Bug 1655185 - RFE: TLS Everywhere on non-ctlplane networks
Summary: RFE: TLS Everywhere on non-ctlplane networks
Keywords:
Status: CLOSED DUPLICATE of bug 1677003
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: ---
Assignee: Ade Lee
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On: 1661635 1677001 1677003
Blocks:
Reported: 2018-11-30 21:47 UTC by Mircea Vutcovici
Modified: 2019-08-08 02:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 12:31:52 UTC
Target Upstream Version:
Embargoed:



Description Mircea Vutcovici 2018-11-30 21:47:17 UTC
Description of request:
Currently, in order for TLS Everywhere to work properly, it requires setting the IdM server as the DNS server on the ctlplane network in tripleo. This is very limiting in two ways. One, it restricts the IdM server to requiring IPv4, since the ctlplane network requires IPv4. Secondly, and more importantly, since the ctlplane network is isolated in many environments, this means that openstack needs to reach out via a masquerade on the ctlplane network in order to reach IdM. This means that all auth traffic and CA renewals must now masquerade through the undercloud. This not only introduces additional load, but also a bottleneck.

Business requirements: The customer needs to be able to use the external/management network to reach the IdM server; those networks are IPv6 and are routable. Having support for IdM on any network for TLS Everywhere would be a good generic version of the change. The customer also has the requirement that nothing on the overcloud must use the ctlplane masquerade for anything. Additionally, they have the requirement that if the undercloud goes down, it should not disrupt the overcloud.

Functional requirements: TLS Everywhere should be able to use a server accessible by any network, not just the ctlplane. This should work with IPv4 and IPv6.

Test plan: We can test that, without the ctlplane masquerade set and without the DNS server set on the ctlplane network, we can still successfully deploy TLS Everywhere.

Timeline dependencies: This is needed for their planned production rollout of OSP13. Hopefully someone from the customer can chime in with the timeline; all we know is that it's soonish.

Affected packages: something in tripleo, maybe novajoin.

Yes, we can assist in testing this functionality.

Comment 2 Harry Rybacki 2019-06-10 12:31:52 UTC
Required changes for this have already merged. Closing this as DUPLICATE of RHBZ#1661635 -- we have moved the respective Cu. case to that bug for continuity.

*** This bug has been marked as a duplicate of bug 1677003 ***
