starlingx/distcloud
Code Issues Proposed changes
distcloud/distributedcloud/dccertmon/common/config.py
Salman Rana 7d44c38c90 Introduce dccertmon service 
This commit introduces dccertmon, a new managed service for DC
certificate auditing and management.

Currently, platform cert management, DC cert management, and subcloud
cert auditing are coupled into a single platform service (certmon). To
meet the requirements of DC scalability and portability, DC specific
functionality must be decoupled. These changes lay the groundwork
for the new service, by:
- Creating the necessary service files.
- Introducing configs for the service.
- Declaring high level methods (Skeleton - lifecycle and manager)

DC-specific functionality will be migrated to this dccertmon service and
optimized in subsequent changes. Non-DC cert management will continue to
be handled by certmon.

Overall, this commit introduces:
- The OCF file necessary for high availability management of the
  dccertmon service by SM.
- Package configurations to build the service (Package: distributedcloud-dccertmon).
- Lifecycle manager for a running DC cert monitor service.
- Skeleton/base service application logic - CertificateMonitorManager.
- RPC notification handlers for subcloud online/managed.
- Configuration for the log folders and log rotation. The logs
  will be available in /var/log/dccertmon/dccertmon.log.

These changes are part of a set of commits to introduce the dccertmon service:
  [1] https://review.opendev.org/c/starlingx/ha/+/941205
  [2] https://review.opendev.org/c/starlingx/stx-puppet/+/941208

Test Plan:
  - PASS: Build dccertmon package
  - PASS: Install and bootstrap system with custom ISO containing the
          newly created dccertmon package
  - PASS: Verify that the dccertmon.service is loaded
  - PASS: Verify dccertmon is being properly logged to the correct
          folder.
  - PASS: Check logged messages and verify execution of
           - Cert Watcher thread
           - Task Executor (Audit thread)
           - Periodic tasks running at expected intervals
  - PASS: Configure and provision the service using SM and verify
          it has correctly started and can be restarted with
          'sm-restart'.
  - PASS: Tox checks running on dccertmon

  Note: This commit has been tested alongside the related changes and
        their respective test plans. [1][2]

Story: 2011311
Task: 51663

Change-Id: Ic23d8d13e4b292cf0508d23eaae99b8e07f36d31
Signed-off-by: Salman Rana <salman.rana@windriver.com>
2025-03-14 15:48:19 -04:00

133 lines
3.6 KiB
Python
Raw Blame History

#
# Copyright (c) 2025 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
import configparser
import os
import keyring
from oslo_config import cfg
from dccommon import consts as dccommon_consts
from dcmanager.common import utils
CONF = cfg.CONF
logging_default_format_string = (
"%(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s"
)
config_values = {
"keystone_authtoken": {
"auth_url": "http://controller.internal:5000",
"auth_uri": "http://controller.internal:5000",
"auth_type": "password",
"project_name": "services",
"username": "sysinv",
"password": "None",
"user_domain_name": "Default",
"project_domain_name": "Default",
"interface": "internal",
"region_name": "None",
},
"DEFAULT": {
"syslog_log_facility": "local4",
"use_syslog": "True",
"debug": "False",
"logging_default_format_string": logging_default_format_string,
"logging_debug_format_suffix": "%(pathname)s:%(lineno)d",
"auth_strategy": "keystone",
"transport_url": "None",
},
"dccertmon": {
"retry_interval": "600",
"max_retry": "14",
"audit_interval": "86400",
"startup_audit_all": "False",
"network_retry_interval": "180",
"network_max_retry": "30",
"audit_batch_size": "40",
"audit_greenpool_size": "20",
"certificate_timeout_secs": "5",
},
"endpoint_cache": {
"auth_plugin": "password",
"username": "dcmanager",
"password": "None",
"project_name": "services",
"user_domain_name": "Default",
"project_domain_name": "Default",
"http_connect_timeout": "15",
"auth_uri": "http://controller.internal:5000/v3",
},
}
common_opts = [cfg.StrOpt("host", default="localhost", help="hostname of the machine")]
dc_cert_mon_opts = [
cfg.IntOpt(
"audit_interval",
default=86400, # 24 hours
help="Interval to run certificate audit",
),
cfg.IntOpt(
"retry_interval",
default=10 * 60, # retry every 10 minutes
help="Interval to reattempt accessing external system if failure occurred",
),
]
def register_config_opts():
CONF.register_opts(common_opts)
CONF.register_opts(dc_cert_mon_opts, "dccertmon")
def override_config_values():
rabbit_auth_password = keyring.get_password("amqp", "rabbit")
config_values["keystone_authtoken"]["region_name"] = utils.get_region_name(
"http://controller.internal:6385"
)
config_values["endpoint_cache"]["password"] = keyring.get_password(
"dcmanager", dccommon_consts.SERVICES_USER_NAME
)
config_values["keystone_authtoken"]["password"] = keyring.get_password(
"sysinv", dccommon_consts.SERVICES_USER_NAME
)
config_values["DEFAULT"][
"transport_url"
] = f"rabbit://guest:{rabbit_auth_password}@controller.internal:5672"
def create_conf_file():
output_dir = "/etc/dccertmon"
output_file = os.path.join(output_dir, "dccertmon.conf")
os.makedirs(output_dir, exist_ok=True)
config = configparser.RawConfigParser()
# Populate the config parser with values
for section, options in config_values.items():
config[section] = options
with open(output_file, "w") as f:
config.write(f)
os.chmod(output_file, 0o600)
def generate_config():
# Set dynamic values (e.g., passwords, urls, etc)
override_config_values()
# Create service conf file
create_conf_file()
def list_opts():
yield "dccertmon", dc_cert_mon_opts
yield None, common_opts
View Git Blame Copy Permalink