/etc/pki/tls/private/overcloud_endpoint.pem is generated at each undercloud/standalone deploy
Bug #1871663 reported by Emilien Macchi
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | High | Emilien Macchi |
Bug Description
/etc/pki/
How to reproduce:
1) Deploy an undercloud, observe content in /etc/pki/
2) run the "openstack undercloud install" again
/etc/pki/
It makes the HAProxy container not idempotent and can cause service disruptions on the Undercloud.
Changed in tripleo:
  status: New → Triaged
  importance: Undecided → High
  milestone: none → ussuri-rc1
Changed in tripleo:
  assignee: nobody → David Wilde (dave-wilde)
tags: added: train-backport-potential
tags: added: idempotency
Changed in tripleo:
  milestone: ussuri-rc1 → ussuri-rc3
Changed in tripleo:
  milestone: ussuri-rc3 → victoria-1
Changed in tripleo:
  assignee: David Wilde (dave-wilde) → Emilien Macchi (emilienm)
Changed in tripleo:
  status: In Progress → Fix Released
Yes - this does, in fact, happen. puppet-certmonger will do a getcert resubmit if the request already exists. This will generate a new cert with the same key.
We could work around this -- maybe by adding code to puppet-certmonger to not do the resubmit unless explicitly requested -- but maybe what this points to is a bug in the code that restarts/reloads haproxy. After all, haproxy should be restarted if the cert is updated -- for example, if the cert was renewed by certmonger.
The advantage of replacing the cert each time is that the cert doesn't get too old.
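A way to carry out the "observe content in /etc/pki/" step of the reproduction above before and after the second `openstack undercloud install`, and to tell the comment's case (a re-issued certificate that still carries the same key) apart from a full key rotation. This is an added example, not part of the bug report, of TripleO or of puppet-certmonger. It assumes `find`, `sha256sum` and `awk` are available, takes the PKI directory as an argument (the usage comments use /etc/pki), and needs `openssl` only for the certificate/key comparison; the snapshot format does not handle paths containing whitespace.

```shell
#!/bin/sh
# Added example (not from the bug report or from TripleO/puppet-certmonger).
# Assumptions: sha256sum, find and awk are present; openssl is only needed
# for cert_identity; the directory to watch is passed explicitly.

# pki_snapshot DIR OUTFILE
# Record one "<sha256>  <path>" line per regular file under DIR, sorted by
# path so that two snapshots can be compared entry by entry.
pki_snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# pki_changed BEFORE AFTER
# Compare two snapshot files. Prints "added", "removed" or "modified" followed
# by the path for every difference. Returns 0 when nothing changed (the
# redeploy was idempotent for these files) and 1 otherwise.
pki_changed() {
    awk '
        FILENAME == ARGV[1] { before[$2] = $1; next }
                            { after[$2]  = $1 }
        END {
            n = 0
            for (p in before) if (!(p in after)) { print "removed  " p; n++ }
            for (p in after) {
                if (!(p in before))             { print "added    " p; n++ }
                else if (after[p] != before[p]) { print "modified " p; n++ }
            }
            exit (n > 0)
        }' "$1" "$2"
}

# cert_identity PEMFILE
# Print "<certificate SHA-256 fingerprint> <SHA-256 of the DER public key>".
# A certificate re-issued for the same key (what a certmonger resubmit
# produces) shows a new fingerprint but the same key hash; a real key
# rotation changes both values.
cert_identity() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    key=$(openssl x509 -in "$1" -noout -pubkey \
          | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1)
    printf '%s %s\n' "$fp" "$key"
}

# Typical use across a redeploy: baseline, rerun the install, compare.
#   pki_snapshot /etc/pki /tmp/pki.before
#   openstack undercloud install
#   pki_snapshot /etc/pki /tmp/pki.after
#   pki_changed /tmp/pki.before /tmp/pki.after
#   cert_identity /etc/pki/tls/private/overcloud_endpoint.pem
```

Running `pki_changed` after a redeploy that was supposed to be a no-op gives a direct idempotency check: a non-zero exit with `modified` lines under tls/private is exactly the symptom reported here, and `cert_identity` on the listed file shows whether only the certificate or also the key was replaced.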