Bug 1684334

Summary: Enabling SSL/TLS everywhere won't work properly when renewing certificates using a containerized environment
Product: Red Hat OpenStack
Reporter: Alberto Gonzalez <alberto.gonzalez>
Component: puppet-tripleo
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED DUPLICATE
QA Contact: nlevinki <nlevinki>
Severity: medium
Priority: high
Version: 13.0 (Queens)
CC: jjoyce, josorior, jschluet, slinaber, tvignaud
Hardware: All   
OS: All   
Last Closed: 2019-03-01 05:43:10 UTC
Type: Bug

Description Alberto Gonzalez 2019-03-01 01:37:09 UTC
Description of problem:

After installation of OSP13 using TLS/SSL everywhere, I can see that the "post-save command" entries for the certificates are not properly configured for containers.

Request ID 'mysql':
	post-save command: "systemctl reload mariadb"
Request ID 'rabbitmq':
	post-save command: "systemctl restart rabbitmq-server"
Request ID 'redis':
	post-save command: 
Request ID 'neutron':
	post-save command: "true"
Request ID 'novnc-proxy':
	post-save command: "systemctl restart openstack-nova-novncproxy"
Request ID 'httpd-ctlplane':
	post-save command: "systemctl reload httpd"
Request ID 'httpd-external':
	post-save command: "systemctl reload httpd"
Request ID 'httpd-internal_api':
	post-save command: "systemctl reload httpd"
Request ID 'httpd-management':
	post-save command: "systemctl reload httpd"
Request ID 'httpd-storage':
	post-save command: "systemctl reload httpd"
Request ID 'httpd-storage_mgmt':
	post-save command: "systemctl reload httpd"
Request ID 'libvirt-vnc-client-cert':
	post-save command: "systemctl reload libvirtd"
Request ID 'haproxy-ctlplane-cert':
	post-save command: "cat /etc/pki/tls/certs/haproxy/overcloud-haproxy-ctlplane.crt  /etc/pki/tls/private/haproxy/overcloud-haproxy-ctlplane.key > /etc/pki/tls/certs/haproxy/overcloud-haproxy-ctlplane.pem && if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi"
Request ID 'haproxy-internal_api-cert':
	post-save command: "cat /etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.crt  /etc/pki/tls/private/haproxy/overcloud-haproxy-internal_api.key > /etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.pem && if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi"
Request ID 'haproxy-storage-cert':
	post-save command: "cat /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage.crt  /etc/pki/tls/private/haproxy/overcloud-haproxy-storage.key > /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage.pem && if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi"
Request ID 'haproxy-storage_mgmt-cert':
	post-save command: "cat /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.crt  /etc/pki/tls/private/haproxy/overcloud-haproxy-storage_mgmt.key > /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.pem && if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi"

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install OSP13 using template /environments/ssl/tls-everywhere-endpoints-dns.yaml
2. Connect to one of the controllers
3. Run sudo getcert list

Actual results:

Post-save commands will reload systemctl service


Expected results:

Post-save commands will restart the docker container (e.g. haproxy-bundle-docker-0)


Additional info:

Comment 1 Alberto Gonzalez 2019-03-01 02:12:52 UTC
I see some commits related here:
https://github.com/openstack/puppet-tripleo/commit/bd9846062c22be898d8720d1ee4ffbb65808fc8f

Is there any plan to include it in any errata?

Comment 2 Juan Antonio Osorio 2019-03-01 05:43:10 UTC

*** This bug has been marked as a duplicate of bug 1595876 ***
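
An added example (not part of the original report or of puppet-tripleo): a small Python audit that parses `getcert list` output in the shape shown in the description and flags each request whose post-save command acts on a host systemd unit or does nothing. The sample text is constructed from the excerpt in the description, with the haproxy file paths shortened, and the function names are hypothetical.

```python
import re

# Constructed sample, in the shape of the `getcert list` excerpt in the report.
SAMPLE = """\
Request ID 'mysql':
\tpost-save command: "systemctl reload mariadb"
Request ID 'redis':
\tpost-save command:
Request ID 'neutron':
\tpost-save command: "true"
Request ID 'haproxy-ctlplane-cert':
\tpost-save command: "cat a.crt a.key > a.pem && if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi"
"""

REQ = re.compile(r"^Request ID '([^']+)':")
CMD = re.compile(r"^\s*post-save command:\s*(.*)$")
# A systemctl call that reloads or restarts a unit (options such as -q allowed).
UNIT = re.compile(
    r"systemctl\s+(?:-\S+\s+)*(?:reload-or-restart|try-restart|reload|restart)"
    r"\s+([\w@.\-]+)")

def parse(text):
    """Return {request_id: post_save_command} for every tracked request."""
    out, current = {}, None
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            current = m.group(1)
            out[current] = ""          # stays empty if no command is listed
            continue
        m = CMD.match(line)
        if m and current is not None:
            out[current] = m.group(1).strip().strip('"')
    return out

def classify(cmd):
    """noop: nothing runs after renewal; host-systemd: acts on a host unit."""
    if cmd in ("", "true"):
        return ("noop", None)
    m = UNIT.search(cmd)
    if m:
        return ("host-systemd", m.group(1))
    return ("other", None)

def audit(text):
    return {rid: classify(cmd) for rid, cmd in parse(text).items()}

if __name__ == "__main__":
    for rid, (kind, unit) in audit(SAMPLE).items():
        print(f"{rid:24} {kind:13} {unit or '-'}")
```

On a controller, the text would come from `sudo getcert list` (step 3 of the reproduction steps) instead of `SAMPLE`.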