Filter cert-mon for geo-redundancy in audit and DC_CertWatcher

This commit adds a filter for querying all subclouds from dcmanager, to
account for secondary subclouds that should not be audited by cert-mon
for this system controller. The filter is performed against a list of
invalid deploy states that should be considered when querying
the list of subclouds from dcmanager.

Likewise, the DC_CertWatcher -> DCIntermediateCertRenew flow must ensure
that subclouds which are secondary to this system controller are ignored
by the kubernetes watch in place for the DC intermediate cert renewal
detection. Subclouds are filtered by the watch based on their online
state and their deploy-status. A subcloud with an invalid deploy state is
ignored by this system controller.

Test Cases
PASS:
- Trigger audits on service restart. Verify that offline/secondary
  subclouds are excluded.
- Ensure full daily audit is executed. Verify that all subclouds
  belonging to this system controller are audited. Secondary subclouds
  are not audited.
- Verify that DC_CertWatcher -> DCIntermediateCertRenew watch fires are
  ignored for offline and/or invalid deploy state

Reviewed: https://review.opendev.org/c/starlingx/config/+/914907
Committed: https://opendev.org/starlingx/config/commit/03443ef16c0c47d15631eb9001b413a3b8ea39fc
Submitter: "Zuul (22348)"
Branch: master
commit 03443ef16c0c47d15631eb9001b413a3b8ea39fc
Author: Kyle MacLeod <email address hidden>
Date: Tue Apr 2 11:52:39 2024 -0400
Closes-Bug: 2060068
Change-Id: Iffe3d7c76db8d2f17aed0bfebc792af0f9d75ca2
Signed-off-by: Kyle MacLeod <email address hidden>