Refactor map file to import role data only
The smallest piece of salt formula is state. In our formulas each
state is an abstraction of 'role' for example:
* api (installs api services)
* conductor (installs ironic conductor)
* client (installs ironic resources like nodes, ports, etc.)
Each state has its own API (the format of pillar it accepts). We would
like to keep pillar data unified and, in the long term, automatically
validated. Importing anything non-role-specific makes
unification/automatic validation hard to maintain.
This patch refactors map.jinja and the ironic config file templates to import
only role-specific data from the map file.
Change-Id: I22e9dc9144df7ad19a00a3e3fe66c00b22d96812
Related-Prod: PROD-16503
diff --git a/ironic/_common.sls b/ironic/_common.sls
index 992c49a..5d8e2bf 100644
--- a/ironic/_common.sls
+++ b/ironic/_common.sls
@@ -1,4 +1,4 @@
-{%- from "ironic/map.jinja" import api,conductor, system_cacerts_file with context %}
+{%- from "ironic/map.jinja" import api,conductor with context %}
{%- if api.get("enabled", False) %}
{%- set ironic, service_name = api, 'api' %}
{%- elif conductor.get('enabled', False) %}
@@ -27,7 +27,7 @@
- makedirs: true
{%- else %}
file.exists:
- - name: {{ ironic.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+ - name: {{ ironic.message_queue.ssl.get('cacert_file', ironic.cacert_file) }}
{%- endif %}
{%- endif %}
@@ -41,6 +41,6 @@
- makedirs: true
{%- else %}
file.exists:
- - name: {{ ironic.database.ssl.get('cacert_file', system_cacerts_file) }}
+ - name: {{ ironic.database.ssl.get('cacert_file', ironic.cacert_file) }}
{%- endif %}
{%- endif %}
diff --git a/ironic/files/newton/ironic.conf b/ironic/files/newton/ironic.conf
index 7583ef1..c68c59e 100644
--- a/ironic/files/newton/ironic.conf
+++ b/ironic/files/newton/ironic.conf
@@ -1,4 +1,4 @@
-{%- from "ironic/map.jinja" import api,conductor,system_cacerts_file with context -%}
+{%- from "ironic/map.jinja" import api,conductor with context -%}
{%- if api.get("enabled", False) %}
{%- set ironic = api %}
{%- elif conductor.get('enabled', False) %}
@@ -939,7 +939,7 @@
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
-connection = {{ ironic.database.engine }}+pymysql://{{ ironic.database.user }}:{{ ironic.database.password }}@{{ ironic.database.host }}/{{ ironic.database.name }}?charset=utf8{%- if ironic.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ ironic.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ ironic.database.engine }}+pymysql://{{ ironic.database.user }}:{{ ironic.database.password }}@{{ ironic.database.host }}/{{ ironic.database.name }}?charset=utf8{%- if ironic.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ ironic.database.ssl.get('cacert_file', ironic.cacert_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the
# slave database. (string value)
@@ -2748,11 +2748,8 @@
{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
{%- endif %}
-{%- if ironic.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ ironic.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+
+kombu_ssl_ca_certs = {{ ironic.message_queue.ssl.get('cacert_file', ironic.cacert_file) }}
{%- endif %}
# Use durable queues in AMQP. (boolean value)
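Review bot: The added empty line before `kombu_ssl_ca_certs` (the lone `+` line after `{%- endif %}`) leaves a stray blank line in the rendered ironic.conf that the replaced `{%- if %}/{%- else %}` block did not emit; drop it so the option follows the `kombu_ssl_version` block directly. Collapsing the two branches into `ironic.message_queue.ssl.get('cacert_file', ironic.cacert_file)` is otherwise a clean replacement, and it also normalises the old `kombu_ssl_ca_certs=` spacing. The same stray blank line is added in the ocata template hunk further down. The enclosing `{%- if %}` block for the SSL options starts outside this hunk.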
diff --git a/ironic/files/ocata/ironic.conf b/ironic/files/ocata/ironic.conf
index 87c1716..672c413 100644
--- a/ironic/files/ocata/ironic.conf
+++ b/ironic/files/ocata/ironic.conf
@@ -1,4 +1,4 @@
-{%- from "ironic/map.jinja" import api,conductor,system_cacerts_file with context -%}
+{%- from "ironic/map.jinja" import api,conductor with context -%}
{%- if api.get("enabled", False) %}
{%- set ironic = api %}
{%- elif conductor.get('enabled', False) %}
@@ -1237,7 +1237,7 @@
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
-connection = {{ ironic.database.engine }}+pymysql://{{ ironic.database.user }}:{{ ironic.database.password }}@{{ ironic.database.host }}/{{ ironic.database.name }}?charset=utf8{%- if ironic.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ ironic.database.ssl.get('cacert_file',system_cacerts_file) }}{% endif %}
+connection = {{ ironic.database.engine }}+pymysql://{{ ironic.database.user }}:{{ ironic.database.password }}@{{ ironic.database.host }}/{{ ironic.database.name }}?charset=utf8{%- if ironic.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ ironic.database.ssl.get('cacert_file', ironic.cacert_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the
# slave database. (string value)
@@ -3080,11 +3080,8 @@
{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
{%- endif %}
-{%- if ironic.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ ironic.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+
+kombu_ssl_ca_certs = {{ ironic.message_queue.ssl.get('cacert_file', ironic.cacert_file) }}
{%- endif %}
# Use durable queues in AMQP. (boolean value)
diff --git a/ironic/map.jinja b/ironic/map.jinja
index 4f71018..73a59ee 100644
--- a/ironic/map.jinja
+++ b/ironic/map.jinja
@@ -1,13 +1,15 @@
-{%- set system_cacerts_file = salt['grains.filter_by']({
- 'Debian': '/etc/ssl/certs/ca-certificates.crt',
- 'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
-})%}
+{%- set cacert_file = salt['grains.filter_by']({
+ 'Debian': '/etc/ssl/certs/ca-certificates.crt',
+ 'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+ })
+%}
{% set api = salt['grains.filter_by']({
'Common': {
'pkgs': ['ironic-api'],
'service': 'ironic-api',
'api_type': 'mixed',
+ 'cacert_file': cacert_file,
}
}, base='Common', merge=pillar.ironic.get('api', {})) %}
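Review bot: The new `cacert_file` lookup (the `salt['grains.filter_by']` call at the top of the hunk) still has only `Debian` and `RedHat` keys and no `default` entry, so on a host whose `os_family` grain matches neither it presumably resolves to None, and every role dict then carries `cacert_file: None`, which the templates would render as the literal string `None` in `ssl_ca=` and `kombu_ssl_ca_certs` unless the pillar overrides it — confirm against `filter_by`'s fallback behaviour. This was already true of `system_cacerts_file`, but now that the value is part of each role's pillar-facing defaults a missing fallback is harder to notice, so either add a `'default'` key or state the supported families in a comment. A short comment above the `set` would also document the new contract, e.g. `{# Distro CA bundle; exposed as cacert_file in each role so pillar can override it per role #}`. The same `'cacert_file': cacert_file,` addition appears in the conductor and client hunks below.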
@@ -15,6 +17,7 @@
'Common': {
'service': 'ironic-conductor',
'ipxe_rom_files': ['undionly.kpxe', 'ipxe.efi'],
+ 'cacert_file': cacert_file,
},
'Debian': {
'pkgs': ['ipmitool', 'ironic-conductor', 'tftpd-hpa', 'syslinux-common', 'pxelinux', 'ipxe'],
@@ -35,7 +38,8 @@
{% set client = salt['grains.filter_by']({
'Common': {
'pkgs': ['python-ironicclient'],
- 'nodes': {}
+ 'nodes': {},
+ 'cacert_file': cacert_file,
},
}, base='Common', merge=pillar.ironic.get('client', {})) %}
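Review bot: `'cacert_file': cacert_file,` is added to the `client` role defaults, but no client-side state or template in this change reads `client.cacert_file`, so the key appears to be exported without a consumer — verify whether the client states need it; if not, adding it widens the role's pillar API for nothing. The trailing comma added to `'nodes': {},` is a welcome consistency fix with the other role dicts.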