Bug 1999562

Summary: ceph ssl radosgw port is closed for tempest (undercloud node)
Product: Red Hat OpenStack
Reporter: Attila Fazekas <afazekas>
Component: openstack-tripleo-heat-templates
Assignee: Giulio Fidente <gfidente>
Status: CLOSED ERRATA
QA Contact: Attila Fazekas <afazekas>
Severity: high
Priority: high
Version: 17.0 (Wallaby)
CC: fpantano, gfidente, mburns
Target Milestone: beta
Keywords: Triaged
Target Release: 17.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-14.3.1-0.20210912021828.e7f8587.el8ost
Doc Type: No Doc Update
Last Closed: 2022-09-21 12:16:15 UTC
Type: Bug
Bug Blocks: 2000582

Description Attila Fazekas 2021-08-31 10:44:29 UTC
When ssl setup is requested with ceph object storage, the firewall on the controller node does not open the public ssl port for consumption from the undercloud (or other node).

Workaround:
[heat-admin@controller-0 ~]$ sudo iptables -I INPUT 12 -p tcp -m tcp --dport 13808 -m comment --comment "122X ceph rgw ipv4 ssl" -j ACCEPT

Additional info:
The internal is defined without ssl.

| swift     | object-store   | regionOne                                                                          |
|           |                |   internal: http://172.17.3.35:8080/swift/v1/AUTH_ffbfeac65be8408db5492888fd7ec4b5 |
|           |                | regionOne                                                                          |
|           |                |   admin: http://172.17.3.35:8080/swift/v1/AUTH_ffbfeac65be8408db5492888fd7ec4b5    |
|           |                | regionOne                                                                          |
|           |                |   public: https://10.0.0.124:13808/swift/v1/AUTH_ffbfeac65be8408db5492888fd7ec4b5  |
|           |                |                                                                                    |

The internal port is exposed by:
-A INPUT -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -m comment --comment "122 ceph rgw ipv4" -j ACCEPT


Probably the public rgw port should be exposed on the firewall instead of the internal.

openstack-tripleo-heat-templates-14.2.1-0.20210809091810.185a41c.el8ost.noarch
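
The mismatch described above (a public endpoint on port 13808 while only port 8080 is accepted in INPUT) can be checked mechanically by comparing the endpoint catalog with the firewall rules. This is an added example, not part of the original report or of tripleo-heat-templates; the function names and sample data are constructed for illustration, and it assumes rules in `iptables -S` form and that every endpoint terminates on the host being checked.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample data modelled on the report: three swift endpoints and
# the single INPUT rule that exists before the workaround is applied.
ENDPOINTS = {
    "internal": "http://172.17.3.35:8080/swift/v1/AUTH_example",
    "admin": "http://172.17.3.35:8080/swift/v1/AUTH_example",
    "public": "https://10.0.0.124:13808/swift/v1/AUTH_example",
}
RULES_BEFORE = ('-A INPUT -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW '
                '-m comment --comment "122 ceph rgw ipv4" -j ACCEPT\n')
WORKAROUND = ('-A INPUT -p tcp -m tcp --dport 13808 '
              '-m comment --comment "122X ceph rgw ipv4 ssl" -j ACCEPT\n')

def opt(tok, name):
    """Value following option `name` in a tokenised rule, or None."""
    return tok[tok.index(name) + 1] if name in tok[:-1] else None

def accepted_tcp_ports(rules_text):
    """(low, high) port ranges accepted by port-specific TCP rules in INPUT."""
    ranges = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)  # keeps the quoted --comment as one token
        if tok[:2] != ["-A", "INPUT"] or "!" in tok:
            continue  # other chains, policies and negated matches are skipped
        if opt(tok, "-p") != "tcp" or opt(tok, "-j") != "ACCEPT":
            continue
        spec = opt(tok, "--dport") or opt(tok, "--dports") or ""
        for part in filter(None, spec.split(",")):
            lo, _, hi = part.partition(":")  # "8000:8100" is a range
            ranges.append((int(lo), int(hi or lo)))
    return ranges

def endpoint_port(url):
    """Explicit port of the endpoint URL, or the scheme default."""
    parts = urlsplit(url)
    return parts.port or {"https": 443, "http": 80}[parts.scheme]

def unexposed_endpoints(endpoints, rules_text):
    """Map interface -> port for endpoints with no matching ACCEPT rule."""
    ranges = accepted_tcp_ports(rules_text)
    ports = {iface: endpoint_port(url) for iface, url in endpoints.items()}
    return {iface: port for iface, port in ports.items()
            if not any(lo <= port <= hi for lo, hi in ranges)}

if __name__ == "__main__":
    print("before:", unexposed_endpoints(ENDPOINTS, RULES_BEFORE))
    print("after: ", unexposed_endpoints(ENDPOINTS, RULES_BEFORE + WORKAROUND))
```

Rules that accept traffic without naming a destination port are not counted, so an empty result means every endpoint port has its own explicit ACCEPT rule.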

Comment 10 errata-xmlrpc 2022-09-21 12:16:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543