2126725 – Custom CA cert location breaks OVN in tls-e deployments

Bug 2126725 - Custom CA cert location breaks OVN in tls-e deployments [NEEDINFO]

Summary: Custom CA cert location breaks OVN in tls-e deployments

Keywords:
Status:	ASSIGNED
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	17.1 (Wallaby)
Hardware:	All
OS:	All
Priority:	medium
Severity:	low
Target Milestone:	z2
Target Release:	17.1
Assignee:	Brendan Shephard
QA Contact:	Maor
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-09-14 10:54 UTC by Brendan Shephard
Modified:	2023-08-14 14:01 UTC (History)
CC List:	6 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-14.3.1-1.20221118011425.fc038b6.el9ost
Doc Type:	Known Issue
Doc Text:	Hard-coded certificate location operates independently of user-provided values. During deployment with custom certificate locations, services do not retrieve information from API endpoints because Transport Layer Security (TLS) verification fails.
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
Flags:	jamsmith: needinfo? (bshephar)

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1989535	None	None	None	2022-09-14 10:54:56 UTC
OpenStack gerrit	857583	None	master: MERGED	tripleo-heat-templates: Fix tls-e CA cert declaration for OVN (I28a4d173505a194c8a735e8b2e1c6f2589338730)	2022-12-12 20:19:16 UTC
OpenStack gerrit	857586	None	master: MERGED	tripleo-heat-templates: Fix tls-e CA cert declaration for FRR (I3ac3f21fa8c460e56e02be940b237cb0737583f5)	2022-12-12 20:19:21 UTC
Red Hat Issue Tracker	OSP-18702	None	None	None	2022-09-14 11:08:09 UTC

Description Brendan Shephard 2022-09-14 10:54:57 UTC

Description of problem:
If the user provides a InternalTLSCAFile: path other than the default /etc/ipa/ca.crt file. It will break OVN and FRR as we don't pass this parameter to the Ansible roles used to deploy them.

See the related upstream Bug:
https://bugs.launchpad.net/tripleo/+bug/1989535

Version-Release number of selected component (if applicable):
17.0

How reproducible:
Easily

Steps to Reproduce:
1. Define a non-standard location for your IPA CA certificate
parameter_defaults:
  InternalTLSCAFile: /etc/ipa/test_ca.crt
2. Run the deployment
3. Observe the failure mentioned in the Launchpad within Neutron:


Actual results:
2022-09-14 04:37:15.168 2 ERROR neutron.service [None req-dd2e09b0-c8e3-44d8-acb9-9e540de833b1 - - - - - -] Unrecoverable error: please check log for details.: Exception: Could not retrieve schema from ssl:192.168.2.79:6642

Expected results:
The correct location for the CA certificate should be passed as a variable to the Ansible role when called.

Additional info:
Patched by:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/857583

And for FRR:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/857586

Note You need to log in before you can comment on or make changes to this bug.