From aeabb62d84c5bada6cf946bd5b971582b6eff757 Mon Sep 17 00:00:00 2001 
From: Salman Rana Date: Thu, 19 Dec 2024 10:40:22 -0500 Subject: [PATCH] Set enrollment flag and disable cert checks during Keystone update This commit addresses two issues observed during enrollment: one with OAM reconfiguration and another with management network configuration. 1. OAM Reconfiguration Conflict: With OAM reconfiguration, manifests may be deferred to later stages of enrollment and applied multiple times, ultimately conflicting with the enrollment process. Specifically, updating the OAM network triggers Puppet to apply the class openstack::keystone::endpoint::runtime::post based on stale config, which may reset the updated Keystone user passwords, causing service failures. This commit introduces an enrollment_in_progress flag, preventing the openstack::keystone::endpoint::runtime Puppet class from running during enrollment (see related Puppet changes[1]). 2. Management Network Reconfiguration: When the management network is updated, certs are updated with the new address. However, endpoints are only fully reconfigured after unlock. This leads to a transitional state where endpoints still use the old IP, causing failures as certificates reference the new IP. To address this, we bypass certificate validation during enrollment. The central cloud will not validate the certificates presented by the subcloud during enrollment's transitional state. [1] https://review.opendev.org/c/starlingx/stx-puppet/+/938062 Test plan: Run end-to-end enrollment, ensuring subcloud is fully enrolled (endpoints reconfigured, no alarms reported, etc) and reporting online in system controller Following tests were done in both Virtual and H/W Lab: PASS: No network reconfiguration. Enroll with same network config set during initial install. PASS: OAM network reconfiguration. Enroll with a different OAM IP that's set during initial install. PASS: Mgmt. network reconfiguration. Enroll with a different Mgmt. IPs that's set during initial install. 
PASS: Run common roles with 'rehome' mode, ensure cert checks are done. PASS: Verify enrollment with retry. Run enrollment with induced failure, revert the failure and retry. Ensure successful end-to-end enrollment. Closes-bug: 2092214 Closes-bug: 2092212 Change-Id: Ie416009dfbc52702c4cb884e474e32da76d4d7eb Signed-off-by: Salman Rana
---
 .../complete-enrollment/tasks/main.yml | 6 +++++ .../prepare-env/tasks/main.yml | 7 ++++++ .../update_keystone_keyring_passwords.py | 24 +++++++++++++------ .../tasks/migrate_keystone_passwords.yml | 3 +++ 4 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/playbookconfig/src/playbooks/roles/enroll-subcloud/complete-enrollment/tasks/main.yml b/playbookconfig/src/playbooks/roles/enroll-subcloud/complete-enrollment/tasks/main.yml
index fd5c2654e..64f514b6d 100644
--- a/playbookconfig/src/playbooks/roles/enroll-subcloud/complete-enrollment/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/enroll-subcloud/complete-enrollment/tasks/main.yml
@@ -44,3 +44,9 @@
 file:
 path: "{{ subcloud_enrollment_completed_flag }}"
 state: touch
+
+- name: Clear enrollment_in_progress flag
+ file:
+ path: /var/run/.enrollment_in_progress
+ state: absent
+ become: true
diff --git a/playbookconfig/src/playbooks/roles/rehome-enroll-common/prepare-env/tasks/main.yml b/playbookconfig/src/playbooks/roles/rehome-enroll-common/prepare-env/tasks/main.yml
index 33087e989..63beac6b1 100644
--- a/playbookconfig/src/playbooks/roles/rehome-enroll-common/prepare-env/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/rehome-enroll-common/prepare-env/tasks/main.yml
@@ -8,6 +8,13 @@
 # the next step.
 #
+- name: Set enrollment_in_progress flag
+ file:
+ path: /var/run/.enrollment_in_progress
+ state: touch
+ become: true
+ when: mode is defined and mode == "enroll"
+
 - name: Set config path facts
 set_fact:
 config_permdir: "{{ platform_path + '/config/' + software_version }}"
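Review bot: The `/var/run/.enrollment_in_progress` flag is removed only by this task at the end of complete-enrollment, so an enrollment that fails or is aborted before reaching it leaves the flag behind and, per the commit description, keeps the openstack::keystone::endpoint::runtime class suppressed until a retry gets this far (or until the host reboots, if /var/run is volatile on this platform). Consider clearing the flag on the failure path as well, for example in a `rescue`/`always` section of the enrollment play, or at least recording the recovery step above the task: `# Cleared on success only; a failed enrollment must be retried (or the host rebooted) before the keystone endpoint runtime class runs again`. The same literal path is repeated in the prepare-env hunk below and, per the message, read by the Puppet change; a single fact such as `enrollment_in_progress_flag` (name constructed here), defined next to the `subcloud_enrollment_completed_flag` used two lines above, would keep the three in step.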
diff --git a/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/files/update_keystone_keyring_passwords.py b/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/files/update_keystone_keyring_passwords.py
index 13c67c8df..79550addc 100644
--- a/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/files/update_keystone_keyring_passwords.py
+++ b/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/files/update_keystone_keyring_passwords.py
@@ -35,10 +35,11 @@ def print_with_timestamp(*args, **kwargs):
 class OpenStackClient:
 """Client to interact with OpenStack Keystone."""
- def __init__(self) -> None:
+ def __init__(self, verify_certs) -> None:
 self.conf = {}
 self._session = None
 self._keystone = None
+ self.verify_certs = verify_certs
 # Loading credentials and configurations from environment variables
 # typically set in OpenStack
@@ -74,7 +75,7 @@ class OpenStackClient:
 except KeyError as e:
 print_with_timestamp(f"Configuration key missing: {e}")
 sys.exit(1)
- return session.Session(auth=auth)
+ return session.Session(auth=auth, verify=self.verify_certs)
 @property
 def keystone(self):
@@ -187,9 +188,10 @@ class OpenStackClient:
 class CgtsClient(object):
 SYSINV_API_VERSION = 1
- def __init__(self):
+ def __init__(self, verify_certs):
 self.conf = {}
 self._sysinv = None
+ self.insecure = False if verify_certs else True
 # Loading credentials and configurations from environment variables
 # typically set in OpenStack
@@ -222,7 +224,8 @@ class CgtsClient(object):
 os_user_domain_name=self.conf['user_domain_name'],
 os_region_name=self.conf['region_name'],
 os_service_type='platform',
- os_endpoint_type='admin')
+ os_endpoint_type='admin',
+ insecure=self.insecure)
 return self._sysinv
 def wait_until_config_updated(self, old_config, username):
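Review bot: `verify_certs` is added to `OpenStackClient.__init__` as a required positional parameter with no default, so any caller other than the `main()` in this file now fails with a TypeError and the safe setting has to be spelled out at every call site; `def __init__(self, verify_certs=True) -> None:` keeps verification the default and existing calls working. The same applies to `CgtsClient.__init__` in the hunk at old line 187, where `self.insecure = False if verify_certs else True` is also just `self.insecure = not verify_certs`. Neither constructor documents the new argument; a one-line comment such as `# verify_certs: TLS verification for the client session; only switched off by the enrollment playbook while mgmt-network endpoints are in their transitional state` would record why a False value is ever legitimate. Both __init__ bodies continue outside the hunk.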
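Review bot: With `verify=self.verify_certs` set to False, the Keystone session skips both chain validation and hostname/IP matching for every request it makes, whereas the commit's rationale is only that the certificate names a new IP the endpoints have not moved to yet; requests/keystoneauth offer no narrower relaxation, so the blunt switch is understandable, but the line should say so since it is the single place where the bypass takes effect. Suggested comment above the return: `# verify may be False only during enrollment (set from argv in main()), while the subcloud certs already carry the new mgmt IP but endpoints still use the old one`. The same flag reaches sysinv via `insecure=self.insecure` in the hunk at old line 222 and deserves the same note there.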
@@ -260,7 +263,7 @@ def store_password_in_keyring(username, password):
 def main():
 """Main function to execute based on command-line input."""
 if len(sys.argv) < 3:
- print_with_timestamp("Usage: update_keystone_passwords.py ")
+ print_with_timestamp("Usage: update_keystone_passwords.py [optional: verify_cert False]")
 sys.exit(1)
 sw_ver = sys.argv[1]
@@ -272,8 +275,15 @@ def main():
 with open(json_file, 'r') as file:
 user_data = json.load(file)
- osclient = OpenStackClient()
- cgts_client = CgtsClient()
+ verify_certs = True
+ if len(sys.argv) > 3:
+ verify_value = sys.argv[3].lower()
+ if verify_value == 'false':
+ print_with_timestamp("Cert checks will be disabled.")
+ verify_certs = False
+
+ osclient = OpenStackClient(verify_certs)
+ cgts_client = CgtsClient(verify_certs)
 set_keyring_path(sw_ver)
 for user in user_data:
 config_applied = cgts_client.get_host_config_applied("controller-0")
diff --git a/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/tasks/migrate_keystone_passwords.yml b/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/tasks/migrate_keystone_passwords.yml
index 1e96d4f56..73e2466b9 100644
--- a/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/tasks/migrate_keystone_passwords.yml
+++ b/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/tasks/migrate_keystone_passwords.yml
@@ -44,6 +44,9 @@
 update_keystone_keyring_passwords.py {{ software_version }} {{ temp_keystone_pass_file.path }}
+ {% if mode is defined and mode == "enroll" %}
+ False
+ {% endif %}
 register: update_keystone_password_result
 failed_when: false
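Review bot: The rewritten usage line still names the script `update_keystone_passwords.py`, while the file being patched is `update_keystone_keyring_passwords.py` (see the diff header), so the message points users at a file that does not exist; since the line is being touched anyway, `print_with_timestamp("Usage: update_keystone_keyring_passwords.py <sw_version> <json_file> [optional: verify_cert False]")` would fix the name and also spell out the two required positional arguments that `main()` reads from `sys.argv[1]` and `sys.argv[2]` — as shown here the message lists none, though angle-bracketed placeholders may simply have been stripped in rendering. The optional token is also called `verify_cert` in the message but `verify_certs` in the code; one spelling would help grepping. The rest of `main()` lies outside this hunk.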
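Review bot: Any third argument other than a case-insensitive `false` silently leaves verification enabled, which is the right fail-closed default, but a mistyped value from the playbook would then surface much later as certificate errors that look unrelated to the argument. Logging the unrecognized value keeps the default while making the cause visible: after the `if verify_value == 'false':` branch add `else:` / `print_with_timestamp(f"Unrecognized verify_certs value {sys.argv[3]!r}; cert checks stay enabled.")`. The nested block can otherwise be collapsed to `verify_certs = sys.argv[3].lower() != 'false'` with the existing print kept under an `if not verify_certs:` guard.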
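Review bot: The bare `False` appended to the command carries no explanation of what it switches off, and the reason (the enrollment-only transitional state where endpoints still use the old mgmt IP while certs already carry the new one) lives only in the commit message; a comment on the `{% if %}` line would keep it with the code, e.g. `# Enrollment only: disable cert checks while mgmt-network endpoints are still on the old IP (fully reconfigured at unlock)`. The condition `mode is defined and mode == "enroll"` is the same expression used in prepare-env's `when:` to set the enrollment_in_progress flag, so a shared fact (for example `enrollment_mode: "{{ mode is defined and mode == 'enroll' }}"`, name constructed here) would let the two stay in step. The surrounding task starts above this hunk, so the scalar style of the command is not visible here.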