TLS everywhere: Compute nodes request neutron cert and fail

Bug #1754363 reported by Juan Antonio Osorio Robles
Affects    Status         Importance   Assigned to   Milestone
tripleo    Fix Released   Critical     Tim Rozet

Bug Description

While trying to deploy TLS everywhere, given that we set the neutron cert specs in the neutron-base yaml, every node tries to request a certificate for neutron. However, not all neutron services output metadata_settings that would actually create a service principal that enables the usage of that cert. Hence, when we deploy, we get the following error:

            "Error: /Stage[main]/Tripleo::Certmonger::Neutron/Certmonger_certificate[neutron]: Could not evaluate: Could not get certificate: Server at https://freeipa-0.redhat.local/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry '<email address hidden>,cn=services,cn=accounts,dc=redhat,dc=local'.).",
            "Warning: /Stage[main]/Tripleo::Certmonger::Neutron/File[/etc/pki/tls/certs/neutron.crt]: Skipping because of failed dependencies",
            "Warning: /Stage[main]/Tripleo::Certmonger::Neutron/File[/etc/pki/tls/private/neutron.key]: Skipping because of failed dependencies",
            "Warning: /Stage[main]/Tripleo::Certmonger::Ca::Crl/File[tripleo-ca-crl]: Skipping because of failed dependencies",
            "Warning: /Stage[main]/Tripleo::Certmonger::Ca::Crl/Exec[tripleo-ca-crl-process-command]: Skipping because of failed dependencies",
            "Warning: /Stage[main]/Tripleo::Certmonger::Ca::Crl/Cron[tripleo-refresh-crl-file]: Skipping because of failed dependencies"

Changed in tripleo:
status: New → Triaged
importance: Undecided → Critical
milestone: none → rocky-1
Tim Rozet (trozet)
Changed in tripleo:
assignee: nobody → Tim Rozet (trozet)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/550882

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/550882
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=df31016a9af5003533f80989bcb8d3da42099953
Submitter: Zuul
Branch: master

commit df31016a9af5003533f80989bcb8d3da42099953
Author: Tim Rozet <email address hidden>
Date: Thu Mar 8 10:59:14 2018 -0500

    Fixes certificate generation error for Neutron agents

    TLS certificates were introduced for the Neutron Base service in order
    for Neutron to securely communicate with OVS via SSL/TLS. However, the
    implementation only required Neutron DHCP agent (ODL deployment) to use
    the certificates. The other OVS agents are not used in ODL deployments
    and SSL/TLS use there may be added in the future. However, since other
    services inherit NeutronBase config_settings, they will attempt to
    generate certs. This certificate generation will fail because these
    services do not inherit metadata settings.

    This patch fixes the above issue by adding the metadata settings
    inheritance to every service derived from NeutronBase.

    Closes-Bug: 1754363

    Change-Id: I87afc3a11efeefc1cfd768dfe817fbb3b2422694
    Signed-off-by: Tim Rozet <email address hidden>

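The failure in the bug description and the inheritance fix in the commit message above are two sides of one invariant: a service that asks certmonger for a certificate must also emit metadata_settings, because that metadata is what the TLS-everywhere enrollment step (novajoin, in TripleO) uses to pre-create the matching service principal in FreeIPA. The node's own enrollment credential is deliberately not allowed to add service entries, so a node that requests a certificate for an unprovisioned principal is simply refused by the CA with the "Insufficient 'add' privilege" error quoted in the description. The checker below, an added example that is not code from tripleo-heat-templates or from the bug's author, resolves the get_attr/map_merge inheritance that THT uses between services and flags any service whose effective config_settings request a principal that no effective metadata_settings entry would provision. The template contents, the `::certificate_specs` hiera key suffix, the principal format and the service names are constructed to mirror the real layout and are assumptions.

```python
"""Check the TLS-everywhere invariant behind bug 1754363 on simplified
TripleO service templates: every certificate a service requests must be
matched by a metadata_settings entry for the same service principal.

Added example; not code from tripleo-heat-templates. Template shapes,
hiera key names and service names are constructed assumptions.
"""
from typing import Any, Dict, List

# Constructed stand-in for the role_data outputs of several service
# templates. Derived services inherit from NeutronBase via get_attr, as
# the real templates do.
TEMPLATES: Dict[str, Dict[str, Any]] = {
    "NeutronBase": {
        "config_settings": {
            "neutron::rabbit_use_ssl": True,
            # Hiera key name is an assumption modelled on THT's certmonger specs
            "tripleo::profile::base::neutron::certificate_specs": {
                "service_certificate": "/etc/pki/tls/certs/neutron.crt",
                "service_key": "/etc/pki/tls/private/neutron.key",
                "principal": "neutron/%{hiera('fqdn_internal_api')}",
            },
        },
        "metadata_settings": [
            {"service": "neutron", "network": "internal_api", "type": "node"},
        ],
    },
    # Pre-fix shape: inherits config_settings only, so every node running it
    # requests the neutron certificate without the principal being provisioned.
    "NeutronOvsAgent": {
        "config_settings": {"map_merge": [
            {"get_attr": ["NeutronBase", "role_data", "config_settings"]},
            {"neutron::agents::ml2::ovs::tunnel_types": "vxlan"},
        ]},
    },
    # Post-fix shape: inherits metadata_settings as well.
    "NeutronDhcpAgent": {
        "config_settings": {"get_attr": ["NeutronBase", "role_data", "config_settings"]},
        "metadata_settings": {"get_attr": ["NeutronBase", "role_data", "metadata_settings"]},
    },
    # Constructed mismatch: metadata is present, but for a different service
    # than the requested principal, which fails the same way at the CA.
    "ExampleAgent": {
        "config_settings": {
            "tripleo::profile::base::example::certificate_specs": {
                "principal": "example/%{hiera('fqdn_internal_api')}",
            },
        },
        "metadata_settings": {"get_attr": ["NeutronBase", "role_data", "metadata_settings"]},
    },
}


def resolve(value: Any, templates: Dict[str, Dict[str, Any]], depth: int = 0) -> Any:
    """Evaluate the subset of Heat intrinsics used for inheritance here:
    get_attr to another service's role_data, and map_merge of dicts."""
    if depth > 20:
        raise ValueError("inheritance loop")
    if isinstance(value, dict) and list(value) == ["get_attr"]:
        service, section, key = value["get_attr"]
        if section != "role_data":
            raise ValueError(f"unsupported get_attr {value['get_attr']}")
        return resolve(templates.get(service, {}).get(key), templates, depth + 1)
    if isinstance(value, dict) and list(value) == ["map_merge"]:
        merged: Dict[str, Any] = {}
        for part in value["map_merge"]:
            merged.update(resolve(part, templates, depth + 1) or {})
        return merged
    return value


def requested_principals(config: Dict[str, Any]) -> List[str]:
    """Service names (the part before '/') of every certmonger principal
    the effective config_settings would ask the CA for."""
    names: List[str] = []
    for key, spec in (config or {}).items():
        if key.endswith("::certificate_specs") and isinstance(spec, dict):
            names.append(spec.get("principal", "").split("/", 1)[0])
    return names


def lint(templates: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Return {service: [problems]} for services requesting a certificate
    whose principal no effective metadata_settings entry would provision."""
    problems: Dict[str, List[str]] = {}
    for name, tmpl in templates.items():
        config = resolve(tmpl.get("config_settings"), templates)
        metadata = resolve(tmpl.get("metadata_settings"), templates) or []
        provisioned = {m.get("service") for m in metadata if isinstance(m, dict)}
        for svc in requested_principals(config):
            if svc not in provisioned:
                problems.setdefault(name, []).append(
                    f"requests certificate for principal '{svc}/...' "
                    f"but emits no metadata_settings entry for service '{svc}'")
    return problems


if __name__ == "__main__":
    for service, issues in sorted(lint(TEMPLATES).items()):
        for issue in issues:
            print(f"{service}: {issue}")
```

Run stand-alone it reports NeutronOvsAgent (the pre-fix shape) and the constructed ExampleAgent, and stays silent for NeutronBase and NeutronDhcpAgent. The same check is worth keeping as a CI gate on the real templates, since the failure mode is only visible at deploy time and then surfaces as a CA permission error rather than a template error.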
Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/551433

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.openstack.org/551433
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=fa83eb1b86085d16af19f2ddcdfa085302c3e108
Submitter: Zuul
Branch: stable/queens

commit fa83eb1b86085d16af19f2ddcdfa085302c3e108
Author: Tim Rozet <email address hidden>
Date: Thu Mar 8 10:59:14 2018 -0500

    Fixes certificate generation error for Neutron agents

    TLS certificates were introduced for the Neutron Base service in order
    for Neutron to securely communicate with OVS via SSL/TLS. However, the
    implementation only required Neutron DHCP agent (ODL deployment) to use
    the certificates. The other OVS agents are not used in ODL deployments
    and SSL/TLS use there may be added in the future. However, since other
    services inherit NeutronBase config_settings, they will attempt to
    generate certs. This certificate generation will fail because these
    services do not inherit metadata settings.

    This patch fixes the above issue by adding the metadata settings
    inheritance to every service derived from NeutronBase.

    Closes-Bug: 1754363

    Change-Id: I87afc3a11efeefc1cfd768dfe817fbb3b2422694
    Signed-off-by: Tim Rozet <email address hidden>
    (cherry picked from commit df31016a9af5003533f80989bcb8d3da42099953)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.0.0.0b1

This issue was fixed in the openstack/tripleo-heat-templates 9.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.0.0.0b2

This issue was fixed in the openstack/tripleo-heat-templates 9.0.0.0b2 development milestone.
