Created attachment 1474127: Internal TLS patch for Octavia
Description of problem:
After enabling internal TLS and Octavia, an octavia_api_tls_proxy container is created, but will continually restart because httpd cannot be found and won't work even after image dependencies are met due to missing related code involving Octavia and haproxy.
List of issues:
1) httpd and mod_ssl not installed in octavia-api image.
2) httpd conf file (25-octavia-api-proxy.conf) not generated by puppet. This is needed in order to proxy incoming requests to localhost.
3) Octavia API does not listen on localhost when Internal TLS is enabled.
4) haproxy does not communicate with Octavia API endpoints using SSL when Internal TLS is enabled.
5) Stack updates can block in Step 4 when trying to remove the octavia_api_tls_proxy container due to the octavia_api_tls_proxy container being stuck in a 'restarting' state.
Version-Release number of selected component (if applicable):

How reproducible:
Easy to reproduce
Steps to Reproduce:
1. Enable Octavia
2. Enable Internal TLS
3. Deploy a stack/update the stack
Actual results:
An octavia_api_tls_proxy container is created and fails to start because httpd is missing.

Expected results:
octavia_api_tls_proxy runs without restarting, binds to the Octavia Network API port, and proxies successfully to a localhost Octavia API listener.

Additional info:
In order to fix, a new octavia-api image needs to be built with the httpd and mod_ssl packages installed.
In addition, the following files need to be updated to enable Internal TLS for Octavia.
Patch is attached for the above file updates.
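A post-deployment check for the chain the report describes (httpd TLS proxy on the network address, Octavia API on loopback only, haproxy talking to the backends over SSL). This is example code written for this page, not part of the attached patch or of the TripleO/Octavia projects. It assumes the Octavia API default port 9876 and parses constructed `ss -ltnp` and haproxy.cfg samples; the `ca-file` path in the sample is a placeholder.

```python
"""Checks for issues 3 and 4 from the report: Octavia API must listen on
loopback behind an httpd TLS proxy, and haproxy must reach it over SSL."""
import re

# Constructed sample of `ss -ltnp` output for a correct deployment
# (not captured from a real host; addresses are made up).
SS_GOOD = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:9876      0.0.0.0:*         users:(("octavia-api",pid=1234,fd=5))
LISTEN 0      128    172.16.2.10:9876    0.0.0.0:*         users:(("httpd",pid=2345,fd=4))
"""

# Constructed sample showing issue 3: the API binds the network address
# itself and no httpd proxy exists.
SS_BAD = """\
LISTEN 0      128    172.16.2.10:9876    0.0.0.0:*         users:(("octavia-api",pid=1234,fd=5))
"""

# Constructed haproxy sections (the ca-file path is a placeholder).
HAPROXY_GOOD = """\
listen octavia
  bind 172.16.2.250:9876 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  server controller-0.internalapi 172.16.2.10:9876 check fall 5 inter 2000 rise 2 ssl verify required ca-file /PLACEHOLDER/ca.crt
"""
HAPROXY_BAD = """\
listen octavia
  bind 172.16.2.250:9876 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  server controller-0.internalapi 172.16.2.10:9876 check fall 5 inter 2000 rise 2
"""

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+?):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
LOOPBACK = ("127.0.0.1", "::1")


def parse_listeners(ss_output):
    """Return (process, address, port) tuples from `ss -ltnp` output."""
    found = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            addr, port, proc = m.groups()
            found.append((proc, addr.strip("[]"), int(port)))
    return found


def check_tls_proxy_chain(ss_output, api_port=9876):
    """Return a list of problems; an empty list means the chain looks right."""
    problems = []
    listeners = parse_listeners(ss_output)
    api = [a for proc, a, p in listeners if proc == "octavia-api" and p == api_port]
    proxy = [a for proc, a, p in listeners if proc == "httpd" and p == api_port]
    if not api:
        problems.append("octavia-api is not listening on port %d" % api_port)
    elif any(a not in LOOPBACK for a in api):
        problems.append("octavia-api bound on a non-loopback address (issue 3)")
    if not proxy:
        problems.append("no httpd TLS proxy listening on port %d (issues 1/2)" % api_port)
    elif all(a in LOOPBACK for a in proxy):
        problems.append("httpd proxy only on loopback; unreachable from haproxy")
    return problems


def haproxy_backends_without_ssl(cfg, section="octavia"):
    """Names of 'server' entries in the given haproxy section that lack the
    'ssl' keyword, i.e. backends haproxy would contact in plaintext (issue 4)."""
    missing = []
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = tokens[1] if len(tokens) > 1 else tokens[0]
            continue
        if current == section and tokens[0] == "server" and "ssl" not in tokens[2:]:
            missing.append(tokens[1])
    return missing


if __name__ == "__main__":
    print("good ss:", check_tls_proxy_chain(SS_GOOD))
    print("bad ss:", check_tls_proxy_chain(SS_BAD))
    print("good haproxy:", haproxy_backends_without_ssl(HAPROXY_GOOD))
    print("bad haproxy:", haproxy_backends_without_ssl(HAPROXY_BAD))
```

On a real controller the two inputs would come from `ss -ltnp` run inside the container namespace and from the rendered haproxy.cfg; the functions are pure so they can be pointed at either.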
Brent will look at this.
Patches up for review upstream, still requiring a deployment test.
Approval continues to be delayed due to upstream CI issues. I will update again in the morning.
It shouldn't matter for this deployment case because the Octavia API service is being deployed in the controller node, but for future reference: https://review.openstack.org/#/c/607617/
This bug is ON_QA, but it depends on bug https://bugzilla.redhat.com/show_bug.cgi?id=1661781
Should we proceed or wait?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.