Description of problem:

When deploying an overcloud with SSL endpoints, the public VIP of the resulting cloud is very important. Either the certificate needs to be generated with the exact IP of the public VIP (when IP-based endpoints are used) or the IP needs to be known ahead of time so the DNS server can be configured appropriately (when DNS-based endpoints are used). The current SSL docs for OSP 10 [1] make no mention of this, nor do they provide details on how to ensure the public VIP is predictable.

To further complicate things, the method for predicting the public VIP has changed from OSP 9. By default it's no longer the first IP in the public allocation pool, but is instead assigned randomly from the pool. This means it needs to be set explicitly by the user now. This is documented upstream at [2], and similar information will need to be added to the product docs for SSL deployments to succeed.

1: https://access.redhat.com/documentation/en/red-hat-openstack-platform/10/paged/advanced-overcloud-customization/chapter-9-enabling-ssl-tls-on-the-overcloud
2: http://docs.openstack.org/developer/tripleo-docs/advanced_deployment/ssl.html#certificate-and-public-vip-configuration

Version-Release number of selected component (if applicable):

OSP 10
Hi Ben,

So the information on the Public API VIP was in the SSL/TLS cert generation instructions in the Director Guide, but I felt they belong in the Adv Overcloud Guide. So I made a split between the Undercloud and Overcloud SSL/TLS config, and moved the Overcloud cert generation to the Adv Overcloud Guide into the chapter you linked.

The section relevant to this BZ is here:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/advanced_overcloud_customization/sect-enabling_ssltls_on_the_overcloud#Creating_an_SSL_TLS_Certificate_Signing_Request

Set the commonName_default to one of the following:

- If using an IP to access over SSL/TLS, use the Virtual IP for the Public API. Set this VIP using the PublicVirtualFixedIPs parameter in an environment file. For more information, see Section 8.4, “Assigning Predictable Virtual IPs”.
- If using a fully qualified domain name to access over SSL/TLS, use the domain name instead.

Section 8.4 is here:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/advanced_overcloud_customization/sect-controlling_node_placement#sect-Predictable_VIPs

Was this what you were after? Any further requirements for this BZ?
Okay, I'm not sure what I was looking at when I opened this. I thought I had searched the page for the parameter name, but clearly I didn't since it's there. The existing docs do look fine.

This bug came out of a discussion I had with someone in the field where they had tried to do an SSL deployment without setting the public VIP. I thought we determined that it was missing from the docs, but maybe we were looking at the wrong version or something? Anyway, docs are correct so closing the bug.
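A pre-deployment consistency check for the two settings discussed in this thread, added here as an example and not part of the bug report or the product docs. The sample file contents and function names are constructed for illustration; the list form of PublicVirtualFixedIPs follows the upstream TripleO docs.

```python
import ipaddress
import re

# Constructed sample inputs (not taken from the bug report).
ENV_FILE = """\
parameter_defaults:
  PublicVirtualFixedIPs: [{'ip_address':'10.0.0.251'}]
"""
OPENSSL_CNF = """\
[req_distinguished_name]
commonName = Common Name
commonName_default = 10.0.0.251
"""

# Matches both the inline form above and the block form
#   PublicVirtualFixedIPs:
#     - ip_address: 10.0.0.251
# Commented-out lines are skipped because the key must start the line.
_VIP_RE = re.compile(
    r"""^\s*PublicVirtualFixedIPs\s*:[\s\[\{-]*['"]?ip_address['"]?\s*:\s*['"]?([0-9A-Fa-f:.]+)""",
    re.M,
)
_CN_RE = re.compile(r"^\s*commonName_default\s*=\s*(\S+)", re.M)


def public_vip(env_text):
    """Return the fixed public VIP from an environment file, or None if unset."""
    m = _VIP_RE.search(env_text)
    return ipaddress.ip_address(m.group(1)) if m else None


def check(env_text, cnf_text):
    """Return a list of problems; an empty list means the two files agree."""
    m = _CN_RE.search(cnf_text)
    if not m:
        return ["commonName_default is not set in the OpenSSL config"]
    cn = m.group(1)
    vip = public_vip(env_text)
    if vip is None:
        # Applies to IP-based and DNS-based endpoints alike: without a fixed
        # VIP the address is only known after the deployment has run.
        return ["PublicVirtualFixedIPs is not set; the public VIP is not predictable"]
    try:
        cn_ip = ipaddress.ip_address(cn)
    except ValueError:
        return []  # DNS-based endpoint: the name must resolve to vip (not checked here)
    if cn_ip != vip:
        return [f"commonName_default {cn} does not match public VIP {vip}"]
    return []
```

For DNS-based endpoints the check only confirms that the VIP is pinned; whether the name resolves to it still has to be verified against the DNS server.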