Description of problem:

When using an existing IPA environment which acts as an intermediate CA, we are not able to access the instances' console via VNC.

We saw that this issue is fixed in BZ[1], and to overcome the issue we have updated the templates by setting the following and re-running the deploy command:

~~~
parameter_defaults:
  LibvirtVncCACert: /etc/ipa/ca.crt
~~~

While going through the official doc[2], it does not even mention using:

LibvirtVncCACert: /etc/ipa/ca.crt

The docs say:

"This specifies the CA certificate to use for VNC TLS. This file will be symlinked to the default CA path, which is /etc/pki/libvirt-vnc/ca-cert.pem. This parameter should be used if the default (which comes from the InternalTLSVncCAFile parameter) is not desired. The current default reflects TripleO’s default CA, which is FreeIPA. It will only be used if internal TLS is enabled."

To configure TLS everywhere, we referred to doc[3]. This chapter only says that it integrates with IPA (which is the only supported way currently, by the way, and could also be mentioned). A direct hint to this necessary configuration parameter at this point in the documentation would be very helpful!!! And this chapter does not even mention about taking care about further Nova config params in.

Extend the OSP 13 docs and give a hint that you need to set:

~~~
parameter_defaults:
  LibvirtVncCACert: /etc/ipa/ca.crt
~~~

[1] https://access.redhat.com/solutions/4180891
[2] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/overcloud_parameters/index#compute-nova-parameters
[3] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/index#sect-Enabling_Internal_SSLTLS_on_the_Overcloud

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Hey Andy, can you set cee_docs_prio on this one?
No response received; Closing with insufficient data.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days