Fix invalid admin endpoint cert during subcloud upgrade

cert-mon queues failed cert update tasks and retry them later on. But
the retry periodic function is not started in subcloud so it doesn't
really work. This commit fix it by starting these periodic functions if
the system's DC role is subcloud.

This commit also added unauthorization exception handling for platform
cert update, so that the retry task will reattempt updating the cert
with a new token. The other certs update already have such exception
handling.

Note, commit 862c1746ab is needed to fully
fix Bug 1926788.

Closes-Bug: 1926788
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: If7f631ee3e5f97db7a06b184f9e68cf901cc8344

sysinv/sysinv/sysinv/sysinv/cert_mon/certificate_mon_manager.py

@@ -166,6 +166,11 @@ class CertificateMonManager(periodic_task.PeriodicTasks):
         # Failed tasks that need to be reattempted will be taken care here
         max_attempts = CONF.certmon.max_retry
         tasks = self.reattempt_tasks[:]
+
+        num_tasks = len(tasks)
+        if num_tasks > 0:
+            LOG.info('%s failed tasks to reattempt in queue.' % num_tasks)
+
         for task in tasks:
             if task.run():
                 self.reattempt_tasks.remove(task)

sysinv/sysinv/sysinv/sysinv/cert_mon/service.py

@@ -58,12 +58,17 @@ class CertificateMonitorService(service.Service):
 
             self._rpc_server = rpc_messaging.get_rpc_server(self.target, self)
             self._rpc_server.start()
+        elif dc_role == constants.DISTRIBUTED_CLOUD_ROLE_SUBCLOUD:
+            self.manager.start_audit()
 
     def stop(self):
         dc_role = utils.get_dc_role()
         if dc_role == constants.DISTRIBUTED_CLOUD_ROLE_SYSTEMCONTROLLER:
             self._stop_rpc_server()
             self.manager.stop_audit()
+        elif dc_role == constants.DISTRIBUTED_CLOUD_ROLE_SUBCLOUD:
+            self.manager.stop_audit()
+
         self.manager.stop_monitor()
         super(CertificateMonitorService, self).stop()
         rpc_messaging.cleanup()

sysinv/sysinv/sysinv/sysinv/cert_mon/utils.py

@@ -618,23 +618,37 @@ def upload_request_with_data(token, url, **kwargs):
     files = {'file': ("for_upload",
                     kwargs['body'],)}
     data = kwargs.get('data')
-    req = requests.post(url, headers=headers, files=files,
-                        data=data)
+    timeout = kwargs.get('timeout')
+    try:
+        req = requests.post(url, headers=headers, files=files,
+                            data=data, timeout=timeout)
+        req.raise_for_status()
+    except requests.exceptions.HTTPError as e:
+        if 401 == e.response.status_code:
+            if token:
+                token.set_expired()
+        raise
+    except requests.exceptions.InvalidURL:
+        LOG.error("Cannot access %s" % url)
+        raise
+
     LOG.info('response from upload API = %s' % req.json())
     return req.json()
 
 
-def rest_api_upload(token, filepath, url, data=None):
+def rest_api_upload(token, filepath, url, data=None, timeout=30):
     """
     Make a rest-api upload call
     """
-    LOG.info('rest_api_upload called. filepath=%s, url=%s, data=%s' % (filepath, url, data))
+    LOG.info('rest_api_upload called. filepath=%s, url=%s, data=%s, timeout=%s'
+            % (filepath, url, data, timeout))
     try:
         file_to_upload = open(filepath, 'rb')
     except Exception as e:
         LOG.exception(e)
 
-    return upload_request_with_data(token, url, body=file_to_upload, data=data)
+    return upload_request_with_data(token, url, body=file_to_upload, data=data,
+                                    timeout=timeout)
 
 
 def update_pemfile(tls_crt, tls_key):