StarlingX Ansible Playbooks
Salman Rana aeabb62d84 Set enrollment flag and disable cert checks during Keystone update
This commit addresses two issues observed during enrollment: one with
OAM reconfiguration and another with management network configuration.

1. OAM Reconfiguration Conflict:
   With OAM reconfiguration, manifests may be deferred to later stages
   of enrollment and applied multiple times, ultimately conflicting
   with the enrollment process. Specifically, updating the OAM network
   triggers Puppet to apply the class
   openstack::keystone::endpoint::runtime::post based on stale config,
   which may reset the updated Keystone user passwords, causing
   service failures.

   This commit introduces an enrollment_in_progress flag,
   preventing the openstack::keystone::endpoint::runtime Puppet class
   from running during enrollment (see related Puppet changes[1]).

2. Management Network Reconfiguration:
   When the management network is updated, certs are
   updated with the new address. However, endpoints are only fully
   reconfigured after unlock. This leads to a transitional state where
   endpoints still use the old IP, causing failures as certificates
   reference the new IP.

   To address this, we bypass certificate validation during enrollment.
   The central cloud will not validate the certificates presented by
   the subcloud during enrollment's transitional state.

[1] https://review.opendev.org/c/starlingx/stx-puppet/+/938062

Test plan:
Run end-to-end enrollment, ensuring subcloud is fully enrolled
(endpoints reconfigured, no alarms reported, etc) and
reporting online in system controller. Following tests were
done in both Virtual and H/W Lab:

PASS: No network reconfiguration. Enroll
      with same network config set during
      initial install.

PASS: OAM network reconfiguration. Enroll
      with a different OAM IP that's set during
      initial install.

PASS: Mgmt. network reconfiguration. Enroll
      with a different Mgmt. IPs that's set during
      initial install.

PASS: Run common roles with 'rehome' mode,
      ensure cert checks are done.

PASS: Verify enrollment with retry.
      Run enrollment with induced failure, revert the
      failure and retry. Ensure successful
      end-to-end enrollment.

Closes-bug: 2092214
Closes-bug: 2092212

Change-Id: Ie416009dfbc52702c4cb884e474e32da76d4d7eb
Signed-off-by: Salman Rana <salman.rana@windriver.com>
2024-12-20 20:00:10 +00:00
examples Update SX to DX migration playbook to support IPsec 2024-08-08 14:09:52 -04:00
playbookconfig Set enrollment flag and disable cert checks during Keystone update 2024-12-20 20:00:10 +00:00
.ansible-lint Fix zuul failures from new release of ansible-lint 2020-08-18 10:49:30 -05:00
.gitignore Fixing up tox -e cover for stx-config 2018-12-20 08:53:15 -06:00
.gitreview Added .gitreview 2019-06-15 14:03:07 -05:00
.yamllint Enable yamllint for ansible playbook .yml files 2019-06-24 13:27:26 -05:00
.zuul.yaml Zuul: Set all nodesets to debian-bullseye 2024-12-02 22:19:26 +00:00
CONTRIBUTORS.wrs Clean up repo import 2019-06-15 14:21:19 -05:00
debian_build_layer.cfg Add debian_build_layer.cfg file 2021-10-05 14:04:06 -04:00
debian_iso_image.inc Add debian_iso_image.inc file 2021-10-27 01:56:02 -04:00
debian_pkg_dirs Add debian package for playbookconfig 2021-09-29 18:32:15 +03:00
LICENSE Clean up repo import 2019-06-15 14:21:19 -05:00
README.rst starlingx/ansible-playbooks README improvement 2023-07-19 12:13:55 -03:00
requirements.txt Fix remote play for backup and restore 2022-08-17 14:51:35 -03:00
test-requirements.txt Fix tox ansible lint failure due to a new module 2022-01-10 11:04:20 -06:00
tox.ini Prestaging support for --for-sw-deploy/--for-install 2024-06-19 00:38:00 +00:00

stx-ansible-playbooks

StarlingX Bootstrap and Deployment Ansible [1] Playbooks

Execution environment

  • Unix-like OS (recent Linux-based distributions, macOS, Cygwin)
  • Python 3.8 and later

Additional Required Packages

In addition to the packages listed in requirements.txt and test-requirements.txt, the following packages are required to run the playbooks remotely:

  • python3-pexpect
  • python3-ptyprocess
  • sshpass

Supported StarlingX Releases

The playbooks are compatible with StarlingX R8.0 and later.

Executing StarlingX Playbooks

Bootstrap Playbook

For instructions on how to set up and execute the bootstrap playbook from another host, refer to the StarlingX Documentation [2]: under Installation Guides, see the section "Configure controller-0" for the respective system deployment type.

Developer Notes

This repository is not intended to be developed standalone, but rather as part of the StarlingX Source System, which is defined by the StarlingX manifest [3].

References


  1. https://docs.ansible.com/ansible/latest/installation_guide
  2. https://docs.starlingx.io
  3. https://opendev.org/starlingx/manifest.git