tripleo-heat-templates/deployment/ipa
Ade Lee b2ac1d3788 Add missing IPA services for queens to train upgrades
A queens-based TLS-E deployment will have host and service entries
added to IPA via the novajoin service. These services get added when a
script is executed on the node that retrieves the nova metadata from
the config drive.

With the current code, the script on the nodes is only executed when
the controller/compute is first enrolled as an ipa client. On subsequent
stack updates/upgrades, no new entries are added to the IPA server.

In between queens and train, several services were enabled to use
TLS-everywhere. In an upgrade to train from queens, these new service
entries would not be added, and cert issuance for these services would
fail.

Code has been added to add the missing services. We do this using the
more fine-grained and supported tripleo-ipa ansible code - which is the
preferred method moving forward.

This code will be relevant for train only.

Change-Id: I24b09d368e185dce8820773de53196dd5e380b7c
2021-01-11 17:44:37 -05:00
ipaclient-baremetal-ansible.yaml Add missing IPA services for queens to train upgrades 2021-01-11 17:44:37 -05:00
ipaservices-baremetal-ansible.yaml Don't pass empty values for ipaclient_servers to ipaclient role 2020-12-24 11:17:49 +00:00