Bug 1608450

Summary: TLS everywhere deployment fails - missing TLS bits in T-H-T
Product: Red Hat OpenStack
Reporter: Pavan <pkesavar>
Component: openstack-tripleo-heat-templates
Assignee: Damien Ciabrini <dciabrin>
Status: CLOSED ERRATA
QA Contact: Marian Krcmarik <mkrcmari>
Severity: high
Priority: high
Version: 12.0 (Pike)
CC: chjones, dciabrin, jagee, mburns, rmascena, sclewis
Target Milestone: z3
Keywords: Triaged, ZStream
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-7.0.12-8.el7ost puppet-tripleo-7.4.12-8.el7ost
Doc Type: If docs needed, set a value
Last Closed: 2018-08-20 13:02:42 UTC
Type: Bug
Bug Blocks: 1513502, 1566598, 1573583, 1579023

Description Pavan 2018-07-25 14:45:15 UTC
Description of problem:

Version-Release number of selected component (if applicable):
RHOSP-12 with TLS everywhere enabled
Topology: Compute:1,Controller:1,freeipa:1

Additional info:

The puppet code has TLS bits; however, the TripleO-Heat-Templates (T-H-T) does not have TLS bits.

Debugging logs:
[root@controller-0 heat-admin]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@controller-0 heat-admin]# docker ps -a
CONTAINER ID        IMAGE                                                    COMMAND                  CREATED             STATUS                      PORTS               NAMES
8ac903f6903a        192.168.24.1:8787/rhosp12/openstack-redis:2018-07-19.1   "/var/lib/docker-p..."   17 minutes ago      Exited (1) 17 minutes ago                       docker-puppet-redis
[root@controller-0 heat-admin]# docker logs -f docker-puppet-redis
+ mkdir -p /etc/puppet
+ cp -a /tmp/puppet-etc/auth.conf /tmp/puppet-etc/hiera.yaml /tmp/puppet-etc/hieradata /tmp/puppet-etc/modules /tmp/puppet-etc/puppet.conf /tmp/puppet-etc/ssl /etc/puppet
+ rm -Rf /etc/puppet/ssl
+ echo '{"step": 6}'
+ TAGS=
+ '[' -n file,file_line,concat,augeas,cron,exec ']'
+ TAGS='--tags file,file_line,concat,augeas,cron,exec'
+ origin_of_time=/var/lib/config-data/redis.origin_of_time
+ touch /var/lib/config-data/redis.origin_of_time
+ sync
+ set +e
+ FACTER_hostname=controller-0
+ FACTER_uuid=docker
+ /usr/bin/puppet apply --detailed-exitcodes --color=false --logdest syslog --logdest console --modulepath=/etc/puppet/modules:/usr/share/openstack-puppet/modules --tags file,file_line,concat,augeas,cron,exec /etc/config.pp
Failed to get D-Bus connection: Operation not permitted
Notice: hiera(): Cannot load backend module_data: cannot load such file -- hiera/backend/module_data_backend
Warning: Undefined variable 'deploy_config_name';
   (file & line not available)
Notice: hiera(): Cannot load backend module_data: cannot load such file -- hiera/backend/module_data_backend
Error: Evaluation Error: Error while evaluating a Function Call, tls_proxy_bind_ip is not set in the hieradata. at /etc/puppet/modules/tripleo/manifests/profile/base/database/redis.pp:86:9 on node controller-0.redhat.local
+ rc=1
+ set -e
+ '[' 1 -ne 2 -a 1 -ne 0 ']'
+ exit 1
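
Added example, not part of the bug report or of TripleO's own code: a small Python triage helper that extracts the missing hiera key, the manifest location and the puppet exit status from a docker-puppet container log like the one above. The function name `triage`, the regular expressions and the abridged sample log are assumptions built from the lines shown in this report.

```python
import re

# Constructed sample: lines taken from the docker-puppet-redis log in this
# report, with the puppet command line abridged.
SAMPLE_LOG = """\
+ /usr/bin/puppet apply --detailed-exitcodes --color=false /etc/config.pp
Warning: Undefined variable 'deploy_config_name';
Error: Evaluation Error: Error while evaluating a Function Call, tls_proxy_bind_ip is not set in the hieradata. at /etc/puppet/modules/tripleo/manifests/profile/base/database/redis.pp:86:9 on node controller-0.redhat.local
+ rc=1
"""

# Matches the "<key> is not set in the hieradata" evaluation error format
# seen in the log (assumption: other profiles word the failure the same way).
MISSING_KEY = re.compile(
    r"^Error: .*?, (?P<key>\w+) is not set in the hieradata\. "
    r"at (?P<manifest>\S+?):(?P<line>\d+)(?::\d+)? on node (?P<node>\S+)$"
)
# The wrapper script runs under `set -x`, so the exit status appears as "+ rc=N".
RC_LINE = re.compile(r"^\+ rc=(?P<rc>\d+)$")


def triage(log_text):
    """Return missing hiera keys and the puppet exit status found in a log."""
    missing, rc = [], None
    for line in log_text.splitlines():
        m = MISSING_KEY.match(line)
        if m:
            missing.append({
                "key": m["key"],
                "manifest": m["manifest"],
                "line": int(m["line"]),
                "node": m["node"],
            })
            continue
        m = RC_LINE.match(line)
        if m:
            rc = int(m["rc"])
    # With --detailed-exitcodes, 0 (no changes) and 2 (changes applied) are
    # the only successful results; the wrapper in the log tests exactly that.
    return {"missing_keys": missing, "rc": rc, "ok": rc in (0, 2)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feed it the output of `docker logs docker-puppet-redis` to see which hiera key the TLS code path expected and where the manifest failed.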

Comment 2 Damien Ciabrini 2018-07-25 14:50:12 UTC
Is this a failure introduced in recent puddles? I remember we explicitly disabled TLS for Redis in OSP12, so we need to figure out what triggers the TLS path in the puppet code for redis.

Comment 8 Damien Ciabrini 2018-07-29 07:42:37 UTC
Proposed patches upstream in puppet-tripleo and tripleo-heat-templates

Comment 16 errata-xmlrpc 2018-08-20 13:02:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2331