Merge "Preventing unlock and swact while k8s rootca update"

2021-10-12 16:42:21 +00:00 · 2021-10-12 16:42:21 +00:00 · 52e78df5b1
parent f74f0bb495 6f74b61518
commit 52e78df5b1
2 changed files with 172 additions and 0 deletions
--- a/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/host.py
+++ b/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/host.py
@ -3513,6 +3513,46 @@ class HostController(rest.RestController):
                    "Wait for kubelet upgrade to complete." % ihost['hostname'])
            raise wsme.exc.ClientSideError(msg)

+    def _semantic_check_unlock_kube_rootca_update(self, ihost, force_unlock=False):
+        """
+        Perform semantic checks related to kubernetes rootca update
+        prior to unlocking host.
+        """
+
+        if force_unlock:
+            LOG.warning("Host %s force unlock while kubernetes "
+                        "rootca update in progress." % ihost['hostname'])
+            return
+
+        try:
+            kube_rootca_update = \
+                pecan.request.dbapi.kube_rootca_update_get_one()
+
+            if kube_rootca_update.state in [kubernetes.KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS,
+                                            kubernetes.KUBE_ROOTCA_UPDATING_PODS_TRUSTNEWCA]:
+                msg = _("Can not unlock %s while kubernetes root ca "
+                        "update phase in progress. Wait for update "
+                        "phase to complete." % ihost['hostname'])
+                raise wsme.exc.ClientSideError(msg)
+        except exception.NotFound:
+            LOG.debug("No kubernetes rootca update was found")
+            return
+
+        try:
+            kube_host_rootca_update = \
+                pecan.request.dbapi.kube_rootca_host_update_get_by_host(ihost['uuid'])
+            if kube_host_rootca_update.state in [kubernetes.KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS,
+                                                 kubernetes.KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS,
+                                                 kubernetes.KUBE_ROOTCA_UPDATING_HOST_TRUSTNEWCA]:
+                msg = _("Can not unlock %s while kubernetes root ca "
+                        "update phase in progress. Wait for update "
+                        "phase to complete on host." % ihost['hostname'])
+                raise wsme.exc.ClientSideError(msg)
+        except exception.NotFound:
+            LOG.debug("No kubernetes rootca update on host %s "
+                      "was found" % ihost['hostname'])
+            return
+
    def _semantic_check_unlock_upgrade(self, ihost, force_unlock=False):
        """
        Perform semantic checks related to upgrades prior to unlocking host.
@ -5376,6 +5416,10 @@ class HostController(rest.RestController):
        # the unlock.
        self.check_unlock_application(hostupdate, force_unlock)

+        # Ensure there is no k8s rootca update phase in progress
+        self._semantic_check_unlock_kube_rootca_update(hostupdate.ihost_orig,
+                                                       force_unlock)
+
        personality = hostupdate.ihost_patch.get('personality')
        if personality == constants.CONTROLLER:
            self.check_unlock_controller(hostupdate, force_unlock)
@ -6037,6 +6081,47 @@ class HostController(rest.RestController):
        # Check for new hardware since upgrade-start
        self._semantic_check_upgrade_refresh(upgrade, to_host, force_swact)

+    def _semantic_check_swact_kube_rootca_update(self, ihost, force_swact=False):
+        """
+        Perform semantic checks related to kubernetes rootca update
+        prior to swacting host.
+        """
+
+        if force_swact:
+            LOG.warning("Host %s force swact while kubernetes "
+                        "rootca update in progress on host."
+                        % ihost['hostname'])
+            return
+
+        try:
+            kube_rootca_update = \
+                pecan.request.dbapi.kube_rootca_update_get_one()
+
+            if kube_rootca_update.state in [kubernetes.KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS,
+                                            kubernetes.KUBE_ROOTCA_UPDATING_PODS_TRUSTNEWCA]:
+                msg = _("Can not swact %s while kubernetes root ca "
+                        "update phase in progress. Wait for update "
+                        "phase to complete." % ihost['hostname'])
+                raise wsme.exc.ClientSideError(msg)
+        except exception.NotFound:
+            LOG.debug("No kubernetes rootca update was found")
+            return
+
+        try:
+            kube_host_rootca_update = \
+                pecan.request.dbapi.kube_rootca_host_update_get_by_host(ihost['uuid'])
+            if kube_host_rootca_update.state in [kubernetes.KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS,
+                                                 kubernetes.KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS,
+                                                 kubernetes.KUBE_ROOTCA_UPDATING_HOST_TRUSTNEWCA]:
+                msg = _("Can not swact %s while kubernetes root ca "
+                        "update phase is in progress. Wait for update "
+                        "phase to complete on host." % ihost['hostname'])
+                raise wsme.exc.ClientSideError(msg)
+        except exception.NotFound:
+            LOG.debug("No kubernetes rootca update on host %s "
+                      "was found" % ihost['hostname'])
+            return
+
    def _check_swact_device_image_update(self, from_host, to_host, force=False):
        if force:
            LOG.info("device image update swact check bypassed with force option")
@ -6114,6 +6199,10 @@ class HostController(rest.RestController):
                             ihost_ctr.subfunction_oper,
                             ihost_ctr.subfunctions))

