Do not set rabbitmq SSL CA certs when InternalTLSCAFile is ''

The undercloud installation sets InternalTLSCAFile to '' when
undercloud_service_certificate is set (done via
I5d7f35194f98b2d5c06a417cac75d52ff646def0 "undercloud: Disable CA path
if user-provided cert is used"). In this case we end up setting
rabbitmq::{ssl_cacert,ssl_management_cacert} to '' which then breaks
puppet-rabbitmq because it verifies that they are absolute paths.

Let's just skip passing them when InternalTLSCAFile is set to
empty.

Depends-On: I4e9801ba3ced734e5aa3fa22df522fab0e84761a
Closes-Bug: #1947776
Change-Id: I16f0fd04e1ae941d09d567eadaeb5bda959099fc
This commit is contained in:
Michele Baldessari 2021-10-19 21:38:13 +02:00
parent 067211b74f
commit f8e7bf2bba

View File

@ -128,6 +128,8 @@ conditions:
- 6
key_size_override_set:
not: {equals: [{get_param: RabbitmqCertificateKeySize}, '']}
rabbitmq_cacert_set:
not: {equals: [{get_param: InternalTLSCAFile}, '']}
resources:
ContainersCommon:
@ -210,8 +212,6 @@ outputs:
rabbitmq::ssl_port: 5672
rabbitmq::ssl_depth: 1
rabbitmq::ssl_only: {get_param: EnableInternalTLS}
rabbitmq::ssl_cacert: {get_param: InternalTLSCAFile}
rabbitmq::ssl_management_cacert: {get_param: InternalTLSCAFile}
rabbitmq::ssl_interface:
str_replace:
template:
@ -241,6 +241,11 @@ outputs:
if:
- {get_param: EnableInternalTLS}
- true
# Only set CAs then InternalTLSCAFile is not ''
- if:
- rabbitmq_cacert_set
- rabbitmq::ssl_cacert: {get_param: InternalTLSCAFile}
rabbitmq::ssl_management_cacert: {get_param: InternalTLSCAFile}
- if:
- {get_param: EnableInternalTLS}
- tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'