clouds.yaml is inconsistent with stackrc
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Incomplete | Medium | Lance Bragstad |
Bug Description
I noticed that the undercloud profile in clouds.yaml doesn't contain the cacert when TLS is used in the undercloud (which appears to be on by default?). I compared clouds.yaml to stackrc and noticed stackrc contains the OS_CACERT, allowing me to interact with the undercloud without SSL verification errors. If I attempt the same openstack CLI commands using `export OS_CLOUD=
Here is an example comparing the two files:
(undercloud) [stack@undercloud ~]$ sudo cat /etc/openstack/
clouds:
  overcloud:
    auth:
      auth_url: https:/
      password: mIFntoBkPFNogPv
      project_
      project_name: admin
      user_
      username: admin
    identity_
    region_name: regionOne
  undercloud:
    auth:
      auth_url: https:/
      password: n7n8jzaehC19Q7J
      project_
      project_name: admin
      user_
      username: admin
    identity_
    region_name: regionOne
(undercloud) [stack@undercloud ~]$ cat /home/stack/
clouds:
  undercloud:
    auth:
      auth_url: https:/
      password: n7n8jzaehC19Q7J
      project_
      project_name: admin
      user_
      username: admin
    identity_
    # I needed to add this
    cacert: "/etc/pki/
    region_name: regionOne
(undercloud) [stack@undercloud ~]$ cat stackrc
# Clear any old environment that may conflict.
for key in $( set | awk -F= '/^OS_/ {print $1}' ); do unset "${key}" ; done
export OS_AUTH_
export OS_PASSWORD=
export OS_AUTH_URL=https:/
export OS_USERNAME=admin
export OS_PROJECT_
export COMPUTE_
export NOVA_VERSION=1.1
export OS_NO_CACHE=True
export OS_CLOUDNAME=
export OS_IDENTITY_
export OS_PROJECT_
export OS_USER_
export OS_CACERT=
# Add OS_CLOUDNAME to PS1
if [ -z "${CLOUDPROMPT_
export PS1=${PS1:-""}
export PS1=\${
export CLOUDPROMPT_
fi
Note, once I added cacert: "/etc/pki/
Steps to reproduce
==================
1.) Deploy an undercloud
2.) Execute `export OS_CLOUD=
Expected result
===============
I should get back a list of baremetal servers
Actual result
=============
I get an SSL verification issue because python-
Environment
===========
I was able to reproduce this with master (ussuri).
[stack@undercloud ~]$ rpm -qa | grep tripleo
openstack-
openstack-
python2-
python2-
tripleo-
openstack-
openstack-
python2-
python2-
openstack-
ansible-
openstack-
puppet-
ansible-
[DEFAULT]
undercloud_hostname = undercloud.ooo.test
overcloud_
local_mtu = 1350
local_interface = eth1
container_
undercloud_
[ctlplane-subnet]
masquerade = true
Changed in tripleo:
importance: Undecided → Medium
milestone: none → ussuri-3
tags: added: queens-backport-potential train-backport-potential
Changed in tripleo:
milestone: ussuri-3 → ussuri-rc3
Changed in tripleo:
milestone: ussuri-rc3 → victoria-1
Changed in tripleo:
milestone: victoria-1 → victoria-3
Changed in tripleo:
milestone: victoria-3 → wallaby-1
Changed in tripleo:
milestone: wallaby-1 → wallaby-2
Changed in tripleo:
milestone: wallaby-2 → wallaby-3
Changed in tripleo:
milestone: wallaby-3 → wallaby-rc1
Changed in tripleo:
milestone: wallaby-rc1 → xena-1
It doesn't look like tripleo-heat-templates is detecting the certificate and populating it here [0], but it does when generating the stackrc file in post-deployment steps [1].
[0] https://opendev.org/openstack/tripleo-heat-templates/src/commit/b5ef03c9c939db551b03e9490edc6981ff582035/deployment/keystone/keystone-container-puppet.yaml#L711-L720
[1] https://opendev.org/openstack/tripleo-heat-templates/src/commit/b5ef03c9c939db551b03e9490edc6981ff582035/extraconfig/post_deploy/undercloud_post.yaml#L121
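A consistency check for the mismatch described in this report, as an added example (not code from the reporter or from TripleO): it flags any HTTPS cloud in clouds.yaml that has no `cacert` although the stackrc for the same `auth_url` exports `OS_CACERT`. The hostnames, CA paths, and the function names `parse_mapping` and `missing_cacert` are assumptions made for illustration; the sample inputs are constructed.

```python
import re

# Constructed sample inputs (not the reporter's files); hosts and CA paths are placeholders.
CLOUDS_YAML = """\
clouds:
  overcloud:
    auth:
      auth_url: https://overcloud.example.test:13000
    cacert: /placeholder/overcloud-ca.pem
  undercloud:
    auth:
      auth_url: https://undercloud.example.test:13000
    region_name: regionOne
"""
STACKRC = """\
export OS_AUTH_URL=https://undercloud.example.test:13000
export OS_CACERT=/placeholder/undercloud-ca.pem
"""

def parse_mapping(text):
    """Parse the nested-mapping subset of YAML used by clouds.yaml (no lists, no anchors)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and full-line comments
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at a shallower indent
        value = value.strip().strip("\"'")
        if value:
            stack[-1][1][key] = value
        else:
            child = stack[-1][1][key] = {}
            stack.append((indent, child))
    return root

def missing_cacert(clouds_text, stackrc_text):
    """Names of HTTPS clouds lacking cacert while stackrc sets OS_CACERT for the same auth_url."""
    exports = re.findall(r"^export (OS_\w+)=(\S*)", stackrc_text, flags=re.M)
    rc = {k: v.strip("\"'") for k, v in exports}
    if not rc.get("OS_CACERT"):
        return []  # stackrc trusts no private CA, so there is nothing to compare
    flagged = []
    for name, cfg in parse_mapping(clouds_text).get("clouds", {}).items():
        url = cfg.get("auth", {}).get("auth_url", "")
        if url.startswith("https://") and url == rc.get("OS_AUTH_URL") and not cfg.get("cacert"):
            flagged.append(name)
    return flagged
```
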