1571990 – [Deployment] [TLS] ODL OVS needs to add certificates to every ODL node

Bug 1571990 - [Deployment] [TLS] ODL OVS needs to add certificates to every ODL node

Summary: [Deployment] [TLS] ODL OVS needs to add certificates to every ODL node

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	puppet-neutron
Sub Component:
Version:	13.0 (Queens)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	beta
Target Release:	13.0 (Queens)
Assignee:	Tim Rozet
QA Contact:	Itzik Brown
Docs Contact:
URL:
Whiteboard:	odl_deployment, odl_tls
Depends On:
Blocks:	1488826
TreeView+	depends on / blocked

Reported:	2018-04-25 21:42 UTC by Tim Rozet
Modified:	2018-10-18 07:21 UTC (History)
CC List:	6 users (show)
Fixed In Version:	puppet-neutron-12.4.1-0.20180412211913
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:	N/A
Last Closed:	2018-06-27 13:53:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1766989	None	None	None	2018-04-25 21:54:40 UTC
OpenStack gerrit	565281	None	stable/queens: MERGED	puppet-neutron: Fixes ODL OVS to add certs to every node (Ifd8401e2facdad07ccda4ec6f885a82bc0a16421)	2018-05-01 16:41:41 UTC
Red Hat Product Errata	RHEA-2018:2086	None	None	None	2018-06-27 13:55:07 UTC

Description Tim Rozet 2018-04-25 21:42:24 UTC

Description of problem:
In the current behavior, the OVS configuration for ODL adds a certificate to ODL via the VIP.  This works fine in no-ha deployments, but in HA it only results in 1 ODL instance adding the certificate, so only 1 ODL accepts an OVSDB connection. This is because of issues with using MD-SAL trust store type (see https://bugzilla.redhat.com/show_bug.cgi?id=1571985).  Since MD-SAL trust store doesn't work, we have to use a file based trust store.  In that case the file is not highly available, so we need to add the certificate to every ODL node.

How reproducible:
Always in SSL/TLS HA ODL deployment

Comment 6 Itzik Brown 2018-05-03 13:52:54 UTC

Checked with:
puppet-neutron-12.4.1-0.20180412211913.el7ost.noarch

Comment 10 errata-xmlrpc 2018-06-27 13:53:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

Note You need to log in before you can comment on or make changes to this bug.