Setup cert-mon.conf

This change is to create /etc/sysinv/cert-mon.conf for cert-mon. The cert-mon.conf will have auth info for local cloud on a subcloud. The conf file will have both auth info for local and subcloud if it is on a systemcontroller. Story: 2007347 Task: 40373 Change-Id: Ibb217753782ce0dd922d9e5568dd14ea929190ae Signed-off-by: Bin Qian <bin.qian@windriver.com>
2020-07-16 00:30:17 -04:00
parent 0ac74c3d85
commit ff70cdd62a
8 changed files with 227 additions and 0 deletions
--- a/modules/puppet-sysinv/src/sysinv/lib/puppet/provider/certmon_config/ini_setting.rb
+++ b/modules/puppet-sysinv/src/sysinv/lib/puppet/provider/certmon_config/ini_setting.rb
@@ -0,0 +1,35 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.type(:certmon_config).provide(
+  :ini_setting,
+  :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+  def section
+    resource[:name].split('/', 2).first
+  end
+
+  def setting
+    resource[:name].split('/', 2).last
+  end
+
+  def separator
+    '='
+  end
+
+  def self.file_path
+    '/etc/sysinv/cert-mon.conf'
+  end
+
+  # added for backwards compatibility with older versions of inifile
+  def file_path
+    self.class.file_path
+  end
+
+end
--- a/modules/puppet-sysinv/src/sysinv/lib/puppet/type/certmon_config.rb
+++ b/modules/puppet-sysinv/src/sysinv/lib/puppet/type/certmon_config.rb
@@ -0,0 +1,50 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.newtype(:certmon_config) do
+
+  ensurable
+
+  newparam(:name, :namevar => true) do
+    desc 'Section/setting name to manage from /etc/sysinv/cert-mon.conf'
+    newvalues(/\S+\/\S+/)
+  end
+
+  newproperty(:value) do
+    desc 'The value of the setting to be defined.'
+    munge do |value|
+      value = value.to_s.strip
+      value.capitalize! if value =~ /^(true|false)$/i
+      value
+    end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
+end
--- a/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp
+++ b/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp
@@ -0,0 +1,125 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+class sysinv::certmon (
+  $local_keystone_password,
+  $dc_keystone_password,
+  $local_keystone_auth_uri     = false,
+  $local_keystone_identity_uri = false,
+  $local_keystone_project_domain = 'Default',
+  $local_keystone_tenant       = 'services',
+  $local_keystone_user         = 'sysinv',
+  $local_keystone_user_domain  = 'Default',
+  $local_region_name           = 'RegionOne',
+
+  $dc_keystone_auth_uri        = false,
+  $dc_keystone_identity_uri    = false,
+  $dc_keystone_project_domain  = 'Default',
+  $dc_keystone_tenant          = 'services',
+  $dc_keystone_user            = 'dcmanager',
+  $dc_keystone_user_domain     = 'Default',
+
+  $use_syslog                 = false,
+  $log_facility               = 'LOG_USER',
+  $debug                      = false,
+
+  $keystone_auth_protocol     = 'http',
+  $keystone_auth_host         = 'localhost',
+  $keystone_enabled           = true,
+  $keystone_interface         = 'internal',
+  $auth_type                  = 'password',
+  $service_port               = '5000',
+  $keystone_http_connect_timeout = '10',
+  $package_ensure             = 'latest',
+  $bind_host                  = '::',
+  $pxeboot_host               = undef,
+  $enabled                    = true,
+) {
+  include sysinv::params
+
+  if $::sysinv::params::certmon_package {
+    Package['certmon'] -> Certmon_config<||>
+    package { 'certmon':
+      ensure => $package_ensure,
+      name   => $::sysinv::params::certmon_package,
+    }
+  }
+
+  file { $::sysinv::params::certmon_conf:
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    require => Package['sysinv'],
+  }
+
+  if $local_keystone_identity_uri {
+    certmon_config {
+      'keystone_authtoken/auth_url': value => $local_keystone_identity_uri;
+      'keystone_authtoken/auth_uri': value => $local_keystone_identity_uri;
+    }
+  } else {
+    certmon_config {
+      'keystone_authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/";
+      'keystone_authtoken/auth_uri': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/";
+    }
+  }
+
+  certmon_config {
+    'DEFAULT/syslog_log_facility': value => $log_facility;
+    'DEFAULT/use_syslog': value => $use_syslog;
+    'DEFAULT/debug': value => $debug;
+    'DEFAULT/logging_default_format_string': value => '%(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s';
+    'DEFAULT/logging_debug_format_suffix': value => '%(pathname)s:%(lineno)d';
+  }
+
+  certmon_config {
+    'certmon/retry_interval': value => 600;
+    'certmon/max_retry': value => 14;
+    'certmon/audit_interval': value => 86400;
+  }
+
+  if $keystone_enabled {
+    certmon_config {
+      'DEFAULT/auth_strategy':     value => 'keystone' ;
+    }
+    certmon_config {
+      'keystone_authtoken/auth_type':    value => $auth_type;
+      'keystone_authtoken/project_name': value => $local_keystone_tenant;
+      'keystone_authtoken/username':     value => $local_keystone_user;
+      'keystone_authtoken/password':     value => $local_keystone_password, secret=> true;
+      'keystone_authtoken/user_domain_name':  value => $local_keystone_user_domain;
+      'keystone_authtoken/project_domain_name':  value => $local_keystone_project_domain;
+      'keystone_authtoken/interface':  value => $keystone_interface;
+      'keystone_authtoken/region_name':  value => $local_region_name;
+    }
+
+    if $::platform::params::distributed_cloud_role == 'systemcontroller' {
+        certmon_config {
+          'endpoint_cache/auth_plugin':    value => $auth_type;
+          'endpoint_cache/username':     value => $dc_keystone_user;
+          'endpoint_cache/password':     value => $dc_keystone_password, secret=> true;
+          'endpoint_cache/project_name': value => $dc_keystone_tenant;
+          'endpoint_cache/user_domain_name':     value => $dc_keystone_user_domain;
+          'endpoint_cache/project_domain_name':  value => $dc_keystone_project_domain;
+          'endpoint_cache/http_connect_timeout': value => $keystone_http_connect_timeout;
+        }
+    }
+
+    if $dc_keystone_identity_uri {
+      certmon_config { 'endpoint_cache/auth_uri': value => "${dc_keystone_identity_uri}/v3"; }
+    }
+
+  }
+  else
+  {
+    certmon_config {
+      'DEFAULT/auth_strategy':     value => 'noauth' ;
+    }
+  }
+}
--- a/modules/puppet-sysinv/src/sysinv/manifests/init.pp
+++ b/modules/puppet-sysinv/src/sysinv/manifests/init.pp
@@ -72,6 +72,7 @@ class sysinv (

