Refactor map file to import role data only

The smallest piece of a salt formula is a state. In our formulas each
state is an abstraction of a 'role', for example:
  * server (installs api services)
  * client (installs heat stacks)
Each state has its own API (the format of pillar it accepts). We would
like to keep pillar data unified and, in the long term, automatically
validated. Importing anything that is not role-specific makes
unification/automatic validation hard to maintain.
This patch refactors map.jinja and keystone config file templates to import
only role-specific data from the map file.

Change-Id: I148c933aa12500b1525cb70b7a161d67fcd387a0
Related-Prod: PROD-16502
diff --git a/heat/files/liberty/heat.conf.Debian b/heat/files/liberty/heat.conf.Debian
index 0f1a06d..d7f47cc 100644
--- a/heat/files/liberty/heat.conf.Debian
+++ b/heat/files/liberty/heat.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "heat/map.jinja" import server, system_cacerts_file with context %}
+{%- from "heat/map.jinja" import server with context %}
 [DEFAULT]
 
 #
@@ -337,7 +337,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 #connection = <None>
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the slave database.
 # (string value)
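Review bot: The new `connection` line still writes `server.database.user` and `server.database.password` into the SQLAlchemy URL unescaped, so a credential containing characters such as `@`, `/` or `%` can change how the URL is split or decoded. Percent-encoding the credential fields where they are rendered would avoid that, for example `{{ server.database.password|urlencode }}` if the Jinja version in use provides that filter and pillar values are stored unencoded. In this file and in mitaka the URL also ends in `?` directly followed by `&ssl_ca=`, which leaves an empty first query parameter, or a bare trailing `?` when SSL is off; newton and ocata avoid this with `?charset=utf8`. The same line is changed in the mitaka, newton and ocata hunks.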
diff --git a/heat/files/mitaka/heat.conf.Debian b/heat/files/mitaka/heat.conf.Debian
index de8ef4b..1c43235 100644
--- a/heat/files/mitaka/heat.conf.Debian
+++ b/heat/files/mitaka/heat.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "heat/map.jinja" import server, system_cacerts_file with context %}
+{%- from "heat/map.jinja" import server with context %}
 [DEFAULT]
 
 #
@@ -342,7 +342,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 #connection = <None>
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the slave database.
 # (string value)
@@ -649,11 +649,8 @@
 {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
 kombu_ssl_version = TLSv1_2
 {%- endif %}
-{%- if server.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
 {%- endif %}
 
 
diff --git a/heat/files/newton/heat.conf.Debian b/heat/files/newton/heat.conf.Debian
index 1a99387..4c2bc4d 100644
--- a/heat/files/newton/heat.conf.Debian
+++ b/heat/files/newton/heat.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "heat/map.jinja" import server, system_cacerts_file with context %}
+{%- from "heat/map.jinja" import server with context %}
 [DEFAULT]
 
 #
@@ -352,7 +352,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 #connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the slave database.
 # (string value)
@@ -623,11 +623,8 @@
 {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
 kombu_ssl_version = TLSv1_2
 {%- endif %}
-{%- if server.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
 {%- endif %}
 
 # Use durable queues in AMQP. (boolean value)
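Review bot: `server.message_queue.ssl` is dereferenced directly in the new `kombu_ssl_ca_certs` line, whereas the `connection` line in the same file goes through `server.database.get('ssl',{})`. The `if` that encloses this line opens outside the hunk, so I cannot tell whether it guarantees that `ssl` is a mapping; if it does not, rendering fails instead of falling back to `server.cacert_file`. Consider `{{ server.message_queue.get('ssl', {}).get('cacert_file', server.cacert_file) }}`. The same form appears in the mitaka and ocata hunks and in the two `file.exists` names in heat/server.sls.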
diff --git a/heat/files/ocata/heat.conf.Debian b/heat/files/ocata/heat.conf.Debian
index 9375e27..d7ee431 100644
--- a/heat/files/ocata/heat.conf.Debian
+++ b/heat/files/ocata/heat.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "heat/map.jinja" import server, system_cacerts_file with context %}
+{%- from "heat/map.jinja" import server with context %}
 [DEFAULT]
 
 #
@@ -1238,7 +1238,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 #connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the slave database.
 # (string value)
@@ -2106,11 +2106,8 @@
 {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
 kombu_ssl_version = TLSv1_2
 {%- endif %}
-{%- if server.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
 {%- endif %}
 
 # Use durable queues in AMQP. (boolean value)
diff --git a/heat/map.jinja b/heat/map.jinja
index 2a2d972..6a1743e 100644
--- a/heat/map.jinja
+++ b/heat/map.jinja
@@ -1,9 +1,12 @@
-{%- set system_cacerts_file = salt['grains.filter_by']({
-    'Debian': '/etc/ssl/certs/ca-certificates.crt',
-    'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
-})%}
+{%- set default_params = {
+    'cacert_file': salt['grains.filter_by']({
+        'Debian': '/etc/ssl/certs/ca-certificates.crt',
+        'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+    })}
+%}
 
 {% set server = salt['grains.filter_by']({
+    'BaseDefaults': default_params,
     'Debian': {
         'pkgs': ['heat-api', 'heat-api-cfn', 'heat-api-cloudwatch', 'heat-engine', 'heat-common','python-heatclient', 'gettext-base'],
         'services': ['heat-api', 'heat-api-cfn', 'heat-api-cloudwatch', 'heat-engine'],
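Review bot: The inner `grains.filter_by` that builds `default_params` has no entry for any `os_family` other than Debian and RedHat, so as far as I can tell `cacert_file` is `None` there and the templates would render `ssl_ca=None` and `kombu_ssl_ca_certs = None`. That was already true of `system_cacerts_file`, but the value is now part of the role data, so it is worth stating in the map file. A Jinja comment above the block would do, e.g. `{#- cacert_file: OS CA bundle path; None when os_family is neither Debian nor RedHat #}`. The `server` definition continues past the end of this hunk.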
@@ -18,7 +21,7 @@
         'cors': {},
         'clients': {}
     },
-}, merge=pillar.heat.get('server', {})) %}
+}, merge=pillar.heat.get('server', {}), base='BaseDefaults') %}
 
 {% set client = salt['grains.filter_by']({
     'Debian': {
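Review bot: With `base='BaseDefaults'` and `merge=pillar.heat.get('server', {})` on the same call, a pillar value at `heat:server:cacert_file` now replaces the OS bundle as the fallback trust anchor for both the database and the message-queue TLS settings. Before this change the fallback came only from the `os_family` grain. If the override is intended, it should be documented next to the call, e.g. `{#- cacert_file may be overridden in pillar (heat:server:cacert_file); it is the fallback CA for database and AMQP TLS #}`. Most of the `server` dict lies between this hunk and the previous one and is not visible here.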
diff --git a/heat/server.sls b/heat/server.sls
index 2868af6..3d22ebd 100644
--- a/heat/server.sls
+++ b/heat/server.sls
@@ -1,4 +1,4 @@
-{%- from "heat/map.jinja" import server, system_cacerts_file with context %}
+{%- from "heat/map.jinja" import server with context %}
 {%- if server.enabled %}
 
 heat_server_packages:
@@ -146,7 +146,7 @@
     - makedirs: true
 {%- else %}
   file.exists:
-   - name: {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+   - name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
 {%- endif %}
 {%- endif %}
 
@@ -160,7 +160,7 @@
     - makedirs: true
 {%- else %}
   file.exists:
-   - name: {{ server.database.ssl.get('cacert_file', system_cacerts_file) }}
+   - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
 {%- endif %}
    - require_in:
      - file: /etc/heat/heat.conf