Enable httpd to request certificates for the "external" network

Deployers can change the network that a service is running on through
the ServiceNetMap. A common change is to switch the keystone admin API
to run in the external network instead of the ctlplane network. Doing
this in a TLS everywhere environment breaks, since we were explicitly
skipping the external network.

This no longer skips that network, thus enabling this use-case.

Change-Id: I488517528a77a257dede2f59488bb95ffc77743b
Closes-Bug: #1732443
(cherry picked from commit 451020b72e)
Juan Antonio Osorio Robles 2017-11-15 13:58:25 +00:00
parent 5a3db4ef87
commit 871b625a7b
1 changed files with 2 additions and 3 deletions

@ -60,10 +60,9 @@ resources:
value:
# NOTE(jaosorior) Get unique network names to create
# certificates for those. We skip the tenant network since
# we don't need a certificate for that, and the external
# is for HAProxy so it isn't used for apache either.
# we don't need a certificate for that.
yaql:
expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
expression: list($.data.map.items().map($1[1])).distinct().where($ != tenant)
data:
map:
get_param: ServiceNetMap
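
Review bot: The filter in `expression:` is built from every value in `ServiceNetMap` (`$.data.map.items().map($1[1])`), not only from the entries for services that httpd hosts, so once `$ != external` is dropped a certificate is requested for the external network whenever any service at all is mapped there, including deployments where the removed comment's case still holds and external is used only by HAProxy. If that extra request is acceptable, the NOTE above the expression should say so and state why external is now included (a service such as the keystone admin API can be moved there through ServiceNetMap), since the shortened comment only explains the tenant exclusion. Otherwise, consider restricting the map to the httpd-hosted service entries before taking `distinct()`.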