Update OIDC upgrade script for 22.12

These scripts perform helm override check, backup of helm overrides,
conversion of helm overrides and upgrade of the oidc-auth-apps
application.

The original scripts are restored from commit 8293b0af, which was
originally written for 21.12 to 22.06 upgrade.  This cherry-picks commit
8293b0af, but also adjusts the accepted releases.  We will support
upgrade of 21.12 to 22.12 release.

The script is neutered for the 22.06 to 22.12 upgrade.

The changes from original commit include:
 - accept TO_RELEASE 22.12 instead
 - when from_release and to_release do not match then return with a
   softer warning, and return 0 instead of 1
 - use /var/opt/oidc-auth-apps instead of /opt/oidc-auth-apps
 - use yaml.safe_load()

Test Plan:
PASS: unit test on python3
PASS: unit test of both scripts
PASS: unit test health-check, start, activate
PASS: unit test yaml.safeload health-check, start, migrate
PASS: unit test helm overrides before/after switch to yaml.safeload
PASS: conversion of 21.12 configuration
PASS: absent helm overrides
PASS: AIO-SX provision 22.12
PASS: AIO-DX provision 22.12
PASS: confirm permissions of /var/opt/oidc-auth-apps/, and scripts
PASS: simulate 21.12 to 22.12 upgrade env, upgrade oidc application
PASS: simulate 22.06 to 22.12 upgrade env, observe neuter scripts
N/A: AIO-SX/AIO-DX upgrade 21.12 to 22.12
N/A: AIO-SX/AIO-DX upgrade 22.06 to 22.12 (neuter scripts)

Story: 2009303
Task: 46677

Depends-on: https://review.opendev.org/c/starlingx/config/+/863656
Depends-on: https://review.opendev.org/c/starlingx/oidc-auth-armada-app/+/863436

Change-Id: I53ae6fbf1669cd8fbfca6082716333433d32ab80
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
Michel Thebeau 2022-05-24 12:10:06 -04:00
parent 2fecb99ae4
commit 2b58eb7ff2
2 changed files with 18 additions and 13 deletions


@ -23,12 +23,12 @@ log.configure()
# This script is only valid for to/from releases:
ACCEPTED_FROM = ['21.12']
ACCEPTED_TO = ['22.06']
ACCEPTED_TO = ['22.12']
ACCEPTED_ACTIONS = ['health-check', 'start', 'migrate']
# this path should have been created by stx-oidc-auth-helm package
# with ownership assigned to postgres:postgres
BACKUP_PATH = '/opt/oidc-auth-apps'
BACKUP_PATH = '/var/opt/oidc-auth-apps'
# list of charts in oidc-auth-apps; for sanity check only
oidc_charts = ['dex', 'oidc-client', 'secret-observer']
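Review bot: The comment above BACKUP_PATH still only assumes that the stx-oidc-auth-helm package created the directory with postgres:postgres ownership, and that assumption now has to hold for the new /var/opt/oidc-auth-apps location. Consider having the health-check action verify that the directory exists and is writable by the expected owner, so a missing or mis-owned path is reported before the backup is written.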
@ -156,7 +156,7 @@ def backup_overrides(overrides, action='debug'):
if name not in oidc_charts:
LOG.warning("oidc-auth-apps: mismatch chart name '%s'", name)
if chart[field]:
document = yaml.load(chart[field])
document = yaml.safe_load(chart[field])
if not document:
LOG.debug("oidc-auth-apps: %s empty document", name)
continue
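Review bot: At `document = yaml.safe_load(chart[field])` nothing in the visible lines handles a parse failure. safe_load raises a yaml.YAMLError subclass for malformed YAML and for tags outside the safe set, which yaml.load may have accepted before, so one bad override would abort the backup loop. Suggest catching yaml.YAMLError here, logging the chart name, and deciding explicitly whether to continue or fail.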
@ -345,7 +345,7 @@ def get_chart_override(overrides, chart):
# applied, or because it failed to apply without overrides
return None
# convert the string to python structures
return yaml.load(chart_ov['user_overrides'])
return yaml.safe_load(chart_ov['user_overrides'])
def validate_overrides(overrides):
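Review bot: `return yaml.safe_load(chart_ov['user_overrides'])` in get_chart_override hands back whatever the YAML parses to, which can be None for an empty string, or a list or scalar, not only a mapping. None is already returned a few lines up to mean that no override is available, so callers cannot tell the cases apart. Suggest checking that the result is a dict and logging when it is not.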
@ -364,7 +364,7 @@ def validate_overrides(overrides):
if not document:
LOG.error("oidc-auth-apps: no dex user_overrides to validate")
return False
validate = yaml.load(validation_yaml)
validate = yaml.safe_load(validation_yaml)
return validate_document(validate, document)
@ -454,13 +454,13 @@ def main():
from_release, to_release, action)
return 0
elif from_release not in ACCEPTED_FROM:
LOG.error("oidc-auth-apps: upgrade script not valid from release %s",
from_release)
return 1
LOG.warning("oidc-auth-apps: not valid from release %s",
from_release)
return 0
elif to_release not in ACCEPTED_TO:
LOG.error("oidc-auth-apps: upgrade script not valid to release %s",
to_release)
return 1
LOG.warning("oidc-auth-apps: not valid to release %s",
to_release)
return 0
try:
conn = psycopg2.connect("dbname=sysinv user=postgres")
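Review bot: In main(), both the from_release and to_release branches now return 0, including when the action is health-check, so a release pair the script does not handle is reported to the caller as a pass with only a warning in the log. If that is the intent, say so in a comment above the branches and make the message state that the script is being skipped, since "not valid from release %s" on its own reads like a failure.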


@ -35,11 +35,16 @@ if [ "$FROM_RELEASE" != "21.12" ]; then
exit 0
fi
# only run if to 22.12 release
if [ "$TO_RELEASE" != "22.12" ]; then
exit 0
fi
PLATFORM_APPLICATION_PATH='/usr/local/share/applications/helm'
PATH=$PATH:/usr/local/sbin
# conversion script; this script will convert the helm overrides
# reading from postgres and putting overrides into /opt/oidc-auth-apps
# reading from postgres and putting overrides into /var/opt/oidc-auth-apps
CONV_SCRIPT='/etc/upgrade.d/50-validate-oidc-auth-apps.py'
CONV_PARAMS="$FROM_RELEASE $TO_RELEASE migrate"
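Review bot: The new TO_RELEASE check exits 0 without logging anything, while the Python script logs a warning for the same condition. Suggest logging one line before `exit 0` so a skipped upgrade step is visible afterwards. The accepted release is also now hard-coded both here and in ACCEPTED_TO, so the two need to be changed together on the next release.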
@ -68,7 +73,7 @@ ORIGINAL_APP_STATUS=$EXISTING_APP_STATUS
# oidc-auth-apps has user overrides converted and saved for
# re-apply at this time
OIDC_OVERRIDES="/opt/oidc-auth-apps/converted"
OIDC_OVERRIDES="/var/opt/oidc-auth-apps/converted"
OIDC_CHARTS="dex oidc-client secret-observer"
function oidc_specific_handling {
for chart in $OIDC_CHARTS; do
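Review bot: OIDC_OVERRIDES and OIDC_CHARTS duplicate BACKUP_PATH and oidc_charts from the Python script, and this change had to update the path in both files by hand. Suggest a comment next to each naming its counterpart in 50-validate-oidc-auth-apps.py, or a single shared definition, so the two cannot drift apart on the next path or chart change.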