Allow the IHA OCF and fencing resource to be moved to the nova service user

Currently both nova evacuate and fence compute in the Instance HA
setup of tripleo use the keystone admin user in order to query nova,
evacuate instances, disable/enable the nova-compute service and
call the nova force-down API.

With this patch we introduce the keystone_tenant parameter which is
needed when moving to the nova service user as it is different than
keystone_admin in that case.

Tested as follows:
1. Deployed a normal unpatched OSP13 with IHA
2. Run a redeploy with the following addition:
parameter_defaults:
  ExtraConfig:
    tripleo::profile::base::pacemaker::instance_ha::keystone_password: "%{hiera('nova::keystone::authtoken::password')}"
    tripleo::profile::base::pacemaker::instance_ha::keystone_admin: 'nova'
    tripleo::profile::base::pacemaker::instance_ha::keystone_tenant: 'service'
3. Observe the following:
3.1. Both the fence_compute and nova evacuate resources have updated attributes
3.2. IHA still works correctly

Closes-Bug: #1848451

Change-Id: If6b19ad05e0f91425f93a1c123947e92cf2ba949
(cherry picked from commit 066a360ee5)
(cherry picked from commit 4e785257bd)
Michele Baldessari 2019-10-11 22:18:43 +02:00
parent f0c7feed06
commit 0f27a41b7b
1 changed files with 21 additions and 1 deletions

@ -40,6 +40,10 @@
# The keystone admin username
# Defaults to hiera('keystone::roles::admin::admin_tenant', 'admin')
#
# [*keystone_tenant*]
# The keystone tenant
# Defaults to hiera('keystone::roles::admin::admin_tenant', 'admin')
#
# [*keystone_domain*]
# The keystone domain
# Defaults to hiera('tripleo::clouddomain', 'localdomain')
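Review bot: the new [*keystone_tenant*] entry says only "The keystone tenant", which does not tell an operator how it relates to keystone_admin. Suggest stating that it is the tenant (project) the keystone_admin user authenticates against, and that it has to be overridden together with keystone_admin and keystone_password when the resources are moved to a service user. The keystone_admin entry just above is described as a username but lists the admin_tenant hiera key as its default, which deserves a word of explanation now that user and tenant are separate parameters.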
@ -60,17 +64,30 @@
# (Optional) Integer, seconds to wait before starting the nova evacuate
# Defaults to hiera('tripleo::instanceha::evacuate_delay', 0)
#
# [*deep_compare_fencing*]
# (Optional) Boolean, should fence_compute be deep compared in order to
# update the existing fencing resource when puppet is being rerun
# Defaults to hiera('tripleo::fencing', true)
#
# [*deep_compare_ocf*]
# (Optional) Boolean, should the IHA ocf resource nova evacuate be deep
# compared in order to update the resource when puppet is being rerun
# Defaults to hiera('pacemaker::resource::ocf::deep_compare', true)
#
class tripleo::profile::base::pacemaker::instance_ha (
$step = Integer(hiera('step')),
$pcs_tries = hiera('pcs_tries', 20),
$keystone_endpoint_url = hiera('keystone::endpoint::public_url'),
$keystone_password = hiera('keystone::admin_password'),
$keystone_admin = hiera('keystone::roles::admin::admin_tenant', 'admin'),
$keystone_tenant = hiera('keystone::roles::admin::admin_tenant', 'admin'),
$keystone_domain = hiera('tripleo::clouddomain', 'localdomain'),
$user_domain = hiera('nova::keystone::authtoken::user_domain_name', 'Default'),
$project_domain = hiera('nova::keystone::authtoken::project_domain_name', 'Default'),
$no_shared_storage = hiera('tripleo::instanceha::no_shared_storage', true),
$evacuate_delay = hiera('tripleo::instanceha::evacuate_delay', 0),
$deep_compare_fencing = hiera('tripleo::fencing', true),
$deep_compare_ocf = hiera('pacemaker::resource::ocf::deep_compare', true),
) {
if $step >= 2 {
class { '::pacemaker::resource_defaults':
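Review bot: the default for $deep_compare_fencing reads hiera('tripleo::fencing', true), a key whose name says nothing about deep comparison, while $deep_compare_ocf reads 'pacemaker::resource::ocf::deep_compare'. If 'tripleo::fencing' is ever set for another purpose, its value would silently decide whether fence_compute is updated on a puppet rerun; a dedicated key would avoid that. Both deep_compare parameters are also missing from the commit message, and since they default to true they should be mentioned there.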
@ -97,6 +114,7 @@ class tripleo::profile::base::pacemaker::instance_ha (
meta_attr => 'provides=unfencing',
pcmk_host_list => '',
tries => $pcs_tries,
deep_compare => $deep_compare_fencing,
}
pacemaker::resource::ocf { 'compute-unfence-trigger':
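Review bot: please confirm that the fence_compute resource ending in this hunk takes its tenant from $keystone_tenant. The only tenant_name change visible in the patch is in the nova-evacuate resource_params, and here only deep_compare is added, yet the commit message expects both resources to end up with updated attributes. If the stonith resource still derives its tenant from $keystone_admin, the settings from the test procedure would have it authenticate as user 'nova' in a tenant named 'nova'.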
@ -105,6 +123,7 @@ class tripleo::profile::base::pacemaker::instance_ha (
clone_params => true,
op_params => 'stop timeout=20 on-fail=block',
tries => $pcs_tries,
deep_compare => $deep_compare_ocf,
location_rule => {
resource_discovery => 'never',
score => '-INFINITY',
@ -124,9 +143,10 @@ class tripleo::profile::base::pacemaker::instance_ha (
pacemaker::resource::ocf { 'nova-evacuate':
ocf_agent_name => 'openstack:NovaEvacuate',
# lint:ignore:140chars
resource_params => "auth_url=${keystone_endpoint_url} username=${keystone_admin} password=${keystone_password} user_domain=${user_domain} project_domain=${project_domain} tenant_name=${keystone_admin} ${iha_no_shared_storage}${evacuate_param}",
resource_params => "auth_url=${keystone_endpoint_url} username=${keystone_admin} password=${keystone_password} user_domain=${user_domain} project_domain=${project_domain} tenant_name=${keystone_tenant} ${iha_no_shared_storage}${evacuate_param}",
# lint:endignore
tries => $pcs_tries,
deep_compare => $deep_compare_ocf,
location_rule => {
resource_discovery => 'never',
score => '-INFINITY',
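Review bot: tenant_name in resource_params now comes from $keystone_tenant, whose default is hiera('keystone::roles::admin::admin_tenant', 'admin') rather than the value of $keystone_admin. A deployment that already overrides keystone_admin alone had tenant_name follow that override before this change and will get the admin tenant afterwards. Either default $keystone_tenant to $keystone_admin or call out the behaviour change in a release note. Separately, password=${keystone_password} stays inline in resource_params, so once this points at the nova service user that credential sits in the pacemaker resource attributes; worth flagging for whoever controls access to the cluster configuration.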