Need to be able to retrofit tls everywhere on an existing deployment

Bug #1830235 reported by Ade Lee
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Ade Lee
Milestone: train-1

Bug Description

Description
===========

We need to be able to retrofit existing overcloud deployments with TLS everywhere to improve security.
Ideally, the undercloud would be prepped by deploying novajoin and enrolling with FreeIPA. Then the overcloud can be re-deployed with the correct templates to generate the required certs and secure the internal endpoints.

Need to have this backported back to Queens.

Ade Lee (alee-3)
Changed in tripleo:
status: New → In Progress
assignee: nobody → Ade Lee (alee-3)
summary: - Need to ba able to retrofit tls everywhere on an existing deployment
+ Need to be able to retrofit tls everywhere on an existing deployment
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Related fix proposed to tripleo-heat-templates (stable/stein)

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/661019

OpenStack Infra (hudson-openstack) wrote: Related fix proposed to tripleo-heat-templates (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/661103

OpenStack Infra (hudson-openstack) wrote: Related fix merged to tripleo-heat-templates (stable/stein)

Reviewed: https://review.opendev.org/661019
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=952511f65036b20be71e3760f5d7389794e06f10
Submitter: Zuul
Branch: stable/stein

commit 952511f65036b20be71e3760f5d7389794e06f10
Author: Grzegorz Grasza <email address hidden>
Date: Tue Apr 23 17:43:32 2019 +0200

    Fix IPA client when doing brownfield deployment of internal TLS

    * Always use the FQDN supplied in the metadata.
    * Read the metadata from network if hostname could not be determined.

    These changes fix issues with deploying internal TLS after initially
    deploying without it (also known as a "brownfield deployment").

    Related-Bug: 1830235
    Change-Id: I9d1b4174dd349c29dc92079202176a11d3f85fe3
    Co-Authored-By: Ade Lee <email address hidden>
    (Cherry-picked from 05f650d5da5f5e4b5d0e836a09e9cd7617be02a7)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote: Related fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.opendev.org/661103
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=bfd44566185a9b31493ebe360f4d62420b0de562
Submitter: Zuul
Branch: stable/rocky

commit bfd44566185a9b31493ebe360f4d62420b0de562
Author: Grzegorz Grasza <email address hidden>
Date: Tue Apr 23 17:43:32 2019 +0200

    Fix IPA client when doing brownfield deployment of internal TLS

    * Always use the FQDN supplied in the metadata.
    * Read the metadata from network if hostname could not be determined.

    These changes fix issues with deploying internal TLS after initially
    deploying without it (also known as a "brownfield deployment").

    Related-Bug: 1830235
    Change-Id: I9d1b4174dd349c29dc92079202176a11d3f85fe3
    Co-Authored-By: Ade Lee <email address hidden>
    (cherry-picked from commit 05f650d5da5f5e4b5d0e836a09e9cd7617be02a7)

tags: added: in-stable-rocky
Changed in tripleo:
milestone: none → train-1
Changed in tripleo:
importance: Undecided → Medium
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Related fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.opendev.org/664386
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=45ab7d963a34da101154a48fd27d3f8695416253
Submitter: Zuul
Branch: stable/queens

commit 45ab7d963a34da101154a48fd27d3f8695416253
Author: Ade Lee <email address hidden>
Date: Mon Jun 10 11:54:25 2019 -0400

    Fix undefined variable python_interpreter

    In a backport, an undefined variable was accidentally introduced.
    This patch corrects this by removing that variable.

    The review that introduced this was
    https://review.opendev.org/#/c/661105

    Related-Bug: 1830235
    Change-Id: Ife925c7d659592364b98ff05aded515bc9461351

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote: Related fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.opendev.org/664272
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a8f5bb11d56c15f9cd2d9ee440b153a2b8b0a619
Submitter: Zuul
Branch: stable/rocky

commit a8f5bb11d56c15f9cd2d9ee440b153a2b8b0a619
Author: Ade Lee <email address hidden>
Date: Mon Jun 10 11:25:19 2019 -0400

    Fix undefined variable python_interpreter

    In a backport, an undefined variable was accidentally introduced.
    This patch corrects this by removing that variable.

    The review that introduced this was
    https://review.opendev.org/#/c/661103/

    Related-Bug: 1830235
    Change-Id: Ia1254b07d385803bf2216a6a1b17bafbbc6e8edf
