Bug 1513437 - Enable TLS for ec2api service
Summary: Enable TLS for ec2api service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 12.0 (Pike)
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 12.0 (Pike)
Assignee: Rajesh Tailor
QA Contact: Archit Modi
URL:
Whiteboard:
Depends On:
Blocks: 1336504 1484481
 
Reported: 2017-11-15 12:08 UTC by Lee Yarwood
Modified: 2018-02-05 19:15 UTC
CC: 6 users

Fixed In Version: openstack-tripleo-common-7.6.3-6.el7ost, puppet-tripleo-7.4.3-11.el7ost, openstack-tripleo-heat-templates-7.0.3-17.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-13 22:20:31 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 519610 0 None stable/pike: MERGED puppet-tripleo: Add TLS for ec2api service (I24d990eccf7affd5f3899338ac96d02d2d47460e) 2017-11-28 21:51:20 UTC
OpenStack gerrit 519611 0 None stable/pike: MERGED tripleo-heat-templates: Enable TLS for ec2api service (Ibe5e781e628462fe9b8d9d412c5c7c475a4c82ee) 2017-11-28 21:51:16 UTC
OpenStack gerrit 520273 0 None stable/pike: MERGED tripleo-heat-templates: Enable TLS for ec2api metadata service (Ibc1340f276409dc8d71fb57dc71bae6a40263a5c) 2017-11-28 21:51:11 UTC
OpenStack gerrit 520274 0 None stable/pike: MERGED puppet-tripleo: Add TLS for ec2api metadata service (Id7d487abb65cf17cd65626e582bf4ff950b4395c) 2017-11-28 21:51:08 UTC
OpenStack gerrit 522060 0 None stable/pike: MERGED tripleo-common: Add httpd packages to ec2api image (I214fe20e12487395e1c6e247e92b2f53ba158ff9) 2017-11-28 21:51:04 UTC
OpenStack gerrit 522772 0 None stable/pike: MERGED puppet-tripleo: Set ProxyPreserveHost in ec2api TLS proxy (Iae8e61cb5be4faeea8861296629dd6a5f3ed4f01) 2017-11-28 21:51:00 UTC
OpenStack gerrit 522835 0 None stable/pike: MERGED tripleo-heat-templates: docker/internal TLS: spawn extra container for ec2api TLS proxy (I847e13c22354aab7759364e04e009f... 2017-11-28 21:50:56 UTC
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Description Lee Yarwood 2017-11-15 12:08:04 UTC
Description of problem:

ec2api support for TLS was previously missed by RHBZ#1336504

Comment 2 Rajesh Tailor 2017-11-21 13:30:26 UTC
Hi,

I am working on enabling TLS for ec2api and ec2api-metadata
service in tripleo.

Task summary and status:
Some of the changes for the same are merged in upstream
as well as in stable/pike.

The current status of the work is as follows:
1) The changes required for non-containerized deployment are
merged in master as well as stable/pike.
Here is the list of patches for the same.
Patches merged against master branch:
i) https://review.openstack.org/#/c/509392/ 
ii) https://review.openstack.org/#/c/509393/  
iii) https://review.openstack.org/#/c/511772/  
iv) https://review.openstack.org/#/c/511773/ 

The above patches are backported to stable/pike branch and are merged now.

2) The additional changes required for containerized deployment are submitted
against master branch and are under review.
i) https://review.openstack.org/#/c/520547/ 
ii) https://review.openstack.org/#/c/520581/

The current status is that the containerization bits are remaining to be merged
in master as well as pike.

Issues faced while working on this task:

I faced some issues while I was working on it.
i) Initially I was getting issues during creation of the FreeIPA deployment script during undercloud installation.
https://bugs.launchpad.net/tripleo/+bug/1718712

Since the bug was assigned to Harry, I discussed it with him and he mentioned
that he was working on it.

ii) After getting resolution for the above issue, I could successfully install undercloud, but while deploying overcloud, I was getting the error "No valid host found",
which I debugged and found that the issue is with novajoin, and I updated the launchpad bug below about the same.
https://bugs.launchpad.net/tripleo/+bug/1720137

Since the newer version of novajoin was not available for master release (that time there was promotion issue for master),
the deployment with master release was failing during overcloud deployment with No valid host found error.

After that I switched my testing env from master to stable/pike, because of promotion issue on master.
While testing my changes on pike env, I faced these issues:
iii) I could deploy a TLS-enabled stable/pike setup, but whenever I tried to test my changes, every time the overcloud deployment
failed after Step3 during AllNodesDeploySteps with a timeout.

The reason for this was that puppet-tripleo started using a parameter that was not available with the
certmonger package in RDO for pike, so a patch was submitted to update the hash of the certmonger package in RDO against pike.

This was the hardest issue which I faced while working on this task, as it was difficult to debug and it was not giving
any proper error message on the console except timing out every time.

After that, recently, when the master promotion issue got resolved, I switched my testing env to master.
I got the following issue, which was the result of a regression, and I have submitted a fix for that which is already merged.

iv) https://review.openstack.org/#/c/518941/

As of now, I am testing to get my changes to work on containerized deployment with TLS enabled for ec2api.

Comment 9 errata-xmlrpc 2017-12-13 22:20:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462

