Bug 1777605 - Unable to deploy with TLS Everywhere with management network
Summary: Unable to deploy with TLS Everywhere with management network
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z3
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: RHOS Maint
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-11-27 23:22 UTC by Andrew Austin
Modified: 2020-12-15 18:36 UTC
CC List: 8 users

Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20200914170156.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-12-15 18:35:44 UTC
Target Upstream Version:
Embargoed:


Attachments
ansible-errors.json from deployment (145.89 KB, text/plain), 2019-11-27 23:22 UTC, Andrew Austin


Links
System                   ID              Status   Summary                                                          Last Updated
Launchpad                1861097         None     None                                                             2020-01-28 12:00:52 UTC
OpenStack gerrit         696842          MERGED   Skip both tenant and management networks when generating certs   2020-12-08 20:06:42 UTC
OpenStack gerrit         718756          MERGED   Skip both tenant and management networks when generating certs   2020-12-08 20:06:42 UTC
OpenStack gerrit         718757          MERGED   Skip both tenant and management networks when generating certs   2020-12-08 20:07:10 UTC
Red Hat Product Errata   RHEA-2020:5413  None     None                                                             2020-12-15 18:36:45 UTC

Description Andrew Austin 2019-11-27 23:22:56 UTC
Created attachment 1640242 [details]
ansible-errors.json from deployment

Description of problem:
I was unable to deploy an overcloud using TLS Everywhere and certmonger-managed public TLS when I enabled the Management network without a VIP being present. The Apache puppet configuration attempts to generate a certificate for that network; however, the service principal is not created due to VIP being set to false in network_data.yaml.

Version-Release number of selected component (if applicable):
OSP15.0.1 using CDN packages

How reproducible:
Attempt to deploy an overcloud using TLS everywhere, certmonger-managed public TLS, and network isolation. Enable the management network on the Controller role.


Actual results:

Ansible error during deployment from Puppet failure (on each controller node):

          "<13>Nov 27 02:02:38 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]/ensure: created",
          "<13>Nov 27 02:02:38 puppet-user: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I httpd-management -f /etc/pki/tls/certs/httpd/httpd-management.crt -c IPA -N CN=hub-controller-2.management.dcnlab.signal9.gg -K HTTP/hub-controller-2.management.dcnlab.signal9.gg -D hub-controller-2.management.dcnlab.signal9.gg -C pkill -USR1 httpd -w -k /etc/pki/tls/private/httpd/httpd-management.key' returned 3: New signing request \"httpd-management\" added.",
          "<13>Nov 27 02:02:38 puppet-user: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]: Could not evaluate: Could not get certificate: Server at https://hub-idm-2.dcnlab.signal9.gg/ipa/xml failed request, will retry: 4001 (RPC failed at server.  The host 'hub-controller-2.management.dcnlab.signal9.gg' does not exist to add a service to.).",
          "<13>Nov 27 02:02:38 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-storage]/Certmonger_certificate[httpd-storage]/ensure: created",

Expected results:

Deployment should succeed

Additional info:

Patching apache-baremetal-puppet.j2.yaml to ignore networks with VIP set to false allows deployment to succeed.
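
As an added illustration (not code from tripleo-heat-templates, the reporter, or the merged gerrit change): a small Python model of which per-network httpd certificates certmonger would be asked to request on a controller, and which of those requests must fail in IdM because the network carries no VIP and therefore no host/service principal was registered for it, as the description above explains. It contrasts the pre-fix behaviour (only the tenant network skipped), the merged fix as its title describes it (tenant and management skipped), and the reporter's workaround of keying on vip: false. The network_data entries, the role network list, the skip sets and all function names are constructed for this example.

```python
# Added example, not code from tripleo-heat-templates. Models the per-network
# certmonger requests TripleO's certmonger profile issues for httpd and flags
# the ones that cannot succeed because the network has no VIP (assumption
# taken from the bug description: no IdM host/service principal exists for
# <host>.<network>.<domain> on such networks).

# Constructed sample of network_data.yaml entries (not the reporter's file).
# Field names follow TripleO's network_data.yaml: name, name_lower, vip.
NETWORK_DATA = [
    {"name": "External",    "name_lower": "external",     "vip": True},
    {"name": "InternalApi", "name_lower": "internal_api", "vip": True},
    {"name": "Storage",     "name_lower": "storage",      "vip": True},
    {"name": "StorageMgmt", "name_lower": "storage_mgmt", "vip": True},
    {"name": "Tenant",      "name_lower": "tenant",       "vip": False},
    {"name": "Management",  "name_lower": "management",   "vip": False},
]

# Networks attached to the Controller role in this constructed roles_data.
CONTROLLER_NETWORKS = ["External", "InternalApi", "Storage",
                       "StorageMgmt", "Tenant", "Management"]

# Hypothetical skip sets: before the fix only tenant was skipped; the merged
# change skips tenant and management (per its title on this page).
SKIP_BEFORE_FIX = {"tenant"}
SKIP_AFTER_FIX = {"tenant", "management"}


def cert_networks(role_networks, network_data, skip):
    """Return the network_data entries an httpd certificate would be requested for."""
    by_name = {n["name"]: n for n in network_data}
    return [by_name[name] for name in role_networks
            if name in by_name and by_name[name]["name_lower"] not in skip]


def getcert_request(hostname, domain, net):
    """Build a getcert command line of the shape seen in the reporter's log."""
    fqdn = f"{hostname}.{net['name_lower']}.{domain}"
    nick = f"httpd-{net['name_lower']}"
    return (f"/usr/bin/getcert request -I {nick} "
            f"-f /etc/pki/tls/certs/httpd/{nick}.crt -c IPA "
            f"-N CN={fqdn} -K HTTP/{fqdn} -D {fqdn} "
            f"-C 'pkill -USR1 httpd' -w "
            f"-k /etc/pki/tls/private/httpd/{nick}.key")


def doomed_requests(role_networks, network_data, skip):
    """Networks that get a cert request although they have no VIP.

    For these, IdM has no host entry for <host>.<net>.<domain>, so the
    request fails the way the report shows (RPC error 4001, host does not
    exist to add a service to).
    """
    return [n["name_lower"]
            for n in cert_networks(role_networks, network_data, skip)
            if not n["vip"]]


def vip_based_skip(network_data):
    """The reporter's workaround: derive the skip set from vip: false."""
    return {n["name_lower"] for n in network_data if not n["vip"]}


if __name__ == "__main__":
    for label, skip in (("before fix", SKIP_BEFORE_FIX),
                        ("after fix", SKIP_AFTER_FIX),
                        ("vip-based", vip_based_skip(NETWORK_DATA))):
        print(label, "doomed:",
              doomed_requests(CONTROLLER_NETWORKS, NETWORK_DATA, skip))
    for net in cert_networks(CONTROLLER_NETWORKS, NETWORK_DATA, SKIP_AFTER_FIX):
        print(getcert_request("hub-controller-2", "dcnlab.signal9.gg", net))
```

Run against your own network_data.yaml and roles_data.yaml before a TLS Everywhere deployment: any network returned by doomed_requests will produce exactly the Puppet/certmonger failure quoted in this report. Note that a name-based skip list (the merged fix) and a vip-based skip (the workaround) agree only as long as every network without a VIP is one of tenant or management; a custom network defined with vip: false would still be caught by the vip-based check but not by the fixed list.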

Comment 3 Lon Hohberger 2020-11-13 11:54:38 UTC
According to our records, this should be resolved by openstack-tripleo-heat-templates-11.3.2-1.20200914170156.el8ost.  This build is available now.

Comment 12 errata-xmlrpc 2020-12-15 18:35:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.3 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:5413
