Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1693529

Summary: Octavia host set to IP_ADDRESS in tls-everywhere-endpoints-dns.yaml
Product: Red Hat OpenStack
Component: openstack-tripleo-heat-templates
Version: 13.0 (Queens)
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Nick Satsia <nsatsia>
Assignee: Carlos Goncalves <cgoncalves>
QA Contact: Bruna Bonguardo <bbonguar>
CC: asimonel, cgoncalves, chris.smart, josorior, mburns, pkundal, slinaber, sputhenp
Target Milestone: z6
Target Release: 13.0 (Queens)
Keywords: Reopened, Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-8.3.1-2.el7ost
Doc Type: If docs needed, set a value
Last Closed: 2019-06-24 21:33:38 UTC
Type: Bug
Bug Blocks: 1726207

Description Nick Satsia 2019-03-28 06:11:31 UTC
Description of problem:

"/tls-everywhere-endpoints-dns.yaml" is setting Octavia endpoints to IP_ADDRESS which does not make sense since the IDM signed certificates cannot have an IP SAN entry to verify the certificate.

(cloud) [stack@director deployment]$ openstack endpoint list | egrep -i octavia
| 48250fe5373048e7bb11152bee2da6b3 | regionOne | octavia      | load-balancer  | True    | admin     | https://192.168.204.17:9876                                     |
| 565be13b3a814f89b2b764cbb98648da | regionOne | octavia      | load-balancer  | True    | public    | https://cloud.lab.diktio.net:13876                              |
| 711f215615a843068e749bf2d4b27776 | regionOne | octavia      | load-balancer  | True    | internal  | https://192.168.204.17:9876                                     |
(cloud) [stack@director deployment]$


(cloud) [stack@director deployment]$ egrep -i octavia /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml
    OctaviaAdmin: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
    OctaviaInternal: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
    OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
(cloud) [stack@director deployment]$


[root@cloud-controller-0 ~]# curl https://192.168.204.17:9876
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
[root@cloud-controller-0 ~]#

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Configure TLS everywhere with Octavia enabled.

Actual results:


Expected results:


Additional info:
     Bug upstream:
        https://bugs.launchpad.net/tripleo/+bug/1822035

     Fix upstream: 
        https://review.openstack.org/648321
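
A check for the condition this report describes, as an added example that is not part of the bug report or of tripleo-heat-templates: it flags https entries in the endpoint map whose host is IP_ADDRESS, and registered https endpoints addressed by an IP literal. It assumes, as the report states, that the issued certificates carry no IP SAN; the endpoint table rows are constructed sample data and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# EndpointMap lines as quoted in the report.
ENDPOINT_MAP = """\
    OctaviaAdmin: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
    OctaviaInternal: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
    OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
"""
# Constructed `openstack endpoint list` rows (placeholder IDs, documentation addresses).
ENDPOINT_TABLE = """\
+----------+-----------+--------------+---------------+---------+-----------+-----+
| ID       | Region    | Service Name | Service Type  | Enabled | Interface | URL |
| id-admin | regionOne | octavia | load-balancer | True | admin    | https://192.0.2.17:9876          |
| id-pub   | regionOne | octavia | load-balancer | True | public   | https://cloud.example.test:13876 |
| id-int   | regionOne | octavia | load-balancer | True | internal | https://192.0.2.17:9876          |
"""
MAP_LINE = re.compile(
    r"^\s*(\w+):\s*\{protocol:\s*'(\w+)',\s*port:\s*'\d+',\s*host:\s*'([^']+)'\}")

def is_ip_literal(host):
    """True when host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def flag_endpoint_map(text):
    """Names of https EndpointMap entries whose host is the IP_ADDRESS placeholder."""
    hits = []
    for line in text.splitlines():
        m = MAP_LINE.match(line)
        if m and m.group(2) == "https" and m.group(3) == "IP_ADDRESS":
            hits.append(m.group(1))
    return hits

def flag_endpoints(table):
    """(interface, url) pairs for registered https endpoints addressed by IP literal."""
    hits = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7:
            continue  # border or malformed row
        url = urlsplit(cells[6])  # the header row has no scheme and is skipped
        if url.scheme == "https" and url.hostname and is_ip_literal(url.hostname):
            hits.append((cells[5], cells[6]))
    return hits
```
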

Comment 9 errata-xmlrpc 2019-04-30 17:27:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0939