1661635 – Enable TLS-Everywhere when IdM is not on the ctlplane network

Bug 1661635 - Enable TLS-Everywhere when IdM is not on the ctlplane network

Summary: Enable TLS-Everywhere when IdM is not on the ctlplane network

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	15.0 (Stein)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	15.0 (Stein)
Assignee:	Emilien Macchi
QA Contact:	Pavan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1655185 1677001
TreeView+	depends on / blocked

Reported:	2018-12-21 20:16 UTC by Mark Jones
Modified:	2019-09-26 10:47 UTC (History)
CC List:	8 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-10.5.1-0.20190606110437.b9992d9.el8ost
Doc Type:	Bug Fix
Doc Text:	Previously, when using TLS Everywhere, your controller node was required to access IdM through the `ctlplane` network. As a result, if traffic was routed through a different network, then the overcloud deployment process would fail due to `getcert` errors. To address this, IdM enrolment has been moved into a composable service that runs within `host_prep_tasks`; this runs at the start of the deployment phase. Note that the script will simply exit if the instance has already been enrolled in IdM.
Clone Of:
Clones:	1677001 (view as bug list)
Environment:
Last Closed:	2019-09-21 11:19:41 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
OpenStack gerrit	636434	0	None	MERGED	Move ipa enrollment to host_prep_tasks	2020-08-25 08:49:31 UTC
Red Hat Product Errata	RHEA-2019:2811	0	None	None	None	2019-09-21 11:20:11 UTC

Description Mark Jones 2018-12-21 20:16:03 UTC

Description of problem:

Failures occur during an OSP13 deployment that has TLS Everywhere enabled where access to the IDM server is _not_ via the ctlplane network. 

For example, if access to the IDM server is routed through one of the other controller networks besides ctlplane, then an overcloud node that is being deployed will not be enrolled with IDM and the deployment process will subsequently fail with getcert requests returning errors.

Version-Release number of selected component (if applicable):
OSP13

How reproducible:
Consistently

Steps to Reproduce:
1. Design a configuration where the IDM server is accessible via a network other than ctlplane

2. Deploy an OSP13 configuration with TLS Everywhere enabled

Actual results:
Deployment fails

Expected results:
Deployment succeeds

Additional info:

Comment 10 Harry Rybacki 2019-02-28 16:29:12 UTC

Up and downstream changes have merged. Moving bug to POST.

Comment 13 Martin Lopes 2019-06-11 09:49:58 UTC

Raised BZ#1719194 for docs requirements.

Comment 17 errata-xmlrpc 2019-09-21 11:19:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811

Note You need to log in before you can comment on or make changes to this bug.