Need to pass in the application to be the forwarder so when
the version doesn't match the request can continue down the
pipeline. It was 'mostly' working before since the version
matching was registering all get requests as version requests
and just forwarding them, this commit also restricts that
version regex so that is no longer the case.
Change-Id: I887027a043e2a686770d4ece0ae511e00814be61
Closes-Bug: 1849831
Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
In distributed cloud, subcloud's user ids, project ids and role ids
are synced with System Controller. But project role assignment
functions still use names to check if master resources and subcloud
resources have the same id, and if user, project and role exist before
POST call to grant project role to user. This will cause an assignment
PUT job to be created and identity sync status to flip from "in-sync" to
"out-of-sync" and back to "in-sync" again for every audit cycle.
A more detailed explanation: at the very first audit, roles are queued
for sync but the job doesn't run and their ids don't change at the
subcloud yet. At the same audit dcorch finds the project role assignment
actually exists (since it checks names in has_same_ids()), so it maps
the assignment of center cloud to the assignment of the subcloud with
the current ids. Once the queued roles sync job gets executed, role ids
are changed. At this point the assignment mappings become invalid. The
next audit can no longer find the mapped assignment from subcloud so the
logic falls into audit_discrepancy() where has_same_ids() returns
TRUE again and a PUT job is queued for the assignment. The sync endpoint
type becomes "out-of-sync" since there is a job for it. Once the PUT
function returns, its status returns to "in-sync" again.
This change updated project role assignment functions to use ids
instead of names.
Change-Id: I024f2c2f97aaf9670d7b2c5c70a2dae7d6d08d38
Closes-Bug: 1847661
Signed-off-by: Andy Ning <andy.ning@windriver.com>
- Adding endpoints for the subcloud's platform services to the central
keystone. This was done so horizon can reach all subclouds
- Allowing version requests to bypass the authtoken validator in the
dcorch proxy. version requests do not require authentication and
they are required by horizon to work in the SystemController region
Change-Id: I508e0168e77d1f46b8f5720fd16047177b4920c2
Partial-Bug: 1846239
Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
In cmd/api.py the eventlet monkey_patch has been moved to be before api
app import. This is because if it's called too late, the api app and
db api module will be loaded without awareness of eventlet, the
threading local context in db api won't be eventlet compatible, causing
DB parallel operation errors.
Change-Id: I294657fc910c6a4696f91308d60697d005dc53b0
Closes-Bug: 1846411
Signed-off-by: Andy Ning <andy.ning@windriver.com>
This update enhanced keystone-api-proxy to take a sync_endpoint
parameter from its configuration file and enqueue a job for dcorch with
that sync_endpoint type. If sync_endpoint isn't present in its
configuration file, it will use the default endpoint type to enqueue
the job.
Change-Id: I85698638cee2598955c4deb41a6b8033b0ace9fd
Story: 2004766
Task: 36156
Depends-On: https://review.opendev.org/#/c/682062/
Signed-off-by: Andy Ning <andy.ning@windriver.com>
OAM firewallrules are now managed by Calico GlobalNetworkPolicy configuration
via k8s API (not by sysinv anymore). This update removed firewallrules
audit from dcorch.
Change-Id: I9fab73c016bb4af760c7d78f0db18dcc8bb77057
Closes-Bug: 1844147
Signed-off-by: Andy Ning <andy.ning@windriver.com>
In a Distributed Cloud system, when dcorch audits the platform, it will
fail at the audit_discrepancy() function call. This is because sysinv
audit_discrepancy() missed the 4th parameter. This update fixed this by
adding it in.
Change-Id: I72057b3406b4b362808d241fbc2e43bf07d7b677
Closes-Bug: 1843770
Signed-off-by: Andy Ning <andy.ning@windriver.com>
This commit enhanced dcorch find_missing algorithm so that the first
audit after subcloud becomes managed won't try to create resources that
have matches in the subcloud (otherwise the creation will fail for DB
duplication error). This is necessary for resources that are created
at deployment time and existing resources not yet tracked by dcorch.
