Merge "Provision cert-alarm service and setup cert-alarm.conf"

Zuul 2021-07-27 23:20:18 +00:00 committed by Gerrit Code Review
commit 2ca5846f7c
10 changed files with 206 additions and 2 deletions


@ -0,0 +1,35 @@
#
# Files in this package are licensed under Apache; see LICENSE file.
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
Puppet::Type.type(:certalarm_config).provide(
:ini_setting,
:parent => Puppet::Type.type(:ini_setting).provider(:ruby)
) do
def section
resource[:name].split('/', 2).first
end
def setting
resource[:name].split('/', 2).last
end
def separator
'='
end
def self.file_path
'/etc/sysinv/cert-alarm.conf'
end
# added for backwards compatibility with older versions of inifile
def file_path
self.class.file_path
end
end


@ -0,0 +1,50 @@
#
# Files in this package are licensed under Apache; see LICENSE file.
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
Puppet::Type.newtype(:certalarm_config) do
ensurable
newparam(:name, :namevar => true) do
desc 'Section/setting name to manage from /etc/sysinv/cert-alarm.conf'
newvalues(/\S+\/\S+/)
end
newproperty(:value) do
desc 'The value of the setting to be defined.'
munge do |value|
value = value.to_s.strip
value.capitalize! if value =~ /^(true|false)$/i
value
end
def is_to_s( currentvalue )
if resource.secret?
return '[old secret redacted]'
else
return currentvalue
end
end
def should_to_s( newvalue )
if resource.secret?
return '[new secret redacted]'
else
return newvalue
end
end
end
newparam(:secret, :boolean => true) do
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
newvalues(:true, :false)
defaultto false
end
end
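Review bot: The name pattern in `newvalues(/\S+\/\S+/)` is not anchored, so if Puppet applies it as a plain regex match, a title that only contains a `section/setting` substring (for instance one with embedded whitespace or a newline) passes validation and is then split by the provider into a section and key for /etc/sysinv/cert-alarm.conf. Anchoring it as `newvalues(/\A\S+\/\S+\z/)` ties what reaches the file to well-formed titles. The boolean check in `munge` has the same shape, because `^`/`$` match per line; `value =~ /\A(true|false)\z/i` is the whole-string form. A comment on the `secret` parameter stating that it only swaps the old and new value for placeholders in `is_to_s`/`should_to_s` would also help, since nothing in this file shows the value being protected anywhere else.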


@ -0,0 +1,102 @@
#
# Files in this package are licensed under Apache; see LICENSE file.
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
#
class sysinv::certalarm (
$local_keystone_password,
$dc_keystone_password,
$local_keystone_auth_uri = false,
$local_keystone_identity_uri = false,
$local_keystone_project_domain = 'Default',
$local_keystone_tenant = 'services',
$local_keystone_user = 'sysinv',
$local_keystone_user_domain = 'Default',
$local_region_name = 'RegionOne',
$use_syslog = false,
$log_facility = 'LOG_USER',
$debug = false,
$keystone_auth_protocol = 'http',
$keystone_auth_host = 'localhost',
$keystone_enabled = true,
$keystone_interface = 'internal',
$auth_type = 'password',
$service_port = '5000',
$keystone_http_connect_timeout = '10',
$package_ensure = 'latest',
$bind_host = '::',
$pxeboot_host = undef,
$enabled = true,
) {
include sysinv::params
if $::sysinv::params::certalarm_package {
Package['certalarm'] -> Certalarm_config<||>
package { 'certalarm':
ensure => $package_ensure,
name => $::sysinv::params::certalarm_package,
}
}
file { $::sysinv::params::certalarm_conf:
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
require => Package['sysinv'],
}
if $local_keystone_identity_uri {
certalarm_config {
'keystone_authtoken/auth_url': value => $local_keystone_identity_uri;
'keystone_authtoken/auth_uri': value => $local_keystone_identity_uri;
}
} else {
certalarm_config {
'keystone_authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:${service_port}/";
'keystone_authtoken/auth_uri': value => "${keystone_auth_protocol}://${keystone_auth_host}:${service_port}/";
}
}
certalarm_config {
'DEFAULT/syslog_log_facility': value => $log_facility;
'DEFAULT/use_syslog': value => $use_syslog;
'DEFAULT/debug': value => $debug;
'DEFAULT/logging_default_format_string': value => '%(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s';
'DEFAULT/logging_debug_format_suffix': value => '%(pathname)s:%(lineno)d';
}
certalarm_config {
'certalarm/retry_interval': value => 600;
'certalarm/max_retry': value => 14;
'certalarm/audit_interval': value => 86400;
}
if $keystone_enabled {
certalarm_config {
'DEFAULT/auth_strategy': value => 'keystone' ;
}
certalarm_config {
'keystone_authtoken/auth_type': value => $auth_type;
'keystone_authtoken/project_name': value => $local_keystone_tenant;
'keystone_authtoken/username': value => $local_keystone_user;
'keystone_authtoken/password': value => $local_keystone_password, secret=> true;
'keystone_authtoken/user_domain_name': value => $local_keystone_user_domain;
'keystone_authtoken/project_domain_name': value => $local_keystone_project_domain;
'keystone_authtoken/interface': value => $keystone_interface;
'keystone_authtoken/region_name': value => $local_region_name;
}
}
else
{
certalarm_config {
'DEFAULT/auth_strategy': value => 'noauth' ;
}
}
}
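Review bot: The fallback `keystone_authtoken/auth_url` is assembled from `$keystone_auth_protocol`, which defaults to `'http'`, in the same class that writes a password credential with `auth_type` set to `'password'`. With the default `$keystone_auth_host = 'localhost'` that stays on loopback, but overriding only the host would have the service authenticate to Keystone over an unencrypted connection. Consider defaulting the protocol to `'https'`, or failing the catalog when `http` is combined with a non-loopback host. `$dc_keystone_password` is a required parameter that nothing in the class body references, and `$local_keystone_auth_uri`, `$keystone_http_connect_timeout`, `$bind_host`, `$pxeboot_host` and `$enabled` are likewise unused here; dropping them, or at least the unused secret, keeps a second credential out of this class's inputs. A short header comment documenting the remaining parameters would help, since the file has none.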


@ -1,7 +1,7 @@
#
# Files in this package are licensed under Apache; see LICENSE file.
#
# Copyright (c) 2013-2019 Wind River Systems, Inc.
# Copyright (c) 2013-2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -73,6 +73,7 @@ class sysinv (
Package['sysinv'] -> Sysinv_config<||>
Package['sysinv'] -> Sysinv_api_paste_ini<||>
Package['sysinv'] -> Certmon_config<||>
Package['sysinv'] -> Certalarm_config<||>
# this anchor is used to simplify the graph between sysinv components by
# allowing a resource to serve as a point where the configuration of sysinv begins


@ -1,7 +1,7 @@
#
# Files in this package are licensed under Apache; see LICENSE file.
#
# Copyright (c) 2013-2016 Wind River Systems, Inc.
# Copyright (c) 2013-2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -19,6 +19,7 @@ class sysinv::params {
$sysinv_dir = '/etc/sysinv'
$sysinv_conf = '/etc/sysinv/sysinv.conf'
$certmon_conf = '/etc/sysinv/cert-mon.conf'
$certalarm_conf = '/etc/sysinv/cert-alarm.conf'
$sysinv_paste_api_ini = '/etc/sysinv/api-paste.ini'
if $::osfamily == 'Debian' {
@ -31,6 +32,7 @@ class sysinv::params {
$agent_package = 'sysinv'
$agent_service = 'sysinv-agent'
$certmon_package = 'cert-mon'
$certalarm_package = 'cert-alarm'
$db_sync_command = 'sysinv-dbsync'
} elsif($::osfamily == 'RedHat') {
@ -44,6 +46,7 @@ class sysinv::params {
$agent_package = false
$agent_service = 'sysinv-agent'
$certmon_package = false
$certalarm_package = false
$db_sync_command = 'sysinv-dbsync'
} elsif($::osfamily == 'WRLinux') {
@ -57,6 +60,7 @@ class sysinv::params {
$agent_package = false
$agent_service = 'sysinv-agent'
$certmon_package = false
$certalarm_package = false
$db_sync_command = 'sysinv-dbsync'
} else {


@ -148,6 +148,10 @@ sysinv::certmon::use_syslog: true
sysinv::certmon::log_facility: 'local6'
sysinv::certmon::debug: false
# cert-alarm
sysinv::certalarm::use_syslog: true
sysinv::certalarm::log_facility: 'local6'
sysinv::certalarm::debug: false
# nfvi
nfv::nfvi::infrastructure_rest_api_data_port_fault_handling_enabled: false


@ -82,6 +82,7 @@ include ::platform::dcorch::engine
include ::platform::dcorch::api_proxy
include ::platform::dcmanager::api
include ::platform::certmon
include ::platform::certalarm
include ::platform::dcdbsync
include ::platform::dcdbsync::api


@ -93,6 +93,7 @@ include ::platform::dcorch::engine
include ::platform::dcorch::api_proxy
include ::platform::dcmanager::api
include ::platform::certmon
include ::platform::certalarm
include ::platform::dcdbsync
include ::platform::dcdbsync::api


@ -0,0 +1,3 @@
class platform::certalarm {
include ::sysinv::certalarm
}


@ -776,6 +776,9 @@ class platform::sm
-> exec { 'Provision cert-mon service in controller-services group':
command => 'sm-provision service-group-member controller-services cert-mon'
}
-> exec { 'Provision cert-alarm service in controller-services group':
command => 'sm-provision service-group-member controller-services cert-alarm'
}
# On an AIO-DX system, cephmon DRBD must always be configured, even