Bug 1594019
| Summary: | HorizonSecureCookies is missing from the new environments/ssl/enable-tls.yaml | |||
|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Darin Sorrentino <dsorrent> | |
| Component: | openstack-tripleo-heat-templates | Assignee: | Emilien Macchi <emacchi> | |
| Status: | CLOSED ERRATA | QA Contact: | Gurenko Alex <agurenko> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 13.0 (Queens) | CC: | aschultz, cchen, dsorrent, hrybacki, jagee, josorior, kbasil, mburns, mowens, mzheng, pkesavar, rmascena | |
| Target Milestone: | z5 | Keywords: | Triaged, ZStream | |
| Target Release: | 13.0 (Queens) | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | openstack-tripleo-heat-templates-8.0.7-30.el7ost | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1667977 (view as bug list) | Environment: | ||
| Last Closed: | 2019-03-14 13:54:50 UTC | Type: | Bug | |
| Bug Blocks: | 1667977 | |||
Description
Darin Sorrentino
2018-06-21 21:18:35 UTC
Upon further analysis, there's another parameter in the deprecated file that is not in the new one. GnocchiIncomingStorageDriver is in the deprecated one but not in the new file. Do we still need to do this?

Darin, can you give us reproduction steps for this? I'm not sure if you encountered this while reviewing the templates themselves or during deployment. Either way, any info would be great for our QE. WRT the GnocchiIncomingStorageDriver parameter -- I can't speak to this.

Hi Harry,
Another customer was asking me almost the same question.
# grep -v ^$ /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml | grep -v \# > /tmp/new_tls
# grep -v ^$ /usr/share/openstack-tripleo-heat-templates/environments/enable-tls.yaml | grep -v \# > /tmp/old_tls
# diff /tmp/old_tls /tmp/new_tls -u
--- /tmp/old_tls 2018-06-26 03:52:47.018834222 -0400
+++ /tmp/new_tls 2018-06-26 03:52:34.613798136 -0400
@@ -1,9 +1,9 @@
parameter_defaults:
- HorizonSecureCookies: True
SSLCertificate: |
The contents of your certificate go here
SSLIntermediateCertificate: ''
SSLKey: |
The contents of the private key go here
+ DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
resource_registry:
- OS::TripleO::NodeTLSData: ../puppet/extraconfig/tls/tls-cert-inject.yaml
+ OS::TripleO::NodeTLSData: ../../puppet/extraconfig/tls/tls-cert-inject.yaml
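Review bot: the removed `HorizonSecureCookies: True` line under parameter_defaults has no counterpart on the `+` side, so a deployment that switches to environments/ssl/enable-tls.yaml falls back to the parameter's default, which a later comment in this report gives as "false" in ./puppet/services/horizon.yaml. Carry `HorizonSecureCookies: True` over into the new file next to the SSLCertificate and SSLKey entries, so that enabling TLS keeps setting CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE for Horizon.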
Our new enable-tls.yaml doesn't contain HorizonSecureCookies and this will lead to Horizon lacking the CSRF_COOKIE_SECURE + SESSION_COOKIE_SECURE options in an SSL/TLS-enabled environment.
Best Regards,
Chen
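The comparison in the comment above, narrowed to parameter names only, as an added example (not part of the original report or of tripleo-heat-templates): it lists the keys under parameter_defaults that the deprecated file sets and its replacement does not, ignoring value and path changes. The function names, the two-space indentation assumption and the sample files (reduced from the diff above) are constructed for illustration.

```shell
# Added example: report parameter_defaults keys dropped between two environment files.
# Assumption: parameters are indented by exactly two spaces under parameter_defaults:.
param_keys() {
    awk '
        /^[^ #]/ { in_pd = ($0 ~ /^parameter_defaults:/); next }  # top-level key opens or closes the section
        in_pd && /^  [A-Za-z_][A-Za-z0-9_]*:/ {                   # two-space indent marks a parameter name
            sub(/^  /, ""); sub(/:.*/, ""); print                 # deeper lines are block-scalar content
        }
    ' "$1" | sort -u
}

# Keys present in the old file ($1) but absent from the new file ($2).
dropped_params() {
    old_keys=$(mktemp); new_keys=$(mktemp)
    param_keys "$1" > "$old_keys"
    param_keys "$2" > "$new_keys"
    comm -23 "$old_keys" "$new_keys"
    rm -f "$old_keys" "$new_keys"
}

# Constructed sample files, reduced from the two versions compared above.
write_samples() {
    cat > "$1/old.yaml" <<'EOF'
parameter_defaults:
  HorizonSecureCookies: True
  SSLCertificate: |
    The contents of your certificate go here
  SSLKey: |
    The contents of the private key go here
resource_registry:
  OS::TripleO::NodeTLSData: ../puppet/extraconfig/tls/tls-cert-inject.yaml
EOF
    cat > "$1/new.yaml" <<'EOF'
parameter_defaults:
  SSLCertificate: |
    The contents of your certificate go here
  SSLKey: |
    The contents of the private key go here
  DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
resource_registry:
  OS::TripleO::NodeTLSData: ../../puppet/extraconfig/tls/tls-cert-inject.yaml
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
dropped_params "$demo_dir/old.yaml" "$demo_dir/new.yaml"   # prints: HorizonSecureCookies
rm -rf "$demo_dir"
```

Run against the two real template paths from the comment above, any name it prints is a setting that the deprecated file applied and the replacement silently leaves at its default.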
Re-assigning needinfo against Darin. May you (and Chen) please provide me with the specifics about how your Cu. deployed and hit this issue?

I found this while reviewing the THT when I was enabling TLS in the overcloud. I originally went to use ./environments/enable-tls.yaml, however in that file it says it is deprecated and instructs me to use ./environments/ssl/enable-tls.yaml instead. When I noticed that the setting was absent, I looked for its utilization in the deployment and examined (./puppet/services/horizon.yaml) that actually does the configuration and noted that the default is "false" which is not what we want for TLS.

Downstream build complete. Updating FIV and moving bug to MODIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0448