DC certmon decoupling - clean up puppet modules

Now that DC certificate management and auditing have been moved to dccertmon, remove the obsolete Puppet code from certmon and related files. Additionally, add logic to restart dccertmon when admin.conf is updated. Test plan: - PASS: Build puppet, puppet-mainfiest and puppet-sysinv deb packages. - PASS: Build an ISO, verify full installation and ensure no puppet related errors. - PASS: Deploy a full DC system with system controller and a subcloud. Verify the systems are operational after completion (dccertmon and certmon are active). - PASS: Deploy a standalone AIO-SX and verify the system is operational after completion (certmon active - dccertmon not active) Depends-on: https://review.opendev.org/c/starlingx/distcloud/+/944985 Depends-on: https://review.opendev.org/c/starlingx/config/+/944987 Story: 2011311 Task: 51838 Change-Id: Id1f95b0015c48e75c72610b112593e799e3b1540 Signed-off-by: Salman Rana <salman.rana@windriver.com>
2025-03-19 06:21:28 -04:00 · 2025-03-19 06:21:28 -04:00 · fadab9bcfc
commit fadab9bcfc
parent 052751c3df
2 changed files with 13 additions and 41 deletions
--- a/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp
+++ b/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp
@ -1,14 +1,13 @@
 #
 # Files in this package are licensed under Apache; see LICENSE file.
 #
-# Copyright (c) 2020 Wind River Systems, Inc.
+# Copyright (c) 2020, 2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 #
 class sysinv::certmon (
  $local_keystone_password,
-  $dc_keystone_password,
  $local_keystone_auth_uri     = false,
  $local_keystone_identity_uri = false,
  $local_keystone_project_domain = 'Default',
@ -17,13 +16,6 @@ class sysinv::certmon (
  $local_keystone_user_domain  = 'Default',
  $local_region_name           = 'RegionOne',

-  $dc_keystone_auth_uri        = false,
-  $dc_keystone_identity_uri    = false,
-  $dc_keystone_project_domain  = 'Default',
-  $dc_keystone_tenant          = 'services',
-  $dc_keystone_user            = 'dcmanager',
-  $dc_keystone_user_domain     = 'Default',
-
  $use_syslog                 = false,
  $log_facility               = 'LOG_USER',
  $debug                      = false,
@ -81,13 +73,6 @@ class sysinv::certmon (
  certmon_config {
    'certmon/retry_interval': value => 600;
    'certmon/max_retry': value => 14;
-    'certmon/audit_interval': value => 86400;
-    'certmon/startup_audit_all': value => false;
-    'certmon/network_retry_interval': value => 180;
-    'certmon/network_max_retry': value => 30;
-    'certmon/audit_batch_size': value => 40;
-    'certmon/audit_greenpool_size': value => 20;
-    'certmon/certificate_timeout_secs': value => 5;
  }

  if $keystone_enabled {
@ -104,25 +89,6 @@ class sysinv::certmon (
      'keystone_authtoken/interface':  value => $keystone_interface;
      'keystone_authtoken/region_name':  value => $local_region_name;
    }
-
-    if $::platform::params::distributed_cloud_role == 'systemcontroller' {
-        certmon_config {
-          'DEFAULT/transport_url':    value => $::platform::amqp::params::transport_url;
-
-          'endpoint_cache/auth_plugin':    value => $auth_type;
-          'endpoint_cache/username':     value => $dc_keystone_user;
-          'endpoint_cache/password':     value => $dc_keystone_password, secret=> true;
-          'endpoint_cache/project_name': value => $dc_keystone_tenant;
-          'endpoint_cache/user_domain_name':     value => $dc_keystone_user_domain;
-          'endpoint_cache/project_domain_name':  value => $dc_keystone_project_domain;
-          'endpoint_cache/http_connect_timeout': value => $keystone_http_connect_timeout;
-        }
-    }
-
-    if $dc_keystone_identity_uri {
-      certmon_config { 'endpoint_cache/auth_uri': value => "${dc_keystone_identity_uri}/v3"; }
-    }
-
  }
  else
  {
@ -140,11 +106,5 @@ class sysinv::certmon::keystone::password (
    certmon_config {
      'keystone_authtoken/password': value => lookup('sysinv::certmon::local_keystone_password'), secret => true;
    }
-
-    if $::platform::params::distributed_cloud_role == 'systemcontroller' {
-      certmon_config {
-        'endpoint_cache/password': value => lookup('sysinv::certmon::dc_keystone_password'), secret => true;
-      }
-    }
  }
 }
--- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
+++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
@ -1653,6 +1653,13 @@ class platform::kubernetes::worker::rootca::trustbothcas::runtime

 class platform::kubernetes::master::rootca::trustnewca::runtime
  inherits ::platform::kubernetes::params {
+  include ::platform::params
+
+  $cloud_role = (
+    $::platform::params::distributed_cloud_role == 'systemcontroller' or
+    $::platform::params::distributed_cloud_role == 'subcloud'
+  )
+
  # Copy the new root CA cert in place
  exec { 'put_new_ca_cert_in_place':
    command => "/bin/cp ${rootca_certfile_new} ${rootca_certfile}",
@ -1680,6 +1687,11 @@ class platform::kubernetes::master::rootca::trustnewca::runtime
  -> exec { 'restart_cert_mon':
    command => 'sm-restart-safe service cert-mon',
  }
+  # Restart dccert-mon since it uses admin.conf
+  -> exec { 'restart_dc_cert_mon':
+    command => 'sm-restart-safe service dccertmon',
+    onlyif  => $cloud_role,
+  }
  # Restart kube-apiserver to pick up the new cert
  -> exec { 'restart_apiserver':
    command => "/usr/bin/kill -s SIGHUP $(pidof kube-apiserver)",