Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2167524

Summary: overcloud keystone container fails with openidc auth type
Product: Red Hat OpenStack Reporter: Jeremy Agee <jagee>
Component: puppet-keystoneAssignee: Dave Wilde <dwilde>
Status: CLOSED ERRATA QA Contact: Jeremy Agee <jagee>
Severity: high Docs Contact:
Priority: high    
Version: 17.1 (Wallaby)CC: dwilde, jjoyce, jschluet, mgarciac, oblaut, slinaber, tkajinam, tvignaud
Target Milestone: betaKeywords: Triaged
Target Release: 17.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: puppet-keystone-18.6.1-1.20230218001345.67ff287.el9ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-16 01:13:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeremy Agee 2023-02-06 22:08:51 UTC 
Description of problem:
[stack@undercloud-0 ~]$ cat core_puddle_version
RHOS-17.1-RHEL-9-20230131.n.2

Controller error in keystone pod:
+ exec /usr/sbin/httpd -DFOREGROUND
AH00526: Syntax error on line 55 of /etc/httpd/conf.d/10-keystone_wsgi.conf:
Invalid command 'AuthType', perhaps misspelled or defined by a module not included in the server configuration

Controller config in keystone pod for line 55:
conf.d/10-keystone_wsgi.conf
  <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
      AuthType openid-connect
      Require valid-user
  </LocationMatch>

The openidc modules is loaded before the line 55 error.
  ## WSGI configuration
  WSGIApplicationGroup %{GLOBAL}
  WSGIDaemonProcess keystone display-name=keystone group=keystone processes=8 threads=1 user=keystone
  WSGIProcessGroup keystone
  WSGIScriptAlias / "/var/www/cgi-bin/keystone/keystone"
  WSGIPassAuthorization On
  LoadModule auth_openidc_module modules/mod_auth_openidc.so

apache inside the keystone pod has the following versions:
httpd-core-2.4.53-10.el9.x86_64
httpd-2.4.53-10.el9.x86_64
mod_auth_openidc-2.4.9.4-1.el9.x86_64


How reproducible:
Always

Steps to Reproduce:
1. deploy overcloud with keystone openidc tripleo template

Actual results:
Deploy fails when the keystone container fails

Expected results:
deploy succeeds
Comment 20 errata-xmlrpc 2023-08-16 01:13:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577