+                # deny swact if a kube rootca update phase is in progress
+                self._semantic_check_swact_kube_rootca_update(hostupdate.ihost_orig,
+                                                              force_swact)
+
                # deny swact if storage backend not ready
                self._semantic_check_storage_backend(ihost_ctr)

--- a/sysinv/sysinv/sysinv/sysinv/tests/api/test_host.py
+++ b/sysinv/sysinv/sysinv/sysinv/tests/api/test_host.py
@ -1995,6 +1995,27 @@ class TestPatch(TestHost):
        self.assertEqual(http_client.BAD_REQUEST, response.status_int)
        self.assertTrue(response.json['error_message'])

+    def test_unlock_action_controller_during_k8s_rootca_pods_update(self):
+        # Create controller-0 without inv_state initial inventory complete
+        c0_host = self._create_controller_0(
+            invprovision=constants.PROVISIONED,
+            administrative=constants.ADMIN_LOCKED,
+            operational=constants.OPERATIONAL_ENABLED,
+            availability=constants.AVAILABILITY_ONLINE,
+            inv_state=None, clock_synchronization=constants.NTP)
+
+        # Create kube rootca update updating pods on phase trust-both-cas
+        dbutils.create_test_kube_rootca_update(state=kubernetes.KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS)
+
+        # Unlock host
+        response = self._patch_host_action(c0_host['hostname'],
+                                           constants.UNLOCK_ACTION,
+                                           'sysinv-test',
+                                           expect_errors=True)
+        self.assertEqual(response.content_type, 'application/json')
+        self.assertEqual(http_client.BAD_REQUEST, response.status_int)
+        self.assertTrue(response.json['error_message'])
+
    def _test_lock_action_controller(self):
        # Create controller-0
        self._create_controller_0(
@ -2790,6 +2811,68 @@ class TestPatchStdDuplexControllerAction(TestHost):
                      "images." % (c0_host['hostname'], c1_host['hostname']),
                      response.json['error_message'])

+    def test_swact_action_controller_while_kube_rootca_pods_update(self):
+        # Create controller-0
+        c0_host = self._create_controller_0(
+            invprovision=constants.PROVISIONED,
+            administrative=constants.ADMIN_UNLOCKED,
+            operational=constants.OPERATIONAL_ENABLED,
+            availability=constants.AVAILABILITY_ONLINE)
+
+        self._create_controller_1(
+            invprovision=constants.PROVISIONED,
+            administrative=constants.ADMIN_UNLOCKED,
+            operational=constants.OPERATIONAL_ENABLED,
+            availability=constants.AVAILABILITY_ONLINE)
+
+        # Create kube rootca update updating pods on phase trust-both-cas
+        dbutils.create_test_kube_rootca_update(state=kubernetes.KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS)
+
+        # Swact controller host
+        response = self._patch_host_action(c0_host['hostname'],
+                                           constants.SWACT_ACTION,
+                                           'sysinv-test',
+                                           expect_errors=True)
+        self.assertEqual(response.content_type, 'application/json')
+        self.assertEqual(http_client.BAD_REQUEST, response.status_int)
+        self.assertTrue(response.json['error_message'])
+        self.assertIn("Can not swact %s while kubernetes root ca "
+                      "update phase in progress. Wait for update "
+                      "phase to complete." % c0_host['hostname'],
+                      response.json['error_message'])
+
+    def test_swact_action_controller_while_kube_rootca_host_update(self):
+        # Create controller-0
+        c0_host = self._create_controller_0(
+            invprovision=constants.PROVISIONED,
+            administrative=constants.ADMIN_UNLOCKED,
+            operational=constants.OPERATIONAL_ENABLED,
+            availability=constants.AVAILABILITY_ONLINE)
+
+        self._create_controller_1(
+            invprovision=constants.PROVISIONED,
+            administrative=constants.ADMIN_UNLOCKED,
+            operational=constants.OPERATIONAL_ENABLED,
+            availability=constants.AVAILABILITY_ONLINE)
+
+        # Create kubernetes rootca update for the host and set it with phase in progress
+        dbutils.create_test_kube_rootca_update(state=kubernetes.KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS)
+        dbutils.create_test_kube_rootca_host_update(host_id=c0_host['id'],
+                                                    state=kubernetes.KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS)
+
+        # Swact controller host
+        response = self._patch_host_action(c0_host['hostname'],
+                                           constants.SWACT_ACTION,
+                                           'sysinv-test',
+                                           expect_errors=True)
+        self.assertEqual(response.content_type, 'application/json')
+        self.assertEqual(http_client.BAD_REQUEST, response.status_int)
+        self.assertTrue(response.json['error_message'])
+        self.assertIn("Can not swact %s while kubernetes root ca "
+                      "update phase is in progress. Wait for update "
+                      "phase to complete on host." % c0_host['hostname'],
+                      response.json['error_message'])
+

 class TestPatchStdDuplexControllerVIM(TestHost):