Generate certificates only for API hosts

Right now PKI role is included based of `cinder_backend_ssl` variable, which might be globally overridable with `openstack_service_backend_ssl`. At the same time these certificates are used only for uWSGI, as a backend web server, and not used anywhere else. But they will be issued for cinder-volume and cinder-backup without any need. Extended condition will check if we are running against a group which also need certificates to be present. Change-Id: I40d7fffd77ce4c6bff58279ba6bc0c5858b7452c Signed-off-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
2025-09-09 14:12:39 +02:00
parent eb01602ebc
commit c54bb2b70a
1 changed files with 1 additions and 0 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -130,6 +130,7 @@
    pki_install_certificates: "{{ cinder_pki_install_certificates }}"
  when:
    - cinder_backend_ssl
+    - cinder_services['cinder-api']['group'] in group_names
  tags:
    - always