From fadab9bcfc834b92efdeac518559dd295cbc59b1 Mon Sep 17 00:00:00 2001 From: Salman Rana <Salman.rana@windriver.com> Date: Wed, 19 Mar 2025 06:21:28 -0400 Subject: [PATCH] DC certmon decoupling - clean up puppet modules Now that DC certificate management and auditing have been moved to dccertmon, remove the obsolete Puppet code from certmon and related files. Additionally, add logic to restart dccertmon when admin.conf is updated. Test plan: - PASS: Build puppet, puppet-mainfiest and puppet-sysinv deb packages. - PASS: Build an ISO, verify full installation and ensure no puppet related errors. - PASS: Deploy a full DC system with system controller and a subcloud. Verify the systems are operational after completion (dccertmon and certmon are active). - PASS: Deploy a standalone AIO-SX and verify the system is operational after completion (certmon active - dccertmon not active) Depends-on: https://review.opendev.org/c/starlingx/distcloud/+/944985 Depends-on: https://review.opendev.org/c/starlingx/config/+/944987 Story: 2011311 Task: 51838 Change-Id: Id1f95b0015c48e75c72610b112593e799e3b1540 Signed-off-by: Salman Rana <salman.rana@windriver.com> --- .../src/sysinv/manifests/certmon.pp | 42 +------------------ .../modules/platform/manifests/kubernetes.pp | 12 ++++++ 2 files changed, 13 insertions(+), 41 deletions(-) diff --git a/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp b/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp index c7b4c597f..a248a6a65 100644 --- a/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp +++ b/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp 
@@ -1,14 +1,13 @@
 #
 # Files in this package are licensed under Apache; see LICENSE file.
 #
-# Copyright (c) 2020 Wind River Systems, Inc.
+# Copyright (c) 2020, 2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 #
 class sysinv::certmon (
 $local_keystone_password,
- $dc_keystone_password,
 $local_keystone_auth_uri = false,
 $local_keystone_identity_uri = false,
 $local_keystone_project_domain = 'Default',
@@ -17,13 +16,6 @@ class sysinv::certmon (
 $local_keystone_user_domain = 'Default',
 $local_region_name = 'RegionOne',
 
- $dc_keystone_auth_uri = false,
- $dc_keystone_identity_uri = false,
- $dc_keystone_project_domain = 'Default',
- $dc_keystone_tenant = 'services',
- $dc_keystone_user = 'dcmanager',
- $dc_keystone_user_domain = 'Default',
-
 $use_syslog = false,
 $log_facility = 'LOG_USER',
 $debug = false,
@@ -81,13 +73,6 @@ class sysinv::certmon (
 certmon_config {
 'certmon/retry_interval': value => 600;
 'certmon/max_retry': value => 14;
- 'certmon/audit_interval': value => 86400;
- 'certmon/startup_audit_all': value => false;
- 'certmon/network_retry_interval': value => 180;
- 'certmon/network_max_retry': value => 30;
- 'certmon/audit_batch_size': value => 40;
- 'certmon/audit_greenpool_size': value => 20;
- 'certmon/certificate_timeout_secs': value => 5;
 }
 
 if $keystone_enabled {
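Review bot: Removing the `certmon/audit_*`, `certmon/network_*` and `certmon/certificate_timeout_secs` entries from this `certmon_config` block only stops Puppet from managing them; if `certmon_config` follows the usual ini-setting provider semantics its usage here suggests, keys already written to certmon.conf on an upgraded system stay in the file rather than being removed. The same applies to the `endpoint_cache/*` entries dropped in the hunks at -104 and -140, where it matters more because `endpoint_cache/password` was declared with `secret => true`, so a stale copy of the dcmanager credential would remain on disk after this change. Consider declaring the retired keys with `ensure => absent` for at least one release, e.g. `certmon_config { 'endpoint_cache/password': ensure => absent; }`, if the type supports it, or confirm that an upgrade step rewrites the file. The enclosing `if $keystone_enabled` branch continues outside the hunk.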
@@ -104,25 +89,6 @@ class sysinv::certmon ( 'keystone_authtoken/interface': value => $keystone_interface; 'keystone_authtoken/region_name': value => $local_region_name; } - - if $::platform::params::distributed_cloud_role == 'systemcontroller' { - certmon_config { - 'DEFAULT/transport_url': value => $::platform::amqp::params::transport_url; - - 'endpoint_cache/auth_plugin': value => $auth_type; - 'endpoint_cache/username': value => $dc_keystone_user; - 'endpoint_cache/password': value => $dc_keystone_password, secret=> true; - 'endpoint_cache/project_name': value => $dc_keystone_tenant; - 'endpoint_cache/user_domain_name': value => $dc_keystone_user_domain; - 'endpoint_cache/project_domain_name': value => $dc_keystone_project_domain; - 'endpoint_cache/http_connect_timeout': value => $keystone_http_connect_timeout; - } - } - - if $dc_keystone_identity_uri { - certmon_config { 'endpoint_cache/auth_uri': value => "${dc_keystone_identity_uri}/v3"; } - } - - } else {
@@ -140,11 +106,5 @@ class sysinv::certmon::keystone::password (
 certmon_config {
 'keystone_authtoken/password': value => lookup('sysinv::certmon::local_keystone_password'), secret => true;
 }
-
- if $::platform::params::distributed_cloud_role == 'systemcontroller' {
- certmon_config {
- 'endpoint_cache/password': value => lookup('sysinv::certmon::dc_keystone_password'), secret => true;
- }
- }
 }
 }
diff --git a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
index 20670cc9b..852f6c185 100644
--- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
+++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
@@ -1653,6 +1653,13 @@ class platform::kubernetes::worker::rootca::trustbothcas::runtime class platform::kubernetes::master::rootca::trustnewca::runtime inherits ::platform::kubernetes::params {
+ include ::platform::params
+
+ $cloud_role = (
+ $::platform::params::distributed_cloud_role == 'systemcontroller' or
+ $::platform::params::distributed_cloud_role == 'subcloud'
+ )
+
 # Copy the new root CA cert in place
 exec { 'put_new_ca_cert_in_place':
 command => "/bin/cp ${rootca_certfile_new} ${rootca_certfile}",
@@ -1680,6 +1687,11 @@ class platform::kubernetes::master::rootca::trustnewca::runtime
 -> exec { 'restart_cert_mon':
 command => 'sm-restart-safe service cert-mon',
 }
+ # Restart dccert-mon since it uses admin.conf
+ -> exec { 'restart_dc_cert_mon':
+ command => 'sm-restart-safe service dccertmon',
+ onlyif => $cloud_role,
+ }
 # Restart kube-apiserver to pick up the new cert
 -> exec { 'restart_apiserver':
 command => "/usr/bin/kill -s SIGHUP $(pidof kube-apiserver)",
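Review bot: `$cloud_role` holds a Boolean (the `or` of two equality tests on `distributed_cloud_role`) but its name reads as if it held the role string itself, which makes its later use as an exec condition in the hunk at +1687 easy to misread. A predicate-style name such as `$is_dc_role = ( ... )` would state what the value is, and a one-line comment above it, `# true on system controllers and subclouds, where dccertmon runs`, would record why both roles are included. The class body continues outside the hunk.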
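Review bot: `onlyif => $cloud_role` passes a Boolean where Puppet's `exec` expects a test command (a string or array of commands whose exit status gates the resource), so this does not gate the restart on the DC role: depending on the Puppet version it either fails parameter validation at apply time or is stringified to `true`/`false`, which is not an absolute path and, absent a `path` attribute on the resource, is rejected as not qualified. Either wrap the resource in `if $cloud_role { ... }` (restructuring the `->` chain so the non-DC case still links `restart_cert_mon` to `restart_apiserver`) or make it a real test, e.g. `onlyif => "/usr/bin/test '${cloud_role}' = 'true'"`. The added comment also says `dccert-mon` while the service name used in the command is `dccertmon`; using one spelling avoids confusion with the `cert-mon` service restarted just above. The resource chain continues outside the hunk.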