Bug 1320379
| Summary: | RFE: Allow Conversion from non-SSL to SSL | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Andreas Karis <akaris> |
| Component: | openstack-tripleo | Assignee: | Juan Antonio Osorio <josorior> |
| Status: | CLOSED ERRATA | QA Contact: | Marius Cornea <mcornea> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 (Kilo) | CC: | jcoufal, jmelvin, josorior, jschluet, mburns, mcornea, michele, nkinder, rcritten, rhel-osp-director-maint, sasha, scohen, srevivo |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | 10.0 (Newton) | Flags: | scohen:
needinfo+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-tripleo-0.0.1-0.20160916135259.4de13b3.el7ost, puppet-tripleo-5.3.0-5.el7ost | Doc Type: | Enhancement |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-12-14 15:29:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Andreas Karis
2016-03-23 04:53:56 UTC
So I think that the issue is here:
rdomanager_oscplugin/v1/overcloud_deploy.py
(...)
keystone.setup_endpoints(
services,
client=keystone_client,
os_auth_url=overcloud_endpoint,
public_host=overcloud_ip_or_fqdn)
(...)
Which at some point creates endpoints by means of this helper function which will simply abandon if endpoints already exist:
os_cloud_config/keystone.py
(...)
def _create_endpoint(keystone, region, service_id, public_uri, admin_uri,
internal_uri):
"""Helper for idempotent creating of endpoint.
:param keystone: keystone v2 client
:param region: endpoint region
:param service_id: id of associated service
:param public_uri: endpoint public uri
:param admin_uri: endpoint admin uri
:param internal_uri: endpoint internal uri
"""
if keystone.endpoints.findall(publicurl=public_uri):
LOG.info('Endpoint for service %s and public uri %s '
'already exists.', service_id, public_uri)
else:
LOG.debug('Creating endpoint for service %s.', service_id)
keystone.endpoints.create(
region, service_id, public_uri, admin_uri, internal_uri)
(...)
that is indeed the issue; os-cloud-config is only run once in the post config. It isn't run on updates... We need to stop using that and take puppet into use for creating/updating the keystone endpoints. Because, AFAIK, os-cloud-config doesn't even have the capabilities of updating the endpoints at all. Currently, we do not support migrating from non-SSL to SSL without a complete re-deployment. That makes this request an RFE. Tested on openstack-tripleo-heat-templates-5.0.0-0.6.0rc3.el7ost It looks that we're missing a step to do 'pcs resource haproxy restart' while running the overcloud deploy command which enables ssl. After the overcloud update is complete I'm not able to reach the haproxy endpoints and a haproxy restart is required. Marius, could you check if doing systemctl reload haproxy works? instead of doing pcs resource haproxy restart. Doing a reload of the configuration should work, and I have the feeling this bug https://bugs.launchpad.net/tripleo/+bug/1627254 is hitting us there. So, it seems that the issue is that we're not restarting haproxy via pacemaker anymore, so I've submitted a fix to work around that issue. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2948.html |