Bug 1548345

Summary: TLS Deployments don't work in Ocata with Pre-Provisioned Nodes
Product: Red Hat OpenStack Reporter: Erwan Gallen <egallen>
Component: openstack-tripleo-heat-templatesAssignee: James Slagle <jslagle>
Status: CLOSED ERRATA QA Contact: Gurenko Alex <agurenko>
Severity: high Docs Contact:
Priority: high    
Version: 11.0 (Ocata)CC: aschultz, bhaubeck, dpeacock, jslagle, mburns, rhel-osp-director-maint
Target Milestone: z5Keywords: Triaged, ZStream
Target Release: 11.0 (Ocata)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-6.2.7-5.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-18 17:03:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Erwan Gallen 2018-02-23 09:21:09 UTC 
Description of problem:
Enabling External TLS with the files:
enable-tls.yaml
tls-endpoints-public-dns.yaml
do not work with RHOSP 11 with Pre-Provisioned Nodes

There is no /etc/pki/tls/private/overcloud_enpoint.pem generated
There is no calls of the certificates in /etc/haproxy/haproxy.cfg

Version-Release number of selected component:
RHOSP 11

How reproducible:
Standard deployments works.
Adding TLS templates do not work.
We don't see tripleo::haproxy::service_certificate defined in the hieradata.
OS::TripleO::NodeTLSData seems not to work with custom roles

Steps to Reproduce:
1. Adding enable-tls.yaml and tls-endpoints-public-dns.yaml to a working configuration
2. Making a fresh new deployment
3. The stack finish with a CREATE_COMPLETE, endpoints are populated with SSL addresses, overcloudrc files are generated with https://CloudName:13000 but nothing is listening on HAProxy because configuration is not done

Actual results:
No TLS

Expected results:
Having TLS for external endpoints
Comment 1 James Slagle 2018-02-23 13:56:54 UTC 
Fixed by: https://code.engineering.redhat.com/gerrit/131021

QA testplan:
deploy a split-stack overcloud (deployed-server) with overcloud ssl. it should be successful.

all test plans should probably be updated to use ssl with the overcloud
Comment 2 Erwan Gallen 2018-02-23 14:06:12 UTC 
This patch on puppet/role.role.j2.yaml done this morning by James Slagle with the support of Steven Hardy and Juan Antonio Osorio Robles fixed the issue on my RHOSP 11 external SSL deployment:
https://review.openstack.org/#/c/547249

[root@controller0 ~]# cat /etc/haproxy/haproxy.cfg | grep -c overcloud_endpoint.pem
18

[stack@director ~]$ openssl s_client -connect company.com:13000
CONNECTED(00000003)
depth=3 C = COM, O = COMPANY, OU = 0002 552081317, CN = AUTHORITY
verify return:1
depth=2 C = COM, O = COMPANY, OU = 0002 444608442, CN = AUTHORITY COMPANY
verify return:1
depth=1 C = COM, O = COMPANY, OU = 0002 444608442, CN = AC AUTHORITY
verify return:1
depth=0 C = COM, O = COMPANY, OU = 0002 444608442, CN = company.com
verify return:1
---
Certificate chain
 0 s:/C=COM/O=COMPANY/OU=0002 444608442/CN=company.com
   i:/C=COM/O=COMPANY/OU=0002 444608442/CN=AUTHORITY COMPANY
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFeDCCA2...


Thanks for this fix and your hard work
Comment 11 Gurenko Alex 2018-05-16 11:39:33 UTC 
Verified on puddle 2018-05-15.2

[stack@undercloud-0 ~]$ rpm -q openstack-tripleo-heat-templates
openstack-tripleo-heat-templates-6.2.12-2.el7ost.noarch
Comment 14 errata-xmlrpc 2018-05-18 17:03:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1627