From 89d605103c62f0a94944d5c9683c97a9156ef213 Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Wed, 18 Nov 2020 14:32:26 +0100
Subject: [PATCH] Make sure apache metadata is set for nova-metadata service

In case of cellv2 multicell environment nova-metadata is the only httpd managed service on the cell controller role. In case of tls-everywhere it is required that the cell controller host has ther needed metadata to be able to request the HTTP certificates. Otherwise the getcert request fails with "Insufficient 'add' privilege to add the entry 'krbprincipalname=HTTP/cell1-cellcontrol-0....'"
Change-Id: I57a49d1b7fc4c03b773f3a52b327584f537aca19
---
 deployment/nova/nova-metadata-container-puppet.yaml | 2 ++
 ...ova_metadata_http_cert_metadata-274e7e8a66727983.yaml | 9 +++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 releasenotes/notes/nova_metadata_http_cert_metadata-274e7e8a66727983.yaml
diff --git a/deployment/nova/nova-metadata-container-puppet.yaml b/deployment/nova/nova-metadata-container-puppet.yaml
index 5e2afe4f8a..3824d1703c 100644
--- a/deployment/nova/nova-metadata-container-puppet.yaml
+++ b/deployment/nova/nova-metadata-container-puppet.yaml
@@ -261,6 +261,8 @@ outputs:
 - not container_healthcheck_disabled
 - step|int == 5
 host_prep_tasks: {get_attr: [NovaMetadataLogging, host_prep_tasks]}
+ metadata_settings:
+ get_attr: [ApacheServiceBase, role_data, metadata_settings]
 external_upgrade_tasks:
 - when:
 - step|int == 1
diff --git a/releasenotes/notes/nova_metadata_http_cert_metadata-274e7e8a66727983.yaml b/releasenotes/notes/nova_metadata_http_cert_metadata-274e7e8a66727983.yaml
new file mode 100644
index 0000000000..bc9d745943
--- /dev/null
+++ b/releasenotes/notes/nova_metadata_http_cert_metadata-274e7e8a66727983.yaml
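Review bot: The `metadata_settings` key added to deployment/nova/nova-metadata-container-puppet.yaml has no comment explaining why a metadata service carries it, and the reason is security-relevant: per the commit message it is what allows the cell controller host to request the HTTP certificates under tls-everywhere. A short comment above the key would record that, e.g. `# tls-everywhere: host needs the HTTP service metadata to request httpd certs; nova-metadata may be the only httpd service on this role`. The value is passed through unchanged from `ApacheServiceBase`, whose definition is outside this hunk, so it is worth confirming that it resolves to an empty value when internal TLS is disabled and that it covers only the networks this role actually serves, so the host is not entitled to more HTTP principals than it needs. The `outputs` block starts and ends outside the hunk.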
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ In case of cellv2 multicell environment nova-metadata is the only
+ httpd managed service on the cell controller role. In case of
+ tls-everywhere it is required that the cell controller host has
+ ther needed metadata to be able to request the HTTP certificates.
+ Otherwise the getcert request fails with "Insufficient 'add' privilege
+ to add the entry 'krbprincipalname=HTTP/cell1-cellcontrol-0....'"