tripleo doesn't set the secure_proxy_ssl_header for nova.conf

Bug #1606863 reported by Marios Andreou
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Marios Andreou

Bug Description

As discussed at https://bugzilla.redhat.com/show_bug.cgi?id=1351255 we miss setting the secure_proxy_ssl_header option for nova [1]. We *are* setting it for keystone in the controller hieradata at [2].

On master this can go into the nova-api service definition, whilst in stable/mitaka (which is what the reference BZ is opened against) it would go into controller hiera, I think.

Reviews incoming. One note is that I can't see secure_proxy_ssl_header in puppet-nova [3] so I will just use the nova::config::nova_config to set the value for now.

[1] http://docs.openstack.org/mitaka/config-reference/compute/config-options.html#nova-api

[2] https://github.com/openstack/tripleo-heat-templates/blob/5195d7f8910f7d1ce0895caa133b028a727f8622/puppet/hieradata/controller.yaml#L73

[3] https://github.com/openstack/puppet-nova

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/347749

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/347806

Marios Andreou (marios-b) wrote :

So:

the reason I couldn't see the secure_proxy_ssl_header option in puppet-nova was because I was looking in master. Thanks to bnemec, I now understand that in master this option has indeed been removed, in favor of using oslo middleware for the header parsing [1][2].

On master tripleo-heat-templates this has in fact been addressed already by https://review.openstack.org/#/c/323792/1 which makes it so nova uses the oslo middleware for the header parsing.

This header parsing module isn't available in mitaka, so we can have a mitaka only fixup which sets the secure_proxy_ssl_header option, which *is* in fact there if you look on mitaka branch ;) [3].

I will thus abandon the review to master and have just posted an update to the mitaka review. Extra comments to justify the 'mitaka only'.

thanks!

[1] https://github.com/openstack/puppet-nova/blob/0391f2c40d1bb9c062f4fd70dcfa3b77a440866e/manifests/api.pp#L107
[2] http://docs.openstack.org/developer/oslo.middleware/api.html#oslo_middleware.secure_proxy_ssl_header
[3] https://github.com/openstack/puppet-nova/blob/stable/mitaka/manifests/api.pp#L139
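
What the option under discussion controls, as an added example that is not nova's or oslo.middleware's code: behind a TLS-terminating proxy the backend sees plain HTTP, and the header named by secure_proxy_ssl_header tells it which scheme the client actually used. The application, host name and helper names below are hypothetical.

```python
# Added illustration (not nova or oslo.middleware source): a minimal WSGI
# middleware showing what a secure_proxy_ssl_header setting controls.

SECURE_PROXY_SSL_HEADER = "HTTP_X_FORWARDED_PROTO"  # value used by the fix


class SchemeFromProxyHeader:
    """Copy the scheme announced by the TLS-terminating proxy into
    wsgi.url_scheme so the application builds https:// links."""

    def __init__(self, app, header=SECURE_PROXY_SSL_HEADER):
        self.app = app
        self.header = header

    def __call__(self, environ, start_response):
        scheme = environ.get(self.header, "").strip().lower()
        if scheme in ("http", "https"):  # ignore any other value
            environ["wsgi.url_scheme"] = scheme
        return self.app(environ, start_response)


def version_links_app(environ, start_response):
    """Hypothetical stand-in for an API that returns a self-referencing URL."""
    url = "%s://%s/v2.1/" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"])
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [url.encode()]


def call(app, forwarded_proto=None):
    """Simulate the request as the backend sees it after TLS termination."""
    environ = {  # constructed sample request
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/",
        "HTTP_HOST": "cloud.example.com",
        "wsgi.url_scheme": "http",  # proxy-to-backend hop is plain HTTP
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    body = app(environ, lambda status, headers: None)
    return b"".join(body).decode()


if __name__ == "__main__":
    print(call(version_links_app, "https"))                         # option unset
    print(call(SchemeFromProxyHeader(version_links_app), "https"))  # option set
```

The header is only meaningful when the proxy sets or overwrites it on every request and the backend is not reachable directly, since otherwise a client can supply the value itself.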

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by Marios Andreou (<email address hidden>) on branch: master
Review: https://review.openstack.org/347749
Reason: Abandoning - see previous comments from Ben Nemec and me. I have updated the Bug with more information too. This will be a mitaka-only fixup; the mitaka review at https://review.openstack.org/#/c/347806/ has just been updated, reviews appreciated.

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/mitaka)

Reviewed: https://review.openstack.org/347806
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=175e52d3b02f91b0e67ffd3beef01d6d0312e9b2
Submitter: Jenkins
Branch: stable/mitaka

commit 175e52d3b02f91b0e67ffd3beef01d6d0312e9b2
Author: marios <email address hidden>
Date: Wed Jul 27 15:23:41 2016 +0300

    Set secure_proxy_ssl_header 'HTTP_X_FORWARDED_PROTO' for nova-api

    [mitaka-only] On master I3918f24c0c87cb626a28645b46e3df6360d5f924
    makes it so nova uses the oslo middleware for the header parsing.

    That isn't available in mitaka, so we can set the
    secure_proxy_ssl_header explicitly via hieradata. Note this is
    added to mitaka puppet-nova as an option in change:
    I22deb886706fe71115a04fb52a7051be4783a5c4

    Closes-Bug: 1606863

    Change-Id: I9a5284869d3fca9615d7cbb84705a9cddd0df44a

tags: added: in-stable-mitaka
Changed in tripleo:
status: In Progress → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/tripleo-heat-templates 2.1.0

This issue was fixed in the openstack/tripleo-heat-templates 2.1.0 release.

OpenStack Infra (hudson-openstack) wrote :

This issue was fixed in the openstack/tripleo-heat-templates 2.1.0 release.
