Bug 1416225

Summary: keystone admin endpoint not configured with ssl
Product: Red Hat OpenStack
Reporter: Graeme Gillies <ggillies>
Component: puppet-tripleo
Assignee: Roger Heslop <rheslop>
Status: CLOSED WONTFIX
QA Contact: Jeremy Agee <jagee>
Severity: high
Priority: high
Version: 10.0 (Newton)
CC: alee, aschultz, asimonel, bnemec, djuran, emacchi, jagee, jjoyce, josorior, jschluet, mburns, mcornea, nkinder, pkesavar, rhel-osp-director-maint, rmascena, slinaber, tvignaud
Target Milestone: zstream
Keywords: Documentation, Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: puppet-tripleo-5.6.8-16.el7ost
Doc Type: If docs needed, set a value
Last Closed: 2020-04-02 13:17:15 UTC
Type: Bug

Description Graeme Gillies 2017-01-24 23:09:58 UTC
Downstream clone of

https://bugs.launchpad.net/tripleo/+bug/1639996

When deploying an overcloud using RDO Newton TripleO, I have the following set in an environment file

parameter_defaults:
  ServiceNetMap:
    KeystoneAdminApiNetwork: external

And I am deploying the overcloud with SSL enabled.

Everything looks correct: the keystone adminurl endpoint is deployed on the external interface, but SSL is not enabled.

$ openstack endpoint list
+----------------------------------+-----------+--------------+----------------+
| ID                               | Region    | Service Name | Service Type   |
+----------------------------------+-----------+--------------+----------------+
| d6f09efcfee1498db3e27812928ecd9e | regionOne | nova         | compute        |
| 2eb2a73c07f3401a8c55bb52d5e16428 | regionOne | heat         | orchestration  |
| 4ef8b17b94954b3cb6b6acf99acfe26d | regionOne | gnocchi      | metric         |
| f9eac3efb6d143bd94a3c93b988b0979 | RegionOne | heat-cfn     | cloudformation |
| d20269db7eec4e1abab2e85fed78b3d2 | regionOne | swift        | object-store   |
| c76ebdc497a74f948c034961b748cfff | regionOne | heat-cfn     | cloudformation |
| 95027035bbe04cb99377d3513149af9d | regionOne | glance       | image          |
| 0b68b0ca2fb4452785921dd523c55828 | regionOne | cinderv2     | volumev2       |
| 2170658fbed84966a73cc6467242d6bf | regionOne | neutron      | network        |
| 6cebaed704124836ba895a38ee09f405 | regionOne | aodh         | alarming       |
| c13aab23ca844f8c90e3261944952ee1 | regionOne | keystone     | identity       |
| e3b0c12428034ee5a9768386f9f6a8c3 | regionOne | cinderv3     | volumev3       |
| f519d0afafaf47ce9e08b66bc278720b | regionOne | cinder       | volume         |
| 7243f2c080d3459dac61d04c9f022650 | regionOne | ceilometer   | metering       |
+----------------------------------+-----------+--------------+----------------+
[stack@rhosops-test-tripleo openstack-deployment]$ openstack endpoint show keystone
+--------------+---------------------------------------------------------------+
| Field        | Value                                                         |
+--------------+---------------------------------------------------------------+
| adminurl     | http://10.8.208.1:35357/v2.0                                  |
| enabled      | True                                                          |
| id           | c13aab23ca844f8c90e3261944952ee1                              |
| internalurl  | http://172.16.0.2:5000/v2.0                                   |
| publicurl    | https://cloud.rhosops-test.lab.eng.rdu2.redhat.com:13000/v2.0 |
| region       | regionOne                                                     |
| service_id   | d5e529a0d86b445bb606d9e8caa31ef9                              |
| service_name | keystone                                                      |
| service_type | identity                                                      |
+--------------+---------------------------------------------------------------+

Note the difference between publicurl and adminurl.

While I understand that normally this endpoint is deployed on an internal network, considering this endpoint is the most critical to the entire OpenStack environment (from a security perspective), we should always enable SSL on it when the cloud has SSL turned on as part of the deployment.
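An added audit check, not part of the bug report or of TripleO: given catalog records in the shape of the `openstack endpoint show` output above, it lists every interface that is expected to be TLS but is not served over https. The sample catalog is constructed (the keystone record copies the report, the nova record is invented), and `REQUIRED_TLS_INTERFACES`, `SAMPLE_CATALOG` and `find_plaintext_endpoints` are names introduced here.

```python
"""Flag catalog endpoints that are not served over TLS.

Input records use the v2-style fields adminurl/internalurl/publicurl,
one record per service, as in `openstack endpoint show <service>`.
"""
from urllib.parse import urlsplit

# Interfaces that must be https once the overcloud is deployed with SSL.
# The report's point is that adminurl belongs in this set, not only publicurl.
REQUIRED_TLS_INTERFACES = ("publicurl", "adminurl", "internalurl")

# Constructed sample: keystone is the record from the report (admin and
# internal URLs plain http); nova is an invented all-https record.
SAMPLE_CATALOG = [
    {
        "service_name": "keystone",
        "service_type": "identity",
        "adminurl": "http://10.8.208.1:35357/v2.0",
        "internalurl": "http://172.16.0.2:5000/v2.0",
        "publicurl": "https://cloud.rhosops-test.lab.eng.rdu2.redhat.com:13000/v2.0",
    },
    {
        "service_name": "nova",
        "service_type": "compute",
        "adminurl": "https://10.8.208.1:8774/v2.1",
        "internalurl": "https://172.16.0.2:8774/v2.1",
        "publicurl": "https://cloud.example.test:13774/v2.1",
    },
]


def find_plaintext_endpoints(catalog, required=REQUIRED_TLS_INTERFACES):
    """Return (service_name, interface, url) for each required interface
    whose URL scheme is not https. A missing interface is reported too,
    because an absent URL cannot be confirmed as TLS-protected."""
    findings = []
    for svc in catalog:
        for iface in required:
            url = svc.get(iface)
            if url is None or urlsplit(url).scheme.lower() != "https":
                findings.append((svc.get("service_name", "?"), iface, url))
    return findings


if __name__ == "__main__":
    for name, iface, url in find_plaintext_endpoints(SAMPLE_CATALOG):
        print(f"{name}: {iface} is not https ({url})")
```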

Comment 2 Ben Nemec 2017-03-02 16:54:16 UTC
I have a patch upstream to make this the default, but there are concerns about how it will behave in the DNS endpoint case. I haven't had a chance to set up a test environment to determine the best way to handle that yet, but I think that's the only remaining blocker.

Comment 4 Lon Hohberger 2018-10-04 10:36:08 UTC
According to our records, this should be resolved by puppet-tripleo-5.6.8-16.el7ost. This build is available now.

Comment 8 Raildo Mascena de Sousa Filho 2019-07-16 14:39:03 UTC
Can you verify Nathan's comment on this BZ and see if we can verify this BZ again with the same build?

Comment 11 Roger Heslop 2020-04-02 13:17:15 UTC
Closing | No new updates to be applied to RHOSP 10 documentation