Bind mount the IPA crt when internal_tls is enabled

In order for later reviews to make use of the FreeIPA internal
CA we need to first bind mount it within the container.

We need to add a default in the hiera definition (/etc/ipa/ca.crt)
in order to break a cyclic dependency on the subsequent patches.
(THT child change will set the rabbitmq::ssl_cacert key)

Related-Bug: #1946374
Change-Id: Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26
(cherry picked from commit fdca31a200)
Michele Baldessari 2021-10-08 23:25:38 +02:00
parent 68b60ad291
commit 28135309d9
1 changed files with 10 additions and 0 deletions


@ -66,6 +66,10 @@
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
# [*rabbitmq_cacert*]
# (Optional) When internal tls is enabled this should point to the CA file
# Defaults to hiera('rabbitmq::ssl_cacert', '/etc/ipa/ca.crt')
#
# [*rabbitmq_extra_policies*]
# (Optional) Hash of extra policies for the HA queues
# Defaults to hiera('rabbitmq_extra_policies', {'ha-promote-on-shutdown' => 'always'})
@ -118,6 +122,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
$notify_nodes = hiera('oslo_messaging_notify_node_names_override',
hiera('oslo_messaging_notify_node_names', [])),
$enable_internal_tls = hiera('enable_internal_tls', false),
$rabbitmq_cacert = hiera('rabbitmq::ssl_cacert', '/etc/ipa/ca.crt'),
$rabbitmq_extra_policies = hiera('rabbitmq_extra_policies', {'ha-promote-on-shutdown' => 'always'}),
$pcs_tries = hiera('pcs_tries', 20),
$step = Integer(hiera('step')),
@ -284,6 +289,11 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key',
'options' => 'ro',
},
'rabbitmq-pki-cafile' => {
'source-dir' => $rabbitmq_cacert,
'target-dir' => "/var/lib/kolla/config_files/src-tls${rabbitmq_cacert}",
'options' => 'ro',
},
}
} else {
$storage_maps_tls = {}
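Review bot: The `target-dir` of the new `rabbitmq-pki-cafile` entry is built by plain concatenation, `"/var/lib/kolla/config_files/src-tls${rabbitmq_cacert}"`, so a relative or empty `rabbitmq::ssl_cacert` value silently produces a nonsensical mount path (for a constructed value `etc/ipa/ca.crt` it would be `.../src-tlsetc/ipa/ca.crt`) instead of an error. Since this is the trust anchor that later changes are meant to rely on, such a misconfiguration would only show up as a TLS failure at runtime; a fail-fast guard next to the parameter, e.g. `if $rabbitmq_cacert !~ /^\// { fail('rabbitmq_cacert must be an absolute path') }`, would surface it at catalog compile time instead. The `'options' => 'ro'` on the new entry matches the neighbouring key and certificate mounts, which is the right choice for a CA file. The enclosing `if` block and the `tripleo::profile::pacemaker::rabbitmq_bundle` class start outside the hunk.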