Merge "Stop generating certificate requests for disabled networks" into stable/wallaby

deployment/apache/apache-baremetal-puppet.j2.yaml

@@ -72,9 +72,12 @@ resources:
         # NOTE(xek) Get unique network names to create certificates.
         # We skip the tenant and management network (vip != false)
         # since we don't generate certificates for those.
-        - ctlplane
-{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %}
-        - {{network.name_lower}}
+{%- for role in roles %}
+        {{ role.name }}:
+            - ctlplane
+{%- for network in networks if network.name in role.networks and network.enabled|default(true) and network.vip|default(false) %}
+            - {{network.name_lower}}
+{%- endfor %}
 {%- endfor %}
 
 outputs:
@@ -119,7 +122,7 @@ outputs:
                         service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
                         service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
                     for_each:
-                      NETWORK: {get_attr: [ApacheNetworks, value]}
+                      NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}
       metadata_settings:
         if:
           - {get_param: EnableInternalTLS}
@@ -129,7 +132,7 @@ outputs:
                   network: $NETWORK
                   type: node
               for_each:
-                $NETWORK: {get_attr: [ApacheNetworks, value]}
+                $NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}
       upgrade_tasks: []
       deploy_steps_tasks:
         - name: Certificate generation
@@ -167,4 +170,4 @@ outputs:
                           - {get_param: CertificateKeySize}
                       ca: ipa
                     for_each:
-                      NETWORK: {get_attr: [ApacheNetworks, value]}
+                      NETWORK: {get_attr: [ApacheNetworks, value, { get_param: RoleName }]}