Rabbitmq: Use conditional instead of nested stack for TLS-specific bits
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>
Mon, 27 Mar 2017 09:11:27 +0000 (12:11 +0300)
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>
Mon, 27 Mar 2017 10:33:12 +0000 (13:33 +0300)
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of using nested stacks, this patch
changes that to use a conditional, and outputs the necessary
config_settings and metadata_settings this way in an attempt to save
resources.

Change-Id: Ic25f84a81aefef91b3ab8db2bc864853ee82c8aa

environments/enable-internal-tls.yaml
overcloud-resource-registry-puppet.j2.yaml
puppet/services/rabbitmq-internal-tls-certmonger.yaml [deleted file]
puppet/services/rabbitmq.yaml

index e245a6a..b16d451 100644 (file)
@@ -14,7 +14,6 @@ resource_registry:
   OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
   OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
   OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
-  OS::TripleO::Services::RabbitMQTLS: ../puppet/services/rabbitmq-internal-tls-certmonger.yaml
 
   # We use apache as a TLS proxy
   OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
index d9eaf8d..5debed5 100644 (file)
@@ -170,7 +170,6 @@ resource_registry:
   OS::TripleO::Services::PacemakerRemote: OS::Heat::None
   OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None
   OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml
-  OS::TripleO::Services::RabbitMQTLS: OS::Heat::None
   OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml
   OS::TripleO::Services::HAProxyPublicTLS: OS::Heat::None
   OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None
diff --git a/puppet/services/rabbitmq-internal-tls-certmonger.yaml b/puppet/services/rabbitmq-internal-tls-certmonger.yaml
deleted file mode 100644 (file)
index 39d6b90..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
-heat_template_version: ocata
-
-description: >
-  RabbitMQ configurations for using TLS via certmonger.
-
-parameters:
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  # The following parameters are not needed by the template but are
-  # required to pass the pep8 tests
-  DefaultPasswords:
-    default: {}
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-
-outputs:
-  role_data:
-    description: RabbitMQ configurations for using TLS via certmonger.
-    value:
-      service_name: rabbitmq_internal_tls_certmonger
-      config_settings:
-        generate_service_certificates: true
-        tripleo::profile::base::rabbitmq::certificate_specs:
-          service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
-          service_key: '/etc/pki/tls/private/rabbitmq.key'
-          hostname:
-            str_replace:
-              template: "%{hiera('fqdn_NETWORK')}"
-              params:
-                NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
-          principal:
-            str_replace:
-              template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
-              params:
-                NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
-      metadata_settings:
-        - service: rabbitmq
-          network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
-          type: node
index 92a0015..4747978 100644 (file)
@@ -52,14 +52,8 @@ parameters:
     type: boolean
     default: false
 
-resources:
-
-  RabbitMQTLS:
-    type: OS::TripleO::Services::RabbitMQTLS
-    properties:
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      EndpointMap: {get_param: EndpointMap}
+conditions:
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 
 outputs:
   role_data:
@@ -69,7 +63,6 @@ outputs:
       monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
       config_settings:
         map_merge:
-          - get_attr: [RabbitMQTLS, role_data, config_settings]
           -
             rabbitmq::file_limit: {get_param: RabbitFDLimit}
             rabbitmq::default_user: {get_param: RabbitUserName}
@@ -124,6 +117,24 @@ outputs:
             # TODO(jaosorior): Remove this once we set a proper default in
             # puppet-tripleo
             tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS}
+          -
+            if:
+            - internal_tls_enabled
+            - generate_service_certificates: true
+              tripleo::profile::base::rabbitmq::certificate_specs:
+                service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
+                service_key: '/etc/pki/tls/private/rabbitmq.key'
+                hostname:
+                  str_replace:
+                    template: "%{hiera('fqdn_NETWORK')}"
+                    params:
+                      NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+                principal:
+                  str_replace:
+                    template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
+                    params:
+                      NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+            - {}
       step_config: |
         include ::tripleo::profile::base::rabbitmq
       upgrade_tasks:
@@ -134,4 +145,10 @@ outputs:
           tags: step4
           service: name=rabbitmq-server state=started
       metadata_settings:
-        get_attr: [RabbitMQTLS, role_data, metadata_settings]
+        if:
+          - internal_tls_enabled
+          -
+            - service: rabbitmq
+              network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+              type: node
+          - null
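Review bot: The two new `if:` blocks use different sequence indentation — the config_settings arm lists `- internal_tls_enabled` flush with `if:`, while the metadata_settings arm indents it — and the rest of this file indents sequences (the `map_merge:` arms above), so the first block should be written `if:` / `  - internal_tls_enabled` / `  - generate_service_certificates: true` with its remaining lines shifted two columns to match. A short comment above that arm would also help, since the deleted template's description was the only place this was explained: `# Certmonger certificate request for RabbitMQ; merged only when EnableInternalTLS is true`. With the registry mapping removed in the first two file sections, enabling TLS now rests solely on the EnableInternalTLS parameter, so presumably enable-internal-tls.yaml sets it in parameter_defaults — that is outside this page. The `role_data` output and its `map_merge` start outside the hunk.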