containerized galera does not use SSL in gcomm when enable_internal_tls is set to true

Bug #1708135 reported by Damien Ciabrini
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Juan Antonio Osorio Robles

Bug Description

With the "TLS everywhere" work, galera can now use TLS for the gcomm group communication channel.
This works on non-containerized deployments, but containerized galera deployments do not get configured as expected; they keep using plain unencrypted sockets.

Tags: containers
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/489956

Changed in tripleo:
assignee: nobody → Damien Ciabrini (dciabrin)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/489963

Changed in tripleo:
milestone: none → pike-rc1
importance: Undecided → High
Changed in tripleo:
assignee: Damien Ciabrini (dciabrin) → Juan Antonio Osorio Robles (juan-osorio-robles)
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/489956
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=07f9fa69fa145298a2b33bfed5481b5faccf3544
Submitter: Jenkins
Branch: master

commit 07f9fa69fa145298a2b33bfed5481b5faccf3544
Author: Damien Ciabrini <email address hidden>
Date: Wed Aug 2 06:07:51 2017 -0400

    Enable TLS configuration for containerized Galera

    In non-containerized deployments, Galera can be configured to use TLS
    for gcomm group communication when enable_internal_tls is set to true.

    Fix the creation of the mysql bundle resource to enable TLS when
    configured. The key and cert are passed as other configuration files
    and must be copied by Kolla at container startup.

    Change-Id: If845baa7b0a437c28148c817b7f94d540ca15814
    Partial-Bug: #1708135

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/489963
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=ac79bf92d05bf63a7e5a1075f7533c3b62f8e9e3
Submitter: Jenkins
Branch: master

commit ac79bf92d05bf63a7e5a1075f7533c3b62f8e9e3
Author: Damien Ciabrini <email address hidden>
Date: Wed Aug 2 06:13:48 2017 -0400

    Enable TLS configuration for containerized Galera

    In non-containerized deployments, Galera can be configured to use TLS
    for gcomm group communication when enable_internal_tls is set to true.

    Fix the metadata service definition and update the Kolla configuration
    to make gcomm use TLS in containers, if configured.

    bp tls-via-certmonger-containers

    Change-Id: Ibead27be81910f946d64b8e5421bcc41210d7430
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Closes-Bug: #1708135
    Depends-On: If845baa7b0a437c28148c817b7f94d540ca15814

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 7.0.0.0rc1

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0rc1 release candidate.
