Bug 1875508 - THT fails to deploy Spine and Leaf architecture if TLS everywhere is enabled
Summary: THT fails to deploy Spine and Leaf architecture if TLS everywhere is enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 13.0 (Queens)
Hardware: All
OS: All
high
low
Target Milestone: z16
: 13.0 (Queens)
Assignee: Harald Jensås
QA Contact: David Rosenfeld
URL:
Whiteboard:
Depends On:
Blocks: 1918585
TreeView+ depends on / blocked
 
Reported: 2020-09-03 16:06 UTC by Alex Stupnikov
Modified: 2024-10-01 16:50 UTC (History)
9 users (show)

Fixed In Version: openstack-tripleo-heat-templates-8.4.1-82.el7ost
Doc Type: Enhancement
Doc Text:
This enhancement enables you to override the Orchestration service (heat) parameter, `ServiceNetMap`, for a role when you deploy the overcloud. + On spine-and-leaf (edge) deployments that use TLS-everywhere, hiera interpolation has been problematic when used to map networks on roles. Overriding the ServiceNetMap per role fixes the issues seen in some TLS-everywhere deployments, provides an easier interface, and replaces the need for the more complex hiera interpolation.
Clone Of:
: 1918585 (view as bug list)
Environment:
Last Closed: 2021-06-16 10:58:54 UTC
Target Upstream Version:
Embargoed:
pweeks: needinfo-
pweeks: needinfo-

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1904482 0 None None None 2020-11-17 00:41:45 UTC
OpenStack gerrit 762934 0 None MERGED Make it possible to override ServiceNetMap per-role 2021-02-16 19:11:19 UTC
Red Hat Issue Tracker OSP-386 0 None None None 2022-01-26 02:50:51 UTC
Red Hat Product Errata RHBA-2021:2385 0 None None None 2021-06-16 10:59:26 UTC

Comment 2 Alex Stupnikov 2020-09-03 16:09:29 UTC 
Description of problem:

My troubleshooting may be wrong, please correct me if I miss something.

Customer reported that he is unable to build spine and leaf RHOSP 13 deployment with TLS everywhere:

Aug 31 10:04:24 compute-0 os-collect-config: "Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I libvirt-client-cert -f /etc/pki/libvirt/clientcert.pem -c IPA -N CN= -K libvirt/ -D  -C systemctl reload libvirtd -w -k /etc/pki/libvirt/private/clientkey.pem' returned 2: New signing request \"libvirt-client-cert\" added.",
Aug 31 10:04:24 compute-0 os-collect-config: "Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt[libvirt-client-cert]/Certmonger_certificate[libvirt-client-cert]: Could not evaluate: Could not get certificate: Server at https://idm.example.com/ipa/xml denied our request, giving up: 3007 (RPC failed at server.  'fqdn' is required).",

From what I see there are 3 problems with getcert command: subjectname, principal name and dnsname are not provided.

From THT and puppet-tripleo [1] I can see that NovaLibvirtNetwork is used to define those parameters. Obviously, this wouldn't work if there are a number of compute types with different internal API networks.

There are multiple compute settings generated using NovaLibvirtNetwork from service net mapping, but our documentation recommends to adjust other hieradata parameters [2]. It is not the case for libvirt_certificates_specs.

I kindly ask you to:

1. Help with a workaround (to define role-specific libvirt_certificates_specs)
2. Figure out permanent solution (adjust documentation, modify THT, etc)

P.S. I tried to understand if other *certificates_specs definitions are broken. It looks like apache and haproxy are using dynamic lists of networks and are not affected by this issue. I ask to double-check this anyway.

Thanks in advance.

[1]
https://github.com/openstack/tripleo-heat-templates/blob/stable/queens/puppet/services/nova-libvirt.yaml#L270
https://github.com/openstack/puppet-tripleo/blob/stable/queens/manifests/certmonger/libvirt.pp#L58

[2]
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/spine_leaf_networking/index#assigning-routes-for-roles
Comment 8 Harald Jensås 2020-09-21 17:24:04 UTC 
@Ade, It seems we don't document the libvirt_certificates_specs and libvirt_vnc_certificates_specs, since the spine_leaf_networking book in doc's don't example TLS.

We should enchance the docs.



[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/spine_leaf_networking/index
Comment 47 Harald Jensås 2021-03-16 15:58:46 UTC 
I think one way to verify would be to use the role-based parameter to map some service to a non-default network. If we deploy Compute and Controller roles, we can for example re-map some Nova stuff that is default on 'internal_api' to the 'storage' network.

Ie:

parameter_defaults:
  ControllerServiceNetMap:
    NovaMetadataNetwork: storage
    NovaVncProxyNetwork: storage
    NovaLibvirtNetwork: storage
  ComputeServiceNetMap:
    NovaMetadataNetwork: storage
    NovaVncProxyNetwork: storage
    NovaLibvirtNetwork: storage


Then check that etc/nova.conf ``[vnc]/server_listen`` is set to the node's ip address on the storage network.



Unless we have a spine-and-leaf OSP13 job with TLSe enabled?

Then we should switch that to use the per-role ServiceNetMap functionaly this fix adds, and remove the hiera interpolation overrides.
i.e replace the hiera interpolation overrides as exampled in the doc[1]:


This
----

  Compute1ServiceNetMap:
    NeutronTenantNetwork: tenant1
    NovaApiNetwork: internal_api1
    NovaLibvirtNetwork: internal_api1
    NovaVncProxyNetwork: internal_api1

Not-this
--------

  Compute1ExtraConfig:
    nova::compute::libvirt::vncserver_listen: "%{hiera('internal_api1')}"
    nova::compute::vncserver_proxyclient_address: "%{hiera('internal_api1')}"
    neutron::agents::ml2::ovs::local_ip: "%{hiera('tenant1')}"
    cold_migration_ssh_inbound_addr: "%{hiera('internal_api1')}"
    live_migration_ssh_inbound_addr: "%{hiera('internal_api1')}"
    nova::migration::libvirt::live_migration_inbound_addr: "%{hiera('internal_api1')}"
    nova::my_ip: "%{hiera('internal_api1')}"
    tripleo::profile::base::database::mysql::client::mysql_client_bind_address: "%{hiera('internal_api1')}"




https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/spine_leaf_networking/index#assigning-routes-for-roles (step 4.)
Comment 70 errata-xmlrpc 2021-06-16 10:58:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 13.0 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2385
Note You need to log in before you can comment on or make changes to this bug.