Only request neutron certificate from neutron dhcp service

The certificate request for the "neutron" certificate was set in the neutron base template. This had the secondary effect of causing every node that has a neutron service to try to request the certificate. This fixes that issue by moving those bits to where the certificate is actually used (which is only by the dhcp agent). Change-Id: I10ade8a4b5ec30872210c633d35273309ae20377 Closes-Bug: #1816465
2019-02-18 18:35:46 +02:00 · 2019-02-18 18:35:46 +02:00 · 44245d19dd
parent e506999744
commit 44245d19dd
2 changed files with 22 additions and 35 deletions
--- a/deployment/neutron/neutron-dhcp-container-puppet.yaml
+++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml
@ -162,10 +162,6 @@ outputs:
        map_merge:
          - get_attr: [NeutronBase, role_data, config_settings]
          - get_attr: [NeutronLogging, config_settings]
-          - if:
-            - internal_tls_enabled
-            - tripleo::certmonger::neutron::postsave_cmd: "true" # TODO: restart the container here
-            - {}
          - tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_dnsmasq_wrapper: {get_param: NeutronEnableDnsmasqDockerWrapper}
            tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_process_wrapper: '/var/lib/neutron/dnsmasq_wrapper'
            tripleo::profile::base::neutron::dhcp_agent_wrappers::dnsmasq_image: {get_param: DockerNeutronDHCPImage}
@ -202,6 +198,21 @@ outputs:
              - neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
                neutron::agents::dhcp::ovsdb_agent_ssl_cert_file: '/etc/pki/tls/certs/neutron.crt'
                neutron::agents::dhcp::ovsdb_agent_ssl_ca_file: {get_param: InternalTLSCAFile}
+                generate_service_certificates: true
+                tripleo::profile::base::neutron::certificate_specs:
+                  service_certificate: '/etc/pki/tls/certs/neutron.crt'
+                  service_key: '/etc/pki/tls/private/neutron.key'
+                  hostname:
+                    str_replace:
+                      template: "%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+                  principal:
+                    str_replace:
+                      template: "neutron/%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+                  postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
              - {}
          - if:
              - dhcp_ovs_intergation_bridge_unset
@ -332,7 +343,13 @@ outputs:
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
      metadata_settings:
-        get_attr: [NeutronBase, role_data, metadata_settings]
+        if:
+          - internal_tls_enabled
+          -
+            - service: neutron
+              network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+              type: node
+          - null
      host_prep_tasks:
        list_concat:
          - {get_attr: [NeutronLogging, host_prep_tasks]}
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
@ -105,9 +105,6 @@ parameters:
    type: string
    default: 'messagingv2'
    description: Driver or drivers to handle sending notifications.
-  EnableInternalTLS:
-    type: boolean
-    default: false
  RpcPort:
    default: 5672
    description: The network port for messaging backend
@ -136,7 +133,6 @@ parameters:
 conditions:
  dhcp_agents_zero: {equals : [{get_param: NeutronDhcpAgentsPerNetwork}, 0]}
  service_debug_unset: {equals : [{get_param: NeutronDebug}, '']}
-  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  global_physnet_mtu_unset: {equals: [{get_param: NeutronGlobalPhysnetMtu}, 0]}

 outputs:
@ -179,29 +175,3 @@ outputs:
            - dhcp_agents_zero
            - {}
            - tripleo::profile::base::neutron::dhcp_agents_per_network: {get_param: NeutronDhcpAgentsPerNetwork}
-          - if:
-            - internal_tls_enabled
-            - generate_service_certificates: true
-              tripleo::profile::base::neutron::certificate_specs:
-                service_certificate: '/etc/pki/tls/certs/neutron.crt'
-                service_key: '/etc/pki/tls/private/neutron.key'
-                hostname:
-                  str_replace:
-                    template: "%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
-                principal:
-                  str_replace:
-                    template: "neutron/%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
-                postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
-            - null
-      metadata_settings:
-        if:
-          - internal_tls_enabled
-          -
-            - service: neutron
-              network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
-              type: node
-          - null