Bug 1778511

Summary: After applying TLS on public endpoints to existing cloud, radosgw returns 405 method not allowed
Product: Red Hat OpenStack
Reporter: Kevin Jones <kejones>
Component: rhosp-director
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED DUPLICATE
QA Contact: Sasha Smolyak <ssmolyak>
Severity: unspecified
Priority: unspecified
Version: 13.0 (Queens)
CC: dbecker, gfidente, mburns, morazi
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2019-12-02 14:28:03 UTC
Type: Bug
Attachments:
Screenshot from Horizon after TLS for public endpoints applied (flags: none)

Description Kevin Jones 2019-12-01 18:47:41 UTC
Description of problem:
I applied TLS to the public endpoints of an existing RHOSP 13 deployment. This deployment also has Ceph w/rgw deployed. Radosgw services run on my controllers.

After the deployment completes, the public endpoints are secured. Everything functions except object store.

Horizon throws a message that says "Error: Unable to get the Swift container listing."


Version-Release number of selected component (if applicable):
13

How reproducible:
100%

Steps to Reproduce:
1. Deploy RHOSP 13 overcloud with Ceph+rgw for object store
2. Create a cert/key for overcloud
3. Run a stack update to deploy TLS on public endpoints

Actual results:
TLS gets applied to public endpoints; however, object storage starts returning 405 MethodNotAllowed errors

Expected results:
Object storage (using rgw) works after successful stack update 

Additional info:
I can't find any compelling logs or info online to figure out what the issue might be.

Comment 1 Kevin Jones 2019-12-01 18:53:45 UTC
Created attachment 1641151
Screenshot from Horizon after TLS for public endpoints applied

Comment 5 Kevin Jones 2019-12-01 21:45:50 UTC
I believe this issue can be closed actually. Though the changes needed to make RHOSP 13 work with OCP 4.2 IPI should be documented.

In order to use keystone for authentication in OCP 4.2, you must have TLS on your public Keystone endpoint.

In order to make Swift backed by rgw work, you must have rgw_swift_account_in_url enabled. This also means you have to update the endpoints (adding AUTH_%(project_id)s to the end of each).

(overcloud) [stack@director ~]$ openstack endpoint list | grep swift
| 21a5af48fa73480cbdc060bb6187d87f | regionOne | swift        | object-store    | True    | internal  | http://10.100.7.209:8080/swift/v1/AUTH_%(project_id)s           |
| 989ebf9c21a5436bb0a5bdc9e19b24c3 | regionOne | swift        | object-store    | True    | public    | https://openstack.kdjlab.com:13808/swift/v1/AUTH_%(project_id)s |
| fe15990604ba4c99a1ec239637005139 | regionOne | swift        | object-store    | True    | admin     | http://10.100.7.209:8080/swift/v1/AUTH_%(project_id)s           |
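
A check for the endpoint change described in comment 5, as an added example that is not part of the original bug report: it reads `openstack endpoint list` output and flags object-store endpoints whose URL lacks the AUTH_%(project_id)s suffix. The function names and the sample rows (IDs, hosts) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit object-store endpoints for
# the AUTH_%(project_id)s suffix used when rgw_swift_account_in_url is enabled.

SUFFIX='AUTH_%(project_id)s'

# Constructed sample in the column layout of `openstack endpoint list`;
# IDs and hosts are placeholders, not values from a real cloud.
sample_endpoints() {
cat <<'EOF'
| aaaa1111 | regionOne | swift    | object-store | True | internal | http://192.0.2.10:8080/swift/v1/AUTH_%(project_id)s |
| bbbb2222 | regionOne | swift    | object-store | True | public   | https://cloud.example.test:13808/swift/v1 |
| cccc3333 | regionOne | swift    | object-store | True | admin    | http://192.0.2.10:8080/swift/v1/ |
| dddd4444 | regionOne | keystone | identity     | True | public   | https://cloud.example.test:13000 |
EOF
}

# Reads table rows on stdin; prints "<id> <interface> <url>" for every
# object-store endpoint whose URL does not end in the account suffix.
missing_account_suffix() {
    awk -F'|' -v suffix="$SUFFIX" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF >= 8 && trim($5) == "object-store" {
            id = trim($2); iface = trim($7); url = trim($8)
            n = length(url); m = length(suffix)
            if (n < m || substr(url, n - m + 1) != suffix)
                print id, iface, url
        }'
}

# Turns the findings into endpoint updates to review and run by hand.
suggest_fixes() {
    while read -r id iface url; do
        url=${url%/}    # drop one trailing slash before appending
        printf "openstack endpoint set --url '%s/%s' %s  # %s\n" \
            "$url" "$SUFFIX" "$id" "$iface"
    done
}

# Demo on the constructed sample.
# Live use: openstack endpoint list | missing_account_suffix | suggest_fixes
sample_endpoints | missing_account_suffix | suggest_fixes
```
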