Comment 3 for bug 1846495

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/686399
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=668cc684fc93503128c946dae9f331b49437ec2c
Submitter: Zuul
Branch: master

commit 668cc684fc93503128c946dae9f331b49437ec2c
Author: Michele Baldessari <email address hidden>
Date: Thu Oct 3 15:04:47 2019 +0200

    Fix double cert mount in haproxy bundle when using tls everywhere

    When deploying with tls-everywhere the haproxy_init_bundle container
    will bind mount /etc/ipa/ca.crt twice and starting with podman 1.{3,4}.x
    this will break:

      "stderr: Error: /etc/ipa/ca.crt: duplicate mount destination"

    The TLS bind mounts are needed in haproxy_init_bundle (which is only
    in charge of creating the pcmk resource) because puppet-haproxy uses
    a validate command to check the config which will fail if we simply
    remove those bind mounts. Instead of skipping this verification with
    some parameter/tag, we try and avoid the duplicate cert by removing the
    ca.crt bind mount from deployed_cert_mounts.

    The duplication comes from:
    1) https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/containers-common.yaml#L122-L127
    2) https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/haproxy/haproxy-pacemaker-puppet.yaml#L263

    Since changing it into 1) has large implications, we just avoid
    redefining it in 2).

    Tested with a full tls-everywhere deploy with the applied patch and the
    error is not seen any longer.

    Change-Id: I6493fd090c808da01d19cc12d1b8371c67708904
    Related-Bug: #1833347
    Closes-Bug: #1846495
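
The failure described in this commit can be caught before a container is started by checking the combined bind-mount lists for repeated destinations. The following is an added example, not part of the commit or of tripleo-heat-templates; the function names and the sample mount lists are constructed for illustration, and only /etc/ipa/ca.crt comes from the commit message.

```python
from collections import defaultdict

def parse_volume(spec):
    """Split a 'source:destination[:options]' bind-mount string."""
    parts = spec.split(":")
    if len(parts) < 2:
        raise ValueError(f"not a bind mount spec: {spec!r}")
    src, dst = parts[0], parts[1]
    opts = parts[2] if len(parts) > 2 else ""
    return src, dst.rstrip("/") or "/", opts

def duplicate_destinations(*mount_lists):
    """Return {destination: [specs]} for destinations mounted more than once."""
    seen = defaultdict(list)
    for mounts in mount_lists:
        for spec in mounts:
            seen[parse_volume(spec)[1]].append(spec)
    return {dst: specs for dst, specs in seen.items() if len(specs) > 1}

def merge_mounts(*mount_lists):
    """Concatenate lists, keeping the first mount per destination.

    An exact repeat is dropped. A repeat with a different source or options
    is refused: silently picking one could swap the CA file the container
    trusts or turn a read-only mount writable.
    """
    merged, by_dst = [], {}
    for mounts in mount_lists:
        for spec in mounts:
            src, dst, opts = parse_volume(spec)
            if dst in by_dst:
                if by_dst[dst] != (src, opts):
                    raise ValueError(f"conflicting mounts for {dst}: {spec!r}")
                continue
            by_dst[dst] = (src, opts)
            merged.append(spec)
    return merged

# Constructed sample lists standing in for the two sources of mounts.
COMMON = ["/etc/hosts:/etc/hosts:ro", "/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro"]
DEPLOYED_CERTS = ["/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro",
                  "/etc/pki/tls/private/example.pem:/etc/pki/tls/private/example.pem:ro"]

if __name__ == "__main__":
    print(duplicate_destinations(COMMON, DEPLOYED_CERTS))
    print(merge_mounts(COMMON, DEPLOYED_CERTS))
```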