Merge "Include PKI role only once"

defaults/main.yml

@@ -725,6 +725,7 @@ nova_pki_compute_install_certificates:
 # nova_user_ssl_ca_cert: <path to cert on ansible deployment host>
 
 # TLS certficates for console hosts
+nova_pki_console_condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' and 'nova_console' in group_names }}"
 nova_pki_console_certificates:
   # Client certificate used by novnv proxy to authenticate with compute hosts using vencrypt
   - name: "nova_{{ ansible_facts['hostname'] }}-client"
@@ -738,7 +739,7 @@ nova_pki_console_certificates:
       - keyEncipherment
     extended_key_usage:
       - clientAuth
-    condition: "{{ nova_qemu_vnc_tls == 1 and 'novnc' in nova_console_proxy_types }}"
+    condition: "{{ nova_pki_console_condition | bool }}"
 
 # Installation details for SSL certificates for console hosts
 nova_pki_console_install_certificates:
@@ -747,19 +748,19 @@ nova_pki_console_install_certificates:
     owner: "root"
     group: "{{ nova_system_group_name }}"
     mode: "0640"
-    condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
+    condition: "{{ nova_pki_console_condition | bool }}"
   - src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-client.key.pem') }}"
     dest: "{{ nova_vencrypt_client_key }}"
     owner: "root"
     group: "{{ nova_system_group_name }}"
     mode: "0640"
-    condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
+    condition: "{{ nova_pki_console_condition | bool }}"
   - src: "{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_chain_path) }}"
     dest: "{{ nova_vencrypt_ca_certs }}"
     owner: "root"
     group: "{{ nova_system_group_name }}"
     mode: "0640"
-    condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"
+    condition: "{{ nova_pki_console_condition | bool }}"
 
 # host which holds the ssh certificate authority
 nova_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
@@ -799,6 +800,14 @@ nova_ssh_keypairs_principals:
 # Define if communication between haproxy and service backends should be
 # encrypted with TLS.
 nova_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+nova_pki_certificates_condition: >-
+  {{
+    nova_backend_ssl and (
+      'nova_console' in group_names or
+      'nova_api_metadata' in group_names or
+      'nova_api_os_compute' in group_names
+    )
+  }}
 
 nova_pki_certificates:
    # Used to encrypt traffic between haproxy and nova backends
@@ -807,7 +816,7 @@ nova_pki_certificates:
     cn: "{{ ansible_facts['hostname'] }}"
     san: "{{ nova_pki_san }}"
     signed_by: "{{ nova_pki_intermediate_cert_name }}"
-    condition: "{{ nova_backend_ssl }}"
+    condition: "{{ nova_pki_certificates_condition | bool }}"
 
 # nova destination files for SSL certificates
 nova_ssl_cert: /etc/nova/nova.pem
@@ -820,13 +829,13 @@ nova_pki_install_certificates:
     owner: "{{ nova_system_user_name }}"
     group: "{{ nova_system_user_name }}"
     mode: "0644"
-    condition: "{{ nova_backend_ssl }}"
+    condition: "{{ nova_pki_certificates_condition | bool }}"
   - src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api.key.pem') }}"
     dest: "{{ nova_ssl_key }}"
     owner: "{{ nova_system_user_name }}"
     group: "{{ nova_system_user_name }}"
     mode: "0600"
-    condition: "{{ nova_backend_ssl }}"
+    condition: "{{ nova_pki_certificates_condition | bool }}"
 
 # Periodically move records for deleted resources to shadow tables
 nova_archive_deleted: False

tasks/main.yml

@@ -139,7 +139,7 @@
     - nova-config
 
 # Create certs after nova groups have been created but before handlers
-- name: Create and install SSL certificates for API
+- name: Create and install SSL certificates for API and Consoles
   include_role:
     name: pki
     tasks_from: main_certs.yml
@@ -152,10 +152,10 @@
     pki_dir: "{{ nova_pki_dir }}"
     pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}"
     pki_regen_cert: "{{ nova_pki_regen_cert }}"
-    pki_certificates: "{{ nova_pki_certificates }}"
+    pki_certificates: "{{ nova_pki_certificates + nova_pki_console_certificates }}"
-    pki_install_certificates: "{{ nova_pki_install_certificates }}"
+    pki_install_certificates: "{{ nova_pki_install_certificates + nova_pki_console_install_certificates }}"
   when:
-    - "'nova_api_metadata' in group_names or 'nova_api_os_compute' in group_names"
+    - nova_pki_certificates_condition | bool or nova_pki_console_condition | bool
   tags:
     - always
 
@@ -181,26 +181,6 @@
   tags:
     - always
 
-- name: Create and install SSL certificates for console hosts
-  include_role:
-    name: pki
-    tasks_from: main_certs.yml
-    apply:
-      tags:
-        - nova-config
-        - pki
-  vars:
-    pki_setup_host: "{{ nova_pki_setup_host }}"
-    pki_dir: "{{ nova_pki_dir }}"
-    pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}"
-    pki_regen_cert: "{{ nova_pki_regen_cert }}"
-    pki_certificates: "{{ nova_pki_certificates + nova_pki_console_certificates }}"
-    pki_install_certificates: "{{ nova_pki_install_certificates + nova_pki_console_install_certificates }}"
-  when:
-    - "'nova_console' in group_names"
-  tags:
-    - always
-
 - name: Including nova_post_install tasks
   import_tasks: nova_post_install.yml
   tags: