Refactor map file to import role data only

The smallest piece of a salt formula is a state. In our formulas each
state is an abstraction of a 'role', for example:
  * controller (installs api services)
  * compute (installs neutron agent on compute node)
  * gateway (installs neutron l3 agent)
  * client (installs neutron resources like networks, subnets,
    ports etc.)
Each state has its own API (the format of the pillar it accepts). We would
like to keep pillar data unified and, in the long term, automatically
validated. Importing anything that is not role-specific makes
unification/automatic validation hard to maintain.
This patch refactors map.jinja and the neutron config file templates to
import only role-specific data from the map file.

Change-Id: I22e9dc9144df7ad19a00a3e3fe66c00b22d96812
Related-Prod: PROD-16498
diff --git a/neutron/compute.sls b/neutron/compute.sls
index c6a1df5..cc1f1aa 100644
--- a/neutron/compute.sls
+++ b/neutron/compute.sls
@@ -1,4 +1,4 @@
-{% from "neutron/map.jinja" import compute, fwaas, system_cacerts_file with context %}
+{% from "neutron/map.jinja" import compute, fwaas with context %}
 {%- if compute.enabled %}
 
 {% if compute.backend.engine == "ml2" %}
@@ -129,7 +129,7 @@
     - makedirs: true
 {%- else %}
   file.exists:
-   - name: {{ compute.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+   - name: {{ compute.message_queue.ssl.get('cacert_file', compute.cacert_file) }}
 {%- endif %}
 {%- endif %}
 
diff --git a/neutron/files/mitaka/neutron-generic.conf.Debian b/neutron/files/mitaka/neutron-generic.conf.Debian
index 36c7fc4..ee5b2bf 100644
--- a/neutron/files/mitaka/neutron-generic.conf.Debian
+++ b/neutron/files/mitaka/neutron-generic.conf.Debian
@@ -1,7 +1,7 @@
 {%- if pillar.neutron.gateway is defined %}
-{%- from "neutron/map.jinja" import system_cacerts_file, gateway as neutron with context %}
+{%- from "neutron/map.jinja" import gateway as neutron with context %}
 {%- else %}
-{%- from "neutron/map.jinja" import system_cacerts_file, compute as neutron with context %}
+{%- from "neutron/map.jinja" import compute as neutron with context %}
 {%- endif %}
 [DEFAULT]
 
@@ -1289,11 +1289,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if neutron.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.get('cacert_file', neutron.cacert_file) }}
 {%- endif %}
 
 rabbit_userid = {{ neutron.message_queue.user }}
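Review bot: Nothing in the rendered file records which CA bundle `kombu_ssl_ca_certs` ends up with, and the fallback is broad. When the pillar omits `message_queue.ssl.cacert_file`, the value is `neutron.cacert_file`, which map.jinja defaults to the distro-wide bundle, so the broker certificate is accepted if any CA in that bundle signed it. A deployment with a private CA for the message queue would want the explicit key set. I would add a comment above the line, e.g. `# CA bundle: message_queue.ssl.cacert_file from pillar, else the role-wide cacert_file (system bundle by default)`. The enclosing `if` block opens outside this hunk, and the same line is introduced in the mitaka server and the newton and ocata generic/server templates.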
diff --git a/neutron/files/mitaka/neutron-server.conf.Debian b/neutron/files/mitaka/neutron-server.conf.Debian
index a3dcdc1..b9d3b79 100644
--- a/neutron/files/mitaka/neutron-server.conf.Debian
+++ b/neutron/files/mitaka/neutron-server.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "neutron/map.jinja" import fwaas, server, system_cacerts_file with context %}
+{%- from "neutron/map.jinja" import fwaas, server with context %}
 
 [DEFAULT]
 
@@ -750,7 +750,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 {% if server.backend.engine == "ml2" %}
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
 {% else %}
 connection = sqlite:////var/lib/neutron/neutron.sqlite
 {% endif %}
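Review bot: The new `connection` line still places `server.database.user`, `server.database.password` and the `ssl_ca` path into the URL without percent-encoding, and the CA path now has a second pillar-controlled source in `server.cacert_file`. A password containing `@`, `:` or `#`, or a path containing `&` or `#`, can change how the URL is split. Depending on the parser, the service could then end up with a different host, credentials or CA file than the pillar intended. The Jinja `urlencode` filter on each component would avoid this, e.g. `{{ server.database.password | urlencode }}` and `ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) | urlencode }}`. The same line is changed in the newton and ocata `neutron-server.conf.Debian` hunks.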
@@ -1386,11 +1386,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if server.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
 {%- endif %}
 
 rabbit_userid = {{ server.message_queue.user }}
diff --git a/neutron/files/newton/neutron-generic.conf.Debian b/neutron/files/newton/neutron-generic.conf.Debian
index 3d8c5fb..a9e3a56 100644
--- a/neutron/files/newton/neutron-generic.conf.Debian
+++ b/neutron/files/newton/neutron-generic.conf.Debian
@@ -1,7 +1,7 @@
 {%- if pillar.neutron.gateway is defined %}
-{%- from "neutron/map.jinja" import system_cacerts_file, gateway as neutron with context %}
+{%- from "neutron/map.jinja" import gateway as neutron with context %}
 {%- else %}
-{%- from "neutron/map.jinja" import system_cacerts_file, compute as neutron with context %}
+{%- from "neutron/map.jinja" import compute as neutron with context %}
 {%- endif %}
 [DEFAULT]
 
@@ -1227,11 +1227,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if neutron.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.get('cacert_file', neutron.cacert_file) }}
 {%- endif %}
 
 # Use durable queues in AMQP. (boolean value)
diff --git a/neutron/files/newton/neutron-server.conf.Debian b/neutron/files/newton/neutron-server.conf.Debian
index fc763eb..dd0a918 100644
--- a/neutron/files/newton/neutron-server.conf.Debian
+++ b/neutron/files/newton/neutron-server.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "neutron/map.jinja" import server, system_cacerts_file with context %}
+{%- from "neutron/map.jinja" import server with context %}
 [DEFAULT]
 
 #
@@ -760,7 +760,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 {% if server.backend.engine == "ml2" %}
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
 {% else %}
 connection = sqlite:////var/lib/neutron/neutron.sqlite
 {% endif %}
@@ -1312,11 +1312,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if server.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
 {%- endif %}
 
 # Use durable queues in AMQP. (boolean value)
diff --git a/neutron/files/ocata/neutron-generic.conf.Debian b/neutron/files/ocata/neutron-generic.conf.Debian
index 123386d..0d16a6d 100644
--- a/neutron/files/ocata/neutron-generic.conf.Debian
+++ b/neutron/files/ocata/neutron-generic.conf.Debian
@@ -1,7 +1,7 @@
 {%- if pillar.neutron.gateway is defined %}
-{%- from "neutron/map.jinja" import system_cacerts_file, gateway as neutron with context %}
+{%- from "neutron/map.jinja" import gateway as neutron with context %}
 {%- else %}
-{%- from "neutron/map.jinja" import system_cacerts_file, compute as neutron with context %}
+{%- from "neutron/map.jinja" import compute as neutron with context %}
 {%- endif %}
 [DEFAULT]
 
@@ -1535,11 +1535,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if neutron.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.get('cacert_file', neutron.cacert_file) }}
 {%- endif %}
 
 # Use durable queues in AMQP. (boolean value)
diff --git a/neutron/files/ocata/neutron-server.conf.Debian b/neutron/files/ocata/neutron-server.conf.Debian
index 79376a2..ee470cc 100644
--- a/neutron/files/ocata/neutron-server.conf.Debian
+++ b/neutron/files/ocata/neutron-server.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "neutron/map.jinja" import fwaas, server, system_cacerts_file with context %}
+{%- from "neutron/map.jinja" import fwaas, server with context %}
 [DEFAULT]
 
 #
@@ -850,7 +850,7 @@
 # Deprecated group/name - [sql]/connection
 
 {% if server.backend.engine in ["ml2", "ovn"] %}
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
 {% else %}
 connection = sqlite:////var/lib/neutron/neutron.sqlite
 {% endif %}
@@ -1626,11 +1626,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if server.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
 {%- endif %}
 
 # Use durable queues in AMQP. (boolean value)
diff --git a/neutron/gateway.sls b/neutron/gateway.sls
index 81513d8..6046b96 100644
--- a/neutron/gateway.sls
+++ b/neutron/gateway.sls
@@ -1,4 +1,4 @@
-{% from "neutron/map.jinja" import gateway, fwaas, system_cacerts_file with context %}
+{% from "neutron/map.jinja" import gateway, fwaas with context %}
 
 {%- if fwaas.get('enabled', False) %}
 include:
@@ -77,7 +77,7 @@
     - makedirs: true
 {%- else %}
   file.exists:
-   - name: {{ gateway.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+   - name: {{ gateway.message_queue.ssl.get('cacert_file', gateway.cacert_file) }}
 {%- endif %}
 {%- endif %}
 
diff --git a/neutron/map.jinja b/neutron/map.jinja
index 9631d1b..4c95928 100644
--- a/neutron/map.jinja
+++ b/neutron/map.jinja
@@ -1,9 +1,12 @@
-{%- set system_cacerts_file = salt['grains.filter_by']({
-    'Debian': '/etc/ssl/certs/ca-certificates.crt',
-    'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
-})%}
+{%- set default_params = {
+    'cacert_file': salt['grains.filter_by']({
+        'Debian': '/etc/ssl/certs/ca-certificates.crt',
+        'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+    })}
+%}
 
 {% set compute = salt['grains.filter_by']({
+    'BaseDefaults': default_params,
     'Debian': {
         'pkgs': ['neutron-openvswitch-agent', 'openvswitch-switch', 'python-pycadf'],
         'pkgs_ovn': ['ovn-common', 'ovn-host'],
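Review bot: `cacert_file` becomes a top-level key of each role dict here, and nothing in this diff documents it. Because `merge=pillar.neutron.get('compute', {})` is applied on top of `BaseDefaults`, a pillar value at `neutron:compute:cacert_file` (likewise `gateway` and `server` in the later hunks) replaces the distro bundle as the fallback trust anchor for that role's TLS clients. I would add a Jinja comment above `default_params`, e.g. `{#- cacert_file: role-wide CA bundle used when <service>.ssl.cacert_file is unset; overridable via pillar neutron:<role>:cacert_file -#}`, and list the key in the formula's pillar documentation. Separately, `grains.filter_by` returns None when `os_family` matches neither `Debian` nor `RedHat`, so the templates would render `None` as the CA path on such minions. A `default` entry or an explicit failure would surface that. The `compute` lookup continues past the end of this hunk.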
@@ -24,9 +27,10 @@
           'enabled': false
         }
     },
-}, merge=pillar.neutron.get('compute', {})) %}
+}, merge=pillar.neutron.get('compute', {}), base='BaseDefaults') %}
 
 {% set gateway = salt['grains.filter_by']({
+    'BaseDefaults': default_params,
     'Debian': {
         'pkgs': ['neutron-dhcp-agent', 'neutron-openvswitch-agent', 'neutron-l3-agent', 'openvswitch-common', 'neutron-metadata-agent'],
         'services': ['neutron-openvswitch-agent', 'neutron-metadata-agent', 'neutron-l3-agent', 'neutron-dhcp-agent'],
@@ -37,9 +41,10 @@
         'services': ['neutron-openvswitch-agent', 'neutron-metadata-agent', 'neutron-l3-agent', 'neutron-dhcp-agent'],
         'dpdk': false
     },
-}, merge=pillar.neutron.get('gateway', {})) %}
+}, merge=pillar.neutron.get('gateway', {}), base='BaseDefaults') %}
 
 {% set server = salt['grains.filter_by']({
+    'BaseDefaults': default_params,
     'Debian': {
         'pkgs': ['neutron-server','python-neutron-lbaas', 'gettext-base', 'python-pycadf'],
         'pkgs_ovn': ['python-networking-ovn', 'ovn-common', 'ovn-central'],
@@ -66,7 +71,7 @@
           'enabled': false
         }
     },
-}, merge=pillar.neutron.get('server', {})) %}
+}, merge=pillar.neutron.get('server', {}), base='BaseDefaults') %}
 
 {% set client = salt['grains.filter_by']({
     'Debian': {
diff --git a/neutron/server.sls b/neutron/server.sls
index ab624f5..a6de469 100644
--- a/neutron/server.sls
+++ b/neutron/server.sls
@@ -1,4 +1,4 @@
-{%- from "neutron/map.jinja" import server, fwaas, system_cacerts_file with context %}
+{%- from "neutron/map.jinja" import server, fwaas with context %}
 
 {%- if fwaas.get('enabled', False) %}
 include:
@@ -289,7 +289,7 @@
     - makedirs: true
 {%- else %}
   file.exists:
-   - name: {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+   - name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
 {%- endif %}
 {%- endif %}
 
@@ -303,7 +303,7 @@
     - makedirs: true
 {%- else %}
   file.exists:
-   - name: {{ server.database.ssl.get('cacert_file', system_cacerts_file) }}
+   - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
 {%- endif %}
 {%- endif %}