Make sure apache metadata is set for nova-metadata service

In case of cellv2 multicell environment nova-metadata is the only httpd managed service on the cell controller role. In case of tls-everywhere it is required that the cell controller host has ther needed metadata to be able to request the HTTP certificates. Otherwise the getcert request fails with "Insufficient 'add' privilege to add the entry 'krbprincipalname=HTTP/cell1-cellcontrol-0....'" Change-Id: I57a49d1b7fc4c03b773f3a52b327584f537aca19 (cherry picked from commit 89d605103c)
2020-11-18 14:32:26 +01:00 · 2020-11-18 14:32:26 +01:00 · 47ec461644
parent d325392623
commit 47ec461644
2 changed files with 11 additions and 0 deletions
--- a/deployment/nova/nova-metadata-container-puppet.yaml
+++ b/deployment/nova/nova-metadata-container-puppet.yaml
@ -269,6 +269,8 @@ outputs:
                msg: nova-metadata isn't working (healthcheck failed)
              when: nova_metadata_healthcheck_state.status.ExecMainStatus != '0'
      host_prep_tasks: {get_attr: [NovaMetadataLogging, host_prep_tasks]}
+      metadata_settings:
+        get_attr: [ApacheServiceBase, role_data, metadata_settings]
      external_upgrade_tasks:
        - when:
            - step|int == 1
--- a/releasenotes/notes/nova_metadata_http_cert_metadata-274e7e8a66727983.yaml
+++ b/releasenotes/notes/nova_metadata_http_cert_metadata-274e7e8a66727983.yaml
@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    In case of cellv2 multicell environment nova-metadata is the only
+    httpd managed service on the cell controller role. In case of
+    tls-everywhere it is required that the cell controller host has
+    ther needed metadata to be able to request the HTTP certificates.
+    Otherwise the getcert request fails with "Insufficient 'add' privilege
+    to add the entry 'krbprincipalname=HTTP/cell1-cellcontrol-0....'"