Disable dcagent user creation on SystemController

It's not necessary to have the dcagent keystone user present on
system controller. Its presence can cause problems during upgrade
as it would be necessary for the dcagent user in the subcloud to
have the same password as system controller upon creation (before
dcdbsync synching upon managing the subcloud).

Test plan:
  - PASS: Build a developer ISO. Deploy a DC system with 2 system
          controllers and 1 subcloud. Verify the dcagent user is
          created only on the subcloud.
  - PASS: Manage the subcloud and verify the dcagent service is
          working as expected.
  - PASS: Perform a network reconfiguration on the subcloud. Verify
          the operation finishes successfully.

Story: 2011106
Task: 50747

Change-Id: I13deb83f2e8b602fd8d733b999cf579d4db05034
Signed-off-by: Victor Romano <victor.gluzromano@windriver.com>
This commit is contained in:
Victor Romano 2024-07-31 11:41:01 -03:00
parent 94dc8854c5
commit 699a149e70
3 changed files with 31 additions and 38 deletions
modules/puppet-dcagent/src/dcagent/manifests/keystone
puppet-manifests/src/modules
openstack/manifests
platform/manifests

@ -22,7 +22,7 @@ class dcagent::keystone::auth (
$service_description = 'DCAgent service',
$service_name = 'dcagent',
$service_type = 'dcagent',
$configure_endpoint = false,
$configure_endpoint = true,
$configure_user = true,
$configure_user_role = true,
$public_url = 'http://127.0.0.1:8325/v1',
@ -33,37 +33,34 @@ class dcagent::keystone::auth (
$real_service_name = pick($service_name, $auth_name)
$should_configure_endpoint = $distributed_cloud_role ? {
'subcloud' => true,
default => $configure_endpoint,
}
if $distributed_cloud_role == 'subcloud' {
keystone::resource::service_identity { 'dcagent':
configure_user => $configure_user,
configure_user_role => $configure_user_role,
configure_endpoint => $configure_endpoint,
service_type => $service_type,
service_description => $service_description,
service_name => $real_service_name,
region => $region,
auth_name => $auth_name,
password => $password,
email => $email,
tenant => $tenant,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
}
keystone::resource::service_identity { 'dcagent':
configure_user => $configure_user,
configure_user_role => $configure_user_role,
configure_endpoint => $should_configure_endpoint,
service_type => $service_type,
service_description => $service_description,
service_name => $real_service_name,
region => $region,
auth_name => $auth_name,
password => $password,
email => $email,
tenant => $tenant,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
}
# dcagent is a private service only used by dcmanager-audit and dcorch,
# its API is not exposed for public access.
-> exec { 'Delete dcagent public endpoint':
path => '/usr/bin',
command => @("CMD"/L),
/bin/sh -c 'source /etc/platform/openrc && \
openstack endpoint list --service dcagent --interface public --format value -c ID | \
xargs --no-run-if-empty openstack endpoint delete'
| CMD
logoutput => true,
# dcagent is a private service only used by dcmanager-audit and dcorch,
# its API is not exposed for public access.
-> exec { 'Delete dcagent public endpoint':
path => '/usr/bin',
command => @("CMD"/L),
/bin/sh -c 'source /etc/platform/openrc && \
openstack endpoint list --service dcagent --interface public --format value -c ID | \
xargs --no-run-if-empty openstack endpoint delete'
| CMD
logoutput => true,
}
}
}

@ -315,7 +315,6 @@ class openstack::keystone::endpoint::runtime {
include ::dcorch::keystone::auth
include ::dcmanager::keystone::auth
include ::dcdbsync::keystone::auth
include ::dcagent::keystone::auth
}
if $::platform::params::distributed_cloud_role == 'subcloud' {
@ -403,16 +402,14 @@ class openstack::keystone::endpoint::reconfig
if $::platform::params::distributed_cloud_role =='systemcontroller' {
Keystone_endpoint["${region}/dcmanager::dcmanager"] -> Keystone_endpoint["${region}/sysinv::platform"]
Keystone_endpoint["${region}/dcdbsync::dcorch-dbsync"] -> Keystone_endpoint["${region}/sysinv::platform"]
Keystone_endpoint["${region}/dcagent::dcagent"] -> Keystone_endpoint["${region}/sysinv::platform"]
include ::dcorch::keystone::auth
include ::dcmanager::keystone::auth
include ::dcdbsync::keystone::auth
include ::dcagent::keystone::auth
}
if $::platform::params::distributed_cloud_role == 'subcloud' {
Keystone_endpoint["${region}/dcdbsync::dcorch-dbsync"] -> Keystone_endpoint["${region}/sysinv::platform"]
Keystone_endpoint["${region}/dcagent"] -> Keystone_endpoint["${region}/sysinv::platform"]
Keystone_endpoint["${region}/dcagent::dcagent"] -> Keystone_endpoint["${region}/sysinv::platform"]
include ::dcdbsync::keystone::auth
include ::dcagent::keystone::auth
}

@ -10,8 +10,7 @@ class platform::dcagent::params (
class platform::dcagent
inherits ::platform::dcagent::params {
if ($::platform::params::distributed_cloud_role == 'subcloud' or
$::platform::params::distributed_cloud_role == 'systemcontroller') {
if ($::platform::params::distributed_cloud_role == 'subcloud') {
if $service_create {
if $::platform::params::init_keystone {
include ::dcagent::keystone::auth