Bug 1651697 - haproxy-bundle needs to be updated with the certificates volume when adding encrypted endpoints on existing overcloud
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-pacemaker
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: z5
: 13.0 (Queens)
Assignee: RHOS Maint
QA Contact: nlevinki
URL:
Whiteboard:
Duplicates: 1679413
Depends On:
Blocks:
Reported: 2018-11-20 15:36 UTC by Boris Deschenes
Modified: 2021-03-21 09:07 UTC (History)

Fixed In Version: puppet-pacemaker-0.7.2-0.20180423212257.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-04 15:00:49 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0448 0 None None None 2019-03-14 13:55:01 UTC

Description Boris Deschenes 2018-11-20 15:36:25 UTC
Description of problem:
On a deployed, working, OSP 13 non-SSL overcloud: deploying with new SSL templates to encrypt public endpoints will fail because the haproxy pacemaker bundle does not get properly updated with the docker volume to read the certificate from.

Version-Release number of selected component (if applicable):
RHOSP 13

How reproducible:
easily, any addition of SSL endpoint encryption on an already deployed cloud will fail

Steps to Reproduce:
1. deploy a classic non-SSL RHOSP 13 overcloud
2. add templates to encrypt endpoints (following official doc) and re-deploy
3. the deployment will fail simply because the haproxy-bundle PCS resource does not get properly updated with the new volume necessary to read the certificate.

Actual results:
deployment will fail at step 3, and looking at the pacemaker status you will see that the haproxy-bundles are down on all controllers as well as the VIPs.

Expected results:
the deployment should finish and enable the encryption of SSL endpoints

Additional info:
We know the problem is directly related to the fact that the haproxy-bundle pcs resource is not able to start; since there is no haproxy running, the deployment fails.  We were able to successfully debug this and add the missing volume to the haproxy-bundle and successfully complete the deployment; this needs to be done automatically.

here is the command we used to fix the haproxy bundle:

pcs resource bundle update haproxy-bundle \
  storage-map add id=haproxy-cert options=ro \
  source-dir=/etc/pki/tls/private/overcloud_endpoint.pem  \
  target-dir=/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/overcloud_endpoint.pem

simply adding the missing volume to the haproxy bundle allowed it to start and the deployment to continue.  It looks like the addition of the etc/pki/tls/private/overcloud_endpoint.pem volume to the haproxy-bundle volumes is done properly when deploying SSL encrypted public endpoints on a new deployment but the existing haproxy-bundle resource is not updated when we do an overcloud deploy on an existing overcloud.
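
Added example, not part of the original report and not Red Hat's fix: a pre-deploy check that reads the Pacemaker CIB XML and reports whether haproxy-bundle already carries the certificate storage mapping from the workaround above, and whether it is mounted read-only. The CIB fragment, image name and function names are constructed for illustration; the bundle id, mapping id and paths are the ones in the report.

```python
import shlex
import xml.etree.ElementTree as ET

# Values taken from the workaround command in the report.
BUNDLE = "haproxy-bundle"
MAP_ID = "haproxy-cert"
SRC = "/etc/pki/tls/private/overcloud_endpoint.pem"
DST = "/var/lib/kolla/config_files/src-tls" + SRC

# Constructed CIB fragment: a bundle as left by a non-SSL deployment.
# The image name and the existing mapping are placeholders.
SAMPLE_CIB = """<cib><configuration><resources>
<bundle id="haproxy-bundle">
  <docker image="registry.example/haproxy:pcmklatest" replicas="3"/>
  <storage>
    <storage-mapping id="haproxy-cfg-files" options="ro"
      source-dir="/var/lib/kolla/config_files/haproxy.json"
      target-dir="/var/lib/kolla/config_files/config.json"/>
  </storage>
</bundle>
</resources></configuration></cib>"""


def cert_mapping_state(cib_xml):
    """Return 'no-bundle', 'missing', 'writable' or 'ok' for the cert mount."""
    root = ET.fromstring(cib_xml)
    # iter() includes the root, so a bare <bundle> document also works.
    bundles = [b for b in root.iter("bundle") if b.get("id") == BUNDLE]
    if not bundles:
        return "no-bundle"
    for m in bundles[0].iter("storage-mapping"):
        if m.get("source-dir") == SRC and m.get("target-dir") == DST:
            # options is a comma-separated mount option list; the
            # private key should only ever be mounted read-only.
            opts = (m.get("options") or "").split(",")
            return "ok" if "ro" in opts else "writable"
    return "missing"


def workaround_command():
    """The pcs command from the report, as an argv list."""
    return ["pcs", "resource", "bundle", "update", BUNDLE,
            "storage-map", "add", f"id={MAP_ID}", "options=ro",
            f"source-dir={SRC}", f"target-dir={DST}"]


if __name__ == "__main__":
    state = cert_mapping_state(SAMPLE_CIB)
    print(state)
    if state == "missing":
        print(shlex.join(workaround_command()))
```

On a controller, the XML would come from `cibadmin --query` instead of the constructed sample.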

Comment 20 PURANDHAR SAIRAM MANNIDI 2019-02-26 01:51:11 UTC
*** Bug 1679413 has been marked as a duplicate of this bug. ***

Comment 23 errata-xmlrpc 2019-03-14 13:54:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0448

