commit d1ecdb0e65ea066d91281b9ae7442e097b00e882
author Mykyta Karpin <mkarpin@mirantis.com> Thu Oct 11 13:11:39 2018 +0300
committer Mykyta Karpin <mkarpin@mirantis.com> Thu Oct 11 13:11:39 2018 +0300
tree 425a10eb8eedb2801dc01c74bc5892e6d9b7bac0
parent e992a7d4e679fb2c712c7664942dd0cfb8eedf34

Add cluster_vip_address to alternative names

Due to the behaviour of python requests lib, which checks
server certificates dns names against hostname from url, e.g
in http://10.11.0.10:35357 it takes 10.11.0.10 as hostname,
openstack clients fail to verify certificate of openstack_api.

Change-Id: I1c342b77275cd0a770417ae14e9659d2fe4ba085
Related-Prod: https://mirantis.jira.com/browse/PROD-23860

salt/minion/cert/openstack_api.yml

diff --git a/salt/minion/cert/openstack_api.yml b/salt/minion/cert/openstack_api.yml
index 1095f7e..03e8974 100644
--- a/salt/minion/cert/openstack_api.yml
+++ b/salt/minion/cert/openstack_api.yml
@@ -2,7 +2,7 @@
   _param:
     salt_minion_ca_host: ${linux:network:fqdn}
     salt_minion_ca_authority: salt_master_ca
-    openstack_api_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+    openstack_api_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_vip_address}
     openstack_api_cert_key_file: "/etc/ssl/private/openstack_api.key"
     openstack_api_cert_cert_file: "/etc/ssl/certs/openstack_api.crt"
     openstack_api_cert_all_file: "/etc/ssl/certs/openstack_api_with_chain.crt"