From c54bb2b70a7278b2fb8ce7ce67eaa4b3681f4156 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
Date: Tue, 9 Sep 2025 14:12:39 +0200
Subject: [PATCH] Generate certificates only for API hosts

Right now PKI role is included based of `cinder_backend_ssl`
variable, which might be globally overridable with
`openstack_service_backend_ssl`.

At the same time these certificates are used only for uWSGI, as
a backend web server, and not used anywhere else. But they will
be issued for cinder-volume and cinder-backup without any need.

Extended condition will check if we are running against a group which
also need certificates to be present.

Change-Id: I40d7fffd77ce4c6bff58279ba6bc0c5858b7452c
Signed-off-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
---
 tasks/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tasks/main.yml b/tasks/main.yml
index 9a3c9db4..dd772a75 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -130,6 +130,7 @@
     pki_install_certificates: "{{ cinder_pki_install_certificates }}"
   when:
     - cinder_backend_ssl
+    - cinder_services['cinder-api']['group'] in group_names
   tags:
     - always