Created attachment 1640242
ansible-errors.json from deployment

Description of problem:
I was unable to deploy an overcloud using TLS Everywhere and certmonger-managed public TLS when I enabled the Management network without a VIP being present. The Apache puppet configuration attempts to generate a certificate for that network; however, the service principal is not created due to VIP being set to false in network_data.yaml.

Version-Release number of selected component (if applicable):
OSP15.0.1 using CDN packages

How reproducible:
Attempt to deploy an overcloud using TLS everywhere, certmonger-managed public TLS, and network isolation. Enable the management network on the Controller role.

Actual results:
Ansible error during deployment from Puppet failure (on each controller node):

"<13>Nov 27 02:02:38 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]/ensure: created",
"<13>Nov 27 02:02:38 puppet-user: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I httpd-management -f /etc/pki/tls/certs/httpd/httpd-management.crt -c IPA -N CN=hub-controller-2.management.dcnlab.signal9.gg -K HTTP/hub-controller-2.management.dcnlab.signal9.gg -D hub-controller-2.management.dcnlab.signal9.gg -C pkill -USR1 httpd -w -k /etc/pki/tls/private/httpd/httpd-management.key' returned 3: New signing request \"httpd-management\" added.",
"<13>Nov 27 02:02:38 puppet-user: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]: Could not evaluate: Could not get certificate: Server at https://hub-idm-2.dcnlab.signal9.gg/ipa/xml failed request, will retry: 4001 (RPC failed at server. The host 'hub-controller-2.management.dcnlab.signal9.gg' does not exist to add a service to.).",
"<13>Nov 27 02:02:38 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-storage]/Certmonger_certificate[httpd-storage]/ensure: created",

Expected results:
Deployment should succeed

Additional info:
Patching apache-baremetal-puppet.j2.yaml to ignore networks with VIP set to false allows deployment to succeed.
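A triage helper for the failure reported above, added here as an example and not part of the original report or of TripleO: it scans Puppet log lines for certmonger requests that IPA rejected because the host entry is missing, and names the network whose `vip` setting in network_data.yaml should be checked. The function name is hypothetical, and deriving the network from the `httpd-<network>` request ID is an assumption based on the IDs shown in the log.

```python
import re

# Sample lines copied from the log in the report above (JSON quoting removed).
SAMPLE = [
    "<13>Nov 27 02:02:38 puppet-user: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I httpd-management -f /etc/pki/tls/certs/httpd/httpd-management.crt -c IPA -N CN=hub-controller-2.management.dcnlab.signal9.gg -K HTTP/hub-controller-2.management.dcnlab.signal9.gg -D hub-controller-2.management.dcnlab.signal9.gg -C pkill -USR1 httpd -w -k /etc/pki/tls/private/httpd/httpd-management.key' returned 3: New signing request \"httpd-management\" added.",
    "<13>Nov 27 02:02:38 puppet-user: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]: Could not evaluate: Could not get certificate: Server at https://hub-idm-2.dcnlab.signal9.gg/ipa/xml failed request, will retry: 4001 (RPC failed at server. The host 'hub-controller-2.management.dcnlab.signal9.gg' does not exist to add a service to.).",
    "<13>Nov 27 02:02:38 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-storage]/Certmonger_certificate[httpd-storage]/ensure: created",
]

# The getcert command line carries the request ID (-I) and the service principal (-K).
GETCERT = re.compile(r"getcert request -I (?P<id>\S+) .*? -K (?P<principal>\S+)")
# The Puppet error carries the failed resource and the host IPA could not find.
FAILED = re.compile(
    r"Certmonger_certificate\[(?P<id>[^\]]+)\]: Could not evaluate: .*?"
    r"The host '(?P<host>[^']+)' does not exist to add a service to"
)


def missing_ipa_hosts(lines):
    """Map each rejected certmonger request ID to the principal it asked for,
    the host IPA reported missing, and the network to check for vip: false."""
    principals, report = {}, {}
    for line in lines:
        req = GETCERT.search(line)
        if req:
            principals[req["id"]] = req["principal"]
        err = FAILED.search(line)
        if err:
            req_id = err["id"]
            report[req_id] = {
                "principal": principals.get(req_id),
                "missing_host": err["host"],
                # Assumption: request IDs are named httpd-<network>, as in the log above.
                "network": req_id.split("-", 1)[1] if "-" in req_id else None,
            }
    return report


if __name__ == "__main__":
    for req_id, info in missing_ipa_hosts(SAMPLE).items():
        print(f"{req_id}: principal {info['principal']} requested, but IPA has no "
              f"host {info['missing_host']}; check vip for network {info['network']!r}")
```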
According to our records, this should be resolved by openstack-tripleo-heat-templates-11.3.2-1.20200914170156.el8ost. This build is available now.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenStack Platform 16.1.3 bug fix and enhancement advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:5413