From 80086fd342032ec448a84ecf7c5dbe98d381450a Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Thu, 15 Dec 2016 16:20:40 +0200
Subject: Add metadata settings for needed kerberos principals

These are only used for TLS-everywhere, and fills up the kerberos
principals that will need to be created for the certs used by the
overcloud. With this, the metadata hook will format these principals
correctly and will further pass them on to the nova metadata service.
Where they can be used if there's a plugin enabled.

bp tls-via-certmonger
bp novajoin

Change-Id: I873094bb69200052febda629fda698a7a782c031
---
 .../services/apache-internal-tls-certmonger.yaml   | 35 +++++++++++++++-------
 1 file changed, 25 insertions(+), 10 deletions(-)

(limited to 'puppet/services/apache-internal-tls-certmonger.yaml')

diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml
index 07ec1b3c..97d6ff8e 100644
--- a/puppet/services/apache-internal-tls-certmonger.yaml
+++ b/puppet/services/apache-internal-tls-certmonger.yaml
@@ -21,6 +21,22 @@ parameters:
                  via parameter_defaults in the resource registry.
     type: json
 
+resources:
+
+  ApacheNetworks:
+    type: OS::Heat::Value
+    properties:
+      value:
+        # NOTE(jaosorior) Get unique network names to create
+        # certificates for those. We skip the tenant network since
+        # we don't need a certificate for that, and the external
+        # network will be handled in another template.
+        yaql:
+          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+          data:
+            map:
+              get_param: ServiceNetMap
+
 outputs:
   role_data:
     description: Role data for the Apache role.
@@ -38,13 +54,12 @@ outputs:
                   hostname: "%{hiera('fqdn_NETWORK')}"
                   principal: "HTTP/%{hiera('fqdn_NETWORK')}"
               for_each:
-                NETWORK:
-                  # NOTE(jaosorior) Get unique network names to create
-                  # certificates for those. We skip the tenant network since
-                  # we don't need a certificate for that, and the external
-                  # network will be handled in another template.
-                  yaql:
-                    expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
-                    data:
-                      map:
-                        get_param: ServiceNetMap
+                NETWORK: {get_attr: [ApacheNetworks, value]}
+      metadata_settings:
+        repeat:
+          template:
+            - service: HTTP
+              network: $NETWORK
+              type: node
+          for_each:
+            $NETWORK: {get_attr: [ApacheNetworks, value]}
-- 
cgit 1.2.3-korg