Bug 2126725

Summary: Custom CA cert location breaks OVN in tls-e deployments
Product: Red Hat OpenStack
Reporter: Brendan Shephard <bshephar>
Component: openstack-tripleo-heat-templates
Assignee: Brendan Shephard <bshephar>
Status: ASSIGNED
QA Contact: Maor <mblue>
Severity: low
Priority: medium
Version: 17.1 (Wallaby)
CC: ekuris, jamsmith, jschluet, mblue, mburns, mlavalle
Target Milestone: z2
Keywords: Triaged
Target Release: 17.1
Flags: jamsmith: needinfo? (bshephar)
Hardware: All
OS: All
Fixed In Version: openstack-tripleo-heat-templates-14.3.1-1.20221118011425.fc038b6.el9ost
Doc Type: Known Issue
Doc Text:
The hard-coded certificate location is used regardless of the user-provided value. During a deployment with a custom certificate location, services cannot retrieve information from API endpoints because Transport Layer Security (TLS) verification fails.
Type: Bug

Description Brendan Shephard 2022-09-14 10:54:57 UTC
Description of problem:
If the user provides an InternalTLSCAFile: path other than the default /etc/ipa/ca.crt file, it will break OVN and FRR, as we don't pass this parameter to the Ansible roles used to deploy them.

See the related upstream Bug:
https://bugs.launchpad.net/tripleo/+bug/1989535

Version-Release number of selected component (if applicable):
17.0

How reproducible:
Easily

Steps to Reproduce:
1. Define a non-standard location for your IPA CA certificate
parameter_defaults:
  InternalTLSCAFile: /etc/ipa/test_ca.crt
2. Run the deployment
3. Observe the failure mentioned in the Launchpad within Neutron:
Actual results:
2022-09-14 04:37:15.168 2 ERROR neutron.service [None req-dd2e09b0-c8e3-44d8-acb9-9e540de833b1 - - - - - -] Unrecoverable error: please check log for details.: Exception: Could not retrieve schema from ssl:192.168.2.79:6642

Expected results:
The correct location for the CA certificate should be passed as a variable to the Ansible role when called.

Additional info:
Patched by:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/857583

And for FRR:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/857586
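As an added pre-deployment check (not part of the bug report or of tripleo-heat-templates): before deploying with a custom InternalTLSCAFile, confirm that the CA file at that path actually validates the OVN southbound certificate, since a service handed a CA that did not issue the endpoint certificate fails exactly as in the Neutron log above. The script builds a constructed demo PKI with the openssl CLI; the file names and CNs are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that a CA file validates
# an OVN endpoint certificate before handing that path to a deployment.
# Requires the openssl CLI. All paths and CNs below are constructed demo values.
set -u

# ca_verifies_endpoint_cert CA_FILE CERT_FILE
# Returns 0 when CERT_FILE chains to CA_FILE, 1 otherwise. A missing CA file
# also returns 1: that is what a service sees when given the wrong path.
ca_verifies_endpoint_cert() {
    ca="$1"; cert="$2"
    [ -r "$ca" ] || return 1
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed PKI with one "IPA" CA that signs an OVN SB
# certificate, plus an unrelated CA standing in for a CA file at the wrong path.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/test_ca.key" -out "$dir/test_ca.crt" \
        -subj "/CN=Demo IPA CA" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/other_ca.key" -out "$dir/other_ca.crt" \
        -subj "/CN=Unrelated CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/ovn-sb.key" -out "$dir/ovn-sb.csr" \
        -subj "/CN=ovn-sb.demo.internal" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/ovn-sb.csr" \
        -CA "$dir/test_ca.crt" -CAkey "$dir/test_ca.key" -CAcreateserial \
        -out "$dir/ovn-sb.crt" >/dev/null 2>&1
}

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
make_demo_pki "$DEMO_DIR"

# Correct path: the CA that issued the OVN SB certificate.
if ca_verifies_endpoint_cert "$DEMO_DIR/test_ca.crt" "$DEMO_DIR/ovn-sb.crt"; then
    echo "test_ca.crt validates ovn-sb.crt: a role given this path can connect"
fi
# Wrong path: a CA that did not issue the endpoint certificate, which is the
# situation when the role keeps the hard-coded default after the CA was moved.
if ! ca_verifies_endpoint_cert "$DEMO_DIR/other_ca.crt" "$DEMO_DIR/ovn-sb.crt"; then
    echo "other_ca.crt does not validate ovn-sb.crt: TLS verification will fail"
fi
```

Run it with DEMO_DIR pointing at a scratch directory, or substitute the real CA path and a copy of the OVN SB certificate to check a live configuration.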