Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1655185

Summary: RFE: TLS Everywhere on non-ctlplane networks
Product: Red Hat OpenStack
Reporter: Mircea Vutcovici <mircea.vutcovici>
Component: openstack-tripleo
Assignee: Ade Lee <alee>
Status: CLOSED DUPLICATE
QA Contact: Arik Chernetsky <achernet>
Severity: high
Priority: high
Docs Contact:
Version: 13.0 (Queens)
CC: aschultz, hrybacki, marjones, mburns, nkinder
Target Milestone: ---
Keywords: FutureFeature, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 12:31:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1661635, 1677001, 1677003
Bug Blocks:

Description Mircea Vutcovici 2018-11-30 21:47:17 UTC
Description of request:
Currently, in order for TLS Everywhere to work properly, it requires setting the IDM server as the DNS server on the ctlplane network in tripleo. This is very limiting in two ways. One, it restricts the IDM server to requiring IPv4, since the ctlplane network requires IPv4. Secondly, and more importantly, since the ctlplane network is isolated in many environments, this means that OpenStack needs to reach out via a masquerade on the ctlplane network in order to reach IDM. This means that all auth traffic and CA renewals must now masquerade through the undercloud. This not only introduces additional load, but also a bottleneck.

Business requirements: The customer needs to be able to use the external/management network to reach the IDM server; those are IPv6 and are routable. Having support for IDM on any network for TLS Everywhere would be a good generic version of the change. The customer also has the requirement that nothing on the overcloud must use the ctlplane masquerade for anything. Additionally, they have the requirement that if the undercloud goes down, it should not disrupt the overcloud.

Functional requirements: TLS Everywhere should be able to use a server accessible by any network, not just the ctlplane. This should work with IPv4 and IPv6.

Test plan: Can test that, without the ctlplane masquerade set and without the DNS server set in the ctlplane network, we can still successfully deploy TLS Everywhere.

Timeline dependencies: This is needed for their planned production rollout of OSP13. Hopefully someone from the customer can chime in with the timeline; all we know is that it's soonish.

Affected packages: something in tripleo, maybe novajoin.

Yes, we can assist in testing this functionality
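An added per-node check for the test plan above (example code written for this page; it is not part of the bug report, tripleo or novajoin): given an overcloud node's /etc/resolv.conf and the output of `ip route get <IdM address>` captured on that node, it flags any DNS or routing dependence on the ctlplane subnet, which is exactly what "nothing on the overcloud must use the ctlplane masquerade" forbids. The function names, the sample addresses and the sample command outputs are constructed for illustration; it works for IPv4 and IPv6 IdM addresses alike.

```python
# Added example (not from the bug report): verify that an overcloud node's
# path to the IdM server stays off the ctlplane network. Function names,
# sample addresses and sample command output are constructed.
import ipaddress


def parse_resolv_conf(text):
    """Return the nameserver addresses in a resolv.conf body, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers


def parse_ip_route_get(text):
    """Parse the first line of `ip route get <dst>` / `ip -6 route get <dst>`.

    Returns a dict with dst, via, dev and src. via/src are ip_address objects,
    or None when the kernel printed no such field (a directly connected
    destination has no 'via', for example).
    """
    tokens = text.strip().splitlines()[0].split()
    if not tokens:
        raise ValueError("empty ip route output")
    route = {"dst": ipaddress.ip_address(tokens[0]),
             "via": None, "dev": None, "src": None}
    for i, tok in enumerate(tokens[:-1]):
        if tok == "via":
            route["via"] = ipaddress.ip_address(tokens[i + 1])
        elif tok == "dev":
            route["dev"] = tokens[i + 1]
        elif tok == "src":
            route["src"] = ipaddress.ip_address(tokens[i + 1])
    return route


def _on(addr, net):
    """True when addr lies inside net (always False across address families)."""
    return addr.version == net.version and addr in net


def check_idm_path(idm_addr, route_output, resolv_text, ctlplane_cidr):
    """Return a list of findings; an empty list means the IdM path avoids ctlplane.

    idm_addr      -- address the node uses for the IdM server (v4 or v6)
    route_output  -- output of `ip route get <idm_addr>` captured on the node
    resolv_text   -- contents of the node's /etc/resolv.conf
    ctlplane_cidr -- the ctlplane subnet (IPv4 in TripleO)
    """
    ctlplane = ipaddress.ip_network(ctlplane_cidr, strict=False)
    idm = ipaddress.ip_address(idm_addr)
    findings = []

    if _on(idm, ctlplane):
        findings.append(f"IdM address {idm} is on the ctlplane subnet {ctlplane}")

    route = parse_ip_route_get(route_output)
    if route["dst"] != idm:
        raise ValueError(f"route output is for {route['dst']}, not {idm}")
    if route["via"] is not None and _on(route["via"], ctlplane):
        findings.append(f"route to IdM goes via ctlplane gateway {route['via']} "
                        f"on {route['dev']} (undercloud masquerade)")
    if route["src"] is not None and _on(route["src"], ctlplane):
        findings.append(f"route to IdM uses ctlplane source address {route['src']}")

    for ns in parse_resolv_conf(resolv_text):
        if _on(ns, ctlplane):
            findings.append(f"nameserver {ns} is on ctlplane, so resolving IdM "
                            f"depends on the undercloud")
    return findings


# Constructed sample 1: the layout the report describes. DNS and the route to
# IdM both go through the undercloud's ctlplane address.
BAD_RESOLV = "search example.test\nnameserver 192.168.24.1\n"
BAD_ROUTE = "10.10.0.5 via 192.168.24.1 dev eth0 src 192.168.24.10 uid 0\n    cache\n"

# Constructed sample 2: the requested layout. IdM sits on a routable IPv6
# network and is resolved and reached over the management interface.
GOOD_RESOLV = "search example.test\nnameserver 2001:db8:100::10\n"
GOOD_ROUTE = ("2001:db8:100::10 from :: via 2001:db8:200::1 dev eth1 "
              "proto static src 2001:db8:200::20 metric 1024 pref medium\n")

if __name__ == "__main__":
    cases = (("current", ("10.10.0.5", BAD_ROUTE, BAD_RESOLV, "192.168.24.0/24")),
             ("requested", ("2001:db8:100::10", GOOD_ROUTE, GOOD_RESOLV, "192.168.24.0/24")))
    for label, args in cases:
        result = check_idm_path(*args)
        print(label, "->", "OK" if not result else "\n  ".join([""] + result))
```

Run it on each overcloud node after deployment with the node's real resolv.conf and `ip route get` output; the first constructed sample yields three findings (ctlplane gateway, ctlplane source address, ctlplane nameserver), the second yields none. The route check uses the source address the kernel selects, so it does not need to know the ctlplane interface name, and an address-family mismatch between the ctlplane subnet and an IPv6 IdM address is treated as "not on ctlplane" rather than as an error.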

Comment 2 Harry Rybacki 2019-06-10 12:31:52 UTC
Required changes for this have already merged. Closing this as DUPLICATE of RHBZ#1661635 -- we have moved the respective Cu. case to that bug for continuity.

*** This bug has been marked as a duplicate of bug 1677003 ***