Restore missing SAN IP in etcd cert

This patch fixes a regression in the etcd cert that is used with
tls-everywhere. The etcd service makes cluster connections using
its IP address, so with tls-e the etcd cert needs to include its
address as a SAN IP. The SAN IP was inadvertently dropped when
cert generation was moved from puppet to an ansible role.

Resolves: rhbz#2096230
Change-Id: I28e268c58bf63aaa81a67f48ca492fe97d9a07e9
Alan Bishop 2022-06-13 06:42:59 -07:00
parent 1a12459ac9
commit 9ed1c7b920
1 changed files with 6 additions and 0 deletions

@ -314,6 +314,12 @@ outputs:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
# etcd3 expects to use IP addresses, so add a SAN IP to its cert
ip:
str_replace:
template: "{{NETWORK_ip}}"
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
principal:
str_replace:
template: "etcd/{{fqdn_$NETWORK}}@{{idm_realm}}"
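
Review bot: The in-line comment above the new `ip:` key says only that "etcd3 expects to use IP addresses", and nothing in this hunk would catch the SAN IP being dropped again, which per the commit message is how the regression arrived when cert generation moved to the ansible role. Suggest expanding the comment to state that etcd makes its cluster connections by IP address, so with tls-everywhere the cert must carry that address as a SAN IP. A deployment-time validation that the issued etcd certificate's subjectAltName contains the node's EtcdNetwork address would also help. It is also worth confirming that `{{NETWORK_ip}}`, after `str_replace` substitutes the EtcdNetwork name, yields a variable the role always defines on etcd nodes, since an undefined value here would only surface when the certificate is requested.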