starlingx/distcloud
Code Issues Proposed changes
distcloud/distributedcloud/dcmanager/orchestrator/validators/base.py
Victor Romano e00c7223b5 Modify kube-rootca audit to alarm first 
On previous installations, the subcloud kube-rootca certificate is
different than the one from system controller. Currently, the audit
is comparing cert_id and declaring out-of-sync if they don't match,
which leads to an out-of-sync in the endpoint post upgrade. This
commit changes the audit logic to first audit by alarms so upgraded
subclouds can remain in-sync. Audit by cert_id still happen, but
only if the subcloud was rehomed.

Additionally, the force parameter was re-introduced in kube-rootca
update orchestration. Since with alarm based audit different cert_ids
can still present an in-sync status, the user might want to update
subcloud cert to match system controller, so the force parameter is
necessary to allow this.

Note: Dcagent didn't previously allowed extra_args to be sent in
in the payload. To avoid breaking audit with previous versions of
dcagent sending an unknown key in the payload (which will thrown an
error), extra_args are being sent in request header with the key
"X-DCAGENT-HEADERS". Support for extra_args in the payload was added,
but can only be used when all supported dcagent versions have this
option.

Note: Due to the current issue that blocks upgrade test, this commit
did not test subcloud upgrade, but the scenario would follow a
similar path from the second test case below, where updating a
subcloud rootca to a different cert from system controller results in
an in-sync endpoint status.

Test plan:
  - PASS: Deploy a subcloud and verify kube-rootca_sync_status is
          in-sync.
  - PASS: Perform a kube-rootca update orchestration directly in the
          subcloud without passing a cert so it will auto generate
          one and verify kube-rootca_sync_status is still in-sync.
  - PASS: Rehome the subcloud from the previous test and verify
          kube-rootca_sync_status is out-of-sync.
  - PASS: Perform a kube-rootca update orchestration using dcmanager
          in an out-of-sync subcloud providing system controller certs
          and verify the final sync status is in-sync.
  - PASS: Perform a kube-rootca update orchestration using dcmanager
          in an in-sync subcloud with force parameter without
          providing certs and verify the final sync status is in-sync.
  - PASS: Install a N-1 release and verify kube-rootca_sync_status is
          in-sync.

Closes-bug: 2092069

Change-Id: If0cc002d0d4970730771ae90d80dc50c7daf4d4c
Signed-off-by: Victor Romano <victor.gluzromano@windriver.com>
2024-12-19 21:16:18 +00:00

83 lines
2.3 KiB
Python
Raw Blame History

#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
"""
Base class for dcmanager orchestrator's strategy validations.
"""
from oslo_log import log as logging
from dccommon import consts as dccommon_consts
from dcmanager.common import exceptions
from dcmanager.db import api as db_api
LOG = logging.getLogger(__name__)
class StrategyValidationBase(object):
"""Base class for strategy validation"""
def __init__(self):
self.accepts_force = False
self.endpoint_type = None
def validate_strategy_requirements(
self, context, subcloud_id, subcloud_name, force=False
):
"""Validates the requirements for a strategy
:param context: request context object
:param subcloud_id: subcloud's id
:param subcloud_name: subcloud's name
:param force: if the strategy should be forced to execute
:raises BadRequest: if the requirements for the strategy are not met
"""
if self.accepts_force and force:
return
subcloud_status = db_api.subcloud_status_get(
context, subcloud_id, self.endpoint_type
)
if subcloud_status.sync_status == dccommon_consts.SYNC_STATUS_IN_SYNC:
msg = (
f"Subcloud {subcloud_name} does not require {self.endpoint_type} update"
)
LOG.error(
"Failed creating software update strategy of type "
f"{self.endpoint_type}. {msg}"
)
raise exceptions.BadRequest(resource="strategy", msg=msg)
def build_extra_args(self, payload):
"""Builds the extra args for a strategy
In case the strategy does not accept extra args, None is returned.
:param payload: strategy request payload
"""
return None
def build_availability_status_filter(self):
"""Builds the availability status filter for valid subclouds
:return: availability status to filter
:rtype: str
"""
return dccommon_consts.AVAILABILITY_ONLINE
def build_sync_status_filter(self, force):
"""Builds the sync status filter for valid subclouds
:param force: if the strategy should be forced to execute
:return: sync status to filter
:rtype: list
"""
return [dccommon_consts.SYNC_STATUS_OUT_OF_SYNC]
View Git Blame Copy Permalink