Bug 2017849

Summary: FreeIPA isn't cleaned upon overcloud deletion
Product: Red Hat OpenStack Reporter: Cédric Jeanneret <cjeanner>
Component: ansible-tripleo-ipaAssignee: Andre <afariasa>
Status: CLOSED ERRATA QA Contact: Jeremy Agee <jagee>
Severity: high Docs Contact:
Priority: medium    
Version: 17.0 (Wallaby)CC: afariasa, alee, millevy
Target Milestone: rcKeywords: Triaged
Target Release: 17.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-tripleoclient-16.4.1-0.20211111002004.914709d.el8ost ansible-tripleo-ipa-0.2.3-0.20211110181908.a05078d.el8ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-21 12:17:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1698957    

Description Cédric Jeanneret 2021-10-27 14:29:49 UTC 
Description of problem:
When deploying with TLS-e and FreeIPA, a fair amount of hosts and services are added to the IPA - but they aren't cleaned anymore upon overcloud deletion.

It seems the involved playbook[1] is looking for a host group[2] that doesn't exist anymore.
This "certmonger_user" was created when certmonger was still managed by puppet[3], but it seems to be now managed by ansible only. So this "service" isn't created anymore.

Note: since OSP-17 is based on Wallaby, I'm not 100% sure this release is affected by the issue - I thought the move to ansible for certmonger was an OSP-17 RFE... ?


[1] https://opendev.org/x/tripleo-ipa/src/branch/master/tripleo_ipa/playbooks/cli-cleanup-ipa.yml
[2] https://opendev.org/x/tripleo-ipa/src/branch/master/tripleo_ipa/playbooks/cli-cleanup-ipa.yml#L61
[3] https://opendev.org/openstack/tripleo-heat-templates/src/commit/d58efb58e0c39b2ca1585d87fe6d542484b33ad0/deployment/certs/certmonger-user-baremetal-puppet.yaml#L63

How reproducible:
Always (on master)

Steps to Reproduce:
1. deploy an overcloud with TLS-e and FreeIPA
2. delete the overcloud
3. check freeIPA content

Actual results:
All the hosts and services are still present

Expected results:
They should be removed
Comment 1 Cédric Jeanneret 2021-10-28 06:35:50 UTC 
A solution would be to use the "overcloud" group. This should cover everything, while keeping the Undercloud node in IPA.

The only "cons" I can think of:
if an operator deploys some hybrid tls-e/non-tls-e OC, it may try to remove unregistered nodes. But I don't really think this is advised nor even possible.

I'll do a quick test on my lab.
Comment 2 Cédric Jeanneret 2021-10-29 06:29:34 UTC 
This issue actually blocks the RFE (just found it) moving Certmonger management from puppet to ansible. Adding the link for a better tracking.

RFE: https://bugzilla.redhat.com/show_bug.cgi?id=1698957 (check flags, it's for 17.0 - so we'll need to see some backports to wallaby.
Comment 4 Cédric Jeanneret 2021-11-09 06:56:18 UTC 
Note:
there are actually 2 issues here. One is, indeed, the "wrong" inventory group, corrected in tripleo-ipa. The other one is a bug in tripleoclient, where we forgot to pass the stackname when linking to the inventory.

Both patches are being actively backported.
Comment 10 errata-xmlrpc 2022-09-21 12:17:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543