Description of problem:
The old enable-tls.yaml in THT/environments has the setting, however, it states that the file is deprecated and points users to use THT/environments/ssl/enable-tls.yaml instead. The new file is missing HorizonSecureCookies settings in it.

Version-Release number of selected component (if applicable):
13.0

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
HorizonSecureCookies missing from THT/environments/ssl/enable-tls.yaml

Expected results:
HorizonSecureCookies should be in THT/environments/ssl/enable-tls.yaml

Additional info:
Upon further analysis, there's another parameter in the deprecated file that is not in the new one. GnocchiIncomingStorageDriver is in the deprecated one but not in the new file. Do we still need to do this?
Darin, can you give us reproduction steps for this? I'm not sure if you encountered this while reviewing the templates themselves or during deployment. Either way, any info would be great for our QE. WRT the GnocchiIncomingStorageDriver parameter -- I can't speak to this.
Hi Harry,

Another customer was asking me almost the same question.

# grep -v ^$ /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml | grep -v \# > /tmp/new_tls
# grep -v ^$ /usr/share/openstack-tripleo-heat-templates/environments/enable-tls.yaml | grep -v \# > /tmp/old_tls
# diff /tmp/old_tls /tmp/new_tls -u
--- /tmp/old_tls 2018-06-26 03:52:47.018834222 -0400 +++ /tmp/new_tls 2018-06-26 03:52:34.613798136 -0400 @@ -1,9 +1,9 @@ parameter_defaults: - HorizonSecureCookies: True SSLCertificate: | The contents of your certificate go here SSLIntermediateCertificate: '' SSLKey: | The contents of the private key go here + DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem resource_registry: - OS::TripleO::NodeTLSData: ../puppet/extraconfig/tls/tls-cert-inject.yaml + OS::TripleO::NodeTLSData: ../../puppet/extraconfig/tls/tls-cert-inject.yaml

Our new enable-tls.yaml doesn't contain HorizonSecureCookies and this will lead to Horizon lacking the CSRF_COOKIE_SECURE + SESSION_COOKIE_SECURE options in an SSL/TLS enabled environment.

Best Regards,
Chen
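Review bot: under parameter_defaults the `- HorizonSecureCookies: True` line has no matching `+` line, so the replacement file no longer sets the parameter at all, while the only other removal (the OS::TripleO::NodeTLSData path) is re-added with an adjusted relative path. Suggest carrying `HorizonSecureCookies: True` over into the new file's parameter_defaults alongside the added DeployedSSLCertificatePath entry.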
Re-assigning needinfo against Darin. May you (and Chen) please provide me with the specifics about how your Cu. deployed and hit this issue?
I found this while reviewing the THT when I was enabling TLS in the overcloud. I originally went to use ./environments/enable-tls.yaml, however in that file it says it is deprecated and instructs me to use ./environments/ssl/enable-tls.yaml instead. When I noticed that the setting was absent, I looked for its utilization in the deployment and examined (./puppet/services/horizon.yaml) that actually does the configuration and noted that the default is "false" which is not what we want for TLS.
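The manual comparison of the deprecated and replacement environment files done in this thread can be made a repeatable check. The following is an added example, not part of the bug report or of tripleo-heat-templates; the function names are hypothetical, and the two sample files are reconstructed from the diff above with assumed indentation.

```python
import re

# Constructed samples: key sets taken from the diff in this thread, indentation assumed.
OLD_TLS = """parameter_defaults:
  HorizonSecureCookies: True
  SSLCertificate: |
    The contents of your certificate go here
  SSLIntermediateCertificate: ''
  SSLKey: |
    The contents of the private key go here
resource_registry:
  OS::TripleO::NodeTLSData: ../puppet/extraconfig/tls/tls-cert-inject.yaml
"""
NEW_TLS = """parameter_defaults:
  SSLCertificate: |
    The contents of your certificate go here
  SSLIntermediateCertificate: ''
  SSLKey: |
    The contents of the private key go here
  DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
resource_registry:
  OS::TripleO::NodeTLSData: ../../puppet/extraconfig/tls/tls-cert-inject.yaml
"""

# "key:" at the start of a line; keys may contain "::" (OS::TripleO::NodeTLSData).
KEY_RE = re.compile(r"^\s*([\w:.\-]+?):(?:\s|$)")

def section_keys(text):
    """Map each top-level section to the keys directly beneath it.
    Deeper lines (block-scalar bodies such as certificate text) are ignored."""
    sections, current, child_indent = {}, None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = KEY_RE.match(line)
        if indent == 0:
            current, child_indent = (m.group(1) if m else None), None
            if current:
                sections.setdefault(current, set())
        elif current:
            if child_indent is None:
                child_indent = indent  # first child line fixes the key level
            if m and indent == child_indent:
                sections[current].add(m.group(1))
    return sections

def dropped_keys(old_text, new_text):
    """Keys set in the deprecated file that the replacement no longer sets."""
    old, new = section_keys(old_text), section_keys(new_text)
    gaps = {s: sorted(k - new.get(s, set())) for s, k in old.items()}
    return {s: missing for s, missing in gaps.items() if missing}

if __name__ == "__main__":
    print(dropped_keys(OLD_TLS, NEW_TLS))
```

Running it against every deprecated environment file and its replacement flags any parameter that silently falls back to the service template's default.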
Downstream build complete. Updating FIV and moving bug to MODIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0448