Bug 1571990 - [Deployment] [TLS] ODL OVS needs to add certificates to every ODL node
Summary: [Deployment] [TLS] ODL OVS needs to add certificates to every ODL node
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-neutron
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
: 13.0 (Queens)
Assignee: Tim Rozet
QA Contact: Itzik Brown
Whiteboard: odl_deployment, odl_tls
Depends On:
Blocks: 1488826
Reported: 2018-04-25 21:42 UTC by Tim Rozet
Modified: 2018-10-18 07:21 UTC

Fixed In Version: puppet-neutron-12.4.1-0.20180412211913
Last Closed: 2018-06-27 13:53:50 UTC

System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1766989 | 0 | None | None | None | 2018-04-25 21:54:40 UTC
OpenStack gerrit | 565281 | 0 | None | stable/queens: MERGED | puppet-neutron: Fixes ODL OVS to add certs to every node (Ifd8401e2facdad07ccda4ec6f885a82bc0a16421) | 2018-05-01 16:41:41 UTC
Red Hat Product Errata | RHEA-2018:2086 | 0 | None | None | None | 2018-06-27 13:55:07 UTC

Description Tim Rozet 2018-04-25 21:42:24 UTC
Description of problem:
In the current behavior, the OVS configuration for ODL adds a certificate to ODL via the VIP. This works fine in no-ha deployments, but in HA it only results in 1 ODL instance adding the certificate, so only 1 ODL accepts an OVSDB connection. This is because of issues with using the MD-SAL trust store type (see https://bugzilla.redhat.com/show_bug.cgi?id=1571985). Since the MD-SAL trust store doesn't work, we have to use a file-based trust store. In that case the file is not highly available, so we need to add the certificate to every ODL node.

How reproducible:
Always in SSL/TLS HA ODL deployment

Comment 6 Itzik Brown 2018-05-03 13:52:54 UTC
Checked with:

Comment 10 errata-xmlrpc 2018-06-27 13:53:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
