From fa66c327fc180acdf66b43629f0feb84d0e24b41 Mon Sep 17 00:00:00 2001 From: Oliver Walsh Date: Wed, 7 Feb 2018 22:01:38 +0000 Subject: [PATCH] Do not generate apache/haproxy certs for invalid networks Certs were being generated for all networks in service net map. This was failing as we do not generate hieradata for all of these networks. Switching from yaql to jinga templating to match the logic that generates the hieradata. Change-Id: Ic6c25aceb07ea3824a8fb23549bc5d1205e5cefc Closes-bug: 1748023 Closes-Bug: 1748053
---
 puppet/services/{apache.yaml => apache.j2.yaml} | 10 ++++++---- ...r.yaml => haproxy-internal-tls-certmonger.j2.yaml} | 11 ++++++----- tripleo_heat_templates/tests/test_yaql.py | 10 ---------- 3 files changed, 12 insertions(+), 19 deletions(-) rename puppet/services/{apache.yaml => apache.j2.yaml} (96%) rename puppet/services/{haproxy-internal-tls-certmonger.yaml => haproxy-internal-tls-certmonger.j2.yaml} (93%)
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.j2.yaml
similarity index 96%
rename from puppet/services/apache.yaml
rename to puppet/services/apache.j2.yaml
index 8de9327225..d6830ffab8 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.j2.yaml
@@ -61,10 +61,12 @@ resources:
 # NOTE(jaosorior) Get unique network names to create
 # certificates for those. We skip the tenant network since
 # we don't need a certificate for that.
- yaql:
- expression: list($.data.values().toSet().where($ != tenant))
- data:
- get_param: ServiceNetMap
+ - ctlplane
+{%- for network in networks %}
+ {%- if network.name_lower != 'tenant' %}
+ - {{network.name_lower}}
+ {%- endif %}
+{%- endfor %}
 outputs:
 role_data:
diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.j2.yaml
similarity index 93%
rename from puppet/services/haproxy-internal-tls-certmonger.yaml
rename to puppet/services/haproxy-internal-tls-certmonger.j2.yaml
index 1f2ef4de63..f28da134a2 100644
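Review bot: In `puppet/services/apache.j2.yaml` the new `{%- for network in networks %}` loop has no filter, so every entry of `networks` other than `tenant` gets a certificate request, while the haproxy template in this same patch already narrows its loop with `network.vip|default(false)`. If the hieradata templates skip some entries (for instance ones marked disabled in the network data, which this hunk does not show), the lookup failure this commit fixes can recur for those networks. Consider reusing the exact predicate the hieradata generation applies, for example `{%- for network in networks if network.enabled|default(true) %}`, assuming the network data carries such a flag. The NOTE comment also needs rewording: it still talks about collecting unique names, although `ctlplane` is now always listed and the rest comes straight from `networks`. The enclosing resource definition begins above the hunk.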
--- a/puppet/services/haproxy-internal-tls-certmonger.yaml
+++ b/puppet/services/haproxy-internal-tls-certmonger.j2.yaml
@@ -47,11 +47,12 @@ resources:
 # certificates for those. We skip the tenant network since
 # we don't need a certificate for that, and the external
 # network will be handled in another template.
- yaql:
- expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
- data:
- map:
- get_param: ServiceNetMap
+ - ctlplane
+{%- for network in networks if network.vip|default(false) %}
+ {%- if network.name_lower != 'external' and network.name_lower != 'tenant' %}
+ - {{network.name_lower}}
+ {%- endif %}
+{%- endfor %}
 outputs:
 role_data:
diff --git a/tripleo_heat_templates/tests/test_yaql.py b/tripleo_heat_templates/tests/test_yaql.py
index fe79c42d71..af2c300a71 100644
--- a/tripleo_heat_templates/tests/test_yaql.py
+++ b/tripleo_heat_templates/tests/test_yaql.py
@@ -33,13 +33,3 @@ class YAQLTestCase(base.BaseTestCase):
 data = data[i]
 return data['yaql']['expression']
- def test_apache_networks(self):
- snippet = self.get_snippet(
- 'puppet/services/apache.yaml',
- 'resources.ApacheNetworks.properties.value')
- self.assertEqual(
- ['service'],
- yaql.eval(
- snippet,
- {'data': {'nova': 'tenant', 'cinder': 'service',
- 'glance': 'service'}}))
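Review bot: In `haproxy-internal-tls-certmonger.j2.yaml` the external and tenant networks are excluded by comparing `network.name_lower` with the literal strings `'external'` and `'tenant'`, so an entry that fills one of those roles under a different name would still receive an internal-TLS certificate request; `apache.j2.yaml` has the same dependence on `'tenant'`. Whether such renaming is possible is not visible here, so at least state the assumption in the comment block, e.g. `# NOTE: the skip matches the default name_lower values only; renamed external/tenant networks are not excluded`. The nested `if` can also be folded into the loop filter, `{%- for network in networks if network.vip|default(false) and network.name_lower not in ['external', 'tenant'] %}`, which keeps the whole selection rule on one line. The resource definition begins above the hunk.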