Refactor map file to import role data only
This patch updates map.file to add a default for cacert_file in the
role data.
Change-Id: I684528ee98198521dbbdbdadebe7a45ee0c85dc0
Related-Prod: PROD-16500
diff --git a/designate/files/liberty/designate.conf.Debian b/designate/files/liberty/designate.conf.Debian
index 1099a90..e07ba60 100644
--- a/designate/files/liberty/designate.conf.Debian
+++ b/designate/files/liberty/designate.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "designate/map.jinja" import server, system_cacerts_file with context %}
+{%- from "designate/map.jinja" import server with context %}
[DEFAULT]
# Where an option is commented out, but filled in this shows the default
# value of that option
@@ -330,7 +330,7 @@
# SQLAlchemy Pool Manager Cache
#-----------------------
[pool_manager_cache:sqlalchemy]
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
#connection_debug = 100
#connection_trace = False
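Review bot: On the new `connection` line, `server.database.user` and `server.database.password` are still interpolated into the URL unescaped, so a password containing a character such as `@` would change how the URL is split and could stop the `?ssl_ca=` suffix from being read as the query string. Since this line is being rewritten anyway, consider `{{ server.database.password | urlencode }}` (and the same for the user). The identical line appears in the mitaka and ocata `[pool_manager_cache:sqlalchemy]` hunks. How the database driver treats an unparsed or missing `ssl_ca` is not visible here, so confirm it fails closed.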
diff --git a/designate/files/mitaka/designate.conf.Debian b/designate/files/mitaka/designate.conf.Debian
index abd9a53..2f5fb4a 100644
--- a/designate/files/mitaka/designate.conf.Debian
+++ b/designate/files/mitaka/designate.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "designate/map.jinja" import server, system_cacerts_file with context %}
+{%- from "designate/map.jinja" import server with context %}
[DEFAULT]
# Where an option is commented out, but filled in this shows the default
# value of that option
@@ -85,11 +85,7 @@
{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
{%- endif %}
-{%- if server.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
{%- endif %}
########################
@@ -432,7 +428,7 @@
#-----------------------
[pool_manager_cache:sqlalchemy]
#connection = sqlite:///$state_path/designate_pool_manager.sqlite
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
#connection_debug = 100
#connection_trace = False
diff --git a/designate/files/ocata/designate.conf.Debian b/designate/files/ocata/designate.conf.Debian
index 32b811b..65382f0 100644
--- a/designate/files/ocata/designate.conf.Debian
+++ b/designate/files/ocata/designate.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "designate/map.jinja" import server, pool_manager, system_cacerts_file with context %}
+{%- from "designate/map.jinja" import server, pool_manager with context %}
[DEFAULT]
# Where an option is commented out, but filled in this shows the default
@@ -87,11 +87,7 @@
{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
{%- endif %}
-{%- if server.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
{%- endif %}
########################
@@ -480,7 +476,7 @@
#-----------------------
[pool_manager_cache:sqlalchemy]
#connection = sqlite:///$state_path/designate_pool_manager.sqlite
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
#connection_debug = 100
#connection_trace = False
diff --git a/designate/map.jinja b/designate/map.jinja
index 244d8c9..c770dcc 100644
--- a/designate/map.jinja
+++ b/designate/map.jinja
@@ -1,8 +1,3 @@
-{%- set system_cacerts_file = salt['grains.filter_by']({
- 'Debian': '/etc/ssl/certs/ca-certificates.crt',
- 'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
-})%}
-
{%- set version = salt['pillar.get']('designate:server:version') -%}
{%- set api_address = salt['pillar.get']('designate:server:bind:api:address', '127.0.0.1') -%}
{%- set api_port = salt['pillar.get']('designate:server:bind:api:port', '9001') -%}
@@ -19,10 +14,12 @@
'Debian': {
'pkgs': ['designate-api', 'designate-central', 'designate-sink'],
'services': ['designate-api', 'designate-central', 'designate-sink'],
+ 'cacert_file': '/etc/ssl/certs/ca-certificates.crt',
},
'RedHat': {
'pkgs': ['openstack-designate-api', 'openstack-designate-central', 'openstack-designate-sink'],
'services': ['designate-api', 'designate-central', 'designate-sink'],
+ 'cacert_file': '/etc/pki/tls/certs/ca-bundle.crt',
},
}, merge=pillar.designate.get('server', {}), base='default') %}
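Review bot: `cacert_file` is added only under `'Debian'` and `'RedHat'`; the `default` base entry sits outside this hunk, so if it carries no `cacert_file`, any other `os_family` leaves `server.cacert_file` undefined. The conf templates and `server.sls` now use it as the fallback in `.get('cacert_file', server.cacert_file)`, and an undefined value would presumably render as an empty `kombu_ssl_ca_certs = ` or `?ssl_ca=`, which may leave the TLS peer unverified instead of failing the render. Consider setting the key in the base entry or guarding the templates with an explicit check such as `{%- if server.cacert_file is not defined %}` that aborts rendering. Because of `merge=pillar.designate.get('server', {})` the value is now also overridable from pillar as `designate:server:cacert_file`, which deserves a line in the formula's documentation.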
diff --git a/designate/server.sls b/designate/server.sls
index df50a0b..0d998a3 100644
--- a/designate/server.sls
+++ b/designate/server.sls
@@ -1,4 +1,4 @@
-{%- from "designate/map.jinja" import server, system_cacerts_file with context %}
+{%- from "designate/map.jinja" import server with context %}
{%- if server.enabled %}
{%- if server.backend is defined %}
@@ -105,7 +105,7 @@
- file: /etc/designate/designate.conf
{%- else %}
file.exists:
- - name: {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+ - name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
- require_in:
- file: /etc/designate/designate.conf
{%- endif %}
@@ -124,7 +124,7 @@
- file: /etc/designate/designate.conf
{%- else %}
file.exists:
- - name: {{ server.database.ssl.get('cacert_file', system_cacerts_file) }}
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
- require_in:
- file: /etc/designate/designate.conf
{%- endif %}