Bug 2017849 - FreeIPA isn't cleaned upon overcloud deletion
Summary: FreeIPA isn't cleaned upon overcloud deletion
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: ansible-tripleo-ipa
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: rc
Target Release: 17.0
Assignee: Andre
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks: 1698957
Reported: 2021-10-27 14:29 UTC by Cédric Jeanneret
Modified: 2022-09-21 12:17 UTC

Fixed In Version: python-tripleoclient-16.4.1-0.20211111002004.914709d.el8ost ansible-tripleo-ipa-0.2.3-0.20211110181908.a05078d.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-21 12:17:17 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 817100 0 None NEW Use allovercloud ansible group 2021-11-09 06:54:54 UTC
OpenStack gerrit 817101 0 None NEW Ensure we're using the stackname for the inventory 2021-11-09 06:54:54 UTC
Red Hat Issue Tracker OSP-10574 0 None None None 2021-11-15 12:31:58 UTC
Red Hat Product Errata RHEA-2022:6543 0 None None None 2022-09-21 12:17:41 UTC

Description Cédric Jeanneret 2021-10-27 14:29:49 UTC
Description of problem:
When deploying with TLS-e and FreeIPA, a fair number of hosts and services are added to the IPA - but they aren't cleaned anymore upon overcloud deletion.

It seems the involved playbook[1] is looking for a host group[2] that doesn't exist anymore.
This "certmonger_user" was created when certmonger was still managed by puppet[3], but it seems to be now managed by ansible only. So this "service" isn't created anymore.

Note: since OSP-17 is based on Wallaby, I'm not 100% sure this release is affected by the issue - I thought the move to ansible for certmonger was an OSP-17 RFE... ?


[1] https://opendev.org/x/tripleo-ipa/src/branch/master/tripleo_ipa/playbooks/cli-cleanup-ipa.yml
[2] https://opendev.org/x/tripleo-ipa/src/branch/master/tripleo_ipa/playbooks/cli-cleanup-ipa.yml#L61
[3] https://opendev.org/openstack/tripleo-heat-templates/src/commit/d58efb58e0c39b2ca1585d87fe6d542484b33ad0/deployment/certs/certmonger-user-baremetal-puppet.yaml#L63

How reproducible:
Always (on master)

Steps to Reproduce:
1. deploy an overcloud with TLS-e and FreeIPA
2. delete the overcloud
3. check FreeIPA content

Actual results:
All the hosts and services are still present

Expected results:
They should be removed

Comment 1 Cédric Jeanneret 2021-10-28 06:35:50 UTC
A solution would be to use the "overcloud" group. This should cover everything, while keeping the Undercloud node in IPA.

The only "cons" I can think of:
if an operator deploys some hybrid tls-e/non-tls-e OC, it may try to remove unregistered nodes. But I don't really think this is advised nor even possible.

I'll do a quick test on my lab.
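An added illustration (not code from tripleo-ipa or from this bug's patches) of why a play whose `hosts:` names a group that is absent from the inventory cleans nothing: it resolves a group to its member hosts the way Ansible does, following `children`. The inventory below is a constructed sample in the shape of a tripleo-ansible-inventory export; the group names `certmonger_user`, `overcloud` and `allovercloud` come from this report, the hostnames are made up.

```python
import json

# Constructed sample in the shape of a tripleo-ansible-inventory export
# (groups carrying "children" and "hosts" maps); hostnames are invented.
SAMPLE_INVENTORY = json.loads("""
{
  "Undercloud": {"hosts": {"undercloud": {}}},
  "Controller": {"hosts": {"overcloud-controller-0": {}, "overcloud-controller-1": {}}},
  "Compute": {"hosts": {"overcloud-novacompute-0": {}}},
  "overcloud": {"children": {"Controller": {}, "Compute": {}}},
  "allovercloud": {"children": {"overcloud": {}}}
}
""")


def resolve_group_hosts(inventory, group, _seen=None):
    """Return the set of hosts a play with `hosts: <group>` would target,
    following `children` recursively. A group missing from the inventory
    resolves to no hosts, which is how a cleanup play silently does nothing."""
    seen = _seen if _seen is not None else set()
    if group in seen or group not in inventory:
        return set()
    seen.add(group)
    entry = inventory[group] or {}
    hosts = set((entry.get("hosts") or {}).keys())
    for child in (entry.get("children") or {}):
        hosts |= resolve_group_hosts(inventory, child, seen)
    return hosts


def cleanup_preflight(inventory, target_group, keep_group="Undercloud"):
    """Preflight for an IPA cleanup play: does the target group exist, which
    hosts would be deregistered, and would any host of `keep_group` (the
    undercloud, which must stay enrolled in IPA) be hit by mistake."""
    hosts = resolve_group_hosts(inventory, target_group)
    keep = resolve_group_hosts(inventory, keep_group)
    return {
        "group_exists": target_group in inventory,
        "hosts": sorted(hosts),
        "would_remove_kept": sorted(hosts & keep),
    }


if __name__ == "__main__":
    for group in ("certmonger_user", "overcloud", "allovercloud"):
        print(group, cleanup_preflight(SAMPLE_INVENTORY, group))
```

Run against a real inventory (for example the YAML tripleo-ansible-inventory writes, loaded with PyYAML), an empty `hosts` list for the cleanup play's group is the signal that deletion will leave every overcloud host and service enrolled.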

Comment 2 Cédric Jeanneret 2021-10-29 06:29:34 UTC
This issue actually blocks the RFE (just found it) moving Certmonger management from puppet to ansible. Adding the link for a better tracking.

RFE: https://bugzilla.redhat.com/show_bug.cgi?id=1698957 (check flags, it's for 17.0 - so we'll need to see some backports to wallaby.)

Comment 4 Cédric Jeanneret 2021-11-09 06:56:18 UTC
Note:
there are actually 2 issues here. One is, indeed, the "wrong" inventory group, corrected in tripleo-ipa. The other one is a bug in tripleoclient, where we forgot to pass the stackname when linking to the inventory.

Both patches are being actively backported.

Comment 10 errata-xmlrpc 2022-09-21 12:17:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543