Stop generating certificate requests for disabled networks

The certificate requests created based on ApacheNetworks require fqdn_NETWORK to be set.
This will only be defined for the networks that are enabled for the current role.

Currently requests are generated for all networks. This happens to work for the Controller role
as all networks are enabled. However it fails on DCN compute nodes that are not on the external
network (they use apache for local glance-api services).

Change-Id: I05ba5fb48c617a5bbedebb8b74c23bec9abf3bbd
(cherry picked from commit 4e3d900942)
Oliver Walsh 2022-05-04 21:10:00 +01:00 committed by Alan Bishop
parent 0d5371a6b9
commit 7013a04e04
1 changed files with 9 additions and 6 deletions


@ -72,9 +72,12 @@ resources:
# NOTE(xek) Get unique network names to create certificates.
# We skip the tenant and management network (vip != false)
# since we don't generate certificates for those.
- ctlplane
{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %}
- {{network.name_lower}}
{%- for role in roles %}
{{ role.name }}:
- ctlplane
{%- for network in networks if network.name in role.networks and network.enabled|default(true) and network.vip|default(false) %}
- {{network.name_lower}}
{%- endfor %}
{%- endfor %}
outputs:
@ -119,7 +122,7 @@ outputs:
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}
metadata_settings:
if:
- {get_param: EnableInternalTLS}
@ -129,7 +132,7 @@ outputs:
network: $NETWORK
type: node
for_each:
$NETWORK: {get_attr: [ApacheNetworks, value]}
$NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}
upgrade_tasks: []
deploy_steps_tasks:
- name: Certificate generation
@ -167,4 +170,4 @@ outputs:
- {get_param: CertificateKeySize}
ca: ipa
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}
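Review bot: The inner loop filter in the first hunk tests `network.name in role.networks` with no fallback, although the same expression guards `network.enabled` and `network.vip` with `|default(...)`; a role entry that carries no `networks` key would, depending on how the Jinja environment treats undefined values, either abort rendering or quietly end up with `ctlplane` only. Writing it as `network.name in role.networks|default([])` makes the ctlplane-only result explicit. The comment kept above the list still says "Get unique network names", but the value is now a map keyed by role name that the three `for_each` lookups index with `RoleName`; a replacement such as `# Per-role list of networks that get an httpd certificate, indexed by RoleName in the for_each lookups below.` would match the new shape. It is also worth confirming that a `RoleName` missing from this map fails the deployment rather than yielding an empty `for_each`, since that would leave the role without httpd certificate requests while internal TLS is enabled (inferred; the ApacheNetworks resource and the consuming blocks start outside the hunks).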