Bug 1949168

Summary: Potential SSL issues after qdrouterd image update
Product: Red Hat OpenStack Reporter: Martin Magr <mmagr>
Component: puppet-tripleo Assignee: OSP Team <rhos-maint>
Status: CLOSED ERRATA QA Contact: Leonid Natapov <lnatapov>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 16.1 (Train) CC: jbadiapa, jjoyce, joflynn, jschluet, lmadsen, lnatapov, m.andre, mmagr, mrunge, slinaber, spower, tvignaud
Target Milestone: z8 Keywords: Documentation, Regression, Triaged, ZStream
Target Release: 16.1 (Train on RHEL 8.2)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: puppet-tripleo-11.5.0-1.20211215173613.el8ost Doc Type: Enhancement
Doc Text:
This enhancement prepares your environment for update of the metrics_qdr service to a newer AMQ Interconnect release, which requires import of the CA certificate contents from the Service Telemetry Framework (STF) deployment. Changes are not yet required by administrators when deploying or updating Red Hat OpenStack Service Platform (RHOSP) as the metrics_qdr service has not yet been updated. This functionality is in preparation of the metrics_qdr service update in a future release.
+
The following procedure will be required once https://bugzilla.redhat.com/show_bug.cgi?id=1949169 has shipped.
+
This update corrects this problem by providing a new Orchestration service (heat) parameter, `MetricsQdrSSLProfiles`.
+
To obtain a Red Hat OpenShift TLS certificate, run the following commands:
+
----
$ oc get secrets
$ oc get secret/default-interconnect-selfsigned -o jsonpath='{.data.ca\.crt}' | base64 -d
----
+
Add the `MetricsQdrSSLProfiles` parameter with the contents of your Red Hat OpenShift TLS certificate to a custom environment file:
+
----
MetricsQdrSSLProfiles:
    - name: sslProfile
      caCertFileContent: |
        -----BEGIN CERTIFICATE-----
        ...
        TOpbgNlPcz0sIoNK3Be0jUcYHVMPKGMR2kk=
        -----END CERTIFICATE-----
----
+
Then, redeploy your overcloud with the `openstack overcloud deploy` command.
Story Points: ---
Clone Of: 1934440
: 1982764 Environment:
Last Closed: 2022-03-24 10:59:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1934440    
Bug Blocks: 1949169, 1982764, 2040605    
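
The Doc Text procedure above, as an added shell example that is not part of the bug report or of puppet-tripleo: a hypothetical helper, `render_qdr_ssl_profile`, takes the decoded `ca.crt` on stdin, refuses anything that is not a plain PEM certificate bundle (including private key material), and writes the `MetricsQdrSSLProfiles` snippet. The sample certificate body is constructed.

```sh
#!/bin/sh
# Added example (illustrative; not from the bug report or puppet-tripleo).
# render_qdr_ssl_profile is a hypothetical helper: it reads the decoded CA
# certificate (PEM) on stdin and writes the MetricsQdrSSLProfiles snippet on
# stdout. It returns 1 and writes no YAML if the input is not a clean
# certificate bundle, so a bad secret never reaches the deploy step.
render_qdr_ssl_profile() {
    pem=$(cat)

    # Only the CA certificate belongs in the environment file, never a key.
    case $pem in
        *"PRIVATE KEY"*) echo "refusing input with a private key" >&2; return 1 ;;
    esac

    # Structural check: BEGIN/END lines must pair up around base64 body lines.
    printf '%s\n' "$pem" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; n++; next }
        /^-----END CERTIFICATE-----$/   { if (!inside || !body) bad = 1
                                          inside = 0; body = 0; next }
        /^[ \t]*$/                      { next }
        inside && /^[A-Za-z0-9+\/=]+$/  { body++; next }
                                        { bad = 1 }
        END { if (bad || inside || n == 0) exit 1 }
    ' || { echo "input is not a PEM certificate" >&2; return 1; }

    # The PEM lines are indented under the "|" block scalar so YAML keeps
    # them as one multi-line string.
    printf 'MetricsQdrSSLProfiles:\n'
    printf '    - name: sslProfile\n'
    printf '      caCertFileContent: |\n'
    printf '%s\n' "$pem" | sed -e '/^[[:space:]]*$/d' -e 's/^/        /'
}

# Constructed sample input (not a real certificate), to show the output shape.
sample='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIE5PVCBBIFJFQUwgQ0VSVA==
-----END CERTIFICATE-----'
printf '%s\n' "$sample" | render_qdr_ssl_profile
```

Pipe the output of the `oc get secret/default-interconnect-selfsigned ... | base64 -d` command from the Doc Text into the function in place of the sample.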

Description Martin Magr 2021-04-13 15:15:47 UTC
+++ This bug was initially created as a clone of Bug #1934440 +++

When the qdrouterd image is updated to a recent version, we will end up in a state where the client side will not be able to connect to the server side.

We need to make sure the same changes done for OSP13 land in OSP16.

Comment 4 Leif Madsen 2021-05-20 17:32:04 UTC
@joflynn if you can add this to your tracking list that would be great. The changes made at https://github.com/infrawatch/documentation/pull/187 will need to be unwrapped for OSP16.1 once this is live in 16.1.7 (and 16.2?).

@mmagr can you link the upstream changes for Train (or the downstream backport) that will fix this in 16.1.7? I want to make sure we don't miss this.

Comment 20 Leonid Natapov 2022-03-16 15:12:56 UTC
fixed.

Comment 25 errata-xmlrpc 2022-03-24 10:59:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.8 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0986