From ea39d38321f387298d7e8ee27979badd9c6af128 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Wed, 10 Apr 2024 12:13:33 +0200
Subject: [PATCH] Ensure PKI role is run idempotently for AIO metal scenario

Due to clash in resulting certificate names they were re-genearated each playbook run. In order to sort that we need to rename certificate names. As `nova_backend_ssl` was implemented latest and not that widely adopted, we change name for it. This will cause all backend certificates for API to be re-generated.

Change-Id: I4bca3bb2733fe25dad71345f84d9030c535c901b
---
 defaults/main.yml | 6 +++---
 ...ix_aio_nova_pki_idempotence-e9b8aa38231825e8.yaml | 12 ++++++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/fix_aio_nova_pki_idempotence-e9b8aa38231825e8.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 5b1a7896..df479ae9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -801,7 +801,7 @@
 nova_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
 nova_pki_certificates:
   # Used to encrypt traffic between haproxy and nova backends
-  - name: "nova_{{ ansible_facts['hostname'] }}"
+  - name: "nova_{{ ansible_facts['hostname'] }}_api"
     provider: ownca
     cn: "{{ ansible_facts['hostname'] }}"
     san: "{{ nova_pki_san }}"
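Review bot: The `_api` suffix added to the certificate `name` is an unstated contract with the default `src` paths in `nova_pki_install_certificates` further down in the same file, and nothing at this line records why the suffix exists, so a later rename could re-introduce the collision the commit message describes. A short comment above the entry would pin that down, e.g. `# The _api suffix keeps this name distinct from the other nova_<hostname> certificates generated on a host that also runs nova-compute (AIO/metal); keep it in sync with nova_pki_install_certificates`. The `cn` and `san` values are unchanged, so only the generated file names move, not the certificate contents. The `nova_pki_certificates` list may continue past the hunk.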
@@ -814,13 +814,13 @@
 nova_ssl_key: /etc/nova/nova.key
 # Installation details for SSL certificates
 nova_pki_install_certificates:
-  - src: "{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+  - src: "{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api-chain.crt') }}"
     dest: "{{ nova_ssl_cert }}"
     owner: "{{ nova_system_user_name }}"
     group: "{{ nova_system_user_name }}"
     mode: "0644"
     condition: "{{ nova_backend_ssl }}"
-  - src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+  - src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api.key.pem') }}"
     dest: "{{ nova_ssl_key }}"
     owner: "{{ nova_system_user_name }}"
     group: "{{ nova_system_user_name }}"
diff --git a/releasenotes/notes/fix_aio_nova_pki_idempotence-e9b8aa38231825e8.yaml b/releasenotes/notes/fix_aio_nova_pki_idempotence-e9b8aa38231825e8.yaml
new file mode 100644
index 00000000..94ca0191
--- /dev/null
+++ b/releasenotes/notes/fix_aio_nova_pki_idempotence-e9b8aa38231825e8.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    For deployments with ``nova_backend_ssl: True`` TLS certificates for
+    Nova API backends will be re-generated during upgrade. From now on they
+    will be suffixed with `_api`.
+fixes:
+  - |
+    PKI role idempotence has been fixed for the ``metal`` scenario when
+    nova-compute was placed on the same hosts as nova-api.
+    Previously, certificates were re-generated each run due to non-unique
+    names.
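Review bot: The new default `src` values look for `nova_<hostname>_api-chain.crt` under `nova_pki_certs_path` and `nova_<hostname>_api.key.pem` under `nova_pki_keys_path`, but nothing in this change removes the previously generated `nova_<hostname>-chain.crt` and `nova_<hostname>.key.pem`, so on upgraded hosts the superseded private key presumably stays on disk next to the new one (and wherever the PKI role keeps its copies, which is not visible here) until an operator prunes it. A cleanup task for the old file names, or at minimum a sentence in the release note telling operators to remove them, would close that gap. Deployments that override `nova_pki_certificates` with the old name but keep this default install list will now reference files that are never generated, so the release note should also mention that both variables move together. The `nova_pki_install_certificates` list continues past the hunk; the second entry's `mode` and `condition` lines are outside it.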