Rabbitmq: Use conditional instead of nested stack for TLS-specific bits

Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of using nested stacks, this patch
changes that to use a conditional, and outputs the necessary
config_settings and metadata_settings this way in an attempt to save
resources.

Change-Id: Ic25f84a81aefef91b3ab8db2bc864853ee82c8aa
Juan Antonio Osorio Robles 2017-03-27 12:11:27 +03:00
parent 82db6ab608
commit 69c213e3e3
4 changed files with 27 additions and 59 deletions


@ -14,7 +14,6 @@ resource_registry:
OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
OS::TripleO::Services::RabbitMQTLS: ../puppet/services/rabbitmq-internal-tls-certmonger.yaml
# We use apache as a TLS proxy # We use apache as a TLS proxy
OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml


@ -170,7 +170,6 @@ resource_registry:
OS::TripleO::Services::PacemakerRemote: OS::Heat::None OS::TripleO::Services::PacemakerRemote: OS::Heat::None
OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None
OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml
OS::TripleO::Services::RabbitMQTLS: OS::Heat::None
OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml
OS::TripleO::Services::HAProxyPublicTLS: OS::Heat::None OS::TripleO::Services::HAProxyPublicTLS: OS::Heat::None
OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None


@ -1,47 +0,0 @@
heat_template_version: ocata
description: >
RabbitMQ configurations for using TLS via certmonger.
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
# The following parameters are not needed by the template but are
# required to pass the pep8 tests
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
outputs:
role_data:
description: RabbitMQ configurations for using TLS via certmonger.
value:
service_name: rabbitmq_internal_tls_certmonger
config_settings:
generate_service_certificates: true
tripleo::profile::base::rabbitmq::certificate_specs:
service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
service_key: '/etc/pki/tls/private/rabbitmq.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
principal:
str_replace:
template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
metadata_settings:
- service: rabbitmq
network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
type: node


@ -52,14 +52,8 @@ parameters:
type: boolean type: boolean
default: false default: false
resources: conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
RabbitMQTLS:
type: OS::TripleO::Services::RabbitMQTLS
properties:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
outputs: outputs:
role_data: role_data:
@ -69,7 +63,6 @@ outputs:
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq} monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
config_settings: config_settings:
map_merge: map_merge:
- get_attr: [RabbitMQTLS, role_data, config_settings]
- -
rabbitmq::file_limit: {get_param: RabbitFDLimit} rabbitmq::file_limit: {get_param: RabbitFDLimit}
rabbitmq::default_user: {get_param: RabbitUserName} rabbitmq::default_user: {get_param: RabbitUserName}
@ -124,6 +117,24 @@ outputs:
# TODO(jaosorior): Remove this once we set a proper default in # TODO(jaosorior): Remove this once we set a proper default in
# puppet-tripleo # puppet-tripleo
tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS}
-
if:
- internal_tls_enabled
- generate_service_certificates: true
tripleo::profile::base::rabbitmq::certificate_specs:
service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
service_key: '/etc/pki/tls/private/rabbitmq.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
principal:
str_replace:
template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- {}
step_config: | step_config: |
include ::tripleo::profile::base::rabbitmq include ::tripleo::profile::base::rabbitmq
upgrade_tasks: upgrade_tasks:
@ -134,4 +145,10 @@ outputs:
tags: step4 tags: step4
service: name=rabbitmq-server state=started service: name=rabbitmq-server state=started
metadata_settings: metadata_settings:
get_attr: [RabbitMQTLS, role_data, metadata_settings] if:
- internal_tls_enabled
-
- service: rabbitmq
network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
type: node
- null
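Review bot: The inlined certificate_specs in the third hunk request a private key at `/etc/pki/tls/private/rabbitmq.key`, but nothing in the spec says who may read it; certmonger-issued keys are typically root-owned, while the broker runs as its own service user, so presumably puppet-tripleo's rabbitmq profile fixes ownership — worth confirming rather than assuming. The block also lacks any explanation of why it is conditional now; I would add, above the `if:`, `# Only request a certmonger certificate when EnableInternalTLS is set; hostname/principal resolve via hiera fqdn_<RabbitmqNetwork> at deploy time` so the next reader does not look for the removed RabbitMQTLS nested stack. The metadata_settings fallback of `null` (last hunk) versus `{}` for config_settings is deliberate for map_merge but deserves the same one-line note. The role_data output these hunks sit in starts before the first hunk and is not fully visible here.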