_ha::keystone_admin: 'nova'
    tripleo::profile::base::pacemaker::instance_ha::keystone_tenant: 'service'
3. Observe the following:
3.1. Both the fence_compute and nova evacuate resources have updated attributes
3.2. IHA still works correctly

Change-Id: If6b19ad05e0f91425f93a1c123947e92cf2ba949
Michele Baldessari 2019-10-11 22:18:43 +02:00
parent 06e901c215
commit 066a360ee5
1 changed files with 21 additions and 1 deletions


@ -40,6 +40,10 @@
# The keystone admin username
# Defaults to hiera('keystone::roles::admin::admin_tenant', 'admin')
#
# [*keystone_tenant*]
# The keystone tenant
# Defaults to hiera('keystone::roles::admin::admin_tenant', 'admin')
#
# [*keystone_domain*]
# The keystone domain
# Defaults to hiera('tripleo::clouddomain', 'localdomain')
@ -64,18 +68,31 @@
# (Optional) Integer, seconds to wait before starting the nova evacuate
# Defaults to hiera('tripleo::instanceha::evacuate_delay', 0)
#
# [*deep_compare_fencing*]
# (Optional) Boolean, should fence_compute be deep compared in order to
# update the existing fencing resource when puppet is being rerun
# Defaults to hiera('tripleo::fencing', true)
#
# [*deep_compare_ocf*]
# (Optional) Boolean, should the IHA ocf resource nova evacuate be deep
# compared in order to update the resource when puppet is being rerun
# Defaults to hiera('pacemaker::resource::ocf::deep_compare', true)
#
class tripleo::profile::base::pacemaker::instance_ha (
$step = Integer(hiera('step')),
$pcs_tries = hiera('pcs_tries', 20),
$keystone_endpoint_url = hiera('keystone::endpoint::public_url'),
$keystone_password = hiera('keystone::admin_password'),
$keystone_admin = hiera('keystone::roles::admin::admin_tenant', 'admin'),
$keystone_tenant = hiera('keystone::roles::admin::admin_tenant', 'admin'),
$keystone_domain = hiera('tripleo::clouddomain', 'localdomain'),
$user_domain = hiera('nova::keystone::authtoken::user_domain_name', 'Default'),
$project_domain = hiera('nova::keystone::authtoken::project_domain_name', 'Default'),
$region_name = hiera('nova::keystone::authtoken::region_name', 'regionOne'),
$no_shared_storage = hiera('tripleo::instanceha::no_shared_storage', true),
$evacuate_delay = hiera('tripleo::instanceha::evacuate_delay', 0),
$deep_compare_fencing = hiera('tripleo::fencing', true),
$deep_compare_ocf = hiera('pacemaker::resource::ocf::deep_compare', true),
) {
if $step >= 2 {
class { '::pacemaker::resource_defaults':
@ -103,6 +120,7 @@ class tripleo::profile::base::pacemaker::instance_ha (
meta_attr => 'provides=unfencing',
pcmk_host_list => '',
tries => $pcs_tries,
deep_compare => $deep_compare_fencing,
}
pacemaker::resource::ocf { 'compute-unfence-trigger':
@ -111,6 +129,7 @@ class tripleo::profile::base::pacemaker::instance_ha (
clone_params => true,
op_params => 'stop timeout=20 on-fail=block',
tries => $pcs_tries,
deep_compare => $deep_compare_ocf,
location_rule => {
resource_discovery => 'never',
score => '-INFINITY',
@ -130,9 +149,10 @@ class tripleo::profile::base::pacemaker::instance_ha (
pacemaker::resource::ocf { 'nova-evacuate':
ocf_agent_name => 'openstack:NovaEvacuate',
# lint:ignore:140chars
resource_params => "auth_url=${keystone_endpoint_url} username=${keystone_admin} password=${keystone_password} user_domain=${user_domain} project_domain=${project_domain} tenant_name=${keystone_admin} region_name=${region_name} ${iha_no_shared_storage}${evacuate_param}",
resource_params => "auth_url=${keystone_endpoint_url} username=${keystone_admin} password=${keystone_password} user_domain=${user_domain} project_domain=${project_domain} tenant_name=${keystone_tenant} region_name=${region_name} ${iha_no_shared_storage}${evacuate_param}",
# lint:endignore
tries => $pcs_tries,
deep_compare => $deep_compare_ocf,
location_rule => {
resource_discovery => 'never',
score => '-INFINITY',
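Review bot: In the visible hunks `$keystone_tenant` is consumed only by the `nova-evacuate` `resource_params` string; the `fence_compute` resource body starts above the `-103,6` hunk and its tenant argument is not shown, so confirm it also receives `$keystone_tenant` rather than a value derived from `$keystone_admin`. The settings `keystone_admin`, `keystone_password` and `keystone_tenant` only work when overridden together, and the new parameter doc should say so, e.g. `# Must be the project in which keystone_admin holds its role; override together with keystone_admin and keystone_password`. The default of `$deep_compare_fencing` reads the hiera key `tripleo::fencing`, which looks like a different setting than a deep-compare switch (the OCF one reads `pacemaker::resource::ocf::deep_compare`); if it resolves to false, a rerun presumably leaves the previous admin credentials in the existing fence resource. Because `password=${keystone_password}` is passed as a plain resource parameter, moving to the service user reduces what a reader of the cluster configuration obtains only once every resource has actually been updated, so the test steps should check that no resource still carries the admin password.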