Bug 1306399

Summary: glance_registry haproxy config doesn't have any bind directive with an ssl enabled overcloud
Product: Red Hat OpenStack Reporter: Marius Cornea <mcornea>
Component: rhosp-directorAssignee: Cyril Roelandt <cyril>
Status: CLOSED NEXTRELEASE QA Contact: Avi Avraham <aavraham>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.0 (Kilo)CC: aaviram, aavraham, akaris, bperkins, cschwede, cyril, dbecker, ekuvaja, gfidente, jcoufal, mburns, morazi, pgrist, rhel-osp-director-maint, scohen, tshefi, tvignaud
Target Milestone: ---Keywords: Triaged
Target Release: 12.0 (Pike)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-29 14:45:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Marius Cornea 2016-02-10 17:39:55 UTC 
Description of problem:
glance_registry haproxy config doesn't have any bind directive with an ssl enabled overcloud:


Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-117.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
[root@overcloud-controller-0 ~]# grep -A 5 glance_registry /etc/haproxy/haproxy.cfg 
listen glance_registry
  server overcloud-controller-0 192.168.100.13:9191 check fall 5 inter 2000 rise 2
  server overcloud-controller-1 192.168.100.12:9191 check fall 5 inter 2000 rise 2
  server overcloud-controller-2 192.168.100.16:9191 check fall 5 inter 2000 rise 2
Comment 1 Giulio Fidente 2016-02-10 18:03:49 UTC 
I think glance-registry doesn't need to have an SSL binding because it's not user-facing service. It is only glance-api calling it.
Comment 2 Marius Cornea 2016-02-10 18:13:06 UTC 
The issue is that there's no binding that uses the internal api vip. The config files are set up with the local ips thus the glance registry requests don't get balanced:

[root@overcloud-controller-0 ~]# grep -A 5 glance_registry /etc/haproxy/haproxy.cfg 
listen glance_registry
  server overcloud-controller-0 192.168.100.13:9191 check fall 5 inter 2000 rise 2
  server overcloud-controller-1 192.168.100.12:9191 check fall 5 inter 2000 rise 2
  server overcloud-controller-2 192.168.100.16:9191 check fall 5 inter 2000 rise 2

[root@overcloud-controller-0 ~]# grep registry_host /etc/glance/*
/etc/glance/glance-api.conf:#registry_host=0.0.0.0
/etc/glance/glance-api.conf:registry_host=192.168.100.13
/etc/glance/glance-cache.conf:#registry_host=0.0.0.0
/etc/glance/glance-cache.conf:registry_host=192.168.100.13
/etc/glance/glance-scrubber.conf:#registry_host=0.0.0.0
Comment 3 Mike Burns 2016-04-07 21:07:13 UTC 
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.
Comment 7 Amit Aviram 2016-11-23 14:45:49 UTC 
I believe you are asking the wrong person.. (I'm Amit Aviram, aaviram)