Browse Source

Merge "MySQL: Use conditional instead of nested stack for TLS-specific bits"

changes/24/440124/38
Jenkins 5 years ago
committed by Gerrit Code Review
parent
commit
3cce9cfa07
  1. 1
      environments/enable-internal-tls.yaml
  2. 1
      overcloud-resource-registry-puppet.j2.yaml
  3. 47
      puppet/services/database/mysql-internal-tls-certmonger.yaml
  4. 33
      puppet/services/database/mysql.yaml

1
environments/enable-internal-tls.yaml

@ -12,7 +12,6 @@ resource_registry:
OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
# We use apache as a TLS proxy
OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml

1
overcloud-resource-registry-puppet.j2.yaml

@ -143,7 +143,6 @@ resource_registry:
OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml
OS::TripleO::Services::Kernel: puppet/services/kernel.yaml
OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml
OS::TripleO::Services::MySQLTLS: OS::Heat::None
OS::TripleO::Services::NeutronBgpvpnApi: OS::Heat::None
OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml
OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml

47
puppet/services/database/mysql-internal-tls-certmonger.yaml

@ -1,47 +0,0 @@
heat_template_version: ocata
description: >
MySQL configurations for using TLS via certmonger.
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
# The following parameters are not needed by the template but are
# required to pass the pep8 tests
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
outputs:
role_data:
description: MySQL configurations for using TLS via certmonger.
value:
service_name: mysql_internal_tls_certmonger
config_settings:
generate_service_certificates: true
tripleo::profile::base::database::mysql::certificate_specs:
service_certificate: '/etc/pki/tls/certs/mysql.crt'
service_key: '/etc/pki/tls/private/mysql.key'
hostname:
str_replace:
template: "%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
metadata_settings:
- service: mysql
network: {get_param: [ServiceNetMap, MysqlNetwork]}
type: vip

33
puppet/services/database/mysql.yaml

@ -42,13 +42,13 @@ parameters:
description: The password for the nova db account
type: string
hidden: true
EnableInternalTLS:
type: boolean
default: false
resources:
conditions:
MySQLTLS:
type: OS::TripleO::Services::MySQLTLS
properties:
ServiceNetMap: {get_param: ServiceNetMap}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@ -57,7 +57,6 @@ outputs:
service_name: mysql
config_settings:
map_merge:
- get_attr: [MySQLTLS, role_data, config_settings]
-
# The Galera package should work in cluster and
# non-cluster modes based on the config file.
@ -102,10 +101,30 @@ outputs:
{get_param: [ServiceNetMap, MysqlNetwork]}
tripleo::profile::base::database::mysql::generate_dropin_file_limit:
{get_param: MysqlIncreaseFileLimit}
- generate_service_certificates: true
tripleo::profile::base::database::mysql::certificate_specs:
service_certificate: '/etc/pki/tls/certs/mysql.crt'
service_key: '/etc/pki/tls/private/mysql.key'
hostname:
str_replace:
template: "%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
step_config: |
include ::tripleo::profile::base::database::mysql
metadata_settings:
get_attr: [MySQLTLS, role_data, metadata_settings]
if:
- internal_tls_enabled
-
- service: mysql
network: {get_param: [ServiceNetMap, MysqlNetwork]}
type: vip
- null
upgrade_tasks:
- name: Check for galera root password
tags: step0

Loading…
Cancel
Save