Use ServiceNetMap to filter PublicNetwork in haproxy-tls

Replace the filtering using the hard-coded "external"
network name with a yaql filter using the PublicNetwork in
ServiceNetMap instead.

This should allow fully custom network name/name_lower to be
used as long as service_net_map_replace is also used or the
ServiceNetMap is provided with appropriate overrides.

Also removes jinja2 filtering on 'tenant' network, this network
does not have a VIP by default so it is already filtered by the
'and network.vip' in the jinja2 for loop. In the case 'tenant'
network does have VIP it would make sense to create a certificate
for it as well.

Related-Bug: #1946239
Change-Id: I7fa8e9931f27dbe3352b06c830441eac5bc3733e
Harald Jensås 2021-10-27 09:08:39 +02:00
parent f6eddad78c
commit 273b41a5da

@ -53,15 +53,23 @@ resources:
type: OS::Heat::Value
properties:
value:
# NOTE(jaosorior) Get unique network names to create
# certificates for those. We skip the tenant network since
# we don't need a certificate for that, and the external
# network will be handled in another template.
# NOTE(jaosorior|hjensas) Get unique network names to create
# certificates for those.
# * The 'ctlplane' network is always included.
# * The tenant network is skipped in jinja2 filter since it
# does not have a VIP. We don't need a certificate for the
# tenant nework.
# * The "external" (PublicNetwork) network will be handled in
# another template, it is skipped by a yaql filter on the
# PublicNetwork defined in ServiceNetMap.
yaql:
expression: let(public_network => $.data.public_network) -> $.data.networks.where($ != $public_network or $ = 'ctlplane')
data:
public_network: {get_param: [ServiceNetMap, PublicNetwork]}
networks:
- ctlplane
{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %}
{%- if network.name_lower != 'external' and network.name_lower != 'tenant' %}
- {{network.name_lower}}
{%- endif %}
{%- endfor %}
{% raw -%}
outputs:
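Review bot: The tenant bullet in the new NOTE block says "We don't need a certificate for the tenant nework", but the loop only tests `network.enabled|default(true) and network.vip|default(false)`, so once the `network.name_lower != 'tenant'` check is dropped a tenant network that is given a VIP will get a certificate requested here. Reword the bullet to say the tenant network is skipped only while it has no VIP, and fix the "nework" typo. Separately, `where($ != $public_network or $ = 'ctlplane')` compares the ServiceNetMap PublicNetwork value against the `name_lower` entries in `networks`; if that value does not match any entry nothing is filtered and the public network also gets a certificate from this template, so the comment should state that PublicNetwork is expected to hold a `name_lower` value. It would also help to note that the `or $ = 'ctlplane'` clause only matters when PublicNetwork itself resolves to `ctlplane`.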