openstack/openstack-ansible-os_nova
Code Issues Proposed changes

Ensure PKI role is run idempotently for AIO metal scenario

Browse Source 
Due to clash in resulting certificate names they were re-genearated each
playbook run.

In order to sort that we need to rename certificate names. As `nova_backend_ssl`
was implemented latest and not that widely adopted, we change name
for it.

This will cause all backend certificates for API to be re-generated.

Change-Id: I4bca3bb2733fe25dad71345f84d9030c535c901b
This commit is contained in:
Dmitriy Rabotyagov 2024-04-10 12:13:33 +02:00
parent 3515638326
commit ea39d38321
2 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
defaults/main.yml
View File

@ -801,7 +801,7 @@ nova_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
nova_pki_certificates: nova_pki_certificates:
# Used to encrypt traffic between haproxy and nova backends # Used to encrypt traffic between haproxy and nova backends
- name: "nova_{{ ansible_facts['hostname'] }}" - name: "nova_{{ ansible_facts['hostname'] }}_api"
provider: ownca provider: ownca
cn: "{{ ansible_facts['hostname'] }}" cn: "{{ ansible_facts['hostname'] }}"
san: "{{ nova_pki_san }}" san: "{{ nova_pki_san }}"
@ -814,13 +814,13 @@ nova_ssl_key: /etc/nova/nova.key
# Installation details for SSL certificates # Installation details for SSL certificates
nova_pki_install_certificates: nova_pki_install_certificates:
- src: "{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}" - src: "{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api-chain.crt') }}"
dest: "{{ nova_ssl_cert }}" dest: "{{ nova_ssl_cert }}"
owner: "{{ nova_system_user_name }}" owner: "{{ nova_system_user_name }}"
group: "{{ nova_system_user_name }}" group: "{{ nova_system_user_name }}"
mode: "0644" mode: "0644"
condition: "{{ nova_backend_ssl }}" condition: "{{ nova_backend_ssl }}"
- src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '.key.pem') }}" - src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api.key.pem') }}"
dest: "{{ nova_ssl_key }}" dest: "{{ nova_ssl_key }}"
owner: "{{ nova_system_user_name }}" owner: "{{ nova_system_user_name }}"
group: "{{ nova_system_user_name }}" group: "{{ nova_system_user_name }}"

12
releasenotes/notes/fix_aio_nova_pki_idempotence-e9b8aa38231825e8.yaml Normal file
View File

@ -0,0 +1,12 @@
---
upgrade:
- |
For deployments with ``nova_backend_ssl: True`` TLS certificates for
Nova API backends will be re-generated during upgrade. From now on they
will be suffixed with `_api`.
fixes:
- |
PKI role idempotence has been fixed for the ``metal`` scenario when
nova-compute was placed on the same hosts as nova-api.
Previously, certificates were re-generated each run due to non-unique
names.