Bug 1571990

Summary: [Deployment] [TLS] ODL OVS needs to add certificates to every ODL node
Product: Red Hat OpenStack
Reporter: Tim Rozet <trozet>
Component: puppet-neutron
Assignee: Tim Rozet <trozet>
Status: CLOSED ERRATA
QA Contact: Itzik Brown <itbrown>
Severity: urgent
Priority: urgent
Version: 13.0 (Queens)
CC: jjoyce, jschluet, mkolesni, nyechiel, slinaber, tvignaud
Target Milestone: beta
Keywords: Triaged
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Whiteboard: odl_deployment, odl_tls
Fixed In Version: puppet-neutron-12.4.1-0.20180412211913
Doc Type: If docs needed, set a value
Last Closed: 2018-06-27 13:53:50 UTC
Type: Bug
Bug Blocks: 1488826

Description Tim Rozet 2018-04-25 21:42:24 UTC
Description of problem:
In the current behavior, the OVS configuration for ODL adds a certificate to ODL via the VIP. This works fine in non-HA deployments, but in HA it only results in 1 ODL instance adding the certificate, so only 1 ODL accepts an OVSDB connection. This is because of issues with using the MD-SAL trust store type (see https://bugzilla.redhat.com/show_bug.cgi?id=1571985). Since the MD-SAL trust store doesn't work, we have to use a file-based trust store. In that case the file is not highly available, so we need to add the certificate to every ODL node.

How reproducible:
Always in SSL/TLS HA ODL deployment

Comment 6 Itzik Brown 2018-05-03 13:52:54 UTC
Checked with:
puppet-neutron-12.4.1-0.20180412211913.el7ost.noarch

Comment 10 errata-xmlrpc 2018-06-27 13:53:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086