  Package['sysinv'] -> Sysinv_config<||>
  Package['sysinv'] -> Sysinv_api_paste_ini<||>
+  Package['sysinv'] -> Certmon_config<||>

  # this anchor is used to simplify the graph between sysinv components by
  # allowing a resource to serve as a point where the configuration of sysinv begins
--- a/modules/puppet-sysinv/src/sysinv/manifests/params.pp
+++ b/modules/puppet-sysinv/src/sysinv/manifests/params.pp
@@ -18,6 +18,7 @@ class sysinv::params {

  $sysinv_dir = '/etc/sysinv'
  $sysinv_conf = '/etc/sysinv/sysinv.conf'
+  $certmon_conf = '/etc/sysinv/cert-mon.conf'
  $sysinv_paste_api_ini = '/etc/sysinv/api-paste.ini'

  if $::osfamily == 'Debian' {
@@ -29,6 +30,7 @@ class sysinv::params {
    $conductor_service  = 'sysinv-conductor'
    $agent_package      = 'sysinv'
    $agent_service      = 'sysinv-agent'
+    $certmon_package    = 'cert-mon'
    $db_sync_command    = 'sysinv-dbsync'

  } elsif($::osfamily == 'RedHat') {
@@ -41,6 +43,7 @@ class sysinv::params {
    $conductor_service  = 'sysinv-conductor'
    $agent_package      = false
    $agent_service      = 'sysinv-agent'
+    $certmon_package    = false
    $db_sync_command    = 'sysinv-dbsync'

  } elsif($::osfamily == 'WRLinux') {
@@ -53,6 +56,7 @@ class sysinv::params {
    $conductor_service  = 'sysinv-conductor'
    $agent_package      = false
    $agent_service      = 'sysinv-agent'
+    $certmon_package    = false
    $db_sync_command    = 'sysinv-dbsync'

  } else {
--- a/puppet-manifests/src/hieradata/controller.yaml
+++ b/puppet-manifests/src/hieradata/controller.yaml
@@ -159,6 +159,11 @@ sysinv::api::keystone_project_domain: 'Default'

 sysinv::conductor::enabled: false

+# cert-mon
+sysinv::certmon::use_syslog: true
+sysinv::certmon::log_facility: 'local6'
+sysinv::certmon::debug: false
+

 # nfvi
 nfv::nfvi::infrastructure_rest_api_data_port_fault_handling_enabled: false
--- a/puppet-manifests/src/manifests/controller.pp
+++ b/puppet-manifests/src/manifests/controller.pp
@@ -89,6 +89,7 @@ include ::platform::dcorch
 include ::platform::dcorch::engine
 include ::platform::dcorch::api_proxy
 include ::platform::dcmanager::api
+include ::platform::certmon

 include ::platform::dcdbsync
 include ::platform::dcdbsync::api
--- a/puppet-manifests/src/modules/platform/manifests/certmon.pp
+++ b/puppet-manifests/src/modules/platform/manifests/certmon.pp
@@ -0,0 +1,6 @@
+class platform::certmon {
+  if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+      $::platform::params::distributed_cloud_role == 'subcloud') {
+      include ::sysinv::certmon
+  }
+}