1846812 – haproxy.pp in puppet-tripleo generates wrong haproxy.cfg for SSL-protected rgw instances

Bug 1846812 - haproxy.pp in puppet-tripleo generates wrong haproxy.cfg for SSL-protected rgw instances

Summary: haproxy.pp in puppet-tripleo generates wrong haproxy.cfg for SSL-protected rg...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	puppet-tripleo
Sub Component:
Version:	16.0 (Train)
Hardware:	All
OS:	All
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	16.1 (Train on RHEL 8.2)
Assignee:	Francesco Pantano
QA Contact:	Yogev Rabl
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	1856923 1866036 (view as bug list)
Depends On:
Blocks:	1701416
TreeView+	depends on / blocked

Reported:	2020-06-14 17:37 UTC by Shailesh Chhabdiya
Modified:	2023-10-06 20:36 UTC (History)
CC List:	17 users (show)
Fixed In Version:	puppet-tripleo-11.5.0-0.20200616033427.8ff1c6a.el8ost
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-07-29 07:53:11 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	735376	None	MERGED	Make haproxy.pp honor EnableInternalTLS for rgw	2021-02-09 21:20:56 UTC
OpenStack gerrit	735561	None	MERGED	Make haproxy.pp honor EnableInternalTLS for rgw	2021-02-09 21:20:56 UTC
OpenStack gerrit	735563	None	MERGED	Make haproxy.pp honor EnableInternalTLS for rgw	2021-02-09 21:20:55 UTC
Red Hat Product Errata	RHBA-2020:3148	None	None	None	2020-07-29 07:53:32 UTC

Description Shailesh Chhabdiya 2020-06-14 17:37:42 UTC

Description of problem:
haproxy.pp assumes that Ceph rgw instances are always using plaintext and do not support SSL connectivity and hence explicitly ignore internal_tls_member_options even if EnableInternalTLS is active. In setups with SSL-protected rgw instances, this leads to a broken haproxy.cfg configuration file in which the Ceph rgw instances refuse to communicate to HAproxy, reporting an SSL handshake failure.

To the outside world, this leads to 503 errors when trying to communicate to the Ceph rgw instance, effectively making it impossible to use rgw for instance as storage for OpenShift deployments in TLS-everywhere setups.

Version-Release number of selected component (if applicable):
Red Hat OpenStack 16

Additional info:

Upstream Bug: https://bugs.launchpad.net/tripleo/+bug/1883296

Comment 8 Yogev Rabl 2020-06-26 19:12:52 UTC

verified on puppet-tripleo-11.5.0-0.20200616033427.8ff1c6a.el8ost.noarc

Comment 12 Francesco Pantano 2020-07-16 07:37:12 UTC

*** Bug 1856923 has been marked as a duplicate of this bug. ***

Comment 14 errata-xmlrpc 2020-07-29 07:53:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3148

Comment 15 John Fulton 2020-08-10 13:24:36 UTC

*** Bug 1866036 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.