Bug 2073607

Summary: Certificate DN is not expanding in the Octavia tenant flow logs
Product: Red Hat OpenStack
Reporter: Michael Johnson <michjohn>
Component: openstack-tripleo-heat-templates
Assignee: Tom Weininger <tweining>
Status: CLOSED ERRATA
QA Contact: Bruna Bonguardo <bbonguar>
Severity: medium
Priority: medium
Version: 16.1 (Train)
CC: gthiemon, lpeer, majopela, mburns, scohen, tweining
Target Milestone: z9
Keywords: Triaged
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20220818163240.29a02c1.el8ost
Last Closed: 2022-12-07 20:29:31 UTC
Type: Bug
Bug Blocks: 2117296

Description Michael Johnson 2022-04-08 22:07:55 UTC
Description of problem:
The HAProxy tenant flow logs are showing "[ssl_c_s_dn]" instead of the client certificate DN string OSP.

Version-Release number of selected component (if applicable):
16.1.6

How reproducible:
Always

Steps to Reproduce:
1. Create an Octavia amphora load balancer.
2. Create a TLS terminated listener with client authentication enabled.
3. Connect to the load balancer listener with a client authentication certificate.
4. Note that the log entry for the connection shows "[ssl_c_s_dn]" instead of the expected client certificate DN.

Actual results:

Apr  8 13:19:32 amphora-157dcaeb-128b-40f1-9a76-cd76a4b7ec2a haproxy[18066]: 9d53b4ef01874ac9b6f09fee91146b84 3218bf8c-e02f-4f80-af4c-9a28db495d4b cc2be110-8c99-41da-83bd-e3b0ce394129 10.5.26.80 53848 08/Apr/2022:13:19:30.760 r 200 300121 680 0 [ssl_c_s_dn] 78206dd1-c9af-44b3-a92f-5cd1aba53a3e:cc2be110-8c99-41da-83bd-e3b0ce394129 f70a857b-2348-40f3-b4b6-1625eed0efdb 1329 ----

Expected results:
Apr  8 16:26:57 amphora-d5c2b324-12be-4eee-a7b8-7ace88cc55d6 haproxy[3011]: ce3e7b2eeb494c49a7ecfb5af17d1ec8 6cc6421d-bd1d-4478-9f65-03b94dc1ebae 082218d8-aca4-4777-8866-2e5c96999b24 172.24.5.1 57742 08/Apr/2022:16:26:57.544 "GET / HTTP/1.1" 200 147 122 0 "/C=US/ST=Denial/L=Corvallis/O=OpenStack/OU=Octavia/CN=c7fe9b78-c6ae-4af7-a097-c35c20480745" 63f66456-c40e-41a3-9d9c-0e32f59c5357:082218d8-aca4-4777-8866-2e5c96999b24 8d721d43-acfd-496a-88b9-30fc6edbc641 10 ----

Additional info:

This appears to be a downstream only (tripleo?) issue as the upstream barbican gate jobs show the correct output (captured below as the expected result).
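
A check for this condition in collected tenant flow logs, as an added example that is not part of the original report or of Octavia: it flags lines where the DN field is the literal "[ssl_c_s_dn]" and also where the request field is a bare "r", as in the Actual results line above. The field positions are an assumption taken from the two log lines on this page, and the function names are hypothetical.

```python
import re
import shlex

# Splits the syslog prefix from the HAProxy message: "... haproxy[pid]: <message>"
SYSLOG_RE = re.compile(r"haproxy\[\d+\]: (?P<msg>.*)$")

# 0-based field positions after quote-aware splitting. Assumption: taken from
# the two log lines in this report, not from the Octavia log format definition.
REQUEST_IDX, DN_IDX, FIELD_COUNT = 6, 11, 16

# Literal text seen in the report's "Actual results" line where a value belongs.
UNEXPANDED = {REQUEST_IDX: "r", DN_IDX: "[ssl_c_s_dn]"}


def check_flow_log(line):
    """Return a list of problems found in one tenant flow log line."""
    m = SYSLOG_RE.search(line)
    if not m:
        return ["not an haproxy log line"]
    try:
        fields = shlex.split(m.group("msg"))
    except ValueError as exc:  # unbalanced quotes in the message
        return [f"unparseable message: {exc}"]
    if len(fields) != FIELD_COUNT:
        return [f"expected {FIELD_COUNT} fields, got {len(fields)}"]
    problems = []
    for idx, literal in UNEXPANDED.items():
        if fields[idx] == literal:
            problems.append(f"field {idx} is the unexpanded literal {literal!r}")
    return problems


def client_dn(line):
    """Return the client certificate DN, or None if it is absent or unexpanded."""
    if check_flow_log(line):
        return None
    dn = shlex.split(SYSLOG_RE.search(line).group("msg"))[DN_IDX]
    return dn if dn.startswith("/") else None  # assumes the "/C=.../CN=..." form shown above


# The two log lines from this report (Actual results and Expected results).
ACTUAL = 'Apr  8 13:19:32 amphora-157dcaeb-128b-40f1-9a76-cd76a4b7ec2a haproxy[18066]: 9d53b4ef01874ac9b6f09fee91146b84 3218bf8c-e02f-4f80-af4c-9a28db495d4b cc2be110-8c99-41da-83bd-e3b0ce394129 10.5.26.80 53848 08/Apr/2022:13:19:30.760 r 200 300121 680 0 [ssl_c_s_dn] 78206dd1-c9af-44b3-a92f-5cd1aba53a3e:cc2be110-8c99-41da-83bd-e3b0ce394129 f70a857b-2348-40f3-b4b6-1625eed0efdb 1329 ----'
EXPECTED = 'Apr  8 16:26:57 amphora-d5c2b324-12be-4eee-a7b8-7ace88cc55d6 haproxy[3011]: ce3e7b2eeb494c49a7ecfb5af17d1ec8 6cc6421d-bd1d-4478-9f65-03b94dc1ebae 082218d8-aca4-4777-8866-2e5c96999b24 172.24.5.1 57742 08/Apr/2022:16:26:57.544 "GET / HTTP/1.1" 200 147 122 0 "/C=US/ST=Denial/L=Corvallis/O=OpenStack/OU=Octavia/CN=c7fe9b78-c6ae-4af7-a097-c35c20480745" 63f66456-c40e-41a3-9d9c-0e32f59c5357:082218d8-aca4-4777-8866-2e5c96999b24 8d721d43-acfd-496a-88b9-30fc6edbc641 10 ----'

if __name__ == "__main__":
    for name, line in (("actual", ACTUAL), ("expected", EXPECTED)):
        print(name, check_flow_log(line) or "ok", client_dn(line))
```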

Comment 14 errata-xmlrpc 2022-12-07 20:29:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenStack 16.1.9 (openstack-tripleo-heat-templates) security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8796