Move DC certificate management and auditing logic to dccertmon.
This includes:
- DC certificate watchers
- Subcloud auditor
The system controller runs the subcloud auditor and the DC
certificate watchers for:
- AdminEndpointRenew
- DCIntermediateCertRenew
- RootCARenew
The subclouds run only the DC certificate
watcher for AdminEndpointRenew.
For background, see:
https://review.opendev.org/c/starlingx/distcloud/+/941210
Note: These changes should be submitted together with:
- https://review.opendev.org/c/starlingx/config/+/944987
- https://review.opendev.org/c/starlingx/stx-puppet/+/944978
Test plan:
- PASS: Build distributedcloud deb package and ISO, then verify
a full installation.
- PASS: Deploy a full DC system with a system controller and
subclouds. Verify the systems are operational (dccertmon is
enabled and active on both).
- PASS: Deploy a standalone AIO-SX and verify the system is
operational (dccertmon is not active).
- PASS: Confirm proper initialization (no startup errors in
/var/log/dccertmon/dccertmon.log, auditor and watcher
threads started).
- PASS: Verify RPC endpoints (triggered by subcloud managed,
online, endpoint update: ensure subcloud enqueued for audit).
- PASS: Validate the periodic audit.
- PASS: Confirm that periodic functions run at expected intervals
(audit_sc_cert_start, retry_monitor_task, audit_sc_cert_task).
- PASS: Ensure subcloud in-sync status is updated.
- PASS: Validate general certificate request succeeds.
- PASS: Confirm DC CertWatcher monitors secrets in 'dc-cert'.
- PASS: Deploy a subcloud, manage it and verify that the dc-cert
status is updated to in-sync after a while.
- PASS: Delete the secret for the adminep-ca-certificate of a managed
subcloud and verify that it is updated both on the system controller
and the subcloud.
Story: 2011311
Task: 51835
Change-Id: Iddca2fd3390eedb1f1a8047fade1ce9900021a83
Signed-off-by: Salman Rana <salman.rana@windriver.com>