Bug 1337332

Summary: Horizon endpoints shown as http based in keystone endpoint-list on SSL-enabled overcloud
Product: Red Hat OpenStack
Reporter: Dan Yasny <dyasny>
Component: openstack-puppet-modules
Assignee: Juan Antonio Osorio <josorior>
Status: CLOSED ERRATA
QA Contact: Dan Yasny <dyasny>
Severity: high
Priority: unspecified
Version: 8.0 (Liberty)
CC: dbecker, jguiditt, josorior, mburns, mcornea, morazi, nkinder, rhel-osp-director-maint, sasha, srevivo
Target Milestone: async
Keywords: ZStream
Target Release: 8.0 (Liberty)
Hardware: x86_64
OS: Linux
Fixed In Version: openstack-puppet-modules-7.0.19-1.el7ost
Doc Type: If docs needed, set a value
Last Closed: 2016-06-14 19:53:10 UTC
Type: Bug

Description Dan Yasny 2016-05-18 21:11:22 UTC
Description of problem:
Horizon endpoints shown as http based in keystone endpoint-list on SSL-enabled overcloud
+----------------------------------+-----------+-----------------------------------------------------+--------------------------------------------------+-----------------------------------------------+----------------------------------+
|                id                |   region  |                      publicurl                      |                   internalurl                    |                    adminurl                   |            service_id            |
+----------------------------------+-----------+-----------------------------------------------------+--------------------------------------------------+-----------------------------------------------+----------------------------------+
| 0155a41cd06d40c687af3696b5272af9 | regionOne |    https://192.168.200.180:13776/v1/%(tenant_id)s   |   http://192.168.100.11:8776/v1/%(tenant_id)s    |  http://192.168.100.11:8776/v1/%(tenant_id)s  | ebc366add66644f9bba757d81035ade9 |
| 03cb933eb91441a48ea3ea8236e70330 | regionOne |            https://192.168.200.180:13292/           |           http://192.168.110.10:9292/            |          http://192.168.110.10:9292/          | 326c52bd42b142fda84f6204e00b3c45 |
| 10d3d54aff1d40859bfa9dfb92dd99ec | regionOne |            https://192.168.200.180:13696/           |           http://192.168.100.11:9696/            |          http://192.168.100.11:9696/          | bc78ca9bbfae48e5a55c4e460a114975 |
| 3d6839ce484f4d9d804bbfeed686469e | regionOne |         http://192.168.200.180:80/dashboard/        |       http://192.168.200.180:80/dashboard/       |   http://192.168.200.180:80/dashboard/admin   | ad5e47afeefd48aea5e8b1b1c7d43948 |
| 41f66e777d4342a0b834e5a8637ff002 | regionOne |          https://192.168.200.180:13000/v2.0         |         http://192.168.100.11:5000/v2.0          |          http://192.0.2.6:35357/v2.0          | 6d39d30c11224c8dbfecaa18efaf21c5 |
| 4413098261454d9ab91c08d126ab729b | regionOne | https://192.168.200.180:13808/v1/AUTH_%(tenant_id)s | http://192.168.110.10:8080/v1/AUTH_%(tenant_id)s |         http://192.168.110.10:8080/v1         | 4905137049704ca38b209def5604d9a0 |
| 99ad7f03dc154525bc57e9ab4845d412 | regionOne |   https://192.168.200.180:13774/v2.1/$(tenant_id)s  |  http://192.168.100.11:8774/v2.1/$(tenant_id)s   | http://192.168.100.11:8774/v2.1/$(tenant_id)s | 07c273e40952454d9fd667fb0f64d9ea |
| a32b5b6bed0e48a3949e2c6f890b579b | regionOne |    https://192.168.200.180:13004/v1/%(tenant_id)s   |   http://192.168.100.11:8004/v1/%(tenant_id)s    |  http://192.168.100.11:8004/v1/%(tenant_id)s  | c58d5a76d10440a09d809e5eff7ac4ec |
| b30fcaed1bf14afc93aefb09ff391bf5 | regionOne |    https://192.168.200.180:13776/v2/%(tenant_id)s   |   http://192.168.100.11:8776/v2/%(tenant_id)s    |  http://192.168.100.11:8776/v2/%(tenant_id)s  | f47eb9309f704c078e9e709df112dcfb |
| e3caa3cef6a94f08b40030cc18f88848 | regionOne |            https://192.168.200.180:13777/           |           http://192.168.100.11:8777/            |          http://192.168.100.11:8777/          | 0f993e45b8914efca20f932c46c50a85 |
+----------------------------------+-----------+-----------------------------------------------------+--------------------------------------------------+-----------------------------------------------+----------------------------------+

There is nothing listening on port 80 on the VIP on the controllers. 

curl http://192.168.200.180:80/dashboard/
curl: (7) Failed connect to 192.168.200.180:80; Connection refused

There is a setting in HAProxy on the controllers:
listen horizon
  bind 192.168.100.11:80 transparent
  bind 192.168.200.180:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  mode http
  cookie SERVERID insert indirect nocache   
  rsprep ^Location:\ http://(.*) Location:\ https://\1
  server overcloud-controller-0 192.168.100.15:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-1 192.168.100.16:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-2 192.168.100.14:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2

However, it does not pertain to the port 80 listener on the public VIP (192.168.200.180).

Version-Release number of selected component (if applicable):
openstack-heat-templates-0-0.1.20151019.el7ost.noarch
openstack-tripleo-heat-templates-0.8.14-9.el7ost.noarch
openstack-tripleo-heat-templates-kilo-0.8.14-9.el7ost.noarch
openstack-ironic-common-4.2.2-4.el7ost.noarch
openstack-ceilometer-api-5.0.2-2.el7ost.noarch
openstack-heat-api-cfn-5.0.1-5.el7ost.noarch
openstack-swift-object-2.5.0-2.el7ost.noarch
openstack-selinux-0.6.58-1.el7ost.noarch
openstack-tripleo-image-elements-0.9.9-2.el7ost.noarch
openstack-ceilometer-central-5.0.2-2.el7ost.noarch
openstack-nova-conductor-12.0.3-1.el7ost.noarch
openstack-glance-11.0.1-4.el7ost.noarch
openstack-ceilometer-common-5.0.2-2.el7ost.noarch
openstack-nova-compute-12.0.3-1.el7ost.noarch
openstack-swift-2.5.0-2.el7ost.noarch
openstack-ironic-inspector-2.2.5-2.el7ost.noarch
openstack-neutron-openvswitch-7.0.4-3.el7ost.noarch
openstack-heat-common-5.0.1-5.el7ost.noarch
openstack-heat-api-5.0.1-5.el7ost.noarch
openstack-swift-account-2.5.0-2.el7ost.noarch
openstack-swift-proxy-2.5.0-2.el7ost.noarch
openstack-ceilometer-collector-5.0.2-2.el7ost.noarch
openstack-tripleo-common-0.3.1-1.el7ost.noarch
openstack-ironic-conductor-4.2.2-4.el7ost.noarch
openstack-puppet-modules-7.0.17-1.el7ost.noarch
openstack-utils-2014.2-1.el7ost.noarch
openstack-neutron-common-7.0.4-3.el7ost.noarch
openstack-neutron-7.0.4-3.el7ost.noarch
openstack-neutron-ml2-7.0.4-3.el7ost.noarch
openstack-ironic-api-4.2.2-4.el7ost.noarch
openstack-heat-engine-5.0.1-5.el7ost.noarch
openstack-nova-scheduler-12.0.3-1.el7ost.noarch
openstack-swift-container-2.5.0-2.el7ost.noarch
openstack-nova-api-12.0.3-1.el7ost.noarch
openstack-ceilometer-polling-5.0.2-2.el7ost.noarch
openstack-tripleo-puppet-elements-0.0.5-1.el7ost.noarch
openstack-ceilometer-alarm-5.0.2-2.el7ost.noarch
openstack-keystone-8.0.1-1.el7ost.noarch
openstack-nova-cert-12.0.3-1.el7ost.noarch
openstack-nova-common-12.0.3-1.el7ost.noarch
openstack-tripleo-0.0.7-1.el7ost.noarch
python-openstackclient-1.7.2-1.el7ost.noarch
openstack-heat-api-cloudwatch-5.0.1-5.el7ost.noarch
openstack-swift-plugin-swift3-1.9-1.el7ost.noarch
openstack-ceilometer-notification-5.0.2-2.el7ost.noarch


How reproducible:
always

Steps to Reproduce:
1. deploy RHOS 8 with SSL enabled on the overcloud

Actual results:
as described above

Expected results:
either keystone should point to an https endpoint, or there should be a listener on port 80 redirecting to https.

Additional info:
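
A check a deployer could run against the two artefacts quoted in this report, added here as an example and not part of the bug report itself: it parses the keystone endpoint-list table and the HAProxy bind lines, then flags any publicurl that is plain http, has no listener at its host:port, or disagrees with that listener on TLS. The table rows and the neutron listen block are constructed samples; the horizon block is the one quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in `keystone endpoint-list` layout (ids shortened); rows mirror the report.
ENDPOINT_LIST = """\
+----+-----------+--------------------------------------+
| id |   region  |              publicurl               |
+----+-----------+--------------------------------------+
| a1 | regionOne |    https://192.168.200.180:13696/    |
| b2 | regionOne | http://192.168.200.180:80/dashboard/ |
+----+-----------+--------------------------------------+
"""

# Constructed sample: horizon block as quoted in the report plus an assumed neutron block.
HAPROXY_CFG = """\
listen neutron
  bind 192.168.200.180:13696 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
listen horizon
  bind 192.168.100.11:80 transparent
  bind 192.168.200.180:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
"""

def parse_endpoint_table(text):
    """Turn the ascii table into dicts keyed by column name."""
    rows = [l.strip().strip("|").split("|") for l in text.splitlines() if l.startswith("|")]
    header = [c.strip() for c in rows[0]]
    return [dict(zip(header, [c.strip() for c in r])) for r in rows[1:]]

def haproxy_binds(cfg):
    """Map (host, port) -> True when the bind terminates TLS, for every bind line."""
    binds = {}
    for m in re.finditer(r"^\s*bind\s+(\S+?):(\d+)\b(.*)$", cfg, re.M):
        binds[(m.group(1), int(m.group(2)))] = " ssl" in m.group(3)
    return binds

def audit_public_urls(endpoints, binds):
    """Flag publicurls that are plain http, lack a listener, or disagree with it on TLS."""
    findings = []
    for ep in endpoints:
        u = urlsplit(ep["publicurl"])
        port = u.port or (443 if u.scheme == "https" else 80)
        if u.scheme != "https":
            findings.append((ep["id"], "publicurl is plain http"))
        tls = binds.get((u.hostname, port))
        if tls is None:
            findings.append((ep["id"], "no haproxy bind for %s:%d" % (u.hostname, port)))
        elif tls != (u.scheme == "https"):
            findings.append((ep["id"], "url scheme does not match listener TLS setting"))
    return findings
```

On the report's data the dashboard row is the only one flagged, for both reasons the reporter names: an http scheme and nothing bound on 192.168.200.180:80.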

Comment 2 Juan Antonio Osorio 2016-05-19 05:24:36 UTC
I'm guessing this is for OSP-8. This should be partly fixed in OSP9 as per this commit https://review.openstack.org/#/c/294456 . Should I backport?

The lack of TLS in the keystone endpoints for horizon is an issue, however, I'll look into it.

Comment 3 Marius Cornea 2016-05-19 07:26:35 UTC
Horizon should show up when calling the public vip over https even though the public api endpoint is http. I believe this is done by the haproxy rsprep rule.

So curl https://192.168.200.180 should return the dashboard.

The 80->443 port redirection should be fixed by the patch Juan mentioned. This was initially reported in BZ#1301738 and marked as an RFE, but I see it's still in NEW state.

Comment 4 Nathan Kinder 2016-05-19 14:59:38 UTC
This seems like it's something we should consider backporting for OSPd 8.y.  The URL for the dashboard in the endpoint catalog simply won't work due to the 'http' scheme since there is nothing listening on that port.  Given that TLS support is a really important feature for OSP8, I think we should fix this if it's not too difficult of a backport.

Comment 7 errata-xmlrpc 2016-06-14 19:53:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1228