From 871b625a7bccd52e33741e9f8cbfad96affa12df Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Wed, 15 Nov 2017 13:58:25 +0000
Subject: [PATCH] Enable httpd to request certificates for the "external" network

Deployers can change the network that a service is running on through the ServiceNetMap. A common change is to switch the keystone admin API to run in the external network instead of the ctlplane network. Doing this in a TLS everywhere environment breaks, since we were explicitly skipping the external network. This no longer skips that network, thus enabling this use-case.

Change-Id: I488517528a77a257dede2f59488bb95ffc77743b
Closes-Bug: #1732443
(cherry picked from commit 451020b72e7b27b2615e770f5bbce490258b18be)
---
 puppet/services/apache.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index 6c55fde3d4..c398000e14 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -60,10 +60,9 @@ resources:
 value:
 # NOTE(jaosorior) Get unique network names to create
 # certificates for those. We skip the tenant network since
- # we don't need a certificate for that, and the external
- # is for HAProxy so it isn't used for apache either.
+ # we don't need a certificate for that.
 yaql:
- expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != tenant)
 data:
 map:
 get_param: ServiceNetMap
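Review bot: The list built by the `yaql` expression is every distinct network named in ServiceNetMap minus `tenant`, not the set of networks apache actually serves on. With the `external` exclusion dropped, a certificate for that network will presumably be requested on every node running this service, whether or not a vhost was moved there. Certificates and keys issued for names nothing listens on add material that has to be tracked and revoked, and the request may not succeed on a role with no FQDN on `external`; the consumer of this list is outside the hunk, so both points need confirming there. At minimum the comment should record the trade-off, e.g. `# NOTE: every ServiceNetMap network except tenant gets a certificate, including "external" even when no apache vhost is bound there.` The resource this `value` belongs to starts above the hunk.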