tripleo

containerized galera does not use SSL in gcomm when enable_internal_tls is set to true

Bug #1708135 reported by Damien Ciabrini on 2017-08-02

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Juan Antonio Osorio Robles	tripleo pike-rc1

Bug Description

With the "TLS everywhere" work, galera can now use TLS for the gcomm group communication channel.
This works on non-containerized deployment, but containerized galera deployment do not get configured as expected, they keep using plain unencrypted sockets.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-02: Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/489956

Changed in tripleo:
assignee:	nobody → Damien Ciabrini (dciabrin)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-02: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/489963

Emilien Macchi (emilienm) on 2017-08-02

Changed in tripleo:
milestone:	none → pike-rc1
importance:	Undecided → High

OpenStack Infra (hudson-openstack) on 2017-08-11

Changed in tripleo:
assignee:	Damien Ciabrini (dciabrin) → Juan Antonio Osorio Robles (juan-osorio-robles)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-12: Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/489956
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=07f9fa69fa145298a2b33bfed5481b5faccf3544
Submitter: Jenkins
Branch: master

commit 07f9fa69fa145298a2b33bfed5481b5faccf3544
Author: Damien Ciabrini <email address hidden>
Date: Wed Aug 2 06:07:51 2017 -0400

Enable TLS configuration for containerized Galera

In non-containerized deployments, Galera can be configured to use TLS
for gcomm group communication when enable_internal_tls is set to true.

    Fix the creation of the mysql bundle resource to enable TLS when
    configured. The key and cert are passed as other configuration files
    and must be copied by Kolla at container startup.

Change-Id: If845baa7b0a437c28148c817b7f94d540ca15814
Partial-Bug: #1708135

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-14: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/489963
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=ac79bf92d05bf63a7e5a1075f7533c3b62f8e9e3
Submitter: Jenkins
Branch: master

commit ac79bf92d05bf63a7e5a1075f7533c3b62f8e9e3
Author: Damien Ciabrini <email address hidden>
Date: Wed Aug 2 06:13:48 2017 -0400

Enable TLS configuration for containerized Galera

In non-containerized deployments, Galera can be configured to use TLS
for gcomm group communication when enable_internal_tls is set to true.

Fix the metadata service definition and update the Kolla configuration
to make gcomm use TLS in containers, if configured.

bp tls-via-certmonger-containers

    Change-Id: Ibead27be81910f946d64b8e5421bcc41210d7430
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Closes-Bug: #1708135
    Depends-On: If845baa7b0a437c28148c817b7f94d540ca15814

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-24: Fix included in openstack/tripleo-heat-templates 7.0.0.0rc1

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.