From 699a149e700ec10e75ae954aa1be588c81731066 Mon Sep 17 00:00:00 2001 From: Victor Romano Date: Wed, 31 Jul 2024 11:41:01 -0300 Subject: [PATCH] Disable dcagent user creation on SystemController It's not necessary to have the dcagent keystone user present on system controller. Its presence can cause problems during upgrade as it would be necessary for the dcagent user in the subcloud to have the same password as system controller upon creation (before dcdbsync synching upon managing the subcloud). Test plan: - PASS: Build a developer ISO. Deploy a DC system with 2 system controllers and 1 subcloud. Verify the dcagent user is created only on the subcloud. - PASS: Manage the subcloud and verify the dcagent service is working as expected. - PASS: Perform a network reconfiguration on the subcloud. Verify the operation finishes successfully. Story: 2011106 Task: 50747 Change-Id: I13deb83f2e8b602fd8d733b999cf579d4db05034 Signed-off-by: Victor Romano --- .../src/dcagent/manifests/keystone/auth.pp | 61 +++++++++---------- .../modules/openstack/manifests/keystone.pp | 5 +- .../src/modules/platform/manifests/dcagent.pp | 3 +- 3 files changed, 31 insertions(+), 38 deletions(-) diff --git a/modules/puppet-dcagent/src/dcagent/manifests/keystone/auth.pp b/modules/puppet-dcagent/src/dcagent/manifests/keystone/auth.pp index a84a9aec3..c34b773b6 100644 --- a/modules/puppet-dcagent/src/dcagent/manifests/keystone/auth.pp +++ b/modules/puppet-dcagent/src/dcagent/manifests/keystone/auth.pp @@ -22,7 +22,7 @@ class dcagent::keystone::auth ( $service_description = 'DCAgent service', $service_name = 'dcagent', $service_type = 'dcagent', - $configure_endpoint = false, + $configure_endpoint = true, $configure_user = true, $configure_user_role = true, $public_url = 'http://127.0.0.1:8325/v1', 
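Review bot: `$configure_endpoint` can still be overridden to `false`, yet the subcloud branch of `openstack::keystone::endpoint::reconfig` (hunk `@@ -403,16 +402,14 @@` in keystone.pp) now orders on `Keystone_endpoint["${region}/dcagent::dcagent"]` unconditionally. If the endpoint is not declared, that reference presumably has nothing to resolve to and catalog compilation fails on the subcloud. I would record the coupling next to the parameter, e.g. `# Keep true on subclouds: openstack::keystone::endpoint::reconfig orders on the dcagent Keystone_endpoint.`, and add that the value is ignored unless `$distributed_cloud_role` is `'subcloud'`. The parameter list begins and ends outside this hunk.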
@@ -33,37 +33,34 @@ class dcagent::keystone::auth ( $real_service_name = pick($service_name, $auth_name) - $should_configure_endpoint = $distributed_cloud_role ? { - 'subcloud' => true, - default => $configure_endpoint, - } + if $distributed_cloud_role == 'subcloud' { + keystone::resource::service_identity { 'dcagent': + configure_user => $configure_user, + configure_user_role => $configure_user_role, + configure_endpoint => $configure_endpoint, + service_type => $service_type, + service_description => $service_description, + service_name => $real_service_name, + region => $region, + auth_name => $auth_name, + password => $password, + email => $email, + tenant => $tenant, + public_url => $public_url, + admin_url => $admin_url, + internal_url => $internal_url, + } - keystone::resource::service_identity { 'dcagent': - configure_user => $configure_user, - configure_user_role => $configure_user_role, - configure_endpoint => $should_configure_endpoint, - service_type => $service_type, - service_description => $service_description, - service_name => $real_service_name, - region => $region, - auth_name => $auth_name, - password => $password, - email => $email, - tenant => $tenant, - public_url => $public_url, - admin_url => $admin_url, - internal_url => $internal_url, - } - - # dcagent is a private service only used by dcmanager-audit and dcorch, - # its API is not exposed for public access. - -> exec { 'Delete dcagent public endpoint': - path => '/usr/bin', - command => @("CMD"/L), - /bin/sh -c 'source /etc/platform/openrc && \ - openstack endpoint list --service dcagent --interface public --format value -c ID | \ - xargs --no-run-if-empty openstack endpoint delete' - | CMD - logoutput => true, + # dcagent is a private service only used by dcmanager-audit and dcorch, + # its API is not exposed for public access. 
+ -> exec { 'Delete dcagent public endpoint': + path => '/usr/bin', + command => @("CMD"/L), + /bin/sh -c 'source /etc/platform/openrc && \ + openstack endpoint list --service dcagent --interface public --format value -c ID | \ + xargs --no-run-if-empty openstack endpoint delete' + | CMD + logoutput => true, + } } } diff --git a/puppet-manifests/src/modules/openstack/manifests/keystone.pp b/puppet-manifests/src/modules/openstack/manifests/keystone.pp index 48adbc5e2..86a50dfbe 100644 --- a/puppet-manifests/src/modules/openstack/manifests/keystone.pp +++ b/puppet-manifests/src/modules/openstack/manifests/keystone.pp @@ -315,7 +315,6 @@ class openstack::keystone::endpoint::runtime { include ::dcorch::keystone::auth include ::dcmanager::keystone::auth include ::dcdbsync::keystone::auth - include ::dcagent::keystone::auth } if $::platform::params::distributed_cloud_role == 'subcloud' { @@ -403,16 +402,14 @@ class openstack::keystone::endpoint::reconfig if $::platform::params::distributed_cloud_role =='systemcontroller' { Keystone_endpoint["${region}/dcmanager::dcmanager"] -> Keystone_endpoint["${region}/sysinv::platform"] Keystone_endpoint["${region}/dcdbsync::dcorch-dbsync"] -> Keystone_endpoint["${region}/sysinv::platform"] - Keystone_endpoint["${region}/dcagent::dcagent"] -> Keystone_endpoint["${region}/sysinv::platform"] include ::dcorch::keystone::auth include ::dcmanager::keystone::auth include ::dcdbsync::keystone::auth - include ::dcagent::keystone::auth } if $::platform::params::distributed_cloud_role == 'subcloud' { Keystone_endpoint["${region}/dcdbsync::dcorch-dbsync"] -> Keystone_endpoint["${region}/sysinv::platform"] - Keystone_endpoint["${region}/dcagent"] -> Keystone_endpoint["${region}/sysinv::platform"] + Keystone_endpoint["${region}/dcagent::dcagent"] -> Keystone_endpoint["${region}/sysinv::platform"] include ::dcdbsync::keystone::auth include ::dcagent::keystone::auth } 
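Review bot: The `exec { 'Delete dcagent public endpoint': }` that is moved under the subcloud check has no `onlyif`/`unless`, so it sources `/etc/platform/openrc` and queries the identity API on every catalog application and is reported as changed each time. With `configure_endpoint` now defaulting to true, `service_identity` is handed `$public_url` first, and this exec is the only thing that takes the public interface back out of the service catalog. Making it idempotent would turn a "changed" report into a usable signal that a public dcagent endpoint had appeared, for example `onlyif => "/bin/sh -c 'source /etc/platform/openrc && openstack endpoint list --service dcagent --interface public --format value -c ID | grep -q .'"`. Separately, `source` under `/bin/sh` relies on the shell being bash-compatible; `.` is the portable spelling.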
diff --git a/puppet-manifests/src/modules/platform/manifests/dcagent.pp b/puppet-manifests/src/modules/platform/manifests/dcagent.pp index b88b1a8d7..e877a8a13 100644 --- a/puppet-manifests/src/modules/platform/manifests/dcagent.pp +++ b/puppet-manifests/src/modules/platform/manifests/dcagent.pp @@ -10,8 +10,7 @@ class platform::dcagent::params ( class platform::dcagent inherits ::platform::dcagent::params { - if ($::platform::params::distributed_cloud_role == 'subcloud' or - $::platform::params::distributed_cloud_role == 'systemcontroller') { + if ($::platform::params::distributed_cloud_role == 'subcloud') { if $service_create { if $::platform::params::init_keystone { include ::dcagent::keystone::auth
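Review bot: Nothing in this patch removes a dcagent Keystone user that an earlier bootstrap already created on a system controller; the narrowed condition here only stops new creation. If any system controller was deployed with the previous manifests, the user, its role assignment and the dcagent endpoints would remain as an unused service identity that still holds valid credentials. Either state in the commit message that no such deployments exist, or add a cleanup step for the system controller role, something like `keystone_user { 'dcagent': ensure => absent }` (user name assumed from the commit message, to be confirmed against `$auth_name`). The `if` blocks opened in this hunk close outside it.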