From 0bd9954bd715a84191457015c582263065b31076 Mon Sep 17 00:00:00 2001
From: Matthew Treinish
Date: Tue, 25 Apr 2017 17:14:03 -0400
Subject: [PATCH] Correct the ca-cert for mqtt on subunit worker
This patch fixes a mistake on my part, previously the location of the ca certs on archlinux, but on ubuntu this isn't where they live. So the mqtt libs can't properly encrypt the traffic and things are getting stuck in a loop and not working. This commit fixes this by writing the cert from instantssl/comodo to disk and then pointing the worker at that. This way it should always work.
Change-Id: I21b1a64b457545115ff862e3c3388c5892c5497b
---
 manifests/site.pp | 7 ++++---
 modules/openstack_project/manifests/subunit_worker.pp | 10 ++++++++++
 .../templates/logstash/jenkins-subunit-worker.yaml.erb | 2 +-
 3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/manifests/site.pp b/manifests/site.pp
index c56aee5d60..017ae1e848 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -485,9 +485,10 @@ node /^subunit-worker\d+\.openstack\.org$/ {
 sysadmins => hiera('sysadmins', []),
 }
 class { 'openstack_project::subunit_worker':
- subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
- subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
- mqtt_pass => hiera('mqtt_service_user_password'),
+ subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
+ subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
+ mqtt_pass => hiera('mqtt_service_user_password'),
+ mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
 }
 }
diff --git a/modules/openstack_project/manifests/subunit_worker.pp b/modules/openstack_project/manifests/subunit_worker.pp
index a8ea763b3d..f789e1283e 100644
--- a/modules/openstack_project/manifests/subunit_worker.pp
+++ b/modules/openstack_project/manifests/subunit_worker.pp
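Review bot: The new `mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file')` line in site.pp reads a key whose name says "file", while the value is written verbatim as the certificate body by the file resource in subunit_worker.pp. If that key holds a path rather than PEM text, the worker would be given a CA file containing a path string and TLS verification would keep failing, so it is worth confirming what the key stores and saying so next to the lookup, e.g. `# hiera value is the PEM text of the broker's CA, not a path`. Leaving the lookup without a default is the right choice here, because a missing key then fails catalog compilation instead of producing an empty trust anchor.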
@@ -19,6 +19,7 @@ class openstack_project::subunit_worker (
 $subunit2sql_db_pass,
 $mqtt_user = 'infra',
 $mqtt_pass = undef,
+ $mqtt_ca_cert_contents = undef,
 ) {
 file { '/etc/subunit2sql/subunit-woker.yaml':
@@ -29,6 +30,15 @@ class openstack_project::subunit_worker (
 content => template('openstack_project/logstash/jenkins-subunit-worker.yaml.erb'),
 }
+ file { '/etc/subunit2sql/mqtt-root-CA.pem.crt':
+ ensure => present,
+ content => $mqtt_ca_cert_contents,
+ replace => true,
+ owner => 'subunit',
+ group => 'subunit',
+ mode => '0555',
+ }
+
 include subunit2sql
 subunit2sql::worker { 'A':
 config_file => '/etc/subunit2sql/subunit-woker.yaml',
diff --git a/modules/openstack_project/templates/logstash/jenkins-subunit-worker.yaml.erb b/modules/openstack_project/templates/logstash/jenkins-subunit-worker.yaml.erb
index 5a19c03534..d56144c1c3 100644
--- a/modules/openstack_project/templates/logstash/jenkins-subunit-worker.yaml.erb
+++ b/modules/openstack_project/templates/logstash/jenkins-subunit-worker.yaml.erb
@@ -6,4 +6,4 @@ mqtt-port: 8883
 mqtt-topic: gearman-subunit/<%= @hostname %>
 mqtt-user: <%= @mqtt_user %>
 mqtt-pass: <%= @mqtt_pass %>
-mqtt-ca_certs: "/etc/ca-certificates/extracted/tls-ca-bundle.pem"
+mqtt-ca_certs: /etc/subunit2sql/mqtt-root-CA.pem.crt
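Review bot: The new parameter `$mqtt_ca_cert_contents = undef` defaults to no value, yet the file resource added in the next hunk and the template change both assume the certificate is there. With the default in effect Puppet would manage `/etc/subunit2sql/mqtt-root-CA.pem.crt` without any content (an empty file on a fresh host, as far as I can tell), and the worker config still points `mqtt-ca_certs` at it, so verification would fail in the same loop this commit sets out to fix. Dropping the default, `$mqtt_ca_cert_contents,`, turns a missing certificate into a compile-time error. The class body continues outside this hunk.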
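Review bot: `mode => '0555'` on the new certificate resource sets execute bits on a PEM file that only needs to be read; `mode => '0444'` says what is meant. Because this file is the trust anchor for the broker connection, `owner => 'root'` with that mode would also stop the `subunit` service account from replacing it. The resource has no explicit ordering against whatever creates `/etc/subunit2sql` and the `subunit` user (presumably `include subunit2sql`, which sits below it), and nothing visible restarts the worker when the certificate changes; both depend on parts of the class outside this hunk and are worth checking. `replace => true` is the default and can be dropped.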
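Review bot: The certificate path is now a literal in two places, on the `mqtt-ca_certs` line here and as the title of the file resource in subunit_worker.pp, so a rename in one silently breaks TLS verification in the other. Defining it once, for example as a `$mqtt_ca_cert_path` variable in the class that both the resource title and `mqtt-ca_certs: <%= @mqtt_ca_cert_path %>` use, keeps the two in step. The rest of the template is outside this hunk.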