Bug 1391421 - deployment fails on ssl templates with " 'tripleo::trusted_cas::ca_map': (<unknown>): mapping values are not allowed in this context"
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ga
Target Release: 10.0 (Newton)
Assignee: RHOS Maint
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-03 09:49 UTC by Jaison Raju
Modified: 2016-11-05 18:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-05 18:52:15 UTC
Target Upstream Version:



Description Jaison Raju 2016-11-03 09:49:21 UTC
Description of problem:
When deploying an SSL-based environment & using the following environment variables, the deployment fails on all controllers & computes with an error for ca_map:
Environment variables:
-e /home/stack/sriov_templates/enable-tls.yaml -e /home/stack/sriov_templates/cloudname.yaml -e /home/stack/sriov_templates/inject-trust-anchor.yaml 

deployment-show :
    "deploy_stderr": "exception: connect failed\n\u001b[1;31mError: Error from DataBinding 'hiera' while looking up 'tripleo::trusted_cas::ca_map': (<unknown>): mapping values are not allowed in this context at line 17 column 42 on node overcloud-compute-1.localdomain\u001b[0m\n\u001b[1;31mError: Error from DataBinding 'hiera' while looking up 'tripleo::trusted_cas::ca_map': (<unknown>): mapping values are not allowed in this context at line 17 column 42 on node overcloud-compute-1.localdomain\u001b[0m\n",

I cross-checked on the nodes & I found ca_map empty.
[root@overcloud-compute-1 ~]# grep ca_map -r /etc/puppet/
/etc/puppet/hieradata/service_configs.yaml:tripleo::trusted_cas::ca_map: {}

Version-Release number of selected component (if applicable):
OSP10-2016-10-21.3

How reproducible:
Always

Steps to Reproduce:
1. deploy overcloud using similar templates with inject-trust-anchor.yaml
2.
3.

Actual results:


Expected results:


Additional info:

/home/stack/sriov_templates/inject-trust-anchor.yaml contains 3 certificates one after another. This worked on rhos9 & rhos8.

Comment 2 Jaison Raju 2016-11-03 10:28:33 UTC
Even if I add CAMap, the deployment fails at the same stage.
http://docs.openstack.org/developer/tripleo-docs/advanced_deployment/ssl.html

Comment 3 Marius Cornea 2016-11-03 10:51:54 UTC
Hi Jaison,

In OSP10 the EndpointMap got split out of the enable-tls.yaml environment file and it is placed in:

/usr/share/openstack-tripleo-heat-templates/environments/tls-endpoints-public-dns.yaml <- when using a DNS name, I think this is your case
/usr/share/openstack-tripleo-heat-templates/environments/tls-endpoints-public-ip.yaml <- when using an IP for the public endpoint 

The enable-tls.yaml environment should now contain only the certificates, you can check the example in /usr/share/openstack-tripleo-heat-templates/environments/enable-tls.yaml

Could you try passing both the enable-tls.yaml and the tls-endpoints-public-dns.yaml environment files and see if it improves the situation?

We're keeping track of the docs changes for SSL on OSP10 in bug 1357688

Comment 4 Juan Antonio Osorio 2016-11-04 14:16:31 UTC
So, there is another environment file that shows how to use the CA map: https://github.com/openstack/tripleo-heat-templates/blob/master/environments/inject-trust-anchor-hiera.yaml

Setting the tripleo::trusted_cas::ca_map is not the way you want to do it. The upstream documentation also shows how to use it:

http://tripleo.org/advanced_deployment/ssl.html#getting-the-overcloud-to-trust-cas

But, in a nutshell, what you want to really set is the CAMap parameter with the format shown in the examples.
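
A sketch of turning a bundle of concatenated CA certificates (the situation in the original report) into the CAMap parameter recommended in Comment 4. This is an added example, not code from the bug report or from TripleO; the `content: |` layout is assumed from the upstream inject-trust-anchor-hiera.yaml example, and the entry names (ca-1, ca-2, ...) and the sample bundle are constructed.

```python
import base64
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_bundle(bundle):
    """Return every PEM certificate block found in a concatenated bundle."""
    certs = PEM_RE.findall(bundle)
    for pem in certs:
        # Raises ValueError if the base64 body does not decode (e.g. bad padding).
        ssl.PEM_cert_to_DER_cert(pem)
    return certs


def render_camap(certs, prefix="ca"):
    """Render one CAMap entry per certificate (entry names are hypothetical)."""
    lines = ["parameter_defaults:", "  CAMap:"]
    for i, pem in enumerate(certs, 1):
        lines.append(f"    {prefix}-{i}:")
        # Literal block scalar: the PEM text is kept verbatim, and every line
        # sits deeper than 'content', so none of it is parsed as YAML syntax.
        lines.append("      content: |")
        lines.extend("        " + ln.strip()
                     for ln in pem.splitlines() if ln.strip())
    return "\n".join(lines) + "\n"


def _fake_pem(label):
    # Constructed bytes wrapped in PEM armor; NOT a real certificate.
    body = base64.encodebytes(label * 40).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + body
            + "-----END CERTIFICATE-----\n")


# Constructed sample: three "certificates" one after another in one file.
SAMPLE_BUNDLE = "".join(
    _fake_pem(n) for n in (b"ca-one ", b"ca-two ", b"ca-three "))

if __name__ == "__main__":
    print(render_camap(split_bundle(SAMPLE_BUNDLE)), end="")
```

The rendered text is meant to be saved as an environment file and passed with -e in place of a hand-edited trust-anchor file.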

Comment 5 Jaison Raju 2016-11-05 18:52:15 UTC
Hi Juan / Marius,

Thanks for the help. Issue is resolved.

I tried the following command this time.
I also noticed earlier that subsequent stack creation took hiera from the previous deleted stack & I realised I needed to delete the environment from mistral & object from swift.

I don't think I had made any mistakes in the CAMap configuration.
This time, I only used inject-trust-anchor-hiera.yaml & not inject-trust-anchor.yaml

openstack overcloud deploy --compute-scale 2 --control-scale 3 --ceph-storage-scale 2 --control-flavor control --compute-flavor compute --ceph-storage-flavor ceph-storage --ntp-server  clock.corp.redhat.com --neutron-bridge-mappings datacentre:br-ex --neutron-network-vlan-ranges datacentre:1:1000,sriov1:170:172 --templates -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml -e /home/stack/sriov_templates/network-environment.yaml -e /home/stack/sriov_templates/storage-environment.yaml -e /home/stack/sriov_templates/timezone.yaml -e /home/stack/sriov_templates/tls-endpoints-public-dns.yaml -e /home/stack/sriov_templates/enable-tls.yaml -e /home/stack/sriov_templates/cloudname.yaml  -e /home/stack/sriov_templates/inject-trust-anchor-hiera.yaml  -e /home/stack/sriov_templates/neutron-sriov.yaml

I think the issue I was facing was that I didn't delete the environment from mistral & hence I kept facing the original issue I noticed.
If that's so, then we should include that in our docs as a note that while re-creating stack/overcloud the user needs to delete the mistral environment & swift object.
Closing this bug as notabug.

Regards,
Jaison R

