Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1973296

Summary: RFE: Support TLS-E deployment using an external DNS server with novajoin
Product: Red Hat OpenStack
Reporter: Ade Lee <alee>
Component: python-novajoin
Assignee: Ade Lee <alee>
Status: CLOSED NOTABUG
QA Contact: Jeremy Agee <jagee>
Severity: high
Priority: high
Version: 16.2 (Train)
CC: dcaspin, elicohen, ggrasza, hrybacki, rcritten, rheslop
Target Milestone: zstream
Keywords: FutureFeature, Triaged, ZStream
Target Release: 16.2 (Train on RHEL 8.4)
Hardware: Unspecified
OS: Unspecified
Clone Of:
: 1977458 1983112
Last Closed: 2022-02-25 18:10:01 UTC
Type: Bug

Description Ade Lee 2021-06-17 15:18:04 UTC
Description of problem:

Up to now, we have recommended that IdM be used as the DNS server on the undercloud and overcloud nodes when deploying TLS Everywhere.  The idea is to use IdM locally and then have IdM act as a forwarder to the customer's real DNS servers to get any other addresses.

This allows novajoin and other processes to find the relevant DNS entries to properly do Kerberos authentication, and for the overcloud nodes to join IdM correctly.

There are some customers who would prefer not to do this.  Some, for instance, already have a highly available DNS architecture and do not want to set up a similar IdM architecture to prevent a single point of failure.

We've gotten things working on customer sites by adding missing entries ahead of time in the external DNS server.

This RFE is to make sure that this is a supported deployment model - which means that we need to test and document what is required - and make sure it's part of our downstream CI.

It is likely that the entries needed will be different for novajoin vs. tripleo-ipa.  We need to note the differences between the two cases (and test both cases).


Comment 1 Ade Lee 2021-06-17 15:21:28 UTC
To be clear, we expect most (if not all) of this work to be on the testing and documentation side.