Bug 1777605

Summary: Unable to deploy with TLS Everywhere with management network
Product: Red Hat OpenStack
Reporter: Andrew Austin <aaustin>
Component: openstack-tripleo-heat-templates
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED ERRATA
QA Contact: Jeremy Agee <jagee>
Severity: medium
Priority: medium
Version: 16.1 (Train)
CC: alee, amoralej, ariveral, augol, dwilde, ggrasza, mburns, rmascena
Target Milestone: z3
Keywords: TestOnly, Triaged, ZStream
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20200914170156.el8ost
Last Closed: 2020-12-15 18:35:44 UTC
Type: Bug
Attachments: ansible-errors.json from deployment

Description Andrew Austin 2019-11-27 23:22:56 UTC
Created attachment 1640242: ansible-errors.json from deployment

Description of problem:
I was unable to deploy an overcloud using TLS Everywhere and certmonger-managed public TLS when I enabled the Management network without a VIP being present. The Apache puppet configuration attempts to generate a certificate for that network; however, the service principal is not created due to VIP being set to false in network_data.yaml.

Version-Release number of selected component (if applicable):
OSP15.0.1 using CDN packages

How reproducible:
Attempt to deploy an overcloud using TLS everywhere, certmonger-managed public TLS, and network isolation. Enable the management network on the Controller role.


Actual results:

Ansible error during deployment from Puppet failure (on each controller node):

          "<13>Nov 27 02:02:38 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]/ensure: created",
          "<13>Nov 27 02:02:38 puppet-user: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I httpd-management -f /etc/pki/tls/certs/httpd/httpd-management.crt -c IPA -N CN=hub-controller-2.management.dcnlab.signal9.gg -K HTTP/hub-controller-2.management.dcnlab.signal9.gg -D hub-controller-2.management.dcnlab.signal9.gg -C pkill -USR1 httpd -w -k /etc/pki/tls/private/httpd/httpd-management.key' returned 3: New signing request \"httpd-management\" added.",
          "<13>Nov 27 02:02:38 puppet-user: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]: Could not evaluate: Could not get certificate: Server at https://hub-idm-2.dcnlab.signal9.gg/ipa/xml failed request, will retry: 4001 (RPC failed at server.  The host 'hub-controller-2.management.dcnlab.signal9.gg' does not exist to add a service to.).",
          "<13>Nov 27 02:02:38 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-storage]/Certmonger_certificate[httpd-storage]/ensure: created",

Expected results:

Deployment should succeed

Additional info:

Patching apache-baremetal-puppet.j2.yaml to ignore networks with VIP set to false allows deployment to succeed.
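
Added example, not part of the original report and not TripleO's own code: a pre-deployment check that models the mismatch described above, where an httpd certificate is requested for every enabled network but no IPA entry exists for networks with vip set to false. The network entries, host name and domain are constructed, and the `<host>.<network>.<domain>` label format is an assumption based on the names in the log.

```python
# Constructed sample data using the name / name_lower / vip / enabled keys
# of network_data.yaml. Not taken from the reporter's environment.
NETWORK_DATA = [
    {"name": "InternalApi", "name_lower": "internal_api", "vip": True},
    {"name": "Storage", "name_lower": "storage", "vip": True},
    {"name": "Management", "name_lower": "management", "vip": False},
    {"name": "Tenant", "name_lower": "tenant", "vip": False, "enabled": False},
]


def httpd_cert_networks(networks, skip_without_vip):
    """Networks for which an httpd-<network> certificate would be requested.

    skip_without_vip=False models the behaviour in the report (every enabled
    network); True models the workaround of ignoring vip: false networks.
    """
    selected = []
    for net in networks:
        if not net.get("enabled", True):
            continue
        if skip_without_vip and not net.get("vip", False):
            continue
        selected.append(net["name_lower"])
    return selected


def missing_principals(networks, short_host, domain, skip_without_vip=False):
    """Return HTTP/<fqdn> principals that would be requested but not exist.

    Assumption (from the report): no IPA host or service entry is created
    for a network whose vip is false.
    """
    by_lower = {n["name_lower"]: n for n in networks}
    missing = []
    for name_lower in httpd_cert_networks(networks, skip_without_vip):
        net = by_lower[name_lower]
        if not net.get("vip", False):
            # Assumed label format, same shape as the -K argument in the log.
            fqdn = f"{short_host}.{net['name'].lower()}.{domain}"
            missing.append(f"HTTP/{fqdn}")
    return missing


if __name__ == "__main__":
    for principal in missing_principals(NETWORK_DATA, "controller-0", "example.test"):
        print("certificate request would fail, no IPA entry for", principal)
```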

Comment 3 Lon Hohberger 2020-11-13 11:54:38 UTC
According to our records, this should be resolved by openstack-tripleo-heat-templates-11.3.2-1.20200914170156.el8ost.  This build is available now.

Comment 12 errata-xmlrpc 2020-12-15 18:35:44 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.3 bug fix and enhancement advisory), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:5413