Merge "MySQL: Use conditional instead of nested stack for TLS-specific bits"

5 years ago · 3cce9cfa07
4 changed files with 26 additions and 56 deletions
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@ -12,7 +12,6 @@ resource_registry:
  OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml

  OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
-  OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml

  # We use apache as a TLS proxy
  OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -143,7 +143,6 @@ resource_registry:
  OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml
  OS::TripleO::Services::Kernel: puppet/services/kernel.yaml
  OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml
-  OS::TripleO::Services::MySQLTLS: OS::Heat::None
  OS::TripleO::Services::NeutronBgpvpnApi: OS::Heat::None
  OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml
  OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml
--- a/puppet/services/database/mysql-internal-tls-certmonger.yaml
+++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml
@ -1,47 +0,0 @@
-heat_template_version: ocata
-
-description: >
-  MySQL configurations for using TLS via certmonger.
-
-parameters:
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  # The following parameters are not needed by the template but are
-  # required to pass the pep8 tests
-  DefaultPasswords:
-    default: {}
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-
-outputs:
-  role_data:
-    description: MySQL configurations for using TLS via certmonger.
-    value:
-      service_name: mysql_internal_tls_certmonger
-      config_settings:
-        generate_service_certificates: true
-        tripleo::profile::base::database::mysql::certificate_specs:
-          service_certificate: '/etc/pki/tls/certs/mysql.crt'
-          service_key: '/etc/pki/tls/private/mysql.key'
-          hostname:
-            str_replace:
-              template: "%{hiera('cloud_name_NETWORK')}"
-              params:
-                NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
-          principal:
-            str_replace:
-              template: "mysql/%{hiera('cloud_name_NETWORK')}"
-              params:
-                NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
-      metadata_settings:
-        - service: mysql
-          network: {get_param: [ServiceNetMap, MysqlNetwork]}
-          type: vip
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@ -42,13 +42,13 @@ parameters:
    description: The password for the nova db account
    type: string
    hidden: true
+  EnableInternalTLS:
+    type: boolean
+    default: false

-resources:
+conditions:

-  MySQLTLS:
-    type: OS::TripleO::Services::MySQLTLS
-    properties:
-      ServiceNetMap: {get_param: ServiceNetMap}
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

 outputs:
  role_data:
@ -57,7 +57,6 @@ outputs:
      service_name: mysql
      config_settings:
        map_merge:
-          - get_attr: [MySQLTLS, role_data, config_settings]
          -
            # The Galera package should work in cluster and
            # non-cluster modes based on the config file.
@ -102,10 +101,30 @@ outputs:
              {get_param: [ServiceNetMap, MysqlNetwork]}
            tripleo::profile::base::database::mysql::generate_dropin_file_limit:
              {get_param: MysqlIncreaseFileLimit}
+          - generate_service_certificates: true
+            tripleo::profile::base::database::mysql::certificate_specs:
+              service_certificate: '/etc/pki/tls/certs/mysql.crt'
+              service_key: '/etc/pki/tls/private/mysql.key'
+              hostname:
+                str_replace:
+                  template: "%{hiera('cloud_name_NETWORK')}"
+                  params:
+                    NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+              principal:
+                str_replace:
+                  template: "mysql/%{hiera('cloud_name_NETWORK')}"
+                  params:
+                    NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
      step_config: |
        include ::tripleo::profile::base::database::mysql
      metadata_settings:
-        get_attr: [MySQLTLS, role_data, metadata_settings]
+        if:
+          - internal_tls_enabled
+          -
+            - service: mysql
+              network: {get_param: [ServiceNetMap, MysqlNetwork]}
+              type: vip
+          - null
      upgrade_tasks:
        - name: Check for galera root password
          tags: step0