fence_azure_arm:add stack cloud support && azure_fence: use correct credential_scope and profile for stack hub

(cherry picked from commit 2ce37fd4799e7a5bdb5934d05252151c4784f037)
2024-05-24 16:54:15 +08:00 · 2024-05-24 16:54:15 +08:00 · c159cabcf3
commit c159cabcf3
parent 6c3e8a3ce8
3 changed files with 183 additions and 2 deletions
--- a/backport-azure_fence-use-correct-credential_scope-and-profile.patch
+++ b/backport-azure_fence-use-correct-credential_scope-and-profile.patch
@ -0,0 +1,59 @@
+From 9087760db005abfd9b3e07319846232214d8dae2 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Fri, 16 Jun 2023 16:03:11 +0200
+Subject: [PATCH 15/46] azure_fence: use correct credential_scope and profile
+ for stack hub
+
+---
+ lib/azure_fence.py.py | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/lib/azure_fence.py.py b/lib/azure_fence.py.py
+index 6f1eee5b..ab40b483 100644
+--- a/lib/azure_fence.py.py
+++ b/lib/azure_fence.py.py
+@@ -353,11 +353,19 @@ def get_azure_compute_client(config):
+                 fail_usage("metadata-endpoint not specified")
+ 
+         try:
+            from azure.profiles import KnownProfiles
+            if (config.Cloud.lower() == "stack"):
+                client_profile = KnownProfiles.v2020_09_01_hybrid
+                credential_scope = cloud_environment.endpoints.active_directory_resource_id + "/.default"
+            else:
+                client_profile = KnownProfiles.default
+                credential_scope = cloud_environment.endpoints.resource_manager + "/.default"
+             compute_client = ComputeManagementClient(
+                 credentials,
+                 config.SubscriptionId,
+                 base_url=cloud_environment.endpoints.resource_manager,
+-                credential_scopes=[cloud_environment.endpoints.resource_manager + "/.default"]
+                profile=client_profile,
+                credential_scopes=[credential_scope],
+             )
+         except TypeError:
+             compute_client = ComputeManagementClient(
+@@ -383,11 +391,19 @@ def get_azure_network_client(config):
+                 fail_usage("metadata-endpoint not specified")
+ 
+         try:
+            from azure.profiles import KnownProfiles
+            if (config.Cloud.lower() == "stack"):
+                client_profile = KnownProfiles.v2020_09_01_hybrid
+                credential_scope = cloud_environment.endpoints.active_directory_resource_id + "/.default"
+            else:
+                client_profile = KnownProfiles.default
+                credential_scope = cloud_environment.endpoints.resource_manager + "/.default"
+             network_client = NetworkManagementClient(
+                 credentials,
+                 config.SubscriptionId,
+                 base_url=cloud_environment.endpoints.resource_manager,
+-                credential_scopes=[cloud_environment.endpoints.resource_manager + "/.default"]
+                profile=client_profile,
+                credential_scopes=[credential_scope],
+             )
+         except TypeError:
+             network_client = NetworkManagementClient(
+-- 
+2.25.1
+
--- a/backport-fence_azure_arm-add-stack-cloud-support.patch
+++ b/backport-fence_azure_arm-add-stack-cloud-support.patch
@ -0,0 +1,116 @@
+From 6e0228536d30ca1bd95bfd1628c0247f094ecaa8 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Wed, 2 Mar 2022 13:49:16 +0100
+Subject: [PATCH 14/46] fence_azure_arm: add stack cloud support
+
+---
+ agents/azure_arm/fence_azure_arm.py     | 18 ++++++++++++++----
+ lib/azure_fence.py.py                   | 10 ++++++++++
+ tests/data/metadata/fence_azure_arm.xml | 10 ++++++++++
+ 3 files changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/agents/azure_arm/fence_azure_arm.py b/agents/azure_arm/fence_azure_arm.py
+index 6908169c..e3b7c85c 100755
+--- a/agents/azure_arm/fence_azure_arm.py
+++ b/agents/azure_arm/fence_azure_arm.py
+@@ -183,20 +183,30 @@ def define_new_opts():
+         "getopt" : ":",
+         "longopt" : "cloud",
+         "help" : "--cloud=[name]                 Name of the cloud you want to use. Supported\n\
+-                                  values are china, germany or usgov. Do not use\n\
+-                                  this parameter if you want to use public\n\
+-                                  Azure.",
+                                  values are china, germany, usgov, or stack. Do\n\
+                                  not use this parameter if you want to use\n\
+                                  public Azure.",
+         "shortdesc" : "Name of the cloud you want to use.",
+         "required" : "0",
+         "order" : 7
+     }
+    all_opt["metadata-endpoint"] = {
+        "getopt" : ":",
+        "longopt" : "metadata-endpoint",
+        "help" : "--metadata-endpoint=[URL]      URL to metadata endpoint (used when cloud=stack).",
+        "shortdesc" : "URL to metadata endpoint (used when cloud=stack).",
