Bug 1889979

Summary: repos valitation fails when CDN repositories are used
Product: Red Hat OpenStack Reporter: Takashi Kajinami <tkajinam>
Component: openstack-tripleo-validationsAssignee: David Peacock <dpeacock>
Status: CLOSED DUPLICATE QA Contact: nlevinki <nlevinki>
Severity: medium Docs Contact:
Priority: medium    
Version: 13.0 (Queens)CC: dpeacock, gchamoul, jjoyce, jschluet, slinaber, tvignaud
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 16:05:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Takashi Kajinami 2020-10-21 06:55:18 UTC 
Description of problem:

While running pre-upgrade validation[1], it was observed that repos validation fails with the following error.
~~~
=== Running validation: "repos" ===

Task 'Call repository URLs' failed:
Host: undercloud
Message: Failed to validate the SSL certificate for cdn.redhat.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618).
~~~

Even after installing CA cert for Red Hat CDN into trusted CA certs, the validation again fails because of 403 .
~~~
=== Running validation: "repos" ===

Task 'Call repository URLs' failed:
Host: undercloud
Message: Status code was 403 and not [200]: HTTP Error 403: Forbidden
~~~

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html/framework_for_upgrades_13_to_16.1/planning-and-preparation-for-an-in-place-openstack-platform-upgrade#validating-red-hat-openstack-platform-oldvernum-before-the-upgrade

I checked the current implenmentation of repos validation, but it seems that this validation tries direct url access to the repository URLs which appear in "yum repolist".

https://github.com/openstack/tripleo-validations/blob/5d9383059e49e774502f191727303acc5e2950c4/validations/repos.yaml#L29-L32

However this doesn't work for CDN repository because
 - CA cert for CDN is not installed in systemwide CA certs
 - CDN repos doesn't accept HTTP request without authentication.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Deploy RHOSP13 with CDN repository
2. Run validation as described in the documentation[1]

Actual results:
repos validation always fails

Expected results:
repos validation doesn't fail

Additional info:
Comment 1 David Peacock 2020-11-04 16:05:27 UTC 

*** This bug has been marked as a duplicate of bug 1882826 ***