From 066a360ee5d966be027130d85d6ab6296dd0d3e5 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 11 Oct 2019 22:18:43 +0200 Subject: [PATCH] Allow the IHA OCF and fencing resource to be moved to the nova service user Currently both nova evacuate and fence compute in the Instance HA setup of tripleo user the keystone admin user in order to query nova, evacuate instances, disable/enable the nova-compute service and call the nova force-down API. With this patch we introduce the keystone_tenant parameter which is needed when moving to the nova service user as it is different than keystone_admin in that case. Tested as follows: 1. Deployed a normal unpatched OSP13 with IHA 2. Run a redeploy with the following addition: parameter_defaults: ExtraConfig: tripleo::profile::base::pacemaker::instance_ha::keystone_password: "%{hiera('nova::keystone::authtoken::password')}" tripleo::profile::base::pacemaker::instance_ha::keystone_admin: 'nova' tripleo::profile::base::pacemaker::instance_ha::keystone_tenant: 'service' 3. Observe the following: 3.1. Both the fence_compute and nova evacuate resources have updated attributes 3.2. IHA still works correctly Change-Id: If6b19ad05e0f91425f93a1c123947e92cf2ba949 --- .../profile/base/pacemaker/instance_ha.pp | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/manifests/profile/base/pacemaker/instance_ha.pp b/manifests/profile/base/pacemaker/instance_ha.pp index 2687fb79f..908c0660c 100644 --- a/manifests/profile/base/pacemaker/instance_ha.pp +++ b/manifests/profile/base/pacemaker/instance_ha.pp @@ -40,6 +40,10 @@ # The keystone admin username # Defaults to hiera('keystone::roles::admin::admin_tenant', 'admin') # +# [*keystone_tenant*] +# The keystone tenant +# Defaults to hiera('keystone::roles::admin::admin_tenant', 'admin') +# # [*keystone_domain*] # The keystone domain # Defaults to hiera('tripleo::clouddomain', 'localdomain') 
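Review bot: The new `keystone_tenant` doc entry says only "The keystone tenant" and does not explain how it relates to `keystone_admin`. Its documented default is the same `keystone::roles::admin::admin_tenant` key that `keystone_admin` uses, so a reader cannot tell that the two now mean different things or that they must be overridden together. I would expand it to `#   The keystone project (tenant) that the keystone_admin user authenticates against.` followed by `#   Override together with keystone_admin and keystone_password when switching to a service user.` The parameter documentation block starts and continues outside this hunk.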
@@ -64,18 +68,31 @@ # (Optional) Integer, seconds to wait before starting the nova evacuate # Defaults to hiera('tripleo::instanceha::evacuate_delay', 0) # +# [*deep_compare_fencing*] +# (Optional) Boolean, should fence_compute be deep compared in order to +# update the existing fencing resource when puppet is being rerun +# Defaults to hiera('tripleo::fencing', true) +# +# [*deep_compare_ocf*] +# (Optional) Boolean, should the IHA ocf resource nova evacuate be deep +# compared in order to update the resource when puppet is being rerun +# Defaults to hiera('pacemaker::resource::ocf::deep_compare', true) +# class tripleo::profile::base::pacemaker::instance_ha ( $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), $keystone_endpoint_url = hiera('keystone::endpoint::public_url'), $keystone_password = hiera('keystone::admin_password'), $keystone_admin = hiera('keystone::roles::admin::admin_tenant', 'admin'), + $keystone_tenant = hiera('keystone::roles::admin::admin_tenant', 'admin'), $keystone_domain = hiera('tripleo::clouddomain', 'localdomain'), $user_domain = hiera('nova::keystone::authtoken::user_domain_name', 'Default'), $project_domain = hiera('nova::keystone::authtoken::project_domain_name', 'Default'), $region_name = hiera('nova::keystone::authtoken::region_name', 'regionOne'), $no_shared_storage = hiera('tripleo::instanceha::no_shared_storage', true), $evacuate_delay = hiera('tripleo::instanceha::evacuate_delay', 0), + $deep_compare_fencing = hiera('tripleo::fencing', true), + $deep_compare_ocf = hiera('pacemaker::resource::ocf::deep_compare', true), ) { if $step >= 2 { class { '::pacemaker::resource_defaults': @@ -103,6 +120,7 @@ class tripleo::profile::base::pacemaker::instance_ha ( meta_attr => 'provides=unfencing', pcmk_host_list => '', tries => $pcs_tries, + deep_compare => $deep_compare_fencing, } pacemaker::resource::ocf { 'compute-unfence-trigger': 
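Review bot: The default for `$deep_compare_fencing` is `hiera('tripleo::fencing', true)`, and that key reads like a class or namespace name rather than a boolean setting, unlike the `pacemaker::resource::ocf::deep_compare` key used for `$deep_compare_ocf` on the next line. If deployment data ever defines a value under `tripleo::fencing`, it would be passed straight through as `deep_compare` on the fencing resource. I would point the lookup at a dedicated boolean key, e.g. `hiera('<fencing deep_compare key>', true)` (a placeholder, since the intended key name is not visible on this page), and update the `Defaults to` line in the doc block to match. Declaring the parameter as `Boolean $deep_compare_fencing` would also reject bad data at compile time.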
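Review bot: The fence_compute stanza gains only `deep_compare` in this hunk, and the patch's single removed line is the nova-evacuate `resource_params`, so whatever this stonith resource passes as its tenant is left unchanged. The commit message says both the fencing and the evacuate resources move to the service user. If the arguments above this hunk (not visible here) still derive the tenant from `$keystone_admin`, the tested override would authenticate fencing against tenant `nova` while evacuation uses `service`. It is worth confirming that the stonith resource's tenant argument reads `$keystone_tenant`; the stanza begins outside the hunk.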
@@ -111,6 +129,7 @@ class tripleo::profile::base::pacemaker::instance_ha ( clone_params => true, op_params => 'stop timeout=20 on-fail=block', tries => $pcs_tries, + deep_compare => $deep_compare_ocf, location_rule => { resource_discovery => 'never', score => '-INFINITY', @@ -130,9 +149,10 @@ class tripleo::profile::base::pacemaker::instance_ha ( pacemaker::resource::ocf { 'nova-evacuate': ocf_agent_name => 'openstack:NovaEvacuate', # lint:ignore:140chars - resource_params => "auth_url=${keystone_endpoint_url} username=${keystone_admin} password=${keystone_password} user_domain=${user_domain} project_domain=${project_domain} tenant_name=${keystone_admin} region_name=${region_name} ${iha_no_shared_storage}${evacuate_param}", + resource_params => "auth_url=${keystone_endpoint_url} username=${keystone_admin} password=${keystone_password} user_domain=${user_domain} project_domain=${project_domain} tenant_name=${keystone_tenant} region_name=${region_name} ${iha_no_shared_storage}${evacuate_param}", # lint:endignore tries => $pcs_tries, + deep_compare => $deep_compare_ocf, location_rule => { resource_discovery => 'never', score => '-INFINITY',
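Review bot: The rewritten `resource_params` for `nova-evacuate` still interpolates `password=${keystone_password}` into one space-separated string. With the override shown in the commit message, that value is the nova service password, kept as a plain resource attribute in the cluster configuration. With `deep_compare => $deep_compare_ocf` the string is now compared on each rerun and rewritten when it differs, so it is worth confirming that this update path does not print the old or new parameter string to Puppet logs or reports. A value containing whitespace would also split into extra parameters, so I would record both constraints above the line: `# resource_params embeds the keystone password in clear text; values must not contain whitespace`. The resource block continues past the end of the hunk.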