Bug 1613576 - octavia_api_tls_proxy does not work due to missing code and dependencies
Summary: octavia_api_tls_proxy does not work due to missing code and dependencies
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: z3
: 13.0 (Queens)
Assignee: Carlos Goncalves
QA Contact: Alexander Stafeyev
URL:
Whiteboard:
Depends On: 1644747 1661781
Blocks: 1635341
TreeView+ depends on / blocked
 
Reported: 2018-08-07 23:25 UTC by Kellen Gattis
Modified: 2021-12-10 16:59 UTC (History)
24 users (show)

Fixed In Version: puppet-tripleo-8.3.4-10.el7ost openstack-tripleo-heat-templates-8.0.4-31.el7ost openstack-tripleo-common-8.6.3-15.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1635341 (view as bug list)
Environment:
Last Closed: 2019-03-14 13:54:51 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Internal TLS patch for Octavia (6.61 KB, patch)
2018-08-07 23:25 UTC, Kellen Gattis 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1789303 0 None None None 2018-08-27 21:12:41 UTC
OpenStack gerrit 597038 0 None MERGED Enable TLS in the internal network for Octavia API 2021-01-11 13:47:41 UTC
OpenStack gerrit 597039 0 None MERGED Pass parameters for TLS proxy in front of Octavia-API 2021-01-11 13:47:41 UTC
OpenStack gerrit 603220 0 None MERGED Add httpd and mod_ssl packages to octavia api image 2021-01-11 13:48:18 UTC
OpenStack gerrit 607322 0 None MERGED Enable TLS in the internal network for Octavia API 2021-01-11 13:48:18 UTC
OpenStack gerrit 607329 0 None MERGED Pass parameters for TLS proxy in front of Octavia-API 2021-01-11 13:47:41 UTC
Red Hat Bugzilla 1602891 0 high CLOSED Octavia and Barbican fail to deploy along with TLS Everywhere 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker OSP-11516 0 None None None 2021-12-10 16:59:09 UTC
Red Hat Product Errata RHBA-2019:0448 0 None None None 2019-03-14 13:55:04 UTC

Internal Links: 1602891

Description Kellen Gattis 2018-08-07 23:25:10 UTC 
Created attachment 1474127 [details]
Internal TLS patch for Octavia

Description of problem:

After enabling internal TLS and Octavia, an octavia_api_tls_proxy container is created, but will continually restart because httpd cannot be found and won't work even after image dependencies are met due to missing related code involving Octavia and haproxy.

List of issues:
1) httpd and mod_ssl not installed in octavia-api image.
2) httpd conf file (25-octavia-api-proxy.conf) not generated by puppet.  This is needed in order to proxy incoming requests to localhost.
3) Octavia API does not listen on localhost when Internal TLS is enabled.
4) haproxy does not communicate with Octavia API endpoints using SSL when Internal TLS is enabled.
5) Stack updates can block in Step 4 when trying to remove the octavia_api_tls_proxy container due to the octavia_api_tls_proxy container being stuck in a 'restarting' state.

Version-Release number of selected component (if applicable):


How reproducible:
Easy to reproduce

Steps to Reproduce:
1. Enable Octavia
2. Enable Internal TLS
3. Deploy a stack/update the stack

Actual results:
An octavia_api_tls_proxy container is created and fails to start because httpd is missing.

Expected results:
octavia_api_tls_proxy runs without restarting, binds to the Octavia Network API port, and proxies successfully to a localhost Octavia API listener.

Additional info:

In order to fix, a new octavia-api image needs to be built with the httpd and mod_ssl packages installed.

In addition, the following files need to be updated to enable Internal TLS for Octavia.

1) /usr/share/openstack-puppet/modules/tripleo/manifests/haproxy.pp
2) /usr/share/openstack-puppet/modules/tripleo/manifests/profile/base/octavia/api.pp
3) /usr/share/openstack-tripleo-heat-templates/puppet/services/octavia-api.yaml

Patch is attached for the above file updates.
Comment 1 Nir Magnezi 2018-08-08 13:39:43 UTC 
Brent will look at this.
Comment 8 Carlos Goncalves 2018-08-28 10:09:14 UTC 
Patches up for review upstream, still requiring a deployment test.
Comment 33 Brent Eagles 2018-09-24 22:10:23 UTC 
Approval continues to be delayed due to upstream CI issues. I will update again in the morning.
Comment 44 Carlos Goncalves 2018-10-03 15:51:17 UTC 
It shouldn't matter for this deployment case because the Octavia API service is being deployed in the controller node, but for future reference: https://review.openstack.org/#/c/607617/
Comment 59 Bruna Bonguardo 2019-02-19 09:26:01 UTC 
This bug is ON_QA, but it depends on bug https://bugzilla.redhat.com/show_bug.cgi?id=1661781

Should we proceed or wait?
Comment 62 errata-xmlrpc 2019-03-14 13:54:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0448
Note You need to log in before you can comment on or make changes to this bug.