Bug 1608450 - TLS everywhere deployment fails - missing TLS bits in T-H-T
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z3
Target Release: 12.0 (Pike)
Assignee: Damien Ciabrini
QA Contact: Marian Krcmarik
URL:
Whiteboard:
Depends On:
Blocks: 1513502 1566598 1573583 1579023
Reported: 2018-07-25 14:45 UTC by Pavan
Modified: 2022-07-09 10:00 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-7.0.12-8.el7ost puppet-tripleo-7.4.12-8.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-20 13:02:42 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1784205 0 None None None 2018-07-29 07:39:53 UTC
OpenStack gerrit 586862 0 None MERGED Do not target Redis over TLS when using HA Redis profile 2020-02-14 05:34:45 UTC
OpenStack gerrit 586863 0 None MERGED Do not target Redis over TLS when using HA Redis profile 2020-02-14 05:34:45 UTC
Red Hat Product Errata RHSA-2018:2331 0 None None None 2018-08-20 13:04:03 UTC

Description Pavan 2018-07-25 14:45:15 UTC
Description of problem:

Version-Release number of selected component (if applicable):
RHOSP-12 with TLS everywhere enabled
Topology: Compute:1,Controller:1,freeipa:1

Additional info:

The puppet code has the TLS bits; however, TripleO-Heat-Templates (T-H-T) does not have the TLS bits.

Debugging logs:
[root@controller-0 heat-admin]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@controller-0 heat-admin]# docker ps -a
CONTAINER ID        IMAGE                                                    COMMAND                  CREATED             STATUS                      PORTS               NAMES
8ac903f6903a        192.168.24.1:8787/rhosp12/openstack-redis:2018-07-19.1   "/var/lib/docker-p..."   17 minutes ago      Exited (1) 17 minutes ago                       docker-puppet-redis
[root@controller-0 heat-admin]# docker logs -f docker-puppet-redis
+ mkdir -p /etc/puppet
+ cp -a /tmp/puppet-etc/auth.conf /tmp/puppet-etc/hiera.yaml /tmp/puppet-etc/hieradata /tmp/puppet-etc/modules /tmp/puppet-etc/puppet.conf /tmp/puppet-etc/ssl /etc/puppet
+ rm -Rf /etc/puppet/ssl
+ echo '{"step": 6}'
+ TAGS=
+ '[' -n file,file_line,concat,augeas,cron,exec ']'
+ TAGS='--tags file,file_line,concat,augeas,cron,exec'
+ origin_of_time=/var/lib/config-data/redis.origin_of_time
+ touch /var/lib/config-data/redis.origin_of_time
+ sync
+ set +e
+ FACTER_hostname=controller-0
+ FACTER_uuid=docker
+ /usr/bin/puppet apply --detailed-exitcodes --color=false --logdest syslog --logdest console --modulepath=/etc/puppet/modules:/usr/share/openstack-puppet/modules --tags file,file_line,concat,augeas,cron,exec /etc/config.pp
Failed to get D-Bus connection: Operation not permitted
Notice: hiera(): Cannot load backend module_data: cannot load such file -- hiera/backend/module_data_backend
Warning: Undefined variable 'deploy_config_name';
   (file & line not available)
Notice: hiera(): Cannot load backend module_data: cannot load such file -- hiera/backend/module_data_backend
Error: Evaluation Error: Error while evaluating a Function Call, tls_proxy_bind_ip is not set in the hieradata. at /etc/puppet/modules/tripleo/manifests/profile/base/database/redis.pp:86:9 on node controller-0.redhat.local
+ rc=1
+ set -e
+ '[' 1 -ne 2 -a 1 -ne 0 ']'
+ exit 1

Comment 2 Damien Ciabrini 2018-07-25 14:50:12 UTC
Is this a failure introduced in recent puddles? I remember we explicitly disabled TLS for Redis in OSP12, so we need to figure out what triggers the TLS path in the puppet code for Redis.

Comment 8 Damien Ciabrini 2018-07-29 07:42:37 UTC
Proposed patches upstream in puppet-tripleo and tripleo-heat-templates

Comment 16 errata-xmlrpc 2018-08-20 13:02:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2331

