Description of problem:
ec2api support for TLS was previously missed by RHBZ#1336504
I am working on enabling TLS for ec2api and ec2api-metadata
service in tripleo.
Task summery and status:
Some of the changes for the same are merged in upstream
as well as in stable/pike.
The current status of the work is as follow:
1) The changes required for non-containerized deployment is
merged in master as well as stable/pike.
Here is the list of patches for the same.
Patches merged against master branch:
The above patches are backported to stable/pike branch and are merged now.
2) The additional changes required for containerized deployment are submitted
against master branch and are under review.
The current status is that the containerization bits is remaining to be merged
in master as well as pike.
Issues faced while working on this task:
I had faced some issue while I was working on it.
i) Initially I was getting issues while creation of FreeIPA deployment script during undercloud installation.
Since the bug was assigned to Harry, I discussed with him and he mentioned
that he was working on it.
ii) After getting resolution for the above issue, I could successfully install undercloud, but while deploying overcloud, I was getting error "No valid host found".
Which I debug and found that the issue is with novajoin and I updated about the same on below launchpad bug.
Since the newer version of novajoin was not available for master release (that time there was promotion issue for master),
the deployment with master release was failing during overcloud deployment with No valid host found error.
After that I switched my testing env from master to stable/pike, because of promotion issue on master.
While testing my changes on pike env, I faced these issues:
iii) I could deploy TLS enabled stable/pike setup, but whenever I tried to test my changes, everytime the overcloud-deployment
failed after Step3 during AllNodesDeploySteps with timed out.
The reason for this was that the puppet-tripleo started using a parameter, which was not available with
certmonger pacakge in RDO for pike, so a patch was submitted to update the hash of certmonger package in RDO against pike.
This was the hardest issue, which I faced while working on this task, as it was difficult to debug and it was not giving
any proper error message on console except getting timedout everytime.
After that recently, when the master promotion issue got resolved, I switched my testing env to master.
I got following issue, which was result of a regression and I have submitted a fix for that which is already merged.
As of now, I am testing to get my changes work on containerized deployment with TLS enabled for ec2api.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.