Bug 1384334 - On an SSL enabled overcloud the Neutron api returns http URL
Summary: On an SSL enabled overcloud the Neutron api returns http URL
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: 10.0 (Newton)
Assignee: John Schwarz
QA Contact: Marius Cornea
URL:
Whiteboard:
Depends On:
Blocks: 1384340
TreeView+ depends on / blocked
 
Reported: 2016-10-13 06:54 UTC by Marius Cornea
Modified: 2023-02-22 23:02 UTC (History)
12 users (show)

Fixed In Version: openstack-neutron-9.0.0-1.7.el7ost
Doc Type: Bug Fix
Doc Text:
This release adds a HTTPProxyToWSGI middleware in front of the OpenStack Networking API to set up a request URL correctly in case a proxy (eg. HAProxy) is used between the client and server. This ensures that when a client uses SSL, the server recognizes this and responds using the correct protocol. Previously, using a proxy made it possible for the server to respond with HTTP (instead of HTTPS) even when a client used SSL.
Clone Of:
: 1384340 (view as bug list)
Environment:
Last Closed: 2016-12-14 16:18:25 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 384294 0 None None None 2016-10-13 06:54:00 UTC
OpenStack gerrit 387356 0 None None None 2016-10-21 17:08:46 UTC
Red Hat Product Errata RHEA-2016:2948 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC

Description Marius Cornea 2016-10-13 06:54:01 UTC 
Description of problem:
On an SSL enabled overcloud the Neutron api returns http URL

openstack catalog show neutron
+-----------+------------------------------------------------------+
| Field     | Value                                                |
+-----------+------------------------------------------------------+
| endpoints | regionOne                                            |
|           |   publicURL: https://[2001:db8:ca2:4::10]:13696      |
|           |   internalURL: http://[fd00:fd00:fd00:2000::14]:9696 |
|           |   adminURL: http://[fd00:fd00:fd00:2000::14]:9696    |
|           |                                                      |
| name      | neutron                                              |
| type      | network                                              |
+-----------+------------------------------------------------------+

curl -s -H "X-Auth-Token: $OS_TOKEN" https://172.16.18.25:13042  | python -m json.tool

{
    "versions": [
        {
            "id": "v2.0",
            "links": [
                {
                    "href": "http://[2001:db8:ca2:4::10]:13696/v2.0",
                    "rel": "self"
                }
            ],
            "status": "CURRENT"
        }
    ]
}


Version-Release number of selected component (if applicable):
openstack-neutron-9.0.0-0.20160929051647.71f2d2b.el7ost.noarch
Comment 3 Marius Cornea 2016-11-28 16:01:00 UTC 
Testing fails with the current build. I believe in order to be able to verify this we also need a fix for BZ#1384340 which is still in NEW state. 

curl -s -H "X-Auth-Token: $OS_TOKEN" https://172.16.18.25:13696 | python -m json.tool
{
    "versions": [
        {
            "id": "v2.0",
            "links": [
                {
                    "href": "http://172.16.18.25:13696/v2.0",
                    "rel": "self"
                }
            ],
            "status": "CURRENT"
        }
    ]
}
Comment 4 Ihar Hrachyshka 2016-11-28 16:16:18 UTC 
Marius, do you have a specific puppet patch on your mind?
Comment 5 Marius Cornea 2016-11-28 16:29:59 UTC 
(In reply to Ihar Hrachyshka from comment #4)
> Marius, do you have a specific puppet patch on your mind?

Yes, it looks that this one fixes addresses the issue:
https://review.openstack.org/#/c/400591/
Comment 6 John Schwarz 2016-11-28 16:33:02 UTC 
Marius, puppet-tripleo doesn't have a patches branch. In other words, patches are automatically synced from upstream. Putting a needinfo on Mike Burns who I hear deals with the syncs.
Comment 7 Marius Cornea 2016-11-29 11:53:32 UTC 
This has landed in the latest build and canbe verified:

{
    "versions": [
        {
            "id": "v2.0",
            "links": [
                {
                    "href": "https://172.16.18.25:13696/v2.0",
                    "rel": "self"
                }
            ],
            "status": "CURRENT"
        }
    ]
}
Comment 10 errata-xmlrpc 2016-12-14 16:18:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html
Note You need to log in before you can comment on or make changes to this bug.