From 2f4dd2c927660e1d950e9d6ef49e4cdc628c94df Mon Sep 17 00:00:00 2001 From: Brent Eagles Date: Fri, 26 Jul 2019 11:50:19 -0230 Subject: [PATCH] Only generate Octavia certs on stack create We are regenerating octavia certs whenever an overcloud is updated, breaking any deployments using the auto-generated certs. Certificate updates after the initial deployment require special handling and shouldn't be performed by stack updates/upgrades at this time. Note: depends on changed because the dependent patch was a semantic backport. Depends-On: I8088a0a42094b2d038ba29779535a05195138747 Closes-Bug: #1838039 Change-Id: I05f69df627e5637fdb254285cb3ad6d3d8328f90 (cherry picked from commit b61156785517f767a9ad0ee1613588f6b049fc8c) --- .../octavia/octavia-deployment-config.j2.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/deployment/octavia/octavia-deployment-config.j2.yaml b/deployment/octavia/octavia-deployment-config.j2.yaml index 2af2cb5be5..114038ec99 100644 --- a/deployment/octavia/octavia-deployment-config.j2.yaml +++ b/deployment/octavia/octavia-deployment-config.j2.yaml @@ -34,6 +34,13 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + StackAction: + type: string + description: > + Heat action on performed top-level stack. Note StackUpdateType is + set to UPGRADE when a major-version upgrade is in progress. + constraints: + - allowed_values: ['CREATE', 'UPDATE'] OctaviaPostWorkflowName: description: Mistral workflow name for octavia configuration steps once the overcloud is ready. @@ -187,6 +194,13 @@ conditions: - raw - get_param: NovaEnableRbdBackend + generate_certs: + and: + - get_param: OctaviaGenerateCerts + - equals: + - get_param: StackAction + - CREATE + resources: {% if not octavia_standalone %} default_key_pair: 
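Review bot: The description of the new `StackAction` parameter has its words transposed ("Heat action on performed top-level stack") and then refers to `StackUpdateType`, which is not declared anywhere in this hunk, so a reader cannot tell what the second sentence applies to. Suggested wording: `Heat action performed on the top-level stack (CREATE or UPDATE).`, with the StackUpdateType sentence either dropped or tied to where that parameter is defined. The parameter also has no `default`, so the template presumably relies on the caller always supplying StackAction; that caller is not visible here and is worth confirming. The `parameters:` block starts and ends outside the hunk.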
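Review bot: The new `generate_certs` condition ties certificate generation to the stack action rather than to whether certificates already exist. A deployment that first sets `OctaviaGenerateCerts` during an UPDATE would evaluate to false and would apparently never get its auto-generated certificates. The same looks true when the initial CREATE fails before the post-deploy workflow runs and is retried as an UPDATE; this is inferred from the condition alone, since the workflow is outside the hunk. Because rotation now becomes a manual task, a comment above the condition would help operators, e.g. `# Certs are generated only on the initial CREATE; enabling later or rotating before expiry needs a manual procedure (bug #1838039).` Longer term, having the workflow skip generation when the certificate files already exist would cover both cases without depending on StackAction.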
@@ -226,7 +240,7 @@ resources:
 server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}
 ca_passphrase: { get_param: OctaviaCaKeyPassphrase }
 client_cert_path: { get_param: OctaviaClientCertFile }
- generate_certs: { get_param: OctaviaGenerateCerts }
+ generate_certs: {if: [generate_certs, true, false]}
 mgmt_port_dev: { get_param: OctaviaMgmtPortDevName }
 os_password: { get_param: AdminPassword }
 os_project_name: 'admin'
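Review bot: On the changed line the workflow input key and the condition share the name `generate_certs`, so `{if: [generate_certs, true, false]}` reads as self-referential and hides the fact that the value now also depends on the stack action. A condition name that states the gate would make this clearer, e.g. `generate_certs: {if: [generate_certs_on_create, true, false]}`, with the condition renamed to match where it is defined. A one-line comment such as `# false on UPDATE even when OctaviaGenerateCerts is true` would also help whoever debugs a deployment with missing certificates. The enclosing resource definition starts and ends outside this hunk.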