From f3cc3522b6ef733a62f446f0676d214c56529f75 Mon Sep 17 00:00:00 2001 From: Victor Romano Date: Tue, 9 Jul 2024 00:25:19 -0300 Subject: [PATCH] Add puppet-dcagent module and implementation This commit adds a new module puppet-dcagent and make the necessary changes to implement it. The dcagent ports are: Internal API port: 8325 Admin API port: 8326 Notes: - Since this new service will be used internally by dcmanager and dcorch only, no public port was created. - The sysinv change in [1] is used to enable this puppet code, so testing was done with it applied as well. [1]: https://review.opendev.org/c/starlingx/config/+/923697 Test plan: - PASS: Bootstrap and unlock a subcloud. Verify that the endpoints were correctly configured, the dcagent.conf file has all necessary information and haproxy.conf includes the dcagent entry. - PASS: Launch the service and verify dcmanager can audit the subcloud with dcagent. - PASS: Bootstrap and unlock a system controller. Verify the Keystone user and service for dcagent were created without creating any endpoints. - PASS: Run 'sm-restart service dcagent-api' and verify the dcagent was correctly restarted and service is working as expected. - PASS: Induce a failure in dcagent code. Verify sm correctly restarts the service until the failure is corrected. Depends-On: https://review.opendev.org/c/starlingx/distcloud/+/923752 Depends-On: https://review.opendev.org/c/starlingx/ha/+/923698 Story: 2011106 Task: 50561 Change-Id: Ie851b9926159702d5a72daa0aa015330f8b11664 
Signed-off-by: Victor Romano --- modules/puppet-dcagent/PKG_INFO | 2 + .../debian/deb_folder/README.Debian | 8 + .../debian/deb_folder/changelog | 5 + .../puppet-dcagent/debian/deb_folder/control | 18 ++ .../debian/deb_folder/copyright | 42 ++++ .../debian/deb_folder/puppet-dcagent.install | 1 + .../debian/deb_folder/puppet-dcagent.postinst | 12 ++ .../debian/deb_folder/puppet-dcagent.postrm | 12 ++ .../debian/deb_folder/puppet-dcagent.prerm | 12 ++ .../puppet-dcagent/debian/deb_folder/rules | 16 ++ .../debian/deb_folder/source/format | 1 + modules/puppet-dcagent/debian/meta_data.yaml | 9 + modules/puppet-dcagent/src/LICENSE | 201 ++++++++++++++++++ modules/puppet-dcagent/src/Makefile | 11 + .../provider/dcagent_config/ini_setting.rb | 37 ++++ .../dcagent/lib/puppet/type/dcagent_config.rb | 52 +++++ .../src/dcagent/manifests/api.pp | 195 +++++++++++++++++ .../src/dcagent/manifests/init.pp | 71 +++++++ .../src/dcagent/manifests/keystone/auth.pp | 69 ++++++ .../src/dcagent/manifests/params.pp | 23 ++ .../src/dcdbsync/manifests/keystone/auth.pp | 2 +- .../src/hieradata/controller.yaml | 5 + puppet-manifests/src/manifests/aio.pp | 3 + puppet-manifests/src/manifests/controller.pp | 3 + .../modules/openstack/manifests/keystone.pp | 6 + .../templates/keystone-policy.json.erb | 3 +- .../src/modules/platform/manifests/dcagent.pp | 90 ++++++++ .../src/modules/platform/manifests/haproxy.pp | 3 + .../src/modules/platform/manifests/sm.pp | 6 + 29 files changed, 916 insertions(+), 2 deletions(-) create mode 100644 modules/puppet-dcagent/PKG_INFO create mode 100644 modules/puppet-dcagent/debian/deb_folder/README.Debian create mode 100644 modules/puppet-dcagent/debian/deb_folder/changelog create mode 100644 modules/puppet-dcagent/debian/deb_folder/control create mode 100644 modules/puppet-dcagent/debian/deb_folder/copyright create mode 100644 modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.install create mode 100755 
modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.postinst create mode 100755 modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.postrm create mode 100755 modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.prerm create mode 100755 modules/puppet-dcagent/debian/deb_folder/rules create mode 100644 modules/puppet-dcagent/debian/deb_folder/source/format create mode 100644 modules/puppet-dcagent/debian/meta_data.yaml create mode 100644 modules/puppet-dcagent/src/LICENSE create mode 100644 modules/puppet-dcagent/src/Makefile create mode 100644 modules/puppet-dcagent/src/dcagent/lib/puppet/provider/dcagent_config/ini_setting.rb create mode 100644 modules/puppet-dcagent/src/dcagent/lib/puppet/type/dcagent_config.rb create mode 100644 modules/puppet-dcagent/src/dcagent/manifests/api.pp create mode 100644 modules/puppet-dcagent/src/dcagent/manifests/init.pp create mode 100644 modules/puppet-dcagent/src/dcagent/manifests/keystone/auth.pp create mode 100644 modules/puppet-dcagent/src/dcagent/manifests/params.pp create mode 100644 puppet-manifests/src/modules/platform/manifests/dcagent.pp diff --git a/modules/puppet-dcagent/PKG_INFO b/modules/puppet-dcagent/PKG_INFO new file mode 100644 index 000000000..ab3e9b2d5 --- /dev/null +++ b/modules/puppet-dcagent/PKG_INFO @@ -0,0 +1,2 @@ +Name: puppet-dcagent +Version: 1.0.0 diff --git a/modules/puppet-dcagent/debian/deb_folder/README.Debian b/modules/puppet-dcagent/debian/deb_folder/README.Debian new file mode 100644 index 000000000..6e077b69c --- /dev/null +++ b/modules/puppet-dcagent/debian/deb_folder/README.Debian 
@@ -0,0 +1,8 @@
+This package contains a module for use by puppet. It is
+automatically added to the module load path of puppet's default
+environment, and should be ready for use.
+
+You can use "update-alternatives --config puppet-module-starlingx-dcagent""
+to configure which module should appear in the module path of the
+default puppet environment, in case multiple modules which provide
+the same name are installed.
diff --git a/modules/puppet-dcagent/debian/deb_folder/changelog b/modules/puppet-dcagent/debian/deb_folder/changelog
new file mode 100644
index 000000000..d7c495602
--- /dev/null
+++ b/modules/puppet-dcagent/debian/deb_folder/changelog
@@ -0,0 +1,5 @@
+puppet-dcagent (1.0.0-1) unstable; urgency=medium
+
+ * Initial release.
+
+ -- Victor Romano Mon, 08 Jul 2024 14:40:03 -0300
diff --git a/modules/puppet-dcagent/debian/deb_folder/control b/modules/puppet-dcagent/debian/deb_folder/control
new file mode 100644
index 000000000..35ee7280e
--- /dev/null
+++ b/modules/puppet-dcagent/debian/deb_folder/control
@@ -0,0 +1,18 @@
+Source: puppet-dcagemt
+Section: admin
+Priority: optional
+Maintainer: StarlingX Developers
+Build-Depends: debhelper-compat (= 13)
+Standards-Version: 4.4.1
+Homepage: https://www.starlingx.io
+
+Package: puppet-dcagent
+Architecture: all
+Depends: puppet, ${misc:Depends}
+Description: Puppet module for StarlingX dcagent
+ Puppet lets you centrally manage every important aspect of your system using a
+ cross-platform specification language that manages all the separate elements
+ normally aggregated in different files, like users, cron jobs, and hosts,
+ along with obviously discrete elements like packages, services, and files.
+ .
+ This module manages both the installation and configuration of dcagent.
diff --git a/modules/puppet-dcagent/debian/deb_folder/copyright b/modules/puppet-dcagent/debian/deb_folder/copyright
new file mode 100644
index 000000000..266afbd17
--- /dev/null
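Review bot: `Source: puppet-dcagemt` in the new debian control file is misspelled; the changelog added in this same commit names the source package `puppet-dcagent`, and Debian build tooling expects the two to agree, so this is likely to break the source build or produce a mis-named source package. The line should read `Source: puppet-dcagent`.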
+++ b/modules/puppet-dcagent/debian/deb_folder/copyright @@ -0,0 +1,42 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: stx-puppet +Source: https://opendev.org/starlingx/stx-puppet + +Files: * +Copyright: (c) 2013-2024 Wind River Systems, Inc + Others (See individual files for more details) +License: Apache-2 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + https://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian-based systems the full text of the Apache version 2.0 license + can be found in `/usr/share/common-licenses/Apache-2.0'. + +# If you want to use GPL v2 or later for the /debian/* files use +# the following clauses, or change it to suit. Delete these two lines +Files: debian/* +Copyright: 2024 Wind River Systems, Inc +License: Apache-2 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + https://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian-based systems the full text of the Apache version 2.0 license + can be found in `/usr/share/common-licenses/Apache-2.0'. 
diff --git a/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.install b/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.install
new file mode 100644
index 000000000..0ac26dacf
--- /dev/null
+++ b/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.install
@@ -0,0 +1 @@
+usr/share/puppet/modules.available/dcagent
diff --git a/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.postinst b/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.postinst
new file mode 100755
index 000000000..e80e93302
--- /dev/null
+++ b/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.postinst
@@ -0,0 +1,12 @@
+#1/bin/sh
+
+set -e
+
+if [ "${1}" = "configure" ] ; then
+ update-alternatives --install /usr/share/puppet/modules/dcagent \
+ puppet-module-starlingx-dcagent /usr/share/puppet/modules.available/dcagent 500
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.postrm b/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.postrm
new file mode 100755
index 000000000..71965d5bb
--- /dev/null
+++ b/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.postrm
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+if [ "${1}" = "remove" ] || [ "${1}" = "disappear" ]; then
+ update-alternatives --remove puppet-module-starlingx-dcagent \
+ /usr/share/puppet/modules.available/dcagent
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.prerm b/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.prerm
new file mode 100755
index 000000000..1525f0d1f
--- /dev/null
+++ b/modules/puppet-dcagent/debian/deb_folder/puppet-dcagent.prerm
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+if [ "${1}" = "remove" ] || [ "${1}" = "upgrade" ] || [ "${1}" = "deconfigure" ] ; then
+ update-alternatives --remove puppet-module-starlingx-dcagent \
+ /usr/share/puppet/modules.available/dcagent
+fi
+
+#DEBHELPER#
+
+exit 0
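Review bot: The first line of the new puppet-dcagent.postinst is `#1/bin/sh`, which is an ordinary comment rather than an interpreter line; it should be `#!/bin/sh`, as in the postrm and prerm added next to it. Without a valid shebang the maintainer script is likely to fail when dpkg executes it, so the `update-alternatives --install` step that links the module into `/usr/share/puppet/modules/dcagent` would either not run or leave the package unconfigured.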
diff --git a/modules/puppet-dcagent/debian/deb_folder/rules b/modules/puppet-dcagent/debian/deb_folder/rules new file mode 100755 index 000000000..8e3cfffdc --- /dev/null +++ b/modules/puppet-dcagent/debian/deb_folder/rules @@ -0,0 +1,16 @@ +#!/usr/bin/make -f +#export DH_VERBOSE = 1 + +DEBIAN_DIR := ${CURDIR}/debian/tmp + +%: + dh $@ + +override_dh_auto_build: + echo "Do nothing" + +override_dh_auto_clean: + echo "Do nothing" + +override_dh_auto_install: + $(MAKE) install MODULEDIR=$(DEBIAN_DIR)/usr/share/puppet/modules.available diff --git a/modules/puppet-dcagent/debian/deb_folder/source/format b/modules/puppet-dcagent/debian/deb_folder/source/format new file mode 100644 index 000000000..163aaf8d8 --- /dev/null +++ b/modules/puppet-dcagent/debian/deb_folder/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/modules/puppet-dcagent/debian/meta_data.yaml b/modules/puppet-dcagent/debian/meta_data.yaml new file mode 100644 index 000000000..055cfa6c3 --- /dev/null +++ b/modules/puppet-dcagent/debian/meta_data.yaml @@ -0,0 +1,9 @@ +--- +debname: puppet-dcagent +debver: 1.0.0-1 +src_path: src +revision: + dist: $STX_DIST + PKG_GITREVCOUNT: true + SRC_GITREVCOUNT: + SRC_BASE_SRCREV: 727ad5d6d22a63924d97391697ef337a8ca3f2b2 diff --git a/modules/puppet-dcagent/src/LICENSE b/modules/puppet-dcagent/src/LICENSE new file mode 100644 index 000000000..8d968b6cb --- /dev/null +++ b/modules/puppet-dcagent/src/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/modules/puppet-dcagent/src/Makefile b/modules/puppet-dcagent/src/Makefile new file mode 100644 index 000000000..9df903534 --- /dev/null +++ b/modules/puppet-dcagent/src/Makefile @@ -0,0 +1,11 @@ +# +# Copyright (c) 2024 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# + +MODULEDIR ?= /usr/share/puppet/modules + +install: + install -d -m 0755 $(MODULEDIR)/dcagent + cp -R dcagent/ $(MODULEDIR)/ diff --git a/modules/puppet-dcagent/src/dcagent/lib/puppet/provider/dcagent_config/ini_setting.rb b/modules/puppet-dcagent/src/dcagent/lib/puppet/provider/dcagent_config/ini_setting.rb new file mode 100644 index 000000000..3d6f0402c --- /dev/null +++ b/modules/puppet-dcagent/src/dcagent/lib/puppet/provider/dcagent_config/ini_setting.rb 
@@ -0,0 +1,37 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Jul 2024 Creation based off puppet-dcdbsync
+#
+
+Puppet::Type.type(:dcagent_config).provide(
+ :ini_setting,
+ :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+ def section
+ resource[:name].split('/', 2).first
+ end
+
+ def setting
+ resource[:name].split('/', 2).last
+ end
+
+ def separator
+ '='
+ end
+
+ def self.file_path
+ '/etc/dcagent/dcagent.conf'
+ end
+
+ # added for backwards compatibility with older versions of inifile
+ def file_path
+ self.class.file_path
+ end
+
+end
diff --git a/modules/puppet-dcagent/src/dcagent/lib/puppet/type/dcagent_config.rb b/modules/puppet-dcagent/src/dcagent/lib/puppet/type/dcagent_config.rb
new file mode 100644
index 000000000..b639a82eb
--- /dev/null
+++ b/modules/puppet-dcagent/src/dcagent/lib/puppet/type/dcagent_config.rb
@@ -0,0 +1,52 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Jul 2024 Creation based off puppet-dcdbsync
+#
+
+Puppet::Type.newtype(:dcagent_config) do
+
+ ensurable
+
+ newparam(:name, :namevar => true) do
+ desc 'Section/setting name to manage from /etc/dcagent/dcagent.conf'
+ newvalues(/\S+\/\S+/)
+ end
+
+ newproperty(:value) do
+ desc 'The value of the setting to be defined.'
+ munge do |value|
+ value = value.to_s.strip
+ value.capitalize! if value =~ /^(true|false)$/i
+ value
+ end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
+end
diff --git a/modules/puppet-dcagent/src/dcagent/manifests/api.pp b/modules/puppet-dcagent/src/dcagent/manifests/api.pp
new file mode 100644
index 000000000..3dcfd6593
--- /dev/null
+++ b/modules/puppet-dcagent/src/dcagent/manifests/api.pp
@@ -0,0 +1,195 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# == Class: dcagent::api
+#
+# Setup and configure the dcagent API endpoint
+#
+# === Parameters
+#
+# [*keystone_password*]
+# The password to use for authentication (keystone)
+#
+# [*keystone_enabled*]
+# (optional) Use keystone for authentification
+# Defaults to true
+#
+# [*keystone_tenant*]
+# (optional) The tenant of the auth user
+# Defaults to services
+#
+# [*keystone_user*]
+# (optional) The name of the auth user
+# Defaults to dcagent
+#
+# [*keystone_auth_host*]
+# (optional) The keystone host
+# Defaults to localhost
+#
+# [*keystone_auth_port*]
+# (optional) The keystone auth port
+# Defaults to 5000
+#
+# [*keystone_auth_protocol*]
+# (optional) The protocol used to access the auth host
+# Defaults to http.
+#
+# [*keystone_auth_admin_prefix*]
+# (optional) The admin_prefix used to admin endpoint of the auth host
+# This allow admin auth URIs like http://auth_host:5000/keystone.
+# (where '/keystone' is the admin prefix)
+# Defaults to false for empty. If defined, should be a string with a
+# leading '/' and no trailing '/'.
+#
+# [*keystone_user_domain*]
+# (Optional) domain name for auth user.
+# Defaults to 'Default'.
+#
+# [*keystone_project_domain*]
+# (Optional) domain name for auth project.
+# Defaults to 'Default'.
+#
+# [*auth_type*]
+# (Optional) Authentication type to load.
+# Defaults to 'password'.
+#
+# [*bind_port*]
+# (optional) The dcagent api port
+# Defaults to 8325
+#
+# [*package_ensure*]
+# (optional) The state of the package
+# Defaults to present
+#
+# [*bind_host*]
+# (optional) The dcagent api bind address
+# Defaults to 0.0.0.0
+#
+# [*enabled*]
+# (optional) The state of the service
+# Defaults to true
+#
+class dcagent::api (
+ $keystone_password,
+ $keystone_enabled = true,
+ $keystone_tenant = 'services',
+ $keystone_user = 'dcagent',
+ $keystone_auth_host = 'localhost',
+ $keystone_auth_port = '5000',
+ $keystone_auth_protocol = 'http',
+ $keystone_auth_admin_prefix = false,
+ $keystone_auth_uri = false,
+ $keystone_auth_version = false,
+ $keystone_identity_uri = false,
+ $keystone_user_domain = 'Default',
+ $keystone_project_domain = 'Default',
+ $keystone_http_connect_timeout = '15',
+ $auth_type = 'password',
+ $package_ensure = 'latest',
+ $bind_host = '0.0.0.0',
+ $bind_port = 8325,
+ $enabled = false
+) {
+
+ include dcagent::params
+
+ Dcagent_config<||> ~> Service['dcagent-audit']
+
+ if $::dcagent::params::api_package {
+ Package['dcagent-audit'] -> Dcagent_config<||>
+ Package['dcagent-audit'] -> Service['dcagent-audit']
+ package { 'dcagent-audit':
+ ensure => $package_ensure,
+ name => $::dcagent::params::api_package,
+ }
+ }
+
+ dcagent_config {
+ 'DEFAULT/bind_host': value => $bind_host;
+ 'DEFAULT/bind_port': value => $bind_port;
+ }
+
+ if $keystone_identity_uri {
+ dcagent_config { 'keystone_authtoken/auth_url': value => $keystone_identity_uri; }
+ dcagent_config { 'cache/auth_uri': value => "${keystone_identity_uri}/v3"; }
+ dcagent_config { 'endpoint_cache/auth_uri': value => "${keystone_identity_uri}/v3"; }
+ } else {
+ dcagent_config { 'keystone_authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/v3"; }
+ }
+
+ if $keystone_auth_uri {
+ dcagent_config { 'keystone_authtoken/auth_uri': value => $keystone_auth_uri; }
+ } else {
+ dcagent_config {
+ 'keystone_authtoken/auth_uri': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/v3";
+ }
+ }
+
+ if $keystone_auth_version {
+ dcagent_config { 'keystone_authtoken/auth_version': value => $keystone_auth_version; }
+ } else {
+ dcagent_config { 'keystone_authtoken/auth_version': ensure => absent; }
+ }
+
+ if $keystone_enabled {
+ dcagent_config {
+ 'DEFAULT/auth_strategy': value => 'keystone' ;
+ }
+ dcagent_config {
+ 'keystone_authtoken/auth_type': value => $auth_type;
+ 'keystone_authtoken/project_name': value => $keystone_tenant;
+ 'keystone_authtoken/username': value => $keystone_user;
+ 'keystone_authtoken/password': value => $keystone_password, secret=> true;
+ 'keystone_authtoken/user_domain_name': value => $keystone_user_domain;
+ 'keystone_authtoken/project_domain_name': value => $keystone_project_domain;
+ }
+
+ dcagent_config {
+ 'endpoint_cache/auth_plugin': value => $auth_type;
+ 'endpoint_cache/username': value => $keystone_user;
+ 'endpoint_cache/password': value => $keystone_password, secret=> true;
+ 'endpoint_cache/project_name': value => $keystone_tenant;
+ 'endpoint_cache/user_domain_name': value => $keystone_user_domain;
+ 'endpoint_cache/project_domain_name': value => $keystone_project_domain;
+ 'endpoint_cache/http_connect_timeout': value => $keystone_http_connect_timeout;
+ }
+
+ if $keystone_auth_admin_prefix {
+ validate_re($keystone_auth_admin_prefix, '^(/.+[^/])?$')
+ dcagent_config {
+ 'keystone_authtoken/auth_admin_prefix': value => $keystone_auth_admin_prefix;
+ }
+ } else {
+ dcagent_config {
+ 'keystone_authtoken/auth_admin_prefix': ensure => absent;
+ }
+ }
+ }
+ else
+ {
+ dcagent_config {
+ 'DEFAULT/auth_strategy': value => 'noauth' ;
+ }
+ }
+
+ if $enabled {
+ $ensure = 'running'
+ } else {
+ $ensure = 'stopped'
+ }
+
+ service { 'dcagent-audit':
+ ensure => $ensure,
+ name => $::dcagent::params::api_service,
+ enable => $enabled,
+ hasstatus => true,
+ hasrestart => true,
+ tag => 'dcagent-audit',
+ }
+ Keystone_endpoint<||> -> Service['dcagent-audit']
+}
diff --git a/modules/puppet-dcagent/src/dcagent/manifests/init.pp b/modules/puppet-dcagent/src/dcagent/manifests/init.pp
new file mode 100644
index 000000000..e9fa83a49
--- /dev/null
+++ b/modules/puppet-dcagent/src/dcagent/manifests/init.pp
@@ -0,0 +1,71 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Jul 2024 Creation based off puppet-dcdbsync
+#
+
+#
+# == Parameters
+#
+# [use_syslog]
+# Use syslog for logging.
+# (Optional) Defaults to false.
+#
+# [log_facility]
+# Syslog facility to receive log lines.
+# (Optional) Defaults to LOG_USER.
+
+class dcagent (
+ $package_ensure = 'present',
+ $use_stderr = false,
+ $log_file = 'dcagent.log',
+ $log_dir = '/var/log/dcagent',
+ $use_syslog = false,
+ $log_facility = 'LOG_USER',
+ $verbose = false,
+ $debug = false,
+ $region_name = 'RegionOne',
+) {
+
+ include dcagent::params
+
+ Package['dcagent'] -> Dcagent_config<||>
+
+ package { 'dcagent':
+ ensure => $package_ensure,
+ name => $::dcagent::params::package_name,
+ }
+
+ file { $::dcagent::params::conf_file:
+ ensure => present,
+ mode => '0600',
+ require => Package['dcagent'],
+ }
+
+ dcagent_config {
+ 'DEFAULT/verbose': value => $verbose;
+ 'DEFAULT/debug': value => $debug;
+ }
+
+ if $use_syslog {
+ dcagent_config {
+ 'DEFAULT/use_syslog': value => true;
+ 'DEFAULT/syslog_log_facility': value => $log_facility;
+ }
+ } else {
+ dcagent_config {
+ 'DEFAULT/use_syslog': value => false;
+ 'DEFAULT/use_stderr': value => false;
+ 'DEFAULT/log_file' : value => $log_file;
+ 'DEFAULT/log_dir' : value => $log_dir;
+ }
+ }
+
+ dcagent_config {
+ 'keystone_authtoken/region_name': value => $region_name;
+ }
+}
diff --git a/modules/puppet-dcagent/src/dcagent/manifests/keystone/auth.pp b/modules/puppet-dcagent/src/dcagent/manifests/keystone/auth.pp
new file mode 100644
index 000000000..a84a9aec3
--- /dev/null
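Review bot: The `keystone_auth_port` parameter of `dcagent::api` is declared and documented but never used: both fallback URLs (`keystone_authtoken/auth_url` and `keystone_authtoken/auth_uri`) hard-code `:5000`, so a caller who overrides the port is silently ignored; build them as `"${keystone_auth_protocol}://${keystone_auth_host}:${keystone_auth_port}/v3"`. The header comment also disagrees with the code on two defaults (`enabled` is documented as true but defaults to `false`, `package_ensure` as present but defaults to `'latest'`), and `keystone_auth_uri`, `keystone_auth_version`, `keystone_identity_uri` and `keystone_http_connect_timeout` are not documented at all. Since the commit message describes dcagent as internal-only, the `0.0.0.0` default for `bind_host`, the `http` default for `keystone_auth_protocol` and the `noauth` branch deserve a comment stating that they are expected to be overridden, presumably by the platform manifest, which is outside this hunk.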
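Review bot: Nothing in class `dcagent` orders the `file { $::dcagent::params::conf_file: ... mode => '0600' }` resource before the `Dcagent_config` resources, so if the package does not ship the file, the ini_setting provider may create `/etc/dcagent/dcagent.conf` with default permissions and write the Keystone password into it (set by `dcagent::api`) before the mode is tightened. Adding `File[$::dcagent::params::conf_file] -> Dcagent_config<||>` and explicit `owner`/`group` attributes on the file resource would close that window. Separately, `$use_stderr` is accepted but `DEFAULT/use_stderr` is hard-coded to `false`, and `package_ensure`, `log_file`, `log_dir`, `verbose`, `debug` and `region_name` are missing from the parameter documentation.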
+++ b/modules/puppet-dcagent/src/dcagent/manifests/keystone/auth.pp 
@@ -0,0 +1,69 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Jul 2024: creation
+#
+
+# == Class: dcagent::keystone::auth
+#
+# Configures dcagent user, service and endpoint in Keystone.
+#
+class dcagent::keystone::auth (
+ $password,
+ $auth_domain,
+ $auth_name = 'dcagent',
+ $email = 'dcagent@localhost',
+ $tenant = 'services',
+ $region = 'RegionOne',
+ $service_description = 'DCAgent service',
+ $service_name = 'dcagent',
+ $service_type = 'dcagent',
+ $configure_endpoint = false,
+ $configure_user = true,
+ $configure_user_role = true,
+ $public_url = 'http://127.0.0.1:8325/v1',
+ $admin_url = 'http://127.0.0.1:8325/v1',
+ $internal_url = 'http://127.0.0.1:8325/v1',
+ $distributed_cloud_role = 'none',
+) {
+
+ $real_service_name = pick($service_name, $auth_name)
+
+ $should_configure_endpoint = $distributed_cloud_role ? {
+ 'subcloud' => true,
+ default => $configure_endpoint,
+ }
+
+ keystone::resource::service_identity { 'dcagent':
+ configure_user => $configure_user,
+ configure_user_role => $configure_user_role,
+ configure_endpoint => $should_configure_endpoint,
+ service_type => $service_type,
+ service_description => $service_description,
+ service_name => $real_service_name,
+ region => $region,
+ auth_name => $auth_name,
+ password => $password,
+ email => $email,
+ tenant => $tenant,
+ public_url => $public_url,
+ admin_url => $admin_url,
+ internal_url => $internal_url,
+ }
+
+ # dcagent is a private service only used by dcmanager-audit and dcorch,
+ # its API is not exposed for public access.
+ -> exec { 'Delete dcagent public endpoint':
+ path => '/usr/bin',
+ command => @("CMD"/L),
+ /bin/sh -c 'source /etc/platform/openrc && \
+ openstack endpoint list --service dcagent --interface public --format value -c ID | \
+ xargs --no-run-if-empty openstack endpoint delete'
+ | CMD
+ logoutput => true,
+ }
+}
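Review bot: The `Delete dcagent public endpoint` exec can succeed without deleting anything, because the status of `openstack endpoint list ... | xargs --no-run-if-empty openstack endpoint delete` is that of `xargs`: if the listing fails (expired credentials, Keystone unreachable) `xargs` sees empty input and exits 0. For a service the comment describes as not exposed publicly, a failed listing should fail the exec; capture the IDs first and abort on error, e.g. `ids=$(openstack endpoint list --service dcagent --interface public --format value -c ID) || exit 1` before the delete, and switch the heredoc tag to the non-interpolating `@(CMD/L)` so Puppet leaves `$ids` to the shell. The exec also has no `unless`/`onlyif`, so it sources the admin openrc and reports a change on every apply. `$auth_domain` is a required parameter that the class body never reads.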
diff --git a/modules/puppet-dcagent/src/dcagent/manifests/params.pp b/modules/puppet-dcagent/src/dcagent/manifests/params.pp new file mode 100644 index 000000000..95ea1bc55 --- /dev/null +++ b/modules/puppet-dcagent/src/dcagent/manifests/params.pp @@ -0,0 +1,23 @@ +# +# Files in this package are licensed under Apache; see LICENSE file. +# +# Copyright (c) 2024 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# + +class dcagent::params { + + $conf_dir = '/etc/dcagent' + $conf_file = '/etc/dcagent/dcagent.conf' + + if $::osfamily == 'Debian' { + $package_name = 'distributedcloud-dcagent' + $api_package = false + $api_service = 'dcagent-api' + + } else { + fail("Unsupported osfamily ${::osfamily}") + } +} diff --git a/modules/puppet-dcdbsync/src/dcdbsync/manifests/keystone/auth.pp b/modules/puppet-dcdbsync/src/dcdbsync/manifests/keystone/auth.pp index d41c4bfa7..61b2b4c0a 100644 --- a/modules/puppet-dcdbsync/src/dcdbsync/manifests/keystone/auth.pp +++ b/modules/puppet-dcdbsync/src/dcdbsync/manifests/keystone/auth.pp @@ -51,7 +51,7 @@ class dcdbsync::keystone::auth ( # dcdbsync is a private service only used by dcorch, # its API is not exposed for public access. - -> exec { 'Delete public endpoint': + -> exec { 'Delete dcdbsync public endpoint': path => '/usr/bin', command => @("CMD"/L), /bin/sh -c 'source /etc/platform/openrc && \ diff --git a/puppet-manifests/src/hieradata/controller.yaml b/puppet-manifests/src/hieradata/controller.yaml index b008ec945..d5cb0f128 100644 --- a/puppet-manifests/src/hieradata/controller.yaml +++ b/puppet-manifests/src/hieradata/controller.yaml @@ -207,6 +207,11 @@ dcmanager::use_syslog: true dcmanager::log_facility: 'local4' dcmanager::debug: false +# Dcagent +dcagent::use_syslog: true +dcagent::log_facility: 'local4' +dcagent::debug: false + # Dcdbsync instance for platform services dcdbsync::use_syslog: true dcdbsync::log_facility: 'local4' 
diff --git a/puppet-manifests/src/manifests/aio.pp b/puppet-manifests/src/manifests/aio.pp index ae83a22e8..99d8b0a79 100644 --- a/puppet-manifests/src/manifests/aio.pp +++ b/puppet-manifests/src/manifests/aio.pp @@ -97,6 +97,9 @@ include ::platform::certalarm include ::platform::dcdbsync include ::platform::dcdbsync::api +include ::platform::dcagent +include ::platform::dcagent::api + include ::platform::smapi include ::openstack::barbican diff --git a/puppet-manifests/src/manifests/controller.pp b/puppet-manifests/src/manifests/controller.pp index 336f43fce..3b5c0cf84 100644 --- a/puppet-manifests/src/manifests/controller.pp +++ b/puppet-manifests/src/manifests/controller.pp @@ -108,6 +108,9 @@ include ::platform::certalarm include ::platform::dcdbsync include ::platform::dcdbsync::api +include ::platform::dcagent +include ::platform::dcagent::api + include ::platform::smapi include ::openstack::barbican diff --git a/puppet-manifests/src/modules/openstack/manifests/keystone.pp b/puppet-manifests/src/modules/openstack/manifests/keystone.pp index 82a92816d..48adbc5e2 100644 --- a/puppet-manifests/src/modules/openstack/manifests/keystone.pp +++ b/puppet-manifests/src/modules/openstack/manifests/keystone.pp @@ -315,10 +315,12 @@ class openstack::keystone::endpoint::runtime { include ::dcorch::keystone::auth include ::dcmanager::keystone::auth include ::dcdbsync::keystone::auth + include ::dcagent::keystone::auth } if $::platform::params::distributed_cloud_role == 'subcloud' { include ::dcdbsync::keystone::auth + include ::dcagent::keystone::auth } include ::smapi::keystone::auth 
@@ -401,14 +403,18 @@ class openstack::keystone::endpoint::reconfig if $::platform::params::distributed_cloud_role =='systemcontroller' { Keystone_endpoint["${region}/dcmanager::dcmanager"] -> Keystone_endpoint["${region}/sysinv::platform"] Keystone_endpoint["${region}/dcdbsync::dcorch-dbsync"] -> Keystone_endpoint["${region}/sysinv::platform"] + Keystone_endpoint["${region}/dcagent::dcagent"] -> Keystone_endpoint["${region}/sysinv::platform"] include ::dcorch::keystone::auth include ::dcmanager::keystone::auth include ::dcdbsync::keystone::auth + include ::dcagent::keystone::auth } if $::platform::params::distributed_cloud_role == 'subcloud' { Keystone_endpoint["${region}/dcdbsync::dcorch-dbsync"] -> Keystone_endpoint["${region}/sysinv::platform"] + Keystone_endpoint["${region}/dcagent"] -> Keystone_endpoint["${region}/sysinv::platform"] include ::dcdbsync::keystone::auth + include ::dcagent::keystone::auth } include ::smapi::keystone::auth include ::sysinv::keystone::auth diff --git a/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb b/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb index 3b9b24580..4038382c9 100644 --- a/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb +++ b/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb @@ -17,7 +17,8 @@ ["'sysinv':%(target.user.name)s"], ["'mtce':%(target.user.name)s"], ["'fm':%(target.user.name)s"], - ["'dcdbsync':%(target.user.name)s"]], + ["'dcdbsync':%(target.user.name)s"], + ["'dcagent':%(target.user.name)s"]], "identity:delete_service": "rule:admin_required and not rule:protected_services", diff --git a/puppet-manifests/src/modules/platform/manifests/dcagent.pp b/puppet-manifests/src/modules/platform/manifests/dcagent.pp new file mode 100644 index 000000000..b88b1a8d7 --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/dcagent.pp 
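Review bot: The two ordering lines added to `openstack::keystone::endpoint::reconfig` name the dcagent endpoint differently: the systemcontroller branch uses `Keystone_endpoint["${region}/dcagent::dcagent"]` while the subcloud branch uses `Keystone_endpoint["${region}/dcagent"]`. The neighbouring dcdbsync lines use the same `name::type` title in both branches, so the subcloud reference looks like a typo that may not resolve to the resource declared through `dcagent::keystone::auth`; suggest `Keystone_endpoint["${region}/dcagent::dcagent"] -> Keystone_endpoint["${region}/sysinv::platform"]` there as well. Separately, `dcagent::keystone::auth` only enables the endpoint when `distributed_cloud_role` is `'subcloud'` or `configure_endpoint` is set, so the systemcontroller ordering may reference an endpoint that is never declared; this is worth confirming against the hieradata, which the hunk does not show. The class body starts and ends outside the hunk.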
@@ -0,0 +1,90 @@
+class platform::dcagent::params (
+ $api_port = 8325,
+ $region_name = undef,
+ $service_create = false,
+ $service_enabled = false,
+ $default_endpoint_type = 'internalURL',
+) {
+ include ::platform::params
+}
+
+class platform::dcagent
+ inherits ::platform::dcagent::params {
+ if ($::platform::params::distributed_cloud_role == 'subcloud' or
+ $::platform::params::distributed_cloud_role == 'systemcontroller') {
+ if $service_create {
+ if $::platform::params::init_keystone {
+ include ::dcagent::keystone::auth
+ }
+
+ class { '::dcagent': }
+ }
+ }
+}
+
+class platform::dcagent::api
+ inherits ::platform::dcagent::params {
+ if ($::platform::params::distributed_cloud_role == 'subcloud') {
+ if $service_create {
+ include ::platform::network::mgmt::params
+
+ include ::platform::params
+
+ $system_mode = $::platform::params::system_mode
+
+ # FQDN can be used after:
+ # - after the bootstrap for any installation
+ # - mate controller uses FQDN if mgmt::params::fqdn_ready is present
+ # mate controller can use FQDN before the bootstrap flag
+ # - just AIO-SX can use FQDN during the an upgrade. For other installs
+ # the active controller in older release can resolve the .internal FQDN
+ # when the mate controller is updated to N+1 version
+ if (!str2bool($::is_upgrade_do_not_use_fqdn) or $system_mode == 'simplex') {
+ if (str2bool($::is_bootstrap_completed)) {
+ $fqdn_ready = true
+ } else {
+ if ($::platform::network::mgmt::params::fqdn_ready != undef) {
+ $fqdn_ready = $::platform::network::mgmt::params::fqdn_ready
+ }
+ else {
+ $fqdn_ready = false
+ }
+ }
+ }
+ else {
+ $fqdn_ready = false
+ }
+
+ if ($fqdn_ready) {
+ $api_host = $::platform::params::controller_fqdn
+ } else {
+ $api_host = $::platform::network::mgmt::params::controller_address
+ }
+
+ class { '::dcagent::api':
+ bind_host => $api_host,
+ bind_port => $api_port,
+ enabled => $service_enabled,
+ }
+ }
+ }
+
+ include ::platform::dcagent::haproxy
+}
+
+class platform::dcagent::haproxy
+ inherits ::platform::dcagent::params {
+ include ::platform::params
+ include ::platform::haproxy::params
+
+ # Configure rules for https enabled admin endpoint.
+ if ($::platform::params::distributed_cloud_role == 'subcloud') {
+ platform::haproxy::proxy { 'dcagent-restapi-admin':
+ https_ep_type => 'admin',
+ server_name => 's-dcagent',
+ public_ip_address => $::platform::haproxy::params::private_dc_ip_address,
+ public_port => $api_port + 1,
+ private_port => $api_port,
+ }
+ }
+}
diff --git a/puppet-manifests/src/modules/platform/manifests/haproxy.pp b/puppet-manifests/src/modules/platform/manifests/haproxy.pp
index 04c9c047a..332803a1d 100644
--- a/puppet-manifests/src/modules/platform/manifests/haproxy.pp
+++ b/puppet-manifests/src/modules/platform/manifests/haproxy.pp
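Review bot: In `platform/manifests/dcagent.pp`, `platform::dcagent::haproxy` creates the `dcagent-restapi-admin` frontend on every subcloud, whereas `::dcagent::api` is declared only when `$service_create` is true; with the default `service_create = false` haproxy would open the admin port with no backend behind it. Gating the proxy the same way keeps listener and service in step: `if ($::platform::params::distributed_cloud_role == 'subcloud' and $service_create) {`. The admin port is derived as `$api_port + 1` rather than declared; a named `$admin_port = 8326` in `platform::dcagent::params` would document the 8325/8326 pair from the commit message and avoid arithmetic on a value that may arrive from hiera as a string. `$region_name` and `$default_endpoint_type` are declared in the params class but not read by any class in this file.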
@@ -228,6 +228,9 @@ class platform::haproxy::runtime { include ::platform::nfv::haproxy include ::platform::ceph::haproxy include ::platform::fm::haproxy + if ($::platform::params::distributed_cloud_role == 'subcloud') { + include ::platform::dcagent::haproxy + } if ($::platform::params::distributed_cloud_role == 'systemcontroller' or $::platform::params::distributed_cloud_role == 'subcloud') { include ::platform::dcdbsync::haproxy diff --git a/puppet-manifests/src/modules/platform/manifests/sm.pp b/puppet-manifests/src/modules/platform/manifests/sm.pp index b788e696a..d0740e566 100644 --- a/puppet-manifests/src/modules/platform/manifests/sm.pp +++ b/puppet-manifests/src/modules/platform/manifests/sm.pp @@ -731,6 +731,12 @@ class platform::sm -> exec { 'Configure OpenStack - DCDBsync-openstack-API': command => "sm-configure service_instance dcdbsync-openstack-api dcdbsync-openstack-api \"config=/etc/dcdbsync/dcdbsync_openstack.conf\"", } + -> exec { 'Configure OpenStack - DCAgent-API': + command => "sm-configure service_instance dcagent-api dcagent-api \"\"", + } + -> exec { 'Provision DCAgent-API (service-group-member dcagent-api)': + command => 'sm-provision service-group-member distributed-cloud-services dcagent-api', + } # Deprovision Horizon when running as a subcloud exec { 'Deprovision OpenStack - Horizon (service-group-member)': command => 'sm-deprovision service-group-member web-services horizon',