Do not set rabbitmq SSL CA certs when InternalTLSCAFile is ''
The undercloud installation sets InternalTLSCAFile to '' when undercloud_service_certificate is set (done via I5d7f35194f98b2d5c06a417cac75d52ff646def0 "undercloud: Disable CA path if user-provided cert is used"). In this case we end up setting rabbitmq::{ssl_cacert,ssl_management_cacert} to '' which then breaks puppet-rabbitmq because it verifies that they are absolute paths. Let's just skip passing them when InternalTLSCAFile is set to empty. Depends-On: I4e9801ba3ced734e5aa3fa22df522fab0e84761a Closes-Bug: #1947776 Change-Id: I16f0fd04e1ae941d09d567eadaeb5bda959099fc
This commit is contained in:
parent
067211b74f
commit
f8e7bf2bba
@ -128,6 +128,8 @@ conditions:
|
||||
- 6
|
||||
key_size_override_set:
|
||||
not: {equals: [{get_param: RabbitmqCertificateKeySize}, '']}
|
||||
rabbitmq_cacert_set:
|
||||
not: {equals: [{get_param: InternalTLSCAFile}, '']}
|
||||
|
||||
resources:
|
||||
ContainersCommon:
|
||||
@ -210,8 +212,6 @@ outputs:
|
||||
rabbitmq::ssl_port: 5672
|
||||
rabbitmq::ssl_depth: 1
|
||||
rabbitmq::ssl_only: {get_param: EnableInternalTLS}
|
||||
rabbitmq::ssl_cacert: {get_param: InternalTLSCAFile}
|
||||
rabbitmq::ssl_management_cacert: {get_param: InternalTLSCAFile}
|
||||
rabbitmq::ssl_interface:
|
||||
str_replace:
|
||||
template:
|
||||
@ -241,6 +241,11 @@ outputs:
|
||||
if:
|
||||
- {get_param: EnableInternalTLS}
|
||||
- true
|
||||
# Only set CAs then InternalTLSCAFile is not ''
|
||||
- if:
|
||||
- rabbitmq_cacert_set
|
||||
- rabbitmq::ssl_cacert: {get_param: InternalTLSCAFile}
|
||||
rabbitmq::ssl_management_cacert: {get_param: InternalTLSCAFile}
|
||||
- if:
|
||||
- {get_param: EnableInternalTLS}
|
||||
- tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
|
||||
|
Loading…
Reference in New Issue
Block a user