SSL on multi interface deployments - Keystone requests through external VIP fails

Bug #1663076 reported by Ignatious Johnson Christopher
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Status tracked in Trunk | | |
R3.0 | Fix Committed | Low | Ignatious Johnson Christopher |
R3.0.3.x | Fix Committed | Low | Ignatious Johnson Christopher |
R3.1 | Fix Committed | Low | Ignatious Johnson Christopher |
R3.1.1.x | Fix Committed | Low | Ignatious Johnson Christopher |
R3.2 | Fix Committed | Low | Ignatious Johnson Christopher |
Trunk | Fix Committed | Low | Ignatious Johnson Christopher |

Bug Description

In case of clusters with both internal and external VIPs, if the keystone requests are tried through external VIPs (this is the case with docker based sanity), the requests fail with a connection error, as the certificates are configured for the internal VIP only during provisioning.

Tags: provisioning
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/28641
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/28642
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Jeba Paulaiyan (jebap) wrote :

Pre-Requisites for execution of Docker test suite:
1. All the contrail controller hosts and openstack controller hosts should be reachable from the Docker
2. Unreachable computes will be skipped
3. Without the right testbed.py matching the actual contrail cluster, the DCTS scripts will fail.
4. Environment files ‘astute.yaml’ and ‘openrc’ are mandatory files to generate ‘testbed.py’
5. All the service endpoints, both contrail and openstack, should be reachable from the Docker (In case of REST services via VIP)
6. If keystone endpoints are name based, then the names should be resolvable from the Docker
neutron_username specified in testbed.py is the same as found in /etc/contrail/contrail-keystone-auth.conf admin_user

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/28732
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/28733
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/28735
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/28736
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/28737
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/28738
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/28739
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/28740
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1.1.x

Review in progress for https://review.opencontrail.org/28741
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/28742
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0.3.x

Review in progress for https://review.opencontrail.org/28744
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/28745
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/28732
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/7afdaa8522b58009c9e8b9ebdc8db17961137980
Submitter: Zuul (<email address hidden>)
Branch: master

commit 7afdaa8522b58009c9e8b9ebdc8db17961137980
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:40:15 2017 -0800

Revert "In multi interface setup, ssl certs are created with"

This reverts commit b6befdc09ec7031ec9e989d656212c8f9c1e711a.
Also have added subject alternative names with list of
physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
and their vip's.

Change-Id: I098f5a4cb1fcb10c18d65b9d6b65b8e8930393b1
Closes-Bug: 1663076
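
Added example (not code from contrail-fabric-utils or contrail-provisioning): a standard-library Python check that models the failure in the bug description and the subject-alternative-name fix described in the commit message above. The addresses, node list and helper names are constructed for illustration; the certificate dicts use the layout returned by ssl.SSLSocket.getpeercert().

```python
import ipaddress

def san_ips(peercert):
    """Return the IP SAN entries of an ssl.getpeercert()-style dict as a set."""
    ips = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "IP Address":
            ips.add(ipaddress.ip_address(value.strip()))
    return ips

def uncovered_endpoints(peercert, endpoints):
    """List the endpoint IPs a verifying TLS client would reject for this cert.

    Only iPAddress SAN entries are compared; the subject CN is ignored here,
    following RFC 2818's rule for IP identities.
    """
    covered = san_ips(peercert)
    return [e for e in endpoints if ipaddress.ip_address(e) not in covered]

def san_extension(physical_ips, vips):
    """Build an OpenSSL-style subjectAltName value, listing each address once."""
    seen, entries = set(), []
    for addr in list(physical_ips) + list(vips):
        ip = ipaddress.ip_address(addr)
        if ip not in seen:
            seen.add(ip)
            entries.append("IP:%s" % ip)
    return ",".join(entries)

# Constructed sample data (documentation address ranges, not from the bug report).
KEYSTONE_NODES = ["192.0.2.11", "192.0.2.12"]
INTERNAL_VIP = "192.0.2.100"
EXTERNAL_VIP = "198.51.100.100"
ENDPOINTS = KEYSTONE_NODES + [INTERNAL_VIP, EXTERNAL_VIP]

# Modelled on the bug description: certificate issued for the internal VIP only.
CERT_BEFORE = {"subject": ((("commonName", INTERNAL_VIP),),),
               "subjectAltName": (("IP Address", INTERNAL_VIP),)}
# Modelled on the fix: every physical IP and VIP listed in the SAN.
CERT_AFTER = {"subject": ((("commonName", INTERNAL_VIP),),),
              "subjectAltName": tuple(("IP Address", ip) for ip in ENDPOINTS)}

if __name__ == "__main__":
    print("uncovered before:", uncovered_endpoints(CERT_BEFORE, ENDPOINTS))
    print("uncovered after: ", uncovered_endpoints(CERT_AFTER, ENDPOINTS))
    print("subjectAltName =", san_extension(KEYSTONE_NODES,
                                            [INTERNAL_VIP, EXTERNAL_VIP]))
```

Running the same check against the dict returned by getpeercert() on a verified connection to each VIP shows whether a provisioned certificate still omits an address that clients use.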

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/28735
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/915730a416b631593c4eec36448379a1bb9676a8
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 915730a416b631593c4eec36448379a1bb9676a8
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:40:15 2017 -0800

Revert "In multi interface setup, ssl certs are created with"

This reverts commit 142743ad0b3d3ad62e8c42a74a5ebe3a9475d40c.
Also have added subject alternative names with list of
physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
and their vip's.

Change-Id: I098f5a4cb1fcb10c18d65b9d6b65b8e8930393b1
Closes-Bug: 1663076

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/28733
Committed: http://github.org/Juniper/contrail-provisioning/commit/4041f2420e232c5eb582ad9bc520dd302890fbbe
Submitter: Zuul (<email address hidden>)
Branch: master

commit 4041f2420e232c5eb582ad9bc520dd302890fbbe
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:50:23 2017 -0800

Added subject alternative names with list of

physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
ip's and their vip's.

Change-Id: I964763ae73ce46e2f8f7459ec69640851a480887
Closes-Bug: 1663076

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/28736
Committed: http://github.org/Juniper/contrail-provisioning/commit/f082064ab1ef277fcb787928b7eb937aefb4bdcd
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit f082064ab1ef277fcb787928b7eb937aefb4bdcd
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:50:23 2017 -0800

Added subject alternative names with list of

physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
ip's and their vip's.

Change-Id: I964763ae73ce46e2f8f7459ec69640851a480887
Closes-Bug: 1663076

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/28744
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/4fe4d5add53219b3db62e0a0c3ab4e600e3422c7
Submitter: Zuul (<email address hidden>)
Branch: R3.0.3.x

commit 4fe4d5add53219b3db62e0a0c3ab4e600e3422c7
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:40:15 2017 -0800

Revert "In multi interface setup, ssl certs are created with"

This reverts commit 61da0a0089324b326748d6adcd8a84e58fdc9e92.
Also have added subject alternative names with list of
physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
and their vip's.

Change-Id: I098f5a4cb1fcb10c18d65b9d6b65b8e8930393b1
Closes-Bug: 1663076

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/28745
Committed: http://github.org/Juniper/contrail-provisioning/commit/5c463c23da4f2821bd5eda6195aba7b8c8ee46db
Submitter: Zuul (<email address hidden>)
Branch: R3.0.3.x

commit 5c463c23da4f2821bd5eda6195aba7b8c8ee46db
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:50:23 2017 -0800

Added subject alternative names with list of

physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
ip's and their vip's.

Change-Id: I964763ae73ce46e2f8f7459ec69640851a480887
Closes-Bug: 1663076

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/28737
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/28739
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1.1.x

Review in progress for https://review.opencontrail.org/28741
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/28742
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/28740
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/28738
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/28738
Committed: http://github.org/Juniper/contrail-provisioning/commit/d9a1cbdd6679ba24a5cf1217458dbb0b587d336a
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit d9a1cbdd6679ba24a5cf1217458dbb0b587d336a
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:50:23 2017 -0800

Added subject alternative names with list of

physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
ip's and their vip's.

Change-Id: I964763ae73ce46e2f8f7459ec69640851a480887
Closes-Bug: 1663076

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/28740
Committed: http://github.org/Juniper/contrail-provisioning/commit/889ab506ba582acb1b81de8287e239c88f59139f
Submitter: Zuul (<email address hidden>)
Branch: R3.0

commit 889ab506ba582acb1b81de8287e239c88f59139f
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:50:23 2017 -0800

Added subject alternative names with list of

physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
ip's and their vip's.

Change-Id: I964763ae73ce46e2f8f7459ec69640851a480887
Closes-Bug: 1663076

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/28737
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/700c1f36a54814a82ead2a3294dc1477d907a159
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit 700c1f36a54814a82ead2a3294dc1477d907a159
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:40:15 2017 -0800

Revert "In multi interface setup, ssl certs are created with"

This reverts commit ee4823f07d966f854cbe8286999bb95fddb783ee.
Also have added subject alternative names with list of
physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
and their vip's.

Change-Id: I098f5a4cb1fcb10c18d65b9d6b65b8e8930393b1
Closes-Bug: 1663076

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/28739
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/e094beeb4dea8937890b587a69d288512d99ac9d
Submitter: Zuul (<email address hidden>)
Branch: R3.0

commit e094beeb4dea8937890b587a69d288512d99ac9d
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:40:15 2017 -0800

Revert "In multi interface setup, ssl certs are created with"

This reverts commit 8acfa25fec7c0abd8ed6625947c8c6ad4ebfcfd4.
Also have added subject alternative names with list of
physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
and their vip's.

Change-Id: I098f5a4cb1fcb10c18d65b9d6b65b8e8930393b1
Closes-Bug: 1663076

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/28742
Committed: http://github.org/Juniper/contrail-provisioning/commit/1d23ba0647268f846b573d8d07953358661112bb
Submitter: Zuul (<email address hidden>)
Branch: R3.1.1.x

commit 1d23ba0647268f846b573d8d07953358661112bb
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:50:23 2017 -0800

Added subject alternative names with list of

physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
ip's and their vip's.

Change-Id: I964763ae73ce46e2f8f7459ec69640851a480887
Closes-Bug: 1663076

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/28741
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/18633853b1abfe34db02e6f6cce113c25b84f4d9
Submitter: Zuul (<email address hidden>)
Branch: R3.1.1.x

commit 18633853b1abfe34db02e6f6cce113c25b84f4d9
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Feb 14 00:40:15 2017 -0800

Revert "In multi interface setup, ssl certs are created with"

Also have added subject alternative names with list of
physical ip's and vip's in the certificates, so that the
same certificate can be used to secure all the ip's of
keystone nodes and their vips, similarly for all api-servers
and their vip's.

Change-Id: I098f5a4cb1fcb10c18d65b9d6b65b8e8930393b1
Closes-Bug: 1663076

information type: Proprietary → Public