From 50b6adcc6a0d003664276019acf41a75daecd32f Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 8 Apr 2025 17:47:27 -0300 Subject: [PATCH] Deprovision dccertmon from subclouds In [1], the dccertmon service was provisioned in SM for both system controllers and subclouds when it should only run in the former. Therefore, this commit updates SM entries to remove the service provision for subclouds. Test plan: 1. PASS: Build an ISO with the changes and install a DC system with active subclouds successfully. 2. PASS: Verify that dccertmon is provisioned in the system controller but deprovisioned in all subclouds. 3. PASS: Deploy an AIO-SX successfully and verify dccertmon is not provisioned. 4. PASS: Deploy a subcloud, manage it, verify that the dc-cert status is updated to in-sync after a while and the subcloud does not present any alarms. 5. PASS: Delete the secret for the adminep-ca-certificate of a managed subcloud and verify that it is updated both on the system controller and the subcloud. 6. PASS: Rehome a subcloud and verify tests 4 and 5 are successfull. Closes-Bug: 2106823 [1]. https://review.opendev.org/c/starlingx/stx-puppet/+/941208 Change-Id: I2d108948d8df33c23f4e6fc3f7de8d8a52f57e56 Signed-off-by: Raphael --- .../src/modules/platform/manifests/kubernetes.pp | 11 +++-------- puppet-manifests/src/modules/platform/manifests/sm.pp | 9 --------- 2 files changed, 3 insertions(+), 17 deletions(-) diff --git a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp index 852f6c185..a0329f131 100644 --- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp +++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp @@ -1655,11 +1655,6 @@ class platform::kubernetes::master::rootca::trustnewca::runtime inherits ::platform::kubernetes::params { include ::platform::params - $cloud_role = ( - $::platform::params::distributed_cloud_role == 'systemcontroller' or - $::platform::params::distributed_cloud_role == 'subcloud' - ) - # Copy the new root CA cert in place exec { 'put_new_ca_cert_in_place': command => "/bin/cp ${rootca_certfile_new} ${rootca_certfile}", @@ -1687,10 +1682,10 @@ class platform::kubernetes::master::rootca::trustnewca::runtime -> exec { 'restart_cert_mon': command => 'sm-restart-safe service cert-mon', } - # Restart dccert-mon since it uses admin.conf - -> exec { 'restart_dc_cert_mon': + # Restart dccertmon since it uses admin.conf + -> exec { 'restart_dccertmon': command => 'sm-restart-safe service dccertmon', - onlyif => $cloud_role, + onlyif => $::platform::params::distributed_cloud_role == 'systemcontroller', } # Restart kube-apiserver to pick up the new cert -> exec { 'restart_apiserver': diff --git a/puppet-manifests/src/modules/platform/manifests/sm.pp b/puppet-manifests/src/modules/platform/manifests/sm.pp index ef16e3829..02bcdc9a0 100644 --- a/puppet-manifests/src/modules/platform/manifests/sm.pp +++ b/puppet-manifests/src/modules/platform/manifests/sm.pp @@ -733,15 +733,6 @@ class platform::sm -> exec { 'Provision DCAgent-API (service-group-member dcagent-api)': command => 'sm-provision service-group-member distributed-cloud-services dcagent-api', } - -> exec { 'Provision DCCertmon (service-group-member dccertmon)': - command => 'sm-provision service-group-member distributed-cloud-services dccertmon', - } - -> exec { 'Provision DCCertmon in SM (service dccertmon)': - command => 'sm-provision service dccertmon', - } - -> exec { 'Configure OpenStack - DCCertmon': - command => "sm-configure service_instance dccertmon dccertmon \"\"", - } # Deprovision Horizon when running as a subcloud exec { 'Deprovision OpenStack - Horizon (service-group-member)': command => 'sm-deprovision service-group-member web-services horizon',