Bug 1949168 - Potential SSL issues after qdrouterd image update
Summary: Potential SSL issues after qdrouterd image update
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: z8
: 16.1 (Train on RHEL 8.2)
Assignee: OSP Team
QA Contact: Leonid Natapov
URL:
Whiteboard:
Depends On: 1934440
Blocks: 1949169 1982764 2040605
TreeView+ depends on / blocked
 
Reported: 2021-04-13 15:15 UTC by Martin Magr
Modified: 2022-03-24 10:59 UTC (History)
12 users (show)

Fixed In Version: puppet-tripleo-11.5.0-1.20211215173613.el8ost
Doc Type: Enhancement
Doc Text:
This enhancement prepares your environment for update of the metrics_qdr service to a newer AMQ Interconnect release, which requires import of the CA certificate contents from the Service Telemetry Framework (STF) deployment. Changes are not yet required by administrators when deploying or updating Red Hat OpenStack Service Platform (RHOSP) as the metrics_qdr service has not yet been updated. This functionality is in preparation of the metrics_qdr service update in a future release. + The following procedure will be required once https://bugzilla.redhat.com/show_bug.cgi?id=1949169 has shipped. + This update corrects this problem by providing a new Orchestration service (heat) parameter, `MetricsQdrSSLProfiles`. + To obtain a Red Hat OpenShift TLS certificate, run the following commands: + ---- $ oc get secrets $ oc get secret/default-interconnect-selfsigned -o jsonpath='{.data.ca\.crt}' | base64 -d ---- + Add the `MetricsQdrSSLProfiles` parameter with the contents of your Red Hat OpenShift TLS certificate to a custom environment file: + ---- MetricsQdrSSLProfiles: - name: sslProfile caCertFileContent: | -----BEGIN CERTIFICATE----- ... TOpbgNlPcz0sIoNK3Be0jUcYHVMPKGMR2kk= -----END CERTIFICATE----- ---- + Then, redeploy your overcloud with the `openstack overcloud deploy` command.
Clone Of: 1934440
: 1982764 (view as bug list)
Environment:
Last Closed: 2022-03-24 10:59:23 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 798662 0 None NEW Create SSL certificates from sslProfiles 2021-07-14 14:18:44 UTC
Red Hat Issue Tracker OSP-2610 0 None None None 2022-01-14 08:38:13 UTC
Red Hat Product Errata RHBA-2022:0986 0 None None None 2022-03-24 10:59:50 UTC

Description Martin Magr 2021-04-13 15:15:47 UTC 
+++ This bug was initially created as a clone of Bug #1934440 +++

When qdrouterd image will be updated to recent version we will end up in state where client side will not be able to connect to server side.

We need to make sure the same changes done for OSP13 land to OSP16.
Comment 4 Leif Madsen 2021-05-20 17:32:04 UTC 
@joflynn if you can add this to your tracking list that would be great. The changes made at https://github.com/infrawatch/documentation/pull/187 will need to be unwrapped for OSP16.1 once this is live in 16.1.7 (and 16.2?).

@mmagr can you link the upstream changes for Train (or the downstream backport) that will fix this in 16.1.7? I want to make sure we don't miss this.
Comment 13 Martin Magr 2022-03-08 11:03:38 UTC 
Missing patch in 16.1 is https://github.com/openstack/puppet-tripleo/commit/42bcb193488dcd464a267105b384bf963405895f
Comment 20 Leonid Natapov 2022-03-16 15:12:56 UTC 
fixed.
Comment 25 errata-xmlrpc 2022-03-24 10:59:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.8 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0986
Note You need to log in before you can comment on or make changes to this bug.