Ensure PKI role is run idempotently for AIO metal scenario

Due to a clash in resulting certificate names they were re-generated each
playbook run.

In order to sort that we need to rename certificate names. As `nova_backend_ssl`
was implemented most recently and is not that widely adopted, we change the name
for it.

This will cause all backend certificates for API to be re-generated.

Change-Id: I4bca3bb2733fe25dad71345f84d9030c535c901b
Dmitriy Rabotyagov 2024-04-10 12:13:33 +02:00
parent 3515638326
commit ea39d38321
2 changed files with 15 additions and 3 deletions

@ -801,7 +801,7 @@ nova_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
nova_pki_certificates:
# Used to encrypt traffic between haproxy and nova backends
- name: "nova_{{ ansible_facts['hostname'] }}"
- name: "nova_{{ ansible_facts['hostname'] }}_api"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ nova_pki_san }}"
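Review bot: the `_api` suffix on the `name` line fixes the collision the commit message describes, but the comment above the entry ("Used to encrypt traffic between haproxy and nova backends") still gives the next reader no hint that the suffix is load-bearing; add a short note such as `# suffixed with _api so the name is unique when nova-compute shares the host (metal scenario)` so nobody "simplifies" it back to `nova_{{ ansible_facts['hostname'] }}`. Note also that `cn` and `san` are unchanged, so only the PKI-side file names move; the previously generated `nova_<hostname>` cert and key pair from earlier runs is not removed by this change and will linger on the PKI host until cleaned up by hand.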
@ -814,13 +814,13 @@ nova_ssl_key: /etc/nova/nova.key
# Installation details for SSL certificates
nova_pki_install_certificates:
- src: "{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
- src: "{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api-chain.crt') }}"
dest: "{{ nova_ssl_cert }}"
owner: "{{ nova_system_user_name }}"
group: "{{ nova_system_user_name }}"
mode: "0644"
condition: "{{ nova_backend_ssl }}"
- src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
- src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api.key.pem') }}"
dest: "{{ nova_ssl_key }}"
owner: "{{ nova_system_user_name }}"
group: "{{ nova_system_user_name }}"
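Review bot: the default `src` paths for both the chain certificate and the key are updated consistently with the renamed certificate (`_api-chain.crt` and `_api.key.pem`), and `dest` stays `nova_ssl_cert` / `nova_ssl_key`, so the installed paths that haproxy and Nova consume do not change; the `nova_user_ssl_cert` / `nova_user_ssl_key` overrides also still take precedence. Two things to confirm outside the visible context: the key entry's `mode` and `condition: "{{ nova_backend_ssl }}"` lines are cut off below `group:`, so check they still match the certificate entry above, and consider a follow-up task that removes the stale `nova_<hostname>.key.pem` private key left behind by previous runs, since a now-unused private key sitting next to the live one is worth tidying rather than leaving indefinitely.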

@ -0,0 +1,12 @@
---
upgrade:
- |
For deployments with ``nova_backend_ssl: True`` TLS certificates for
Nova API backends will be re-generated during upgrade. From now on they
will be suffixed with `_api`.
fixes:
- |
PKI role idempotence has been fixed for the ``metal`` scenario when
nova-compute was placed on the same hosts as nova-api.
Previously, certificates were re-generated each run due to non-unique
names.
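Review bot: the upgrade note marks `_api` with single backticks while the rest of the note uses double backticks (``nova_backend_ssl: True``, ``metal``); in reStructuredText single backticks are interpreted text rather than an inline literal, so this renders differently from the other identifiers. Use ``_api`` for consistency. It would also help operators to say in the upgrade note that the previously generated ``nova_<hostname>`` certificate and key files are left in place on the PKI host and are safe to delete after the upgrade, since nothing in the diff removes them.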