Bug 1613576

Summary: octavia_api_tls_proxy does not work due to missing code and dependencies
Product: Red Hat OpenStack
Reporter: Kellen Gattis <kgattis>
Component: puppet-tripleo
Assignee: Carlos Goncalves <cgoncalves>
Status: CLOSED ERRATA
QA Contact: Alexander Stafeyev <astafeye>
Severity: high
Docs Contact:
Priority: urgent
Version: 13.0 (Queens)
CC: akaris, amuller, astafeye, bbonguar, bcafarel, beagles, broskos, cgoncalves, ihrachys, jamsmith, jjoyce, jmelvin, jschluet, jthomas, kgattis, lmiccini, lpeer, majopela, mburns, mhernon, rzaleski, slinaber, tfreger, tvignaud
Target Milestone: z3
Keywords: TestOnly, Triaged, ZStream
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: puppet-tripleo-8.3.4-10.el7ost openstack-tripleo-heat-templates-8.0.4-31.el7ost openstack-tripleo-common-8.6.3-15.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1635341
Environment:
Last Closed: 2019-03-14 13:54:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1644747, 1661781
Bug Blocks: 1635341
Attachments:
Internal TLS patch for Octavia (Flags: none)

Description Kellen Gattis 2018-08-07 23:25:10 UTC
Created attachment 1474127
Internal TLS patch for Octavia

Description of problem:

After enabling internal TLS and Octavia, an octavia_api_tls_proxy container is created, but it will continually restart because httpd cannot be found, and it won't work even after image dependencies are met, due to missing related code involving Octavia and haproxy.

List of issues:
1) httpd and mod_ssl not installed in octavia-api image.
2) httpd conf file (25-octavia-api-proxy.conf) not generated by puppet. This is needed in order to proxy incoming requests to localhost.
3) Octavia API does not listen on localhost when Internal TLS is enabled.
4) haproxy does not communicate with Octavia API endpoints using SSL when Internal TLS is enabled.
5) Stack updates can block in Step 4 when trying to remove the octavia_api_tls_proxy container due to the octavia_api_tls_proxy container being stuck in a 'restarting' state.

Version-Release number of selected component (if applicable):


How reproducible:
Easy to reproduce

Steps to Reproduce:
1. Enable Octavia
2. Enable Internal TLS
3. Deploy a stack/update the stack

Actual results:
An octavia_api_tls_proxy container is created and fails to start because httpd is missing.

Expected results:
octavia_api_tls_proxy runs without restarting, binds to the Octavia Network API port, and proxies successfully to a localhost Octavia API listener.

Additional info:

In order to fix, a new octavia-api image needs to be built with the httpd and mod_ssl packages installed.

In addition, the following files need to be updated to enable Internal TLS for Octavia.

1) /usr/share/openstack-puppet/modules/tripleo/manifests/haproxy.pp
2) /usr/share/openstack-puppet/modules/tripleo/manifests/profile/base/octavia/api.pp
3) /usr/share/openstack-tripleo-heat-templates/puppet/services/octavia-api.yaml

Patch is attached for the above file updates.
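
A post-deployment check for issues 2 to 4 in the list above, given as an added example; it is not the attached patch and not code from the reporter or from TripleO. It assumes the proxy vhost uses SSLEngine and ProxyPass, that octavia.conf sets bind_host under [api_settings], and that haproxy has a "listen octavia" block; the sample configs, host names, addresses and port are constructed.

```python
import configparser
import re

LOOPBACK = {"localhost", "127.0.0.1"}
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

def check_httpd_proxy(vhost):
    """Issue 2: the proxy vhost must terminate TLS and forward to loopback."""
    out = []
    if not re.search(r"^\s*SSLEngine\s+on\b", vhost, re.I | re.M):
        out.append("httpd: SSLEngine is not on")
    m = re.search(r"^\s*ProxyPass\s+\S+\s+http://([^:/\s]+)", vhost, re.I | re.M)
    if not m or m.group(1) not in LOOPBACK:
        out.append("httpd: ProxyPass does not target a loopback listener")
    return out

def check_octavia_bind(conf):
    """Issue 3: behind the proxy, the API must listen on loopback only."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf)
    host = cp.get("api_settings", "bind_host", fallback="")
    return [] if host in LOOPBACK else [f"octavia: bind_host {host!r} is not loopback"]

def check_haproxy_backend(cfg, name="octavia"):
    """Issue 4: every server line in the Octavia listen block needs 'ssl'."""
    out, active = [], False
    for words in (line.split() for line in cfg.splitlines()):
        if not words or words[0].startswith("#"):
            continue
        if words[0] in SECTIONS:
            active = words[:2] == ["listen", name]
        elif active and words[0] == "server" and "ssl" not in words[3:]:
            out.append(f"haproxy: server {words[1]} does not use ssl")
    return out

def audit(vhost, octavia_conf, haproxy_cfg):
    return (check_httpd_proxy(vhost) + check_octavia_bind(octavia_conf)
            + check_haproxy_backend(haproxy_cfg))

# Constructed sample of the failing state (addresses and port are made up).
VHOST = "<VirtualHost 172.16.2.11:9876>\n  ServerName ctl0.internalapi.example\n</VirtualHost>\n"
OCTAVIA = "[api_settings]\nbind_host = 172.16.2.11\nbind_port = 9876\n"
HAPROXY = ("listen octavia\n  bind 172.16.2.10:9876\n"
           "  server ctl0 172.16.2.11:9876 check\n"
           "listen nova\n  server ctl0 172.16.2.11:8774 check\n")

if __name__ == "__main__":
    for finding in audit(VHOST, OCTAVIA, HAPROXY):
        print(finding)
```

An empty list from audit() means all three conditions hold; server lines outside the Octavia listen block are ignored.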

Comment 1 Nir Magnezi 2018-08-08 13:39:43 UTC
Brent will look at this.

Comment 8 Carlos Goncalves 2018-08-28 10:09:14 UTC
Patches up for review upstream, still requiring a deployment test.

Comment 33 Brent Eagles 2018-09-24 22:10:23 UTC
Approval continues to be delayed due to upstream CI issues. I will update again in the morning.

Comment 44 Carlos Goncalves 2018-10-03 15:51:17 UTC
It shouldn't matter for this deployment case because the Octavia API service is being deployed in the controller node, but for future reference: https://review.openstack.org/#/c/607617/

Comment 59 Bruna Bonguardo 2019-02-19 09:26:01 UTC
This bug is ON_QA, but it depends on bug https://bugzilla.redhat.com/show_bug.cgi?id=1661781

Should we proceed or wait?

Comment 62 errata-xmlrpc 2019-03-14 13:54:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0448