Only request neutron certificate from neutron dhcp service

The certificate request for the "neutron" certificate was set in the neutron base template. This had the secondary effect of causing every node that has a neutron service to try to request the certificate. This fixes that issue by moving those bits to where the certificate is actually used (which is only by the dhcp agent). Change-Id: I10ade8a4b5ec30872210c633d35273309ae20377 Closes-Bug: #1816465 (cherry picked from commit 44245d19dd) (cherry picked from commit 97eb154e91)
2019-02-18 18:35:46 +02:00 · 2019-02-18 18:35:46 +02:00 · 68dfc30064
parent 97cf4dea1d
commit 68dfc30064
3 changed files with 22 additions and 35 deletions
--- a/docker/services/neutron-dhcp.yaml
+++ b/docker/services/neutron-dhcp.yaml
@ -93,10 +93,6 @@ outputs:
        map_merge:
          - get_attr: [NeutronBase, role_data, config_settings]
          - get_attr: [NeutronLogging, config_settings]
-          - if:
-            - internal_tls_enabled
-            - tripleo::certmonger::neutron::postsave_cmd: "true" # TODO: restart the container here
-            - {}
          - tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_dnsmasq_wrapper: {get_param: NeutronEnableDnsmasqDockerWrapper}
            tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_process_wrapper: '/var/lib/neutron/dnsmasq_wrapper'
            tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_image: {get_param: DockerNeutronDHCPImage}
@ -213,7 +209,13 @@ outputs:
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
      metadata_settings:
-        get_attr: [NeutronBase, role_data, metadata_settings]
+        if:
+          - internal_tls_enabled
+          -
+            - service: neutron
+              network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+              type: node
+          - null
      host_prep_tasks:
        list_concat:
          - {get_attr: [NeutronLogging, host_prep_tasks]}
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@ -113,9 +113,6 @@ parameters:
    description: Driver or drivers to handle sending notifications.
    constraints:
      - allowed_values: [ 'messagingv2', 'noop' ]
-  EnableInternalTLS:
-    type: boolean
-    default: false
  EnableVLANTransparency:
    default: false
    description: >
@ -126,7 +123,6 @@ parameters:
 conditions:
  dhcp_agents_zero: {equals : [{get_param: NeutronDhcpAgentsPerNetwork}, 0]}
  service_debug_unset: {equals : [{get_param: NeutronDebug}, '']}
-  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

 outputs:
  role_data:
@ -163,29 +159,3 @@ outputs:
            - dhcp_agents_zero
            - {}
            - tripleo::profile::base::neutron::dhcp_agents_per_network: {get_param: NeutronDhcpAgentsPerNetwork}
-          - if:
-            - internal_tls_enabled
-            - generate_service_certificates: true
-              tripleo::profile::base::neutron::certificate_specs:
-                service_certificate: '/etc/pki/tls/certs/neutron.crt'
-                service_key: '/etc/pki/tls/private/neutron.key'
-                hostname:
-                  str_replace:
-                    template: "%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
-                principal:
-                  str_replace:
-                    template: "neutron/%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
-                postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
-            - null
-      metadata_settings:
-        if:
-          - internal_tls_enabled
-          -
-            - service: neutron
-              network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
-              type: node
-          - null
--- a/puppet/services/neutron-dhcp.yaml
+++ b/puppet/services/neutron-dhcp.yaml
@ -131,6 +131,21 @@ outputs:
              - neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
                neutron::agents::dhcp::ovsdb_agent_ssl_cert_file: '/etc/pki/tls/certs/neutron.crt'
                neutron::agents::dhcp::ovsdb_agent_ssl_ca_file: {get_param: InternalTLSCAFile}
+                generate_service_certificates: true
+                tripleo::profile::base::neutron::certificate_specs:
+                  service_certificate: '/etc/pki/tls/certs/neutron.crt'
+                  service_key: '/etc/pki/tls/private/neutron.key'
+                  hostname:
+                    str_replace:
+                      template: "%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+                  principal:
+                    str_replace:
+                      template: "neutron/%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+                  postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
              - {}
          - if:
              - dhcp_ovs_intergation_bridge_unset