Bug 1901621

Summary: Deployment of DistributedComputeScaleOut role with TLS-E fails on failed haproxy-storage_mgmt-cert certificate request
Product: Red Hat OpenStack Reporter: Marian Krcmarik <mkrcmari>
Component: puppet-tripleo Assignee: Ollie Walsh <owalsh>
Status: CLOSED ERRATA QA Contact: Marian Krcmarik <mkrcmari>
Severity: medium Docs Contact:
Priority: medium    
Version: 16.1 (Train) CC: abishop, apevec, bdobreli, bperkins, jjoyce, johfulto, jschluet, jslagle, lhh, owalsh, slinaber, tvignaud
Target Milestone: z4 Keywords: Triaged, ZStream
Target Release: 16.1 (Train on RHEL 8.2)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: puppet-tripleo-11.5.0-1.20201114030108.el8ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-17 15:36:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marian Krcmarik 2020-11-25 16:33:40 UTC
Description of problem:
DCN deployment with TLS-E and nodes of DistributedComputeScaleOut role fails on:
  message: 'Could not evaluate: Could not get certificate: Server at https://site-freeipa-0.redhat.local/ipa/xml
    denied our request, giving up: 3007 (RPC failed at server.  ''fqdn'' is required).'
  source: "/Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Haproxy[haproxy-storage_mgmt]/Certmonger_certificate[haproxy-storage_mgmt-cert]"

The role does not include the storage mgmt network in its role definition, and thus such a certificate should not be requested from the IPA server.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Deploy OpenStack with TLS-E and with nodes of DistributedComputeScaleOut role

Additional info:
    - level: warning
      message: 'Could not get certificate: Execution of ''/usr/bin/getcert request -I
        haproxy-storage_mgmt-cert -f /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.crt
        -c IPA -N CN= -K haproxy/ -D overcloud.storagemgmt.redhat.local -D  -U id-kp-clientAuth
        -U id-kp-serverAuth -C /usr/bin/certmonger-haproxy-refresh.sh reload storage_mgmt
        -w -k /etc/pki/tls/private/haproxy/overcloud-haproxy-storage_mgmt.key'' returned
        2: New signing request "haproxy-storage_mgmt-cert" added.'
      source: Puppet
      tags:
      - warning
      time: '2020-11-24T16:05:43.460165237+00:00'
      file:
      line:
    - level: debug
      message: 'Executing: ''/usr/bin/getcert list -i haproxy-storage_mgmt-cert'''
      source: Puppet
      tags:
      - debug
      time: '2020-11-24T16:05:43.460520119+00:00'
      file:
      line:
    - level: err
      message: 'Could not evaluate: Could not get certificate: Server at https://site-freeipa-0.redhat.local/ipa/xml
        denied our request, giving up: 3007 (RPC failed at server.  ''fqdn'' is required).'
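
The logged getcert command above carries an empty CN (`-N CN=`), a principal with no host part (`-K haproxy/`) and an empty `-D` value, which is consistent with IPA rejecting the request because 'fqdn' is required. The check below is an added example, not part of the bug report or of puppet-tripleo, that flags such requests from a logged command line; the function names are hypothetical and it assumes option values never begin with "-".

```python
# Constructed from the getcert command quoted in the Puppet log above.
# Puppet logs argv joined by spaces, so the empty -D value is a doubled space.
LOGGED_CMD = (
    "/usr/bin/getcert request -I haproxy-storage_mgmt-cert "
    "-f /etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.crt "
    "-c IPA -N CN= -K haproxy/ -D overcloud.storagemgmt.redhat.local -D  "
    "-U id-kp-clientAuth -U id-kp-serverAuth "
    "-C /usr/bin/certmonger-haproxy-refresh.sh reload storage_mgmt "
    "-w -k /etc/pki/tls/private/haproxy/overcloud-haproxy-storage_mgmt.key"
)

# getcert request options that take a value.
VALUE_OPTS = {"-I", "-f", "-k", "-c", "-N", "-K", "-D", "-U", "-C"}


def parse_getcert_args(cmdline):
    """Map each value-taking option to the list of values logged for it.

    An option followed directly by another option (or by nothing) had an
    empty argument; it is recorded as "". Assumes no value starts with "-".
    """
    tokens = cmdline.split()
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else "-"
        if tok in VALUE_OPTS:
            value = "" if nxt.startswith("-") else nxt
            opts.setdefault(tok, []).append(value)
            i += 1 if value == "" else 2
        else:
            i += 1  # flags such as -w, and the unquoted tail of -C
    return opts


def missing_fqdn_findings(cmdline):
    """Return the identity fields of a request that carry no host name."""
    opts = parse_getcert_args(cmdline)
    findings = []
    for subject in opts.get("-N", []):
        if not subject.partition("CN=")[2].split(",")[0]:
            findings.append("subject (-N) has an empty CN")
    for principal in opts.get("-K", []):
        if not principal.partition("/")[2]:
            findings.append("principal (-K) %r has no host part" % principal)
    if "" in opts.get("-D", []):
        findings.append("dNSName (-D) list contains an empty entry")
    return findings
```

Run over the logged command, `missing_fqdn_findings(LOGGED_CMD)` reports all three fields, so a request like this can be caught on the node before it is submitted to the CA.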

Comment 12 errata-xmlrpc 2021-03-17 15:36:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.4 director bug fix advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0817