Only request neutron certificate from neutron dhcp service

The certificate request for the "neutron" certificate was set in the neutron base template. This had the secondary effect of causing every node that has a neutron service to try to request the certificate. This fixes that issue by moving those bits to where the certificate is actually used (which is only by the dhcp agent). Change-Id: I10ade8a4b5ec30872210c633d35273309ae20377 Closes-Bug: #1816465 (cherry picked from commit 44245d19dd)
2019-02-18 18:35:46 +02:00 · 2019-02-18 18:35:46 +02:00 · 97eb154e91
parent 8e1fc18a3c
commit 97eb154e91
3 changed files with 22 additions and 35 deletions
--- a/docker/services/neutron-dhcp.yaml
+++ b/docker/services/neutron-dhcp.yaml
@ -98,10 +98,6 @@ outputs:
        map_merge:
          - get_attr: [NeutronBase, role_data, config_settings]
          - get_attr: [NeutronLogging, config_settings]
-          - if:
-            - internal_tls_enabled
-            - tripleo::certmonger::neutron::postsave_cmd: "true" # TODO: restart the container here
-            - {}
          - tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_dnsmasq_wrapper: {get_param: NeutronEnableDnsmasqDockerWrapper}
            tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_process_wrapper: '/var/lib/neutron/dnsmasq_wrapper'
            tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_image: {get_param: DockerNeutronDHCPImage}
@ -230,7 +226,13 @@ outputs:
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
      metadata_settings:
-        get_attr: [NeutronBase, role_data, metadata_settings]
+        if:
+          - internal_tls_enabled
+          -
+            - service: neutron
+              network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+              type: node
+          - null
      host_prep_tasks:
        list_concat:
          - {get_attr: [NeutronLogging, host_prep_tasks]}
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@ -95,9 +95,6 @@ parameters:
    description: Driver or drivers to handle sending notifications.
    constraints:
      - allowed_values: [ 'messagingv2', 'noop' ]
-  EnableInternalTLS:
-    type: boolean
-    default: false
  RpcPort:
    default: 5672
    description: The network port for messaging backend
@ -126,7 +123,6 @@ parameters:
 conditions:
  dhcp_agents_zero: {equals : [{get_param: NeutronDhcpAgentsPerNetwork}, 0]}
  service_debug_unset: {equals : [{get_param: NeutronDebug}, '']}
-  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

 outputs:
  role_data:
@ -164,29 +160,3 @@ outputs:
            - dhcp_agents_zero
            - {}
            - tripleo::profile::base::neutron::dhcp_agents_per_network: {get_param: NeutronDhcpAgentsPerNetwork}
-          - if:
-            - internal_tls_enabled
-            - generate_service_certificates: true
-              tripleo::profile::base::neutron::certificate_specs:
-                service_certificate: '/etc/pki/tls/certs/neutron.crt'
-                service_key: '/etc/pki/tls/private/neutron.key'
-                hostname:
-                  str_replace:
-                    template: "%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
-                principal:
-                  str_replace:
-                    template: "neutron/%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
-                postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
-            - null
-      metadata_settings:
-        if:
-          - internal_tls_enabled
-          -
-            - service: neutron
-              network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
-              type: node
-          - null
--- a/puppet/services/neutron-dhcp.yaml
+++ b/puppet/services/neutron-dhcp.yaml
@ -139,6 +139,21 @@ outputs:
              - neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
                neutron::agents::dhcp::ovsdb_agent_ssl_cert_file: '/etc/pki/tls/certs/neutron.crt'
                neutron::agents::dhcp::ovsdb_agent_ssl_ca_file: {get_param: InternalTLSCAFile}
+                generate_service_certificates: true
+                tripleo::profile::base::neutron::certificate_specs:
+                  service_certificate: '/etc/pki/tls/certs/neutron.crt'
+                  service_key: '/etc/pki/tls/private/neutron.key'
+                  hostname:
+                    str_replace:
+                      template: "%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+                  principal:
+                    str_replace:
+                      template: "neutron/%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+                  postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
              - {}
          - if:
              - dhcp_ovs_intergation_bridge_unset