Merge pull request #1056 from stackhpc/backend-tls-network

markgoddard · web-flow · commit b2be632d272b · 2024-04-30T10:27:52.000+01:00
Generate backend TLS files for network hosts
diff --git a/etc/kayobe/ansible/vault-generate-backend-tls.yml b/etc/kayobe/ansible/vault-generate-backend-tls.yml
@@ -1,8 +1,8 @@
 ---
 # Required for uri module to work with self-signed certificates and for systems to trust
 # the self-signed CA
-- name: Install CA on controllers
-  hosts: controllers
+- name: Install CA
+  hosts: controllers:network
   tasks:
     - name: Copy the intermediate CA
       copy:
@@ -16,7 +16,7 @@
       shell: "{{ 'update-ca-trust' if ansible_facts.os_family == 'RedHat' else 'update-ca-certificates' }}"
 
 - name: Generate backend API certificates
-  hosts: controllers
+  hosts: controllers:network
   vars:
     vault_api_addr: "https://{{ kolla_internal_fqdn }}:8200"
     vault_intermediate_ca_name: "OS-TLS-INT"
diff --git a/releasenotes/notes/backend-tls-network-aa7b09008a2e1914.yaml b/releasenotes/notes/backend-tls-network-aa7b09008a2e1914.yaml
@@ -0,0 +1,6 @@
+---
+issues:
+  - |
+    Generate backend TLS files for network hosts. This fixes backend TLS
+    configuration for deployments where some API services are running on
+    network hosts.