Story: 2002842
Task: 22787
Change-Id: I60f94057caf71265942f3b37b400eeba4f368fed
Signed-off-by: Andy Ning <andy.ning@windriver.com>
This commit updates dcorch to use the newly introduced dbsync service
APIs to synchronize identity resources from central cloud to subclouds.
The following identity resources are synced:
- users (local users only)
- user passwords
- projects
- roles
- project role assignments
- token revocation events
Story: 2002842
Task: 22787
Signed-off-by: Andy Ning <andy.ning@windriver.com>
(cherry picked from commit e9096c7a23)
Depends-On: https://review.opendev.org/#/c/655921
Depends-On: https://review.opendev.org/#/c/655773
Depends-On: https://review.opendev.org/#/c/655776
Depends-On: https://review.opendev.org/#/c/655927
Change-Id: I77c2cc712a1c3dc8a228883c3fea1423e5207dea
Aliases were first deprecated in oslo.messaging 5.20.0
during Pike, and they have been removed in Stein.
This update removes oslo transport aliases in both
dcorch and dcmanager messaging to support the
containerized keystone-api-proxy that uses Stein.
Story: 2004766
Task: 30450
Change-Id: I015e23575d56ab031a7a94efa4ec5464fcd3f543
Signed-off-by: Tao Liu <tao.liu@windriver.com>
Disable nova, cinder and neutron api proxy services
Disable nova, cinder and neutron sync threads
Add cluster IP support to generated subcloud
configuration file
Remove openstack users from subcloud user list
Story: 2004766
Task: 28884
Change-Id: I683ba05ee74b159716924f08814a7473e7053d4d
Signed-off-by: Tao Liu <tao.liu@windriver.com>
import six.moves to fix rename of urlparse and Queue
Change-Id: Iee1b6053e4c1a174c40cfa858bf62557d308194a
Story: 2004585
Task: 28446
Signed-off-by: Sun Austin <austin.sun@intel.com>
NTP/PTP enabled flag is not propagated properly to subclouds.
The root cause is the wrong boolean/string comparison of the enabled
flag. Need to convert it to string to simplify the logic.
Change-Id: Ie9d67c567732caf5edba751fd1310b94d2c084ca
Closes-Bug: 1802530
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
During the sync Security Group needs to be compared with the tenant
names and not tenant ids. The tenant id, which is the uuid, is different
between regions. The compare does not match and an attempt to create
the Security Group fails since it already exists. This commit changes
the compare to use tenant names.
Closes-Bug: 1802397
Change-Id: I9363945868b857802e137dcf05757ec3691230c1
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
This update contains the following changes for Distributed
Cloud Fernet Key Synching & Management:
1. Distribute the fernet keys when the subcloud is managed
2. Setup a periodic task to rotate and re-distribute keys
3. Support fernet repo audit
Story: 2002842
Task: 22786
Depends-On: https://review.openstack.org/#/c/613620/
Change-Id: I203c937e9c2334da3f4766c0a49f32f71f7fd39e
Signed-off-by: Tao Liu <tao.liu@windriver.com>
There is a typo error in role deletion that prevents deleting the role
in subcloud during role synchronization. This update fixed this typo
error and made role synchronization work.
Closes-Bug: 1797960
Change-Id: Iff78ceffdd95b2676854d986126c6c2d001866de
Signed-off-by: Andy Ning <andy.ning@windriver.com>
PTP failed to sync because of "enabled" parameter passed.
It was passed as a boolean and ignored by SysInv API.
Need to convert it to string before passing to SysInv.
Change-Id: Ice439bcb46bc901390c562f4ca5a8af0a73b738e
Closes-Bug: 1791997
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
There are 3 new parameters added to PTP configuration:
timestamping mode, transport protocol and delay mechanism.
Need to synchronize these parameters in the Distributed Cloud.
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
The fault management (FM) APIs have been removed from the sysinv API
service and a new FM API service has been introduced. This update adds
a new fm openstack driver for retrieving each region's alarm summary,
and it also modifies the alarm aggregate manager to use the fm driver.
In addition, it removes get alarm summary routine from sysinv and
adds the fm user to the subcloud user list
Story: 2002828
Task: 22747
Signed-off-by: Tao Liu <tao.liu@windriver.com>