From 4e3d900942bd7a4f4cae8f95fac4ff1cfd07675b Mon Sep 17 00:00:00 2001 From: Oliver Walsh Date: Wed, 4 May 2022 21:10:00 +0100 Subject: [PATCH] Stop generating certificate requests for disabled networks The certificate requests created based on ApacheNetworks require fqdn_NETWORK to be set. The will only be defined for the networks that are enabled for the current role. Currently requests are generated for all networks. This happens to work for the Controller role as all networks are enabled. However it fails on DCN compute nodes that are not on the external network (they use apache for local glance-api services). Change-Id: I05ba5fb48c617a5bbedebb8b74c23bec9abf3bbd --- deployment/apache/apache-baremetal-puppet.j2.yaml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/deployment/apache/apache-baremetal-puppet.j2.yaml b/deployment/apache/apache-baremetal-puppet.j2.yaml index 986d80e4fa..2c3edcb21d 100644 --- a/deployment/apache/apache-baremetal-puppet.j2.yaml +++ b/deployment/apache/apache-baremetal-puppet.j2.yaml @@ -72,9 +72,12 @@ resources: # NOTE(xek) Get unique network names to create certificates. # We skip the tenant and management network (vip != false) # since we don't generate certificates for those. - - ctlplane -{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %} - - {{network.name_lower}} +{%- for role in roles %} + {{ role.name }}: + - ctlplane +{%- for network in networks if network.name in role.networks and network.enabled|default(true) and network.vip|default(false) %} + - {{network.name_lower}} +{%- endfor %} {%- endfor %} outputs: @@ -119,7 +122,7 @@ outputs: service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt' service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key' for_each: - NETWORK: {get_attr: [ApacheNetworks, value]} + NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]} metadata_settings: if: - {get_param: EnableInternalTLS} 
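Review bot: The new inner-loop filter `network.name in role.networks` assumes every entry in `roles` defines `networks`. For a role without that key, the render presumably either fails or silently drops every network for that role, depending on how undefined values are handled. Using `network.name in role.networks|default([])` would make the ctlplane-only case explicit. The `NOTE(xek)` comment kept as context still describes a flat list of unique network names, so it should be updated, for example `# Map of role name -> networks that get an httpd certificate (ctlplane plus that role's enabled VIP networks).` The `ApacheNetworks` resource definition starts above this hunk, so the surrounding properties are not visible here.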
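Review bot: The `for_each` lookup `{get_attr: [ApacheNetworks, value, { get_param: RoleName }]}` has no visible fallback when `RoleName` does not match a key of the generated map; the parameter's declaration and default are outside this hunk. In that case the certificate spec list would presumably come out empty or fail to resolve, leaving httpd without the certificates that internal TLS expects. A comment next to the first use would record the contract, for example `# ApacheNetworks.value is keyed by role name; RoleName must match an entry in roles_data`. The same expression is repeated in the hunks at `-129,7` and `-167,4`, so the point applies there as well. On style, the inner spacing in `{ get_param: RoleName }` differs from the neighbouring `{get_param: EnableInternalTLS}`; `{get_param: RoleName}` would match the file.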
@@ -129,7 +132,7 @@ outputs: network: $NETWORK type: node for_each: - $NETWORK: {get_attr: [ApacheNetworks, value]} + $NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]} upgrade_tasks: [] deploy_steps_tasks: - name: Certificate generation @@ -167,4 +170,4 @@ outputs: - {get_param: CertificateKeySize} ca: ipa for_each: - NETWORK: {get_attr: [ApacheNetworks, value]} + NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}