Set enrollment flag and disable cert checks during Keystone update
This commit addresses two issues observed during enrollment: one with OAM reconfiguration and another with management network configuration. 1. OAM Reconfiguration Conflict: With OAM reconfiguration, manifests may be deferred to later stages of enrollment and applied multiple times, ultimately conflicting with the enrollment process. Specifically, updating the OAM network triggers Puppet to apply the class openstack::keystone::endpoint::runtime::post based on stale config, which may reset the updated Keystone user passwords, causing service failures. This commit introduces an enrollment_in_progress flag, preventing the openstack::keystone::endpoint::runtime Puppet class from running during enrollment (see related Puppet changes[1]). 2. Management Network Reconfiguration: When the management network is updated, certs are updated with the new address. However, endpoints are only fully reconfigured after unlock. This leads to a transitional state where endpoints still use the old IP, causing failures as certificates reference the new IP. To address this, we bypass certificate validation during enrollment. The central cloud will not validate the certificates presented by the subcloud during enrollment's transitional state. [1] https://review.opendev.org/c/starlingx/stx-puppet/+/938062 Test plan: Run end-to-end enrollment, ensuring subcloud is fully enrolled (endpoints reconfigured, no alarms reported, etc) and reporting online in system controller Following tests were done in both Virtual and H/W Lab: PASS: No network reconfiguration. Enroll with same network config set during inital install. PASS: OAM network reconfiguration. Enroll with a different OAM IP that's set during inital install. PASS: Mgmt. network reconfiguration. Enroll with a different Mgmt. IPs that's set during inital install. PASS: Run common roles with 'rehome' mode, ensure cert checks are done. PASS: Verify enrollment with retry. Run enrollment with induced failure, revert the failure and retry. Ensure successful end-to-end enrollment. Closes-bug: 2092214 Closes-bug: 2092212 Change-Id: Ie416009dfbc52702c4cb884e474e32da76d4d7eb Signed-off-by: Salman Rana <salman.rana@windriver.com>
This commit is contained in:
Salman Rana
Salman Rana
parent
b6104ad4ba
commit
aeabb62d84
@ -44,3 +44,9 @@
|
||||
file:
|
||||
path: "{{ subcloud_enrollment_completed_flag }}"
|
||||
state: touch
|
||||
|
||||
- name: Clear enrollment_in_progress flag
|
||||
file:
|
||||
path: /var/run/.enrollment_in_progress
|
||||
state: absent
|
||||
become: true
|
||||
|
||||
@ -8,6 +8,13 @@
|
||||
# the next step.
|
||||
#
|
||||
|
||||
- name: Set enrollment_in_progress flag
|
||||
file:
|
||||
path: /var/run/.enrollment_in_progress
|
||||
state: touch
|
||||
become: true
|
||||
when: mode is defined and mode == "enroll"
|
||||
|
||||
- name: Set config path facts
|
||||
set_fact:
|
||||
config_permdir: "{{ platform_path + '/config/' + software_version }}"
|
||||
|
||||
@ -35,10 +35,11 @@ def print_with_timestamp(*args, **kwargs):
|
||||
class OpenStackClient:
|
||||
"""Client to interact with OpenStack Keystone."""
|
||||
|
||||
def __init__(self) -> None:
|
||||
def __init__(self, verify_certs) -> None:
|
||||
self.conf = {}
|
||||
self._session = None
|
||||
self._keystone = None
|
||||
self.verify_certs = verify_certs
|
||||
|
||||
# Loading credentials and configurations from environment variables
|
||||
# typically set in OpenStack
|
||||
@ -74,7 +75,7 @@ class OpenStackClient:
|
||||
except KeyError as e:
|
||||
print_with_timestamp(f"Configuration key missing: {e}")
|
||||
sys.exit(1)
|
||||
return session.Session(auth=auth)
|
||||
return session.Session(auth=auth, verify=self.verify_certs)
|
||||
|
||||
@property
|
||||
def keystone(self):
|
||||
@ -187,9 +188,10 @@ class OpenStackClient:
|
||||
class CgtsClient(object):
|
||||
SYSINV_API_VERSION = 1
|
||||
|
||||
def __init__(self):
|
||||
def __init__(self, verify_certs):
|
||||
self.conf = {}
|
||||
self._sysinv = None
|
||||
self.insecure = False if verify_certs else True
|
||||
|
||||
# Loading credentials and configurations from environment variables
|
||||
# typically set in OpenStack
|
||||
@ -222,7 +224,8 @@ class CgtsClient(object):
|
||||
os_user_domain_name=self.conf['user_domain_name'],
|
||||
os_region_name=self.conf['region_name'],
|
||||
os_service_type='platform',
|
||||
os_endpoint_type='admin')
|
||||
os_endpoint_type='admin',
|
||||
insecure=self.insecure)
|
||||
return self._sysinv
|
||||
|
||||
def wait_until_config_updated(self, old_config, username):
|
||||
@ -260,7 +263,7 @@ def store_password_in_keyring(username, password):
|
||||
def main():
|
||||
"""Main function to execute based on command-line input."""
|
||||
if len(sys.argv) < 3:
|
||||
print_with_timestamp("Usage: update_keystone_passwords.py <sw_ver> <json_file>")
|
||||
print_with_timestamp("Usage: update_keystone_passwords.py <sw_ver> <json_file> [optional: verify_cert False]")
|
||||
sys.exit(1)
|
||||
|
||||
sw_ver = sys.argv[1]
|
||||
@ -272,8 +275,15 @@ def main():
|
||||
with open(json_file, 'r') as file:
|
||||
user_data = json.load(file)
|
||||
|
||||
osclient = OpenStackClient()
|
||||
cgts_client = CgtsClient()
|
||||
verify_certs = True
|
||||
if len(sys.argv) > 3:
|
||||
verify_value = sys.argv[3].lower()
|
||||
if verify_value == 'false':
|
||||
print_with_timestamp("Cert checks will be disabled.")
|
||||
verify_certs = False
|
||||
|
||||
osclient = OpenStackClient(verify_certs)
|
||||
cgts_client = CgtsClient(verify_certs)
|
||||
set_keyring_path(sw_ver)
|
||||
for user in user_data:
|
||||
config_applied = cgts_client.get_host_config_applied("controller-0")
|
||||
|
||||
@ -44,6 +44,9 @@
|
||||
update_keystone_keyring_passwords.py
|
||||
{{ software_version }}
|
||||
{{ temp_keystone_pass_file.path }}
|
||||
{% if mode is defined and mode == "enroll" %}
|
||||
False
|
||||
{% endif %}
|
||||
register: update_keystone_password_result
|
||||
failed_when: false
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user