Stop generating certificate requests for disabled networks
The certificate requests created based on ApacheNetworks require fqdn_NETWORK to be set.
This will only be defined for the networks that are enabled for the current role.
Currently requests are generated for all networks. This happens to work for the Controller role
as all networks are enabled. However it fails on DCN compute nodes that are not on the external
network (they use apache for local glance-api services).
Change-Id: I05ba5fb48c617a5bbedebb8b74c23bec9abf3bbd
(cherry picked from commit 4e3d900942
)
parent
0d5371a6b9
commit
7013a04e04
|
@ -72,9 +72,12 @@ resources:
|
|||
# NOTE(xek) Get unique network names to create certificates.
|
||||
# We skip the tenant and management network (vip != false)
|
||||
# since we don't generate certificates for those.
|
||||
- ctlplane
|
||||
{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %}
|
||||
- {{network.name_lower}}
|
||||
{%- for role in roles %}
|
||||
{{ role.name }}:
|
||||
- ctlplane
|
||||
{%- for network in networks if network.name in role.networks and network.enabled|default(true) and network.vip|default(false) %}
|
||||
- {{network.name_lower}}
|
||||
{%- endfor %}
|
||||
{%- endfor %}
|
||||
|
||||
outputs:
|
||||
|
@ -119,7 +122,7 @@ outputs:
|
|||
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
|
||||
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
|
||||
for_each:
|
||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}
|
||||
metadata_settings:
|
||||
if:
|
||||
- {get_param: EnableInternalTLS}
|
||||
|
@ -129,7 +132,7 @@ outputs:
|
|||
network: $NETWORK
|
||||
type: node
|
||||
for_each:
|
||||
$NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
$NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}
|
||||
upgrade_tasks: []
|
||||
deploy_steps_tasks:
|
||||
- name: Certificate generation
|
||||
|
@ -167,4 +170,4 @@ outputs:
|
|||
- {get_param: CertificateKeySize}
|
||||
ca: ipa
|
||||
for_each:
|
||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}
|
||||
|
|
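Review bot: The three `for_each` lookups using `{get_attr: [ApacheNetworks, value, { get_param: RoleName }]}` now depend on `RoleName` matching a key rendered from `roles`, and nothing visible in these hunks covers the case where it does not. If the parameter is empty or names a role missing from the rendered map, the lookup presumably resolves to nothing, so with `EnableInternalTLS` set the role would either fail the stack or end up with no httpd certificate requests at all; it is worth confirming which happens and making sure it fails loudly. The NOTE above the loop is also stale, because the value is no longer a flat list of unique network names; I would reword it to `# Per-role map: ctlplane plus each enabled VIP network the role is attached to.` The enclosing resource and output definitions start and end outside the hunks shown.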