Merge "MySQL: Use conditional instead of nested stack for TLS-specific bits"

This commit is contained in:
Jenkins 2017-03-28 12:54:11 +00:00 committed by Gerrit Code Review
commit 3cce9cfa07
4 changed files with 26 additions and 56 deletions

View File

@ -12,7 +12,6 @@ resource_registry:
OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
# We use apache as a TLS proxy
OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml

View File

@ -143,7 +143,6 @@ resource_registry:
OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml
OS::TripleO::Services::Kernel: puppet/services/kernel.yaml
OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml
OS::TripleO::Services::MySQLTLS: OS::Heat::None
OS::TripleO::Services::NeutronBgpvpnApi: OS::Heat::None
OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml
OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml

View File

@ -1,47 +0,0 @@
heat_template_version: ocata
description: >
MySQL configurations for using TLS via certmonger.
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
# The following parameters are not needed by the template but are
# required to pass the pep8 tests
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
outputs:
role_data:
description: MySQL configurations for using TLS via certmonger.
value:
service_name: mysql_internal_tls_certmonger
config_settings:
generate_service_certificates: true
tripleo::profile::base::database::mysql::certificate_specs:
service_certificate: '/etc/pki/tls/certs/mysql.crt'
service_key: '/etc/pki/tls/private/mysql.key'
hostname:
str_replace:
template: "%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
metadata_settings:
- service: mysql
network: {get_param: [ServiceNetMap, MysqlNetwork]}
type: vip

View File

@ -42,13 +42,13 @@ parameters:
description: The password for the nova db account
type: string
hidden: true
EnableInternalTLS:
type: boolean
default: false
resources:
conditions:
MySQLTLS:
type: OS::TripleO::Services::MySQLTLS
properties:
ServiceNetMap: {get_param: ServiceNetMap}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@ -57,7 +57,6 @@ outputs:
service_name: mysql
config_settings:
map_merge:
- get_attr: [MySQLTLS, role_data, config_settings]
-
# The Galera package should work in cluster and
# non-cluster modes based on the config file.
@ -102,10 +101,30 @@ outputs:
{get_param: [ServiceNetMap, MysqlNetwork]}
tripleo::profile::base::database::mysql::generate_dropin_file_limit:
{get_param: MysqlIncreaseFileLimit}
- generate_service_certificates: true
tripleo::profile::base::database::mysql::certificate_specs:
service_certificate: '/etc/pki/tls/certs/mysql.crt'
service_key: '/etc/pki/tls/private/mysql.key'
hostname:
str_replace:
template: "%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
step_config: |
include ::tripleo::profile::base::database::mysql
metadata_settings:
get_attr: [MySQLTLS, role_data, metadata_settings]
if:
- internal_tls_enabled
-
- service: mysql
network: {get_param: [ServiceNetMap, MysqlNetwork]}
type: vip
- null
upgrade_tasks:
- name: Check for galera root password
tags: step0