Do not ask for cephdashboard certificates when it is disabled

When deploying with TLS-E and cephadm, I disabled the ceph dashboard: (undercloud) [stack@undercloud-0 ~]$ openstack stack environment show overcloud -f yaml |grep -i cephenabledashboard CephEnableDashboard: false Yet it still tries to request a cert for it (and fails due to https://bugs.launchpad.net/tripleo/+bug/1926746): 2021-05-03 14:02:54.876228 | 5254004b-fe7a-614d-c9eb-00000000e323 | FATAL | Ensure certificate requests | ctrl-3-0 | item={'ca': 'ipa', 'dns': 'ctrl-3-0.mainnetwork.bgp.ftw', 'key_size': '2048', 'name': 'ceph_dashboard', 'principal': 'ceph_dashboard/ctrl-3-0.mainnetwork.bgp.ftw@BGP.FTW', 'run_after': '# Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk \'/ceph-mgr/ {print $1}\')\n# Restart the mgr systemd unit\nif [ -n "$mgr_unit" ]; then\n systemctl restart "$mgr_unit"\nfi\n'} | error={"ansible_loop_var": "item", "changed": false, "cmd": "/bin/getcert request -N CN=ctrl-3-0.mainnetwork.bgp.ftw -c IPA -w -k /etc/pki/tls/private/ceph_dashboard.key -f /etc/pki/tls/certs/ceph_dashboard.crt -D ctrl-3-0.mainnetwork.bgp.ftw -D '' -A '' -E '' -r -g 2048 -K '' -K '' -u digitalSignature -u keyEncipherment -U 1.3.6.1.5.5.7.3.1 -U 1.3.6.1.5.5.7.3.2 -U '' -B '' -C /etc/certmonger/post-scripts/ceph_dashboard-838da8a.sh", "item": {"ca": "ipa", "dns": "ctrl-3-0.mainnetwork.bgp.ftw", "key_size": "2048", "name": "ceph_dashboard", "principal": "ceph_dashboard/ctrl-3-0.mainnetwork.bgp.ftw@BGP.FTW", "run_after": "# Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')\n# Restart the mgr systemd unit\nif [ -n \"$mgr_unit\" ]; then\n systemctl restart \"$mgr_unit\"\nfi\n"}, "msg": "", "rc": 2, "stderr": "", "stderr_lines": [], "stdout": "New signing request \"20210503140253\" added.\n", "stdout_lines": ["New signing request \"20210503140253\" added."]} With this patch applied I correctly get passed this point and am able to reach later steps: 2021-05-04 12:40:44.300445 | 5254004b-fe7a-5ccf-c0b9-0000000000df | TASK | External deployment step 2 The problem is that the 'enable_internal_tls' is global and only checks for internal TLS being enabled so it will still be triggered when CephEnabledDashboard is set to false. Let's switch it to the internal condition internal_tls_enabled which takes the dashboard into account. Change-Id: I73a58b00f31bfeffb724e12515d8c5cb0625ca7f Closes-Bug: #1927093
2021-05-04 14:40:00 +02:00 · 2021-05-04 14:40:00 +02:00 · 92f722a05c
commit 92f722a05c
parent 5fd7b3c9f6
1 changed files with 34 additions and 33 deletions
--- a/deployment/cephadm/ceph-mgr.yaml
+++ b/deployment/cephadm/ceph-mgr.yaml
@ -146,36 +146,37 @@ outputs:
            network: {get_param: [ServiceNetMap, CephDashboardNetwork]}
            type: node
      deploy_steps_tasks:
-        - name: Certificate generation
-          when:
-            - step|int == 1
-            - enable_internal_tls
-          block:
-            - include_role:
-                name: linux-system-roles.certificate
-              vars:
-                certificate_requests:
-                  - name: ceph_dashboard
-                    dns:
-                      str_replace:
-                        template: "{{fqdn_$NETWORK}}"
-                        params:
-                          $NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
-                    principal:
-                      str_replace:
-                        template: "ceph_dashboard/{{fqdn_$NETWORK}}@{{idm_realm}}"
-                        params:
-                          $NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
-                    run_after: |
-                      # Get mgr systemd unit
-                      mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
-                      # Restart the mgr systemd unit
-                      if [ -n "$mgr_unit" ]; then
-                          systemctl restart "$mgr_unit"
-                      fi
-                    key_size:
-                      if:
-                        - key_size_override_set
-                        - {get_param: CephCertificateKeySize}
-                        - {get_param: CertificateKeySize}
-                    ca: ipa
+        if:
+          - internal_tls_enabled
+          - - name: Certificate generation
+              when:
+                - step|int == 1
+              block:
+                - include_role:
+                    name: linux-system-roles.certificate
+                  vars:
+                    certificate_requests:
+                      - name: ceph_dashboard
+                        dns:
+                          str_replace:
+                            template: "{{fqdn_$NETWORK}}"
+                            params:
+                              $NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
+                        principal:
+                          str_replace:
+                            template: "ceph_dashboard/{{fqdn_$NETWORK}}@{{idm_realm}}"
+                            params:
+                              $NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
+                        run_after: |
+                          # Get mgr systemd unit
+                          mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
+                          # Restart the mgr systemd unit
+                          if [ -n "$mgr_unit" ]; then
+                              systemctl restart "$mgr_unit"
+                          fi
+                        key_size:
+                          if:
+                            - key_size_override_set
+                            - {get_param: CephCertificateKeySize}
+                            - {get_param: CertificateKeySize}
+                        ca: ipa