Bug 2126725 - Custom CA cert location breaks OVN in tls-e deployments [NEEDINFO]
Summary: Custom CA cert location breaks OVN in tls-e deployments
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.1 (Wallaby)
Hardware: All
OS: All
Priority: medium
Severity: low
Target Milestone: z2
Target Release: 17.1
Assignee: Brendan Shephard
QA Contact: Maor
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-09-14 10:54 UTC by Brendan Shephard
Modified: 2023-08-14 14:01 UTC
CC List: 6 users

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-1.20221118011425.fc038b6.el9ost
Doc Type: Known Issue
Doc Text:
The CA certificate location used for OVN and FRR is hard-coded and does not follow the user-provided InternalTLSCAFile value. When a deployment uses a custom certificate location, these services cannot retrieve information from API endpoints because Transport Layer Security (TLS) verification fails.
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
Flags: jamsmith: needinfo? (bshephar)




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1989535 | 0 | None | None | None | 2022-09-14 10:54:56 UTC
OpenStack gerrit | 857583 | 0 | None | master: MERGED | tripleo-heat-templates: Fix tls-e CA cert declaration for OVN (I28a4d173505a194c8a735e8b2e1c6f2589338730) | 2022-12-12 20:19:16 UTC
OpenStack gerrit | 857586 | 0 | None | master: MERGED | tripleo-heat-templates: Fix tls-e CA cert declaration for FRR (I3ac3f21fa8c460e56e02be940b237cb0737583f5) | 2022-12-12 20:19:21 UTC
Red Hat Issue Tracker | OSP-18702 | 0 | None | None | None | 2022-09-14 11:08:09 UTC

Description Brendan Shephard 2022-09-14 10:54:57 UTC
Description of problem:
If the user provides an InternalTLSCAFile: path other than the default /etc/ipa/ca.crt file, it will break OVN and FRR, as we don't pass this parameter to the Ansible roles used to deploy them.

See the related upstream Bug:
https://bugs.launchpad.net/tripleo/+bug/1989535

Version-Release number of selected component (if applicable):
17.0

How reproducible:
Easily

Steps to Reproduce:
1. Define a non-standard location for your IPA CA certificate
parameter_defaults:
  InternalTLSCAFile: /etc/ipa/test_ca.crt
2. Run the deployment
3. Observe the failure mentioned in the Launchpad within Neutron:


Actual results:
2022-09-14 04:37:15.168 2 ERROR neutron.service [None req-dd2e09b0-c8e3-44d8-acb9-9e540de833b1 - - - - - -] Unrecoverable error: please check log for details.: Exception: Could not retrieve schema from ssl:192.168.2.79:6642

Expected results:
The correct location for the CA certificate should be passed as a variable to the Ansible role when called.

Additional info:
Patched by:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/857583

And for FRR:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/857586
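Added example, not part of the bug report or of tripleo-heat-templates: a preflight check for the failure mode described above. It takes the InternalTLSCAFile value from the deployer's environment file and compares it with the CA path that the rendered OVN configuration actually uses, so a role that still points at the hard-coded /etc/ipa/ca.crt shows up before Neutron fails with "Could not retrieve schema from ssl:...". The neutron [ovn] options ovn_nb_ca_cert and ovn_sb_ca_cert are real; the `ovs-vsctl get-ssl` output format is assumed from its usual form, and all inputs are constructed samples, so the script runs offline. On a real node you would feed it the environment file, /var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/ml2/ml2_conf.ini and the output of `ovs-vsctl get-ssl` (paths assumed for 17.x containers).

```python
"""Preflight check: does every OVN TLS consumer use the deployer's CA file?

Added example for this bug, not project code. Inputs below are constructed.
"""
import configparser
import re
from typing import Dict, List

DEFAULT_CA = "/etc/ipa/ca.crt"           # default InternalTLSCAFile per the report
NEUTRON_CA_KEYS = ("ovn_nb_ca_cert", "ovn_sb_ca_cert")  # real neutron [ovn] options

# --- constructed sample inputs ------------------------------------------------
SAMPLE_ENV = """\
parameter_defaults:
  InternalTLSCAFile: /etc/ipa/test_ca.crt
"""

# Rendered the way the buggy templates did it: the CA path never saw the parameter.
BUGGY_ML2_CONF = """\
[ovn]
ovn_nb_connection = ssl:192.168.2.79:6641
ovn_sb_connection = ssl:192.168.2.79:6642
ovn_nb_ca_cert = /etc/ipa/ca.crt
ovn_sb_ca_cert = /etc/ipa/ca.crt
"""
# Assumed shape of `ovs-vsctl get-ssl` output on a compute/controller node.
BUGGY_GET_SSL = """\
Private key: /etc/pki/tls/private/ovn_controller.key
Certificate: /etc/pki/tls/certs/ovn_controller.crt
CA Certificate: /etc/ipa/ca.crt
Bootstrap: false
"""
# What the same files look like once the parameter is passed through.
FIXED_ML2_CONF = BUGGY_ML2_CONF.replace("/etc/ipa/ca.crt", "/etc/ipa/test_ca.crt")
FIXED_GET_SSL = BUGGY_GET_SSL.replace("/etc/ipa/ca.crt", "/etc/ipa/test_ca.crt")


def expected_ca_from_env(env_text: str) -> str:
    """CA path the deployer asked for in parameter_defaults, or the default."""
    m = re.search(r"^\s*InternalTLSCAFile:\s*(\S+)\s*$", env_text, re.M)
    return m.group(1) if m else DEFAULT_CA


def ca_paths_from_ini(ini_text: str) -> Dict[str, str]:
    """Map 'section/option' -> path for every CA option in an oslo.config INI."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {
        f"{section}/{key}": cp.get(section, key)
        for section in cp.sections()
        for key in NEUTRON_CA_KEYS
        if cp.has_option(section, key)
    }


def ca_path_from_get_ssl(text: str) -> Dict[str, str]:
    """Pull the CA line out of `ovs-vsctl get-ssl` output (format assumed)."""
    m = re.search(r"^CA Certificate:\s*(\S+)", text, re.M)
    return {"ovs-vsctl get-ssl/CA Certificate": m.group(1)} if m else {}


def find_mismatches(expected: str, observed: Dict[str, str]) -> List[str]:
    """Every observed CA setting that differs from the deployer's path."""
    return sorted(
        f"{where}: uses {path}, expected {expected}"
        for where, path in observed.items()
        if path != expected
    )


def check_deployment(env_text: str, ml2_conf: str, get_ssl: str) -> List[str]:
    """Return a list of findings; an empty list means every consumer agrees."""
    expected = expected_ca_from_env(env_text)
    observed = {**ca_paths_from_ini(ml2_conf), **ca_path_from_get_ssl(get_ssl)}
    return find_mismatches(expected, observed)


if __name__ == "__main__":
    for label, conf, ssl_out in (("buggy", BUGGY_ML2_CONF, BUGGY_GET_SSL),
                                 ("fixed", FIXED_ML2_CONF, FIXED_GET_SSL)):
        problems = check_deployment(SAMPLE_ENV, conf, ssl_out)
        print(f"{label}: {'OK' if not problems else 'MISMATCH'}")
        for p in problems:
            print("  ", p)
```

Run against the buggy rendering it flags all three CA settings still pointing at /etc/ipa/ca.crt; against the fixed rendering it reports nothing. A mismatch here is exactly the condition under which ovsdb schema retrieval over ssl:...:6642 fails verification, so this is worth running before trusting a tls-e overcloud that uses a non-default CA path.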