+        "required" : "0",
+        "order" : 8
+    }
+ 
+ # Main agent method
+ def main():
+     compute_client = None
+     network_client = None
+ 
+-    device_opt = ["login", "no_login", "no_password", "passwd", "port", "resourceGroup", "tenantId", "subscriptionId", "network-fencing", "msi", "cloud"]
+    device_opt = ["login", "no_login", "no_password", "passwd", "port",
+		  "resourceGroup", "tenantId", "subscriptionId",
+		  "network-fencing", "msi", "cloud", "metadata-endpoint"]
+ 
+     atexit.register(atexit_handler)
+ 
+diff --git a/lib/azure_fence.py.py b/lib/azure_fence.py.py
+index 5ca71eb4..6f1eee5b 100644
+--- a/lib/azure_fence.py.py
+++ b/lib/azure_fence.py.py
+@@ -251,6 +251,7 @@ def get_azure_config(options):
+     config.VMName = options.get("--plug")
+     config.SubscriptionId = options.get("--subscriptionId")
+     config.Cloud = options.get("--cloud")
+    config.MetadataEndpoint = options.get("--metadata-endpoint")
+     config.UseMSI = "--msi" in options
+     config.Tenantid = options.get("--tenantId")
+     config.ApplicationId = options.get("--username")
+@@ -279,6 +280,9 @@ def get_azure_cloud_environment(config):
+         elif (config.Cloud.lower() == "usgov"):
+             from msrestazure.azure_cloud import AZURE_US_GOV_CLOUD
+             cloud_environment = AZURE_US_GOV_CLOUD
+        elif (config.Cloud.lower() == "stack"):
+            from msrestazure.azure_cloud import get_cloud_from_metadata_endpoint
+            cloud_environment = get_cloud_from_metadata_endpoint(config.MetadataEndpoint)
+ 
+     return cloud_environment
+ 
+@@ -345,6 +349,9 @@ def get_azure_compute_client(config):
+     credentials = get_azure_credentials(config)
+ 
+     if cloud_environment:
+        if (config.Cloud.lower() == "stack") and not config.MetadataEndpoint:
+                fail_usage("metadata-endpoint not specified")
+
+         try:
+             compute_client = ComputeManagementClient(
+                 credentials,
+@@ -372,6 +379,9 @@ def get_azure_network_client(config):
+     credentials = get_azure_credentials(config)
+ 
+     if cloud_environment:
+        if (config.Cloud.lower() == "stack") and not config.MetadataEndpoint:
+                fail_usage("metadata-endpoint not specified")
+
+         try:
+             network_client = NetworkManagementClient(
+                 credentials,
+diff --git a/tests/data/metadata/fence_azure_arm.xml b/tests/data/metadata/fence_azure_arm.xml
+index c6e1f203..8b745076 100644
+--- a/tests/data/metadata/fence_azure_arm.xml
+++ b/tests/data/metadata/fence_azure_arm.xml
+@@ -98,6 +98,16 @@ When using network fencing the reboot-action will cause a quick-return once the
+ 		<content type="string"  />
+ 		<shortdesc lang="en">Name of the cloud you want to use.</shortdesc>
+ 	</parameter>
+	<parameter name="metadata-endpoint" unique="0" required="0" deprecated="1">
+		<getopt mixed="--metadata-endpoint=[URL]" />
+		<content type="string"  />
+		<shortdesc lang="en">URL to metadata endpoint (used when cloud=stack).</shortdesc>
+	</parameter>
+	<parameter name="metadata_endpoint" unique="0" required="0" obsoletes="metadata-endpoint">
+		<getopt mixed="--metadata-endpoint=[URL]" />
+		<content type="string"  />
+		<shortdesc lang="en">URL to metadata endpoint (used when cloud=stack).</shortdesc>
+	</parameter>
+ 	<parameter name="quiet" unique="0" required="0">
+ 		<getopt mixed="-q, --quiet" />
+ 		<content type="boolean"  />
+-- 
+2.25.1
+
--- a/fence-agents.spec
+++ b/fence-agents.spec
@ -6,7 +6,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.12.1
-Release: 8
+Release: 9
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Base
 URL: https://github.com/ClusterLabs/fence-agents
@ -18,6 +18,8 @@ Patch3:	backport-fixes-to-allow-running-outside-of-AWS-network.patch
 Patch4:	backport-fail-when-power-action-request-fails.patch	
 Patch5: backport-fence_scsi-Automatically-detect-devices-for-shared-VGs.patch
 Patch6: backport-fence_scsi-Add-support-for-space-separated-devices-and-update-in-meta-data.patch
+Patch7: backport-fence_azure_arm-add-stack-cloud-support.patch
+Patch8: backport-azure_fence-use-correct-credential_scope-and-profile.patch

 # skipped: pve, raritan, rcd-serial, virsh
 %global allfenceagents %(cat <<EOF
@ -1133,9 +1135,13 @@ are located on corosync cluster nodes.
 %{_libdir}/fence-virt/cpg.so

 %changelog
+* Fri May 24 2024 liupei <liupei@kylinos.cn> - 4.12.1-9
+- fence_azure_arm:add stack cloud support
+- azure_fence: use correct credential_scope and profile for stack hub 
+
 * Thu May 23 2024 liupei <liupei@kylinos.cn> - 4.12.1-8
 - fence_scsi: Automatically detect devices for shared VGs
-  fence_scsi: Add support for space-separated devices and update in meta-data  
+- fence_scsi: Add support for space-separated devices and update in meta-data  

 * Wed May 22 2024 zhangxingrong <zhangxingrong@uniontech.com> - 4.12.1-7
 - backport some upstream patch