MySQL: Use conditional instead of nested stack for TLS-specific bits

Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings  and metadata_settings this way in an attempt to save
resources.

Change-Id: Ib7151d67982957369f7c139a3b01274a1a746c4a

diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index 6331f44..2fdecb4 100644 (file)
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -12,7 +12,6 @@ resource_registry:
   OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
 
   OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
-  OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
 
   # We use apache as a TLS proxy
   OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml

diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 1c9830d..b294d7c 100644 (file)
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -143,7 +143,6 @@ resource_registry:
   OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml
   OS::TripleO::Services::Kernel: puppet/services/kernel.yaml
   OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml
-  OS::TripleO::Services::MySQLTLS: OS::Heat::None
   OS::TripleO::Services::NeutronBgpvpnApi: OS::Heat::None
   OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml
   OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml

diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml
deleted file mode 100644 (file)
index 9f7eaf5..0000000
--- a/puppet/services/database/mysql-internal-tls-certmonger.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-heat_template_version: ocata
-
-description: >
-  MySQL configurations for using TLS via certmonger.
-
-parameters:
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  # The following parameters are not needed by the template but are
-  # required to pass the pep8 tests
-  DefaultPasswords:
-    default: {}
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-
-outputs:
-  role_data:
-    description: MySQL configurations for using TLS via certmonger.
-    value:
-      service_name: mysql_internal_tls_certmonger
-      config_settings:
-        generate_service_certificates: true
-        tripleo::profile::base::database::mysql::certificate_specs:
-          service_certificate: '/etc/pki/tls/certs/mysql.crt'
-          service_key: '/etc/pki/tls/private/mysql.key'
-          hostname:
-            str_replace:
-              template: "%{hiera('cloud_name_NETWORK')}"
-              params:
-                NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
-          principal:
-            str_replace:
-              template: "mysql/%{hiera('cloud_name_NETWORK')}"
-              params:
-                NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
-      metadata_settings:
-        - service: mysql
-          network: {get_param: [ServiceNetMap, MysqlNetwork]}
-          type: vip

diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 7078b60..da55da3 100644 (file)
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -42,13 +42,13 @@ parameters:
     description: The password for the nova db account
     type: string
     hidden: true
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
-resources:
+conditions:
 
-  MySQLTLS:
-    type: OS::TripleO::Services::MySQLTLS
-    properties:
-      ServiceNetMap: {get_param: ServiceNetMap}
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 
 outputs:
   role_data:
@@ -57,7 +57,6 @@ outputs:
       service_name: mysql
       config_settings:
         map_merge:
-          - get_attr: [MySQLTLS, role_data, config_settings]
           -
             # The Galera package should work in cluster and
             # non-cluster modes based on the config file.
@@ -102,10 +101,30 @@ outputs:
               {get_param: [ServiceNetMap, MysqlNetwork]}
             tripleo::profile::base::database::mysql::generate_dropin_file_limit:
               {get_param: MysqlIncreaseFileLimit}
+          - generate_service_certificates: true
+            tripleo::profile::base::database::mysql::certificate_specs:
+              service_certificate: '/etc/pki/tls/certs/mysql.crt'
+              service_key: '/etc/pki/tls/private/mysql.key'
+              hostname:
+                str_replace:
+                  template: "%{hiera('cloud_name_NETWORK')}"
+                  params:
+                    NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+              principal:
+                str_replace:
+                  template: "mysql/%{hiera('cloud_name_NETWORK')}"
+                  params:
+                    NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
       step_config: |
         include ::tripleo::profile::base::database::mysql
       metadata_settings:
-        get_attr: [MySQLTLS, role_data, metadata_settings]
+        if:
+          - internal_tls_enabled
+          -
+            - service: mysql
+              network: {get_param: [ServiceNetMap, MysqlNetwork]}
+              type: vip
+          - null
       upgrade_tasks:
         - name: Check for galera root password
           tags: step0