Bug 1693529 - Octavia host set to IP_ADDRESS in tls-everywhere-endpoints-dns.yaml
Summary: Octavia host set to IP_ADDRESS in tls-everywhere-endpoints-dns.yaml
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z6
Target Release: 13.0 (Queens)
Assignee: Carlos Goncalves
QA Contact: Bruna Bonguardo
URL:
Whiteboard:
Depends On:
Blocks: 1726207
Reported: 2019-03-28 06:11 UTC by Nick Satsia
Modified: 2019-07-02 10:31 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-8.3.1-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1726207
Environment:
Last Closed: 2019-06-24 21:33:38 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Launchpad 1822035 0 None None None 2019-03-28 06:13:58 UTC
OpenStack gerrit 648321 0 None MERGED TLS everywhere: switch Octavia to use DNS entries 2020-06-23 12:43:01 UTC
OpenStack gerrit 649334 0 None MERGED TLS everywhere: switch Octavia to use DNS entries 2020-06-23 12:43:01 UTC
Red Hat Product Errata RHBA-2019:0939 0 None None None 2019-04-30 17:27:59 UTC

Description Nick Satsia 2019-03-28 06:11:31 UTC
Description of problem:

"/tls-everywhere-endpoints-dns.yaml" is setting Octavia endpoints to IP_ADDRESS, which does not make sense since the IdM-signed certificates cannot have an IP SAN entry to verify the certificate.

(cloud) [stack@director deployment]$ openstack endpoint list | egrep -i octavia
| 48250fe5373048e7bb11152bee2da6b3 | regionOne | octavia      | load-balancer  | True    | admin     | https://192.168.204.17:9876                                     |
| 565be13b3a814f89b2b764cbb98648da | regionOne | octavia      | load-balancer  | True    | public    | https://cloud.lab.diktio.net:13876                              |
| 711f215615a843068e749bf2d4b27776 | regionOne | octavia      | load-balancer  | True    | internal  | https://192.168.204.17:9876                                     |
(cloud) [stack@director deployment]$


(cloud) [stack@director deployment]$ egrep -i octavia /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml
    OctaviaAdmin: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
    OctaviaInternal: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
    OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
(cloud) [stack@director deployment]$


[root@cloud-controller-0 ~]# curl https://192.168.204.17:9876
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
[root@cloud-controller-0 ~]#

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Configure TLS everywhere with Octavia enabled.
2.
3.

Actual results:


Expected results:


Additional info:
     Bug upstream:
        https://bugs.launchpad.net/tripleo/+bug/1822035

     Fix upstream: 
        https://review.openstack.org/648321
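
As an added illustration (not part of the bug report and not code from openstack-tripleo-heat-templates), the Python below audits the EndpointMap fragment quoted above, plus a list of catalog URLs like the ones in the `openstack endpoint list` output, for TLS endpoints addressed by a literal IP. That combination is exactly what fails hostname verification when the CA issues certificates without an iPAddress SAN, as the `curl: (51)` error shows. The one-line flow-mapping parser is a deliberate simplification of YAML, and the sample inputs are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the three Octavia lines quoted in the bug, in the
# single-line flow-mapping form used by tls-everywhere-endpoints-dns.yaml.
ENDPOINT_MAP_SNIPPET = """
    OctaviaAdmin: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
    OctaviaInternal: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
    OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
"""

# Constructed sample: the rendered endpoint URLs from the catalog listing.
CATALOG_URLS = [
    "https://192.168.204.17:9876",
    "https://cloud.lab.diktio.net:13876",
    "https://192.168.204.17:9876",
]

# Minimal parser for "Name: {key: 'value', ...}" lines only (a simplification;
# the real templates are parsed by PyYAML/Heat). Returns {name: {key: value}}.
_LINE_RE = re.compile(r"^\s*(\w+):\s*\{(.*)\}\s*$")
_PAIR_RE = re.compile(r"(\w+):\s*'([^']*)'")


def parse_endpoint_map(text):
    entries = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        name, body = m.groups()
        entries[name] = dict(_PAIR_RE.findall(body))
    return entries


def audit_endpoint_map(text):
    """Names of https endpoints whose host is the IP_ADDRESS placeholder.

    Such entries render as https://<ip>:<port>; a certificate that carries
    only DNS SANs can never satisfy hostname verification for them.
    """
    findings = []
    for name, fields in parse_endpoint_map(text).items():
        if fields.get("protocol") == "https" and fields.get("host") == "IP_ADDRESS":
            findings.append(name)
    return findings


def https_url_has_ip_host(url):
    """True when an https URL addresses the server by literal IP (v4 or v6).

    Only a certificate with a matching iPAddress SAN verifies for such a URL.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    try:
        ipaddress.ip_address(parts.hostname)  # strips [] for IPv6 already
    except ValueError:
        return False
    return True


def audit_catalog(urls):
    """Filter a list of catalog URLs to the https entries using an IP host."""
    return [u for u in urls if https_url_has_ip_host(u)]


if __name__ == "__main__":
    for name in audit_endpoint_map(ENDPOINT_MAP_SNIPPET):
        print(f"EndpointMap {name}: https endpoint uses IP_ADDRESS host")
    for url in audit_catalog(CATALOG_URLS):
        print(f"catalog: {url} needs an iPAddress SAN to verify")
```

Running the script against the constructed inputs reports OctaviaAdmin and OctaviaInternal from the map and both `https://192.168.204.17:9876` entries from the catalog; the public endpoint, which uses CLOUDNAME and a DNS name, passes. Pointing `audit_endpoint_map` at the full environment file would flag any other service left on IP_ADDRESS for the same reason.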

Comment 9 errata-xmlrpc 2019-04-30 17:27:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0939

