2167524 – overcloud keystone container fails with openidc auth type

Bug 2167524 - overcloud keystone container fails with openidc auth type

Summary: overcloud keystone container fails with openidc auth type

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	puppet-keystone
Sub Component:
Version:	17.1 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	beta
Target Release:	17.1
Assignee:	Dave Wilde
QA Contact:	Jeremy Agee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-02-06 22:08 UTC by Jeremy Agee
Modified:	2023-08-22 13:53 UTC (History)
CC List:	8 users (show)
Fixed In Version:	puppet-keystone-18.6.1-1.20230218001345.67ff287.el9ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-08-16 01:13:41 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	873358	None	MERGED	OIDC: Make sure the dependent auth modules are loaded	2023-02-20 05:52:04 UTC
OpenStack gerrit	873779	None	MERGED	OIDC: Make sure the dependent auth modules are loaded	2023-02-20 05:51:50 UTC
Red Hat Issue Tracker	OSP-22101	None	None	None	2023-02-06 22:10:35 UTC
Red Hat Product Errata	RHEA-2023:4577	None	None	None	2023-08-16 01:14:03 UTC

Description Jeremy Agee 2023-02-06 22:08:51 UTC

Description of problem:
[stack@undercloud-0 ~]$ cat core_puddle_version
RHOS-17.1-RHEL-9-20230131.n.2

Controller error in keystone pod:
+ exec /usr/sbin/httpd -DFOREGROUND
AH00526: Syntax error on line 55 of /etc/httpd/conf.d/10-keystone_wsgi.conf:
Invalid command 'AuthType', perhaps misspelled or defined by a module not included in the server configuration

Controller config in keystone pod for line 55:
conf.d/10-keystone_wsgi.conf
  <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
      AuthType openid-connect
      Require valid-user
  </LocationMatch>

The openidc modules is loaded before the line 55 error.
  ## WSGI configuration
  WSGIApplicationGroup %{GLOBAL}
  WSGIDaemonProcess keystone display-name=keystone group=keystone processes=8 threads=1 user=keystone
  WSGIProcessGroup keystone
  WSGIScriptAlias / "/var/www/cgi-bin/keystone/keystone"
  WSGIPassAuthorization On
  LoadModule auth_openidc_module modules/mod_auth_openidc.so

apache inside the keystone pod has the following versions:
httpd-core-2.4.53-10.el9.x86_64
httpd-2.4.53-10.el9.x86_64
mod_auth_openidc-2.4.9.4-1.el9.x86_64


How reproducible:
Always

Steps to Reproduce:
1. deploy overcloud with keystone openidc tripleo template

Actual results:
Deploy fails when the keystone container fails

Expected results:
deploy succeeds

Comment 20 errata-xmlrpc 2023-08-16 01:13:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577

Note You need to log in before you can comment on or make changes to this bug.