Refactor map file to import role data only

The smallest piece of salt formula is state. In our formulas each
state is an abstraction of 'role' for example:
  * controller (installs api services)
  * compute (installs nova-compute)
  * client (installs nova resources like flavors, keypairs,
    availability-zones etc.)
Each state has its own API (the format of pillar it accepts). We would
like to keep pillar data unified and, in the long term, automatically
validated. Importing anything that is not role-specific makes
unification and automatic validation hard to maintain.
This patch refactors map.jinja and the nova config file templates to
import only role-specific data from the map file.

Related-Prod: PROD-16464
Change-Id: I3ca78a765cad4bfe1a72b95c3a753c1f278c143b
diff --git a/nova/compute.sls b/nova/compute.sls
index eb3127e..9c9b03b 100644
--- a/nova/compute.sls
+++ b/nova/compute.sls
@@ -1,4 +1,4 @@
-{%- from "nova/map.jinja" import compute, system_cacerts_file with context %}
+{%- from "nova/map.jinja" import compute with context %}
 
 {%- if compute.get('enabled') %}
 
@@ -87,7 +87,7 @@
     - makedirs: true
 {%- else %}
   file.exists:
-   - name: {{ compute.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+   - name: {{ compute.message_queue.ssl.get('cacert_file', compute.cacert_file) }}
 {%- endif %}
 {%- endif %}
 
diff --git a/nova/controller.sls b/nova/controller.sls
index 4bc8035..a55d037 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -1,4 +1,4 @@
-{% from "nova/map.jinja" import controller, system_cacerts_file with context %}
+{% from "nova/map.jinja" import controller with context %}
 
 {%- if controller.get('enabled') %}
 
@@ -34,7 +34,7 @@
     - makedirs: true
 {%- else %}
   file.exists:
-   - name: {{ controller.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+   - name: {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
 {%- endif %}
 {%- endif %}
 
@@ -330,7 +330,7 @@
       - file: /etc/nova/nova.conf
 {%- else %}
   file.exists:
-   - name: {{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}
+   - name: {{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}
    - require_in:
      - file: /etc/nova/nova.conf
 {%- endif %}
diff --git a/nova/files/mitaka/nova-compute.conf.Debian b/nova/files/mitaka/nova-compute.conf.Debian
index c46f18d..784a088 100644
--- a/nova/files/mitaka/nova-compute.conf.Debian
+++ b/nova/files/mitaka/nova-compute.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "nova/map.jinja" import compute, system_cacerts_file with context %}
+{%- from "nova/map.jinja" import compute with context %}
 
 [DEFAULT]
 logdir=/var/log/nova
@@ -204,11 +204,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if compute.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ compute.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ compute.message_queue.ssl.get('cacert_file', compute.cacert_file) }}
 {%- endif %}
 
 [glance]
diff --git a/nova/files/mitaka/nova-controller.conf.Debian b/nova/files/mitaka/nova-controller.conf.Debian
index d6f6c23..a08900f 100644
--- a/nova/files/mitaka/nova-controller.conf.Debian
+++ b/nova/files/mitaka/nova-controller.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "nova/map.jinja" import controller, system_cacerts_file with context %}
+{%- from "nova/map.jinja" import controller with context %}
 [DEFAULT]
 verbose = True
 log-dir = /var/log/nova
@@ -137,11 +137,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if controller.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ controller.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
 {%- endif %}
 
 [cache]
@@ -180,7 +176,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}{%- if controller.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}{%- if controller.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ controller.database.ssl.get('cacert_file', conroller.cacert_file) }}{% endif %}
 
 [api_database]
 idle_timeout = 180
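Review bot: The fallback on the new `connection` line is misspelled as `conroller.cacert_file`, a name this template never imports; it should read `controller.database.ssl.get('cacert_file', controller.cacert_file)`. The argument is evaluated before `.get` runs, so with database SSL enabled the render will most likely fail on the undefined name even when `cacert_file` is set in pillar. If the renderer tolerates undefined values, `ssl_ca=` would instead come out empty and the CA check on the database link may not be what the operator expects. The same typo is in the `@@ -184,7 +180,7 @@` hunk of nova/files/newton/nova-controller.conf.Debian, while the `_api` connection lines and the ocata templates are spelled correctly. The config section this line belongs to starts above the hunk.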
@@ -193,7 +189,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api{%- if controller.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api{%- if controller.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}{% endif %}
 
 [glance]
 
diff --git a/nova/files/newton/nova-compute.conf.Debian b/nova/files/newton/nova-compute.conf.Debian
index e729c04..813b49d 100644
--- a/nova/files/newton/nova-compute.conf.Debian
+++ b/nova/files/newton/nova-compute.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "nova/map.jinja" import compute, system_cacerts_file with context %}
+{%- from "nova/map.jinja" import compute with context %}
 
 [DEFAULT]
 logdir=/var/log/nova
@@ -112,11 +112,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if compute.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ compute.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ compute.message_queue.ssl.get('cacert_file', compute.cacert_file) }}
 {%- endif %}
 
 [oslo_concurrency]
diff --git a/nova/files/newton/nova-controller.conf.Debian b/nova/files/newton/nova-controller.conf.Debian
index c8e0bee..841e99f 100644
--- a/nova/files/newton/nova-controller.conf.Debian
+++ b/nova/files/newton/nova-controller.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "nova/map.jinja" import controller, system_cacerts_file with context %}
+{%- from "nova/map.jinja" import controller with context %}
 [DEFAULT]
 verbose = True
 log-dir = /var/log/nova
@@ -98,11 +98,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if controller.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ controller.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs={{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
 {%- endif %}
 
 [vnc]
@@ -184,7 +180,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', conroller.cacert_file) }}{% endif %}
 
 [oslo_middleware]
 enable_proxy_headers_parsing=True
@@ -200,7 +196,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}{% endif %}
 
 [glance]
 
diff --git a/nova/files/ocata/nova-compute.conf.Debian b/nova/files/ocata/nova-compute.conf.Debian
index 337b3f5..ecd3b5b 100644
--- a/nova/files/ocata/nova-compute.conf.Debian
+++ b/nova/files/ocata/nova-compute.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "nova/map.jinja" import compute, system_cacerts_file with context %}
+{%- from "nova/map.jinja" import compute with context %}
 [DEFAULT]
 
 #
@@ -7967,11 +7967,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if compute.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ compute.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs = {{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ compute.message_queue.ssl.get('cacert_file', compute.cacert_file) }}
 {%- endif %}
 
 
diff --git a/nova/files/ocata/nova-controller.conf.Debian b/nova/files/ocata/nova-controller.conf.Debian
index 9287087..95cdfad 100644
--- a/nova/files/ocata/nova-controller.conf.Debian
+++ b/nova/files/ocata/nova-controller.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "nova/map.jinja" import controller, system_cacerts_file with context %}
+{%- from "nova/map.jinja" import controller with context %}
 [DEFAULT]
 
 #
@@ -3416,7 +3416,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the database. (string
 # value)
@@ -4460,7 +4460,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}{% endif %}
 
 # If True, SQLite uses synchronous mode. (boolean value)
 # Deprecated group/name - [DEFAULT]/sqlite_synchronous
@@ -7952,11 +7952,7 @@
 kombu_ssl_version = TLSv1_2
 {%- endif %}
 
-{%- if controller.message_queue.ssl.cacert_file is defined %}
-kombu_ssl_ca_certs = {{ controller.message_queue.ssl.cacert_file }}
-{%- else %}
-kombu_ssl_ca_certs = {{ system_cacerts_file }}
-{%- endif %}
+kombu_ssl_ca_certs = {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
 {%- endif %}
 
 [oslo_messaging_zmq]
diff --git a/nova/map.jinja b/nova/map.jinja
index 51eb23f..8ad808e 100644
--- a/nova/map.jinja
+++ b/nova/map.jinja
@@ -1,7 +1,9 @@
-{%- set system_cacerts_file = salt['grains.filter_by']({
-    'Debian': '/etc/ssl/certs/ca-certificates.crt',
-    'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
-})%}
+{%- set default_params = {
+    'cacert_file': salt['grains.filter_by']({
+        'Debian': '/etc/ssl/certs/ca-certificates.crt',
+        'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+    })}
+%}
 
 {% set compute_bind_defaults = {
     'vnc_address': '10.0.0.10',
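Review bot: `default_params` has no comment saying what it is for, although it now supplies the CA bundle that the templates fall back to for both message-queue and database TLS verification. I would add above the `set`: `{#- Defaults merged into every role via base='BaseDefaults'; cacert_file is the CA bundle used when a service's own ssl.cacert_file is not set in pillar. #}`. The inner `grains.filter_by` has entries only for Debian and RedHat, so on any other OS family `cacert_file` is presumably None, as `system_cacerts_file` was before; the comment could state that too. The `compute_bind_defaults` definition continues outside the hunk.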
@@ -29,6 +31,7 @@
 {%- endif %}
 
 {% set controller = salt['grains.filter_by']({
+    'BaseDefaults': default_params,
     'Debian': {
         'pkgs': pkgs_list,
         'services': services_list,
@@ -49,7 +52,7 @@
           'enabled': false
         },
     },
-}, merge=pillar.nova.get('controller', {})) %}
+}, merge=pillar.nova.get('controller', {}), base='BaseDefaults') %}
 
 {% set client = salt['grains.filter_by']({
     'Debian': {
@@ -76,6 +79,7 @@
 }, merge=salt['pillar.get']('linux:network'), base='default') %}
 
 {%- load_yaml as compute_defaults %}
+BaseDefaults: {{ default_params }}
 Debian:
   pkgs:
   - nova-common
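Review bot: `BaseDefaults: {{ default_params }}` writes the dict's Python repr into the `load_yaml` block, so it only works while that repr happens to be valid YAML. Depending on the interpreter and on what `grains.filter_by` returns, the repr may carry string prefixes or a bare `None` that YAML reads as different keys or values, which would silently drop the `cacert_file` fallback for the compute role. Serialising explicitly is safer: `BaseDefaults: {{ default_params|json }}`. The existing `network: {{ compute_network }}` line further down uses the same pattern, and the `load_yaml` block continues outside the hunk.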
@@ -132,8 +136,7 @@
   network: {{ compute_network }}
   heal_instance_info_cache_interval: '60'
 {%- endload %}
-
-{% set compute = salt["grains.filter_by"](compute_defaults, merge=pillar.nova.get("compute", {})) %}
+{% set compute = salt["grains.filter_by"](compute_defaults, merge=pillar.nova.get("compute", {}), base='BaseDefaults') %}
 
 {% set monitoring = salt['grains.filter_by']({
     'default': {