Red Hat Bugzilla – Bug 1543638
httpd pod cannot forward requests to cloudforms pod when httpd-auth-configs is updated with AD auth settings
Last modified: 2018-07-12 10:51:57 EDT
Description of problem:
httpd generator pod generates config map with new resolv.conf file. initialize-httpd-auth service of httpd pod replaces default resolv.conf with openshift's dns ip by new resolv.conf from httpd-auth-configs config map. As a result httpd pod cannot resolve cloudforms name and cannot forward requests to it.

Version-Release number of selected component (if applicable):
5.9.0.18/upstream
I have to use upstream httpd-config-generator because of blocker 1540641. But httpd pod and the rest is 5.9.0.18

How reproducible:
100%

Steps to Reproduce:
1. generate AD auth configuration using httpd generator pod
2. replace default httpd-auth-configs config map
3. redeploy httpd pod
4. oc rsh to httpd pod and check initialize-httpd-auth service state; if it is failed, then start service manually (this is necessary because of another bug)
5. try to connect to CloudForms in browser

Actual results:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /.
Reason: DNS lookup failure for: cloudforms

Expected results:
resolv.conf should be correctly updated
Ievgen, can you post a PM in the BZ with the credentials for the environment where you are encountering this? Thank you. JoeV
This issue will be addressed by PR: https://github.com/ManageIQ/httpd_configmap_generator/pull/32
Ievgen, I have posted a PR that does remove the /etc/resolv.conf from the Active Directory config map, as you have pointed out should not be. I have also changed "--ad-server" name to be a required parameter. I have tested the fix on the QE OpenShift test bed but I used my Active Directory server/Realm. The Active Directory realm must be DNS resolvable and it is not in the QE Active Directory setup. So although this PR will allow for successful generation of Active Directory config maps, doing so will not be possible until the Active Directory realm is DNS resolvable for the QE AD test setup.
Joe, nice, thank you! As for the QE AD test setup, we know about that and we add some workaround to make AD DNS resolvable.
https://github.com/ManageIQ/httpd_configmap_generator/pull/32 has been merged. Moving to "POST"
Verified in 5.9.3.2
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2183