Bug 2120474

Summary: Handle multiple internal subnets when adding iptable rules for SSL/TLS connection in the OVN multi-active cluster role
Product: Red Hat OpenStack
Reporter: Miro Tomaska <mtomaska>
Component: openstack-tripleo-heat-templates
Assignee: OSP Team <rhos-maint>
Status: CLOSED ERRATA
QA Contact: Maor <mblue>
Severity: high
Docs Contact:
Priority: high
Version: 17.0 (Wallaby)
CC: akatz, bcafarel, chrisw, ekuris, elicohen, hjensas, jamsmith, jparoly, jschluet, mblue, mburns, mkrcmari, rheslop, scohen, skaplons, spower, ykarel
Target Milestone: ga
Keywords: AutomationBlocker, Triaged
Target Release: 17.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-14.3.1-0.20220719171727.feca772.el9ost
Doc Type: Bug Fix
Doc Text:
This update fixes a bug that caused blockage of OVS databases on Spine/Leaf and Distributed Compute Node/edge deployments when multiple OVN service firewall rules for routed subnets were merged.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-09-21 12:24:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Miro Tomaska 2022-08-23 03:29:47 UTC
Background:
This bug was discovered while validating BZ2114617 in conjunction with additional patches:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/851889/
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/853101/

See BZ2114617 comment 13:
https://bugzilla.redhat.com/show_bug.cgi?id=2114617#c13


Description of problem:
It looks like THT for ovn-dbs-cluster-ansible.yaml[1] does not handle creating ip rules when there are multiple subnets defined in a network data yaml, i.e. [2]. We only create an iptables rule for one subnet, not all. This results in blocked traffic for the subnets that are not defined (we block all by default for TLS/SSL environments).

[1] https://code.engineering.redhat.com/gerrit/c/openstack-tripleo-heat-templates/+/425236/3/deployment/ovn/ovn-dbs-cluster-ansible.yaml#96
[2] https://code.engineering.redhat.com/gerrit/plugins/gitiles/rhos-infrared/+/refs/heads/master/settings/installer/ospd/deployment/edge/osp-17-spine-leaf-ovn-dmbs-ipv6/central/network/network_data_v2.yaml#77
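The failure mode described in this report, as an added example that is not code from tripleo-heat-templates or from the reporter: a rule generator that only emits firewall ACCEPT rules for the first internal subnet is placed beside one that covers every routed subnet, and a check reports which subnets would be left blocked by the default-deny policy. The network data is a constructed sample in the shape of a network_data_v2 entry (the `ip_subnet` / `ipv6_subnet` keys and the OVN database port list are assumptions for the example, not values taken from the referenced files).

```python
"""Added example (not tripleo-heat-templates code): one ACCEPT rule per
routed internal subnet for the clustered OVN DB ports, plus a coverage
check that flags subnets left without a rule."""
import ipaddress
from typing import List

# Constructed sample shaped like a TripleO network_data_v2 entry with
# several routed (spine/leaf) subnets; not the real file from the report.
SAMPLE_NETWORK_DATA = [
    {
        "name": "InternalApi",
        "subnets": {
            "internal_api_subnet": {"ip_subnet": "172.17.0.0/24"},
            "internal_api_leaf1": {"ip_subnet": "172.17.1.0/24"},
            "internal_api_leaf2": {"ipv6_subnet": "fd00:fd00:fd00:2000::/64"},
        },
    },
    {"name": "Storage", "subnets": {"storage_subnet": {"ip_subnet": "172.18.0.0/24"}}},
]

# Assumed for the example: TCP ports the OVN NB/SB database cluster listens on.
OVN_DB_PORTS = (6641, 6642, 6643, 6644)


def internal_subnets(network_data: List[dict], network_name: str = "InternalApi"):
    """Return every subnet (IPv4 or IPv6) declared under network_name."""
    for net in network_data:
        if net.get("name") != network_name:
            continue
        found = []
        for sub in net.get("subnets", {}).values():
            cidr = sub.get("ip_subnet") or sub.get("ipv6_subnet")
            if cidr:
                found.append(ipaddress.ip_network(cidr, strict=True))
        return found
    return []


def accept_rule(subnet, port: int) -> str:
    """Render one ACCEPT rule; IPv6 subnets go through ip6tables."""
    tool = "ip6tables" if subnet.version == 6 else "iptables"
    return f"{tool} -A INPUT -s {subnet} -p tcp --dport {port} -j ACCEPT"


def rules_first_subnet_only(subnets) -> List[str]:
    """Buggy shape: only the first subnet in the network gets rules."""
    if not subnets:
        return []
    return [accept_rule(subnets[0], p) for p in OVN_DB_PORTS]


def rules_all_subnets(subnets) -> List[str]:
    """Fixed shape: rules for every subnet and every DB port."""
    return [accept_rule(s, p) for s in subnets for p in OVN_DB_PORTS]


def uncovered_subnets(subnets, rules: List[str]) -> List[str]:
    """Subnets for which at least one OVN DB port has no ACCEPT rule.
    Under a default-deny policy these are the subnets whose DB traffic
    would be dropped."""
    missing = []
    for s in subnets:
        if not all(accept_rule(s, p) in rules for p in OVN_DB_PORTS):
            missing.append(str(s))
    return missing


if __name__ == "__main__":
    subs = internal_subnets(SAMPLE_NETWORK_DATA)
    print("blocked with first-subnet-only rules:",
          uncovered_subnets(subs, rules_first_subnet_only(subs)))
    print("blocked with per-subnet rules:",
          uncovered_subnets(subs, rules_all_subnets(subs)))
```

The coverage check is the piece worth keeping around: run it against the rendered rule set after deployment (or in a template unit test) and any routed leaf subnet that the generator skipped shows up before the cluster members on that leaf lose DB connectivity.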

Comment 7 Jason Paroly 2022-09-09 14:34:36 UTC
*** Bug 2123404 has been marked as a duplicate of this bug. ***

Comment 9 Jason Paroly 2022-09-09 20:20:08 UTC
*** Bug 2123166 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2022-09-21 12:24:47 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543