Configure dcmanager user for endpoint_cache

The following changes are made, in order to remove the
dependencies to 'admin' user and use 'dcmanager' user to
authenticate with services in the subclouds:
. Add endpoint_cache section to both dcorch and dcmanager
. Configure dcmanager user in the endpoint_cache section
. Add dcmanager bootstrap class to configure the dcmanager
  user on subclouds

Partial-Bug: 1883758

Change-Id: I790592f44d371051c157443836f71e3f00640ab5
Signed-off-by: Tao Liu <tao.liu@windriver.com>

modules/puppet-dcmanager/src/dcmanager/manifests/api.pp

@@ -124,6 +124,7 @@ class dcmanager::api (
   if $keystone_identity_uri {
     dcmanager_config { 'keystone_authtoken/auth_url': value => $keystone_identity_uri; }
     dcmanager_config { 'cache/auth_uri': value => "${keystone_identity_uri}/v3"; }
+    dcmanager_config { 'endpoint_cache/auth_uri': value => "${keystone_identity_uri}/v3"; }
   } else {
     dcmanager_config { 'keystone_authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/v3"; }
   }
@@ -161,6 +162,15 @@ class dcmanager::api (
       'cache/admin_username':     value => $keystone_admin_user;
       'cache/admin_password':     value => $keystone_admin_password, secret=> true;
     }
+    dcmanager_config {
+      'endpoint_cache/auth_plugin':    value => $auth_type;
+      'endpoint_cache/username':     value => $keystone_user;
+      'endpoint_cache/password':     value => $keystone_password, secret=> true;
+      'endpoint_cache/project_name': value => $keystone_tenant;
+      'endpoint_cache/user_domain_name':     value => $keystone_user_domain;
+      'endpoint_cache/project_domain_name':  value => $keystone_project_domain;
+      'endpoint_cache/http_connect_timeout': value => $keystone_http_connect_timeout;
+    }
 
     if $keystone_auth_admin_prefix {
       validate_re($keystone_auth_admin_prefix, '^(/.+[^/])?$')

modules/puppet-dcmanager/src/dcmanager/manifests/keystone/auth.pp

@@ -14,9 +14,9 @@
 #
 class dcmanager::keystone::auth (
   $password,
-  $auth_domain,
-  $admin_project_name,
-  $admin_project_domain,
+  $auth_domain          = 'Default',
+  $admin_project_name   = 'services',
+  $admin_project_domain = 'Default',
   $auth_name            = 'dcmanager',
   $email                = 'dcmanager@localhost',
   $tenant               = 'admin',

modules/puppet-dcorch/src/dcorch/manifests/api_proxy.pp

@@ -81,6 +81,7 @@
 class dcorch::api_proxy (
   $keystone_password,
   $keystone_admin_password,
+  $dcmanager_keystone_password,
   $keystone_admin_user        = 'admin',
   $keystone_admin_tenant      = 'admin',
   $keystone_enabled           = true,
@@ -95,6 +96,8 @@ class dcorch::api_proxy (
   $keystone_identity_uri      = false,
   $keystone_user_domain       = 'Default',
   $keystone_project_domain    = 'Default',
+  $keystone_http_connect_timeout = '10',
+  $dcmanager_keystone_user    = 'dcmanager',
   $auth_type                  = 'password',
   $service_port               = '5000',
   $package_ensure             = 'latest',
@@ -122,6 +125,7 @@ class dcorch::api_proxy (
   if $keystone_identity_uri {
     dcorch_config { 'keystone_authtoken/auth_url': value => $keystone_identity_uri; }
     dcorch_config { 'cache/auth_uri': value => "${keystone_identity_uri}/v3"; }
+    dcorch_config { 'endpoint_cache/auth_uri': value => "${keystone_identity_uri}/v3"; }
   } else {
     dcorch_config { 'keystone_authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; }
   }
@@ -157,6 +161,15 @@ class dcorch::api_proxy (
       'cache/admin_username':     value => $keystone_admin_user;
       'cache/admin_password':     value => $keystone_admin_password, secret=> true;
     }
+    dcorch_config {
+      'endpoint_cache/auth_plugin':  value => $auth_type;
+      'endpoint_cache/username':     value => $dcmanager_keystone_user;
+      'endpoint_cache/password':     value => $dcmanager_keystone_password, secret=> true;
+      'endpoint_cache/project_name': value => $keystone_tenant;
+      'endpoint_cache/user_domain_name':     value => $keystone_user_domain;
+      'endpoint_cache/project_domain_name':  value => $keystone_project_domain;
+      'endpoint_cache/http_connect_timeout': value => $keystone_http_connect_timeout;
+    }
 
     if $keystone_auth_admin_prefix {
       validate_re($keystone_auth_admin_prefix, '^(/.+[^/])?$')

puppet-manifests/src/manifests/ansible_bootstrap.pp

@@ -32,3 +32,6 @@ include ::platform::filesystem::backup
 include ::platform::filesystem::kubelet
 include ::platform::mtce::bootstrap
 include ::platform::fm::bootstrap
+
+# Puppet class to config the dcmanager user on subclouds
+include ::platform::dcmanager::bootstrap

puppet-manifests/src/modules/openstack/manifests/keystone.pp

@@ -293,7 +293,8 @@ class openstack::keystone::bootstrap(
                     Class['::openstack::barbican::bootstrap'],
                     Class['::platform::sysinv::bootstrap'],
                     Class['::platform::mtce::bootstrap'],
-                    Class['::platform::fm::bootstrap'] ],
+                    Class['::platform::fm::bootstrap'],
+                    Class['::platform::dcmanager::bootstrap']],
       }
       -> exec { 'update keystone services project id to match system controller':
         command => "psql -d keystone -c \"update public.project set id='${dc_services_project_id}' where name='services'\"",

puppet-manifests/src/modules/platform/manifests/dcmanager.pp

@@ -137,3 +137,28 @@ class platform::dcmanager::runtime {
     }
   }
 }
+
+class platform::dcmanager::bootstrap (
+  $dc_dcmanager_user_id = undef,
+) {
+
+  # dc_dcmanager_user_id is only defined on subclouds
+  if $dc_dcmanager_user_id {
+
+    class { '::dcmanager::keystone::auth':
+      configure_endpoint => false,
+    }
+
+    exec { 'update keystone dcmanager assignment actor_id to match system controller':
+      command => "psql -d keystone -c \"update public.assignment set actor_id='${dc_dcmanager_user_id}' from public.local_user where\
+                  public.assignment.actor_id=public.local_user.user_id and public.local_user.name='dcmanager'\"",
+      user    => 'postgres',
+      require => Class['::dcmanager::keystone::auth'],
+    }
+    -> exec { 'update keystone dcmanager user id to match system controller':
+      command => "psql -d keystone -c \"update public.user set id='${dc_dcmanager_user_id}' from public.local_user where\
+                  public.user.id=public.local_user.user_id and public.local_user.name='dcmanager'\"",
+      user    => 'postgres',
+    }
+  }
+}