Bug 1419669 - [Director] No discussion of public VIP in SSL docs
Status: CLOSED NOTABUG
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Assignee: Dan Macpherson
QA Contact: RHOS Documentation Team
Reported: 2017-02-06 17:27 UTC by Ben Nemec
Modified: 2017-04-03 21:59 UTC

Last Closed: 2017-04-03 21:59:58 UTC

Description Ben Nemec 2017-02-06 17:27:49 UTC
Description of problem: When deploying an overcloud with SSL endpoints, the public VIP of the resulting cloud is very important.  Either the certificate needs to be generated with the exact IP of the public VIP (when IP-based endpoints are used) or the IP needs to be known ahead of time so the DNS server can be configured appropriately (when DNS-based endpoints are used).

The current SSL docs for OSP 10 [1] make no mention of this, nor do they provide details on how to ensure the public VIP is predictable.  To further complicate things, the method for predicting the public VIP has changed from OSP 9.  By default it's no longer the first IP in the public allocation pool, but is instead assigned randomly from the pool.  This means it needs to be set explicitly by the user now.

This is documented upstream at [2], and similar information will need to be added to the product docs for SSL deployments to succeed.

1: https://access.redhat.com/documentation/en/red-hat-openstack-platform/10/paged/advanced-overcloud-customization/chapter-9-enabling-ssl-tls-on-the-overcloud

2: http://docs.openstack.org/developer/tripleo-docs/advanced_deployment/ssl.html#certificate-and-public-vip-configuration


Version-Release number of selected component (if applicable): OSP 10

Comment 1 Dan Macpherson 2017-02-21 06:04:04 UTC
Hi Ben,

So the information on the Public API VIP was in the SSL/TLS cert generation instructions in the Director Guide, but I felt they belong in the Adv Overcloud Guide. So I made a split between the Undercloud and Overcloud SSL/TLS config, and moved the Overcloud cert generation to the Adv Overcloud Guide into the chapter you linked.

The section relevant to this BZ is here:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/advanced_overcloud_customization/sect-enabling_ssltls_on_the_overcloud#Creating_an_SSL_TLS_Certificate_Signing_Request

 Set the commonName_default to one of the following:

    If using an IP to access over SSL/TLS, use the Virtual IP for the Public API. Set this VIP using the PublicVirtualFixedIPs parameter in an environment file. For more information, see Section 8.4, “Assigning Predictable Virtual IPs”.
    If using a fully qualified domain name to access over SSL/TLS, use the domain name instead. 

Section 8.4 is here: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/advanced_overcloud_customization/sect-controlling_node_placement#sect-Predictable_VIPs

Was this what you were after? Any further requirements for this BZ?

Comment 2 Ben Nemec 2017-04-03 21:59:58 UTC
Okay, I'm not sure what I was looking at when I opened this.  I thought I had searched the page for the parameter name, but clearly I didn't since it's there.  The existing docs do look fine.

This bug came out of a discussion I had with someone in the field where they had tried to do an SSL deployment without setting the public VIP.  I thought we determined that it was missing from the docs, but maybe we were looking at the wrong version or something?

Anyway, docs are correct so closing the bug.
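
Added example (not part of the bug report or the Red Hat documentation): a pre-deployment check for the constraint discussed in this bug, that the overcloud certificate must name the Public API VIP pinned with PublicVirtualFixedIPs, or the FQDN when DNS-based endpoints are used. Certificates are passed as dicts in the shape returned by Python's ssl.SSLSocket.getpeercert(); the function names, result strings, sample addresses and the assumed shape of the PublicVirtualFixedIPs value are constructed for illustration.

```python
import ipaddress

# Constructed sample certificates (documentation address range 192.0.2.0/24).
CERT_CN_ONLY = {"subject": ((("commonName", "192.0.2.180"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "overcloud.example.com"),),),
    "subjectAltName": (("DNS", "overcloud.example.com"),
                       ("IP Address", "192.0.2.180")),
}

def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def check_public_endpoint(cert, endpoint):
    """Return 'san', 'cn-only' or 'mismatch' for an IP or FQDN endpoint.

    Exact matches only; wildcard names are not handled here.
    """
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(endpoint)
    if ip is not None:
        if ip in [_as_ip(v) for k, v in sans if k == "IP Address"]:
            return "san"
        cn_hit = ip in [_as_ip(c) for c in cns]
    else:
        host = endpoint.lower().rstrip(".")
        if host in [v.lower() for k, v in sans if k == "DNS"]:
            return "san"
        cn_hit = host in [c.lower() for c in cns]
    # 'cn-only' is flagged separately: some TLS clients ignore the CN
    # and accept only subjectAltName entries.
    return "cn-only" if cn_hit else "mismatch"

def check_environment(parameter_defaults, cert):
    """Check a cert against the VIP pinned in a parsed environment file."""
    # Assumed value shape: PublicVirtualFixedIPs: [{'ip_address': '...'}]
    vips = parameter_defaults.get("PublicVirtualFixedIPs") or []
    if not vips:
        # Unpinned: the VIP is assigned from the pool at deploy time,
        # so an IP-based certificate cannot be known to match.
        return "vip-not-pinned"
    return check_public_endpoint(cert, vips[0]["ip_address"])
```

A "vip-not-pinned" result corresponds to the failure described in Comment 2: an SSL deployment attempted without setting the public VIP.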

