From e0f50b4b3aa1fc0c2dc4da5c596b776e1c34c6f2 Mon Sep 17 00:00:00 2001
From: Harry Rybacki
Date: Thu, 1 Aug 2019 14:40:19 -0400
Subject: [PATCH] Fix broken metadata_settings for redis templates

metadata_settings in docker/services/redis.yaml was returning a list of two items rather than one as expected. As a result, the compact/ mangedby service principals were not being created by novajoin service. This results ina permission issue during overcloud deploy as the `getcert` request will hit a permissions issue during Step2.

Note that this only affects Rocky and earlier branches. The issue was resolved in Stein when redis service was flattened[1,2].

- Push tls logic into redis-base and consume in child templates.
- Move away from use_tls_proxy to more accurate internal_tls_enabled
- Ensure redis service has both service principals created if internal tls is enabled

[1] - https://review.opendev.org/#/c/635930/
[2] - https://review.opendev.org/640944

Change-Id: Ic781905b63a0635b7bd0c7079fa84ca1e7f93989
Partial-bug: #1838679
(cherry picked from commit b96b049f983662ea0badbca5d4f7b0e95b880338)
---
 docker/services/database/redis.yaml | 10 ----------
 puppet/services/database/redis-base.yaml | 17 ++++++++++++++---
 puppet/services/database/redis.yaml | 12 +++---------
 3 files changed, 17 insertions(+), 22 deletions(-)

diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml
index 05c74e978f..d2c02dc0c4 100644
--- a/docker/services/database/redis.yaml
+++ b/docker/services/database/redis.yaml
@@ -198,16 +198,6 @@ outputs:
 - {}
 metadata_settings:
 get_attr: [RedisBase, role_data, metadata_settings]
- if:
- - internal_tls_enabled
- -
- - service: redis
- network: {get_param: [ServiceNetMap, RedisNetwork]}
- type: vip
- - service: redis
- network: {get_param: [ServiceNetMap, RedisNetwork]}
- type: node
- - null
 host_prep_tasks:
 - name: create persistent directories
 file:
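Review bot: With the `if` block removed, `metadata_settings` in docker/services/database/redis.yaml is exactly what RedisBase emits, so whether any redis principal is created now depends on the RedisBase resource receiving `EnableInternalTLS`; if that property is not passed through, the base template's `internal_tls_enabled` condition is false and this output is `null`, which is the same symptom the commit message describes. The RedisBase resource definition is outside this hunk, so the pass-through should be confirmed there. The enclosing `outputs` mapping also starts and ends outside the hunk.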
diff --git a/puppet/services/database/redis-base.yaml b/puppet/services/database/redis-base.yaml
index 94e62df2f8..5c3da0e688 100644
--- a/puppet/services/database/redis-base.yaml
+++ b/puppet/services/database/redis-base.yaml
@@ -47,7 +47,7 @@ parameters:
 type: boolean
 
 conditions:
- use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+ internal_tls_enabled: {equals : [{get_param: EnableInternalTLS}, true]}
 redis_ipv6: {get_param: RedisIPv6}
 
 outputs:
@@ -69,7 +69,7 @@ outputs:
 # proxy in front.
 redis::bind:
 if:
- - use_tls_proxy
+ - internal_tls_enabled
 - if:
 - redis_ipv6
 - '::1'
@@ -85,7 +85,7 @@ outputs:
 redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh'
 redis::sentinel::sentinel_bind:
 if:
- - use_tls_proxy
+ - internal_tls_enabled
 - if:
 - redis_ipv6
 - '::1'
@@ -96,3 +96,14 @@ outputs:
 params:
 $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
 redis::ulimit: {get_param: RedisFDLimit}
+ metadata_settings:
+ if:
+ - internal_tls_enabled
+ -
+ - service: mysql
+ network: {get_param: [ServiceNetMap, MysqlNetwork]}
+ type: vip
+ - service: mysql
+ network: {get_param: [ServiceNetMap, MysqlNetwork]}
+ type: node
+ - null
\ No newline at end of file
diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml
index 0854ffd82c..4411d592d1 100644
--- a/puppet/services/database/redis.yaml
+++ b/puppet/services/database/redis.yaml
@@ -35,7 +35,7 @@ parameters:
 default: false
 
 conditions:
- use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+ internal_tls_enabled: {equals : [{get_param: EnableInternalTLS}, true]}
 
 resources:
 
@@ -73,7 +73,7 @@ outputs:
 $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
 tripleo::profile::base::database::redis::tls_proxy_port: 6379
 - if:
- - use_tls_proxy
+ - internal_tls_enabled
 - tripleo::redis::service_certificate: '/etc/pki/tls/certs/redis.crt'
 redis_certificate_specs:
 service_certificate: '/etc/pki/tls/certs/redis.crt'
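Review bot: The new `metadata_settings` block in puppet/services/database/redis-base.yaml (hunk `@@ -96,3 +96,14 @@`) registers `service: mysql` on `MysqlNetwork` for both the vip and node entries, which looks like a copy from the mysql template; the commit message says the goal is the redis service principals, and the block this commit removes from docker/services/database/redis.yaml used `service: redis` with `RedisNetwork`. As far as the hunk shows, this asks for mysql principals rather than redis ones, so the redis `getcert` flow the message describes would presumably still lack its principal, and both consumers of `get_attr: [RedisBase, role_data, metadata_settings]` (the docker and puppet redis templates in this same commit) inherit it. Both entries should read `- service: redis` with `network: {get_param: [ServiceNetMap, RedisNetwork]}`. The hunk also leaves the file without a trailing newline after `- null`.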
@@ -93,13 +93,7 @@ outputs:
 step_config: |
 include ::tripleo::profile::base::database::redis
 metadata_settings:
- if:
- - use_tls_proxy
- -
- - service: redis
- network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
- type: vip
- - null
+ get_attr: [RedisBase, role_data, metadata_settings]
 upgrade_tasks:
 - name: Check if redis is deployed
 command: systemctl is-enabled redis