From 68dfc3006490db60915fd74853fe49b82204a1e4 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Mon, 18 Feb 2019 18:35:46 +0200 Subject: [PATCH] Only request neutron certificate from neutron dhcp service The certificate request for the "neutron" certificate was set in the neutron base template. This had the secondary effect of causing every node that has a neutron service to try to request the certificate. This fixes that issue by moving those bits to where the certificate is actually used (which is only by the dhcp agent). Change-Id: I10ade8a4b5ec30872210c633d35273309ae20377 Closes-Bug: #1816465 (cherry picked from commit 44245d19dd2ac8ebb8b0c0096c4c318381424add) (cherry picked from commit 97eb154e913514b15cc2ef9776875fbd6f90559d) --- docker/services/neutron-dhcp.yaml | 12 +++++++----- puppet/services/neutron-base.yaml | 30 ------------------------------ puppet/services/neutron-dhcp.yaml | 15 +++++++++++++++ 3 files changed, 22 insertions(+), 35 deletions(-) diff --git a/docker/services/neutron-dhcp.yaml b/docker/services/neutron-dhcp.yaml index a7a60c4966..98c0b1ba6a 100644 --- a/docker/services/neutron-dhcp.yaml +++ b/docker/services/neutron-dhcp.yaml @@ -93,10 +93,6 @@ outputs: map_merge: - get_attr: [NeutronBase, role_data, config_settings] - get_attr: [NeutronLogging, config_settings] - - if: - - internal_tls_enabled - - tripleo::certmonger::neutron::postsave_cmd: "true" # TODO: restart the container here - - {} - tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_dnsmasq_wrapper: {get_param: NeutronEnableDnsmasqDockerWrapper} tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_process_wrapper: '/var/lib/neutron/dnsmasq_wrapper' tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_image: {get_param: DockerNeutronDHCPImage} 
@@ -213,7 +209,13 @@ outputs: environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS metadata_settings: - get_attr: [NeutronBase, role_data, metadata_settings] + if: + - internal_tls_enabled + - + - service: neutron + network: {get_param: [ServiceNetMap, NeutronApiNetwork]} + type: node + - null host_prep_tasks: list_concat: - {get_attr: [NeutronLogging, host_prep_tasks]} diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml index 379df5669c..aed2c46c64 100644 --- a/puppet/services/neutron-base.yaml +++ b/puppet/services/neutron-base.yaml @@ -113,9 +113,6 @@ parameters: description: Driver or drivers to handle sending notifications. constraints: - allowed_values: [ 'messagingv2', 'noop' ] - EnableInternalTLS: - type: boolean - default: false EnableVLANTransparency: default: false description: > @@ -126,7 +123,6 @@ parameters: conditions: dhcp_agents_zero: {equals : [{get_param: NeutronDhcpAgentsPerNetwork}, 0]} service_debug_unset: {equals : [{get_param: NeutronDebug}, '']} - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: 
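Review bot: The new `metadata_settings` block in docker/services/neutron-dhcp.yaml hard-codes the `service: neutron` / `NeutronApiNetwork` entry with nothing tying it to the `principal` template `neutron/%{hiera('fqdn_NETWORK')}` that this commit adds to `certificate_specs` in puppet/services/neutron-dhcp.yaml. The two entries appear to describe the same identity from two files, so if one changes without the other the node would presumably request a certificate for a principal that was never registered for it; the consumer of `metadata_settings` is not visible here. I would add a comment above the `if:` such as `# Registers the neutron/<fqdn> principal requested by certificate_specs in puppet/services/neutron-dhcp.yaml; keep service and network in sync`. Dropping the `get_attr: [NeutronBase, role_data, metadata_settings]` pass-through also discards any metadata the NeutronBase resource emits, so confirm that this is intended.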
@@ -163,29 +159,3 @@ outputs: - dhcp_agents_zero - {} - tripleo::profile::base::neutron::dhcp_agents_per_network: {get_param: NeutronDhcpAgentsPerNetwork} - - if: - - internal_tls_enabled - - generate_service_certificates: true - tripleo::profile::base::neutron::certificate_specs: - service_certificate: '/etc/pki/tls/certs/neutron.crt' - service_key: '/etc/pki/tls/private/neutron.key' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} - principal: - str_replace: - template: "neutron/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} - postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh" - - null - metadata_settings: - if: - - internal_tls_enabled - - - - service: neutron - network: {get_param: [ServiceNetMap, NeutronApiNetwork]} - type: node - - null diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml index 91b049529a..6fea4b376b 100644 --- a/puppet/services/neutron-dhcp.yaml +++ b/puppet/services/neutron-dhcp.yaml @@ -131,6 +131,21 @@ outputs: - neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key' neutron::agents::dhcp::ovsdb_agent_ssl_cert_file: '/etc/pki/tls/certs/neutron.crt' neutron::agents::dhcp::ovsdb_agent_ssl_ca_file: {get_param: InternalTLSCAFile} + generate_service_certificates: true + tripleo::profile::base::neutron::certificate_specs: + service_certificate: '/etc/pki/tls/certs/neutron.crt' + service_key: '/etc/pki/tls/private/neutron.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + principal: + str_replace: + template: "neutron/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh" - {} - if: - dhcp_ovs_intergation_bridge_unset
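Review bot: The added `postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"` in puppet/services/neutron-dhcp.yaml now sits in the DHCP service while the same commit deletes the docker-side `tripleo::certmonger::neutron::postsave_cmd: "true"` override and its `# TODO: restart the container here`. The patch does not show whether that script makes a containerized DHCP agent pick up the renewed `/etc/pki/tls/private/neutron.key` and `/etc/pki/tls/certs/neutron.crt`; if it does not, the agent would keep presenting the old certificate until it expires. A comment on that line stating what the script reloads, for example `# reloads the DHCP agent so OVSDB TLS uses the renewed cert` (wording to be confirmed against the script), would make the rotation path reviewable. The key and certificate paths are also repeated as literals in `ovsdb_agent_ssl_*_file` and in `certificate_specs`, and the two sets must stay identical. The enclosing `if:` starts above the hunk, so the condition guarding these keys is not shown.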