contrail plugin defaults are using haproxy settings

Bug #1883741 reported by Grzegorz Grasza
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Grzegorz Grasza

Bug Description

Description
===========

The documentation in neutron_plugin.pp[1] states that ca_file and cert_file are by default set from contrail::service_certificate hiera value, however, later in the implementation, tripleo::haproxy::service_certificate is used.

This certificate shouldn't be used in the [keystone*] configuration block, because it contains a private key with which the service is encrypted. The value defaults to /etc/pki/tls/private/overcloud_endpoint.pem, which is not mounted into the neutron_api container, so the container fails to start.

[1] https://github.com/openstack/puppet-tripleo/blob/stable/queens/manifests/network/contrail/neutron_plugin.pp

Steps to reproduce
==================

Configure the contrail plugin with auth_protocol set to https

Expected result
===============
Contrail connects to keystone

Actual result
=============

INFO neutron.manager [-] Loading core plugin: neutron_plugin_contrail.plugins.opencontrail.contrail_plugin.NeutronPluginContrailCoreV2
ERROR neutron.service [-] Unrecoverable error: please check log for details.: OSError: [Errno 2] No such file or directory: '/etc/pki/tls/private/overcloud_endpoint.pem'
ERROR neutron.service Traceback (most recent call last):
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/service.py", line 86, in serve_wsgi
ERROR neutron.service service.start()
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/service.py", line 62, in start
ERROR neutron.service self.wsgi_app = _run_wsgi(self.app_name)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/service.py", line 289, in _run_wsgi
ERROR neutron.service app = config.load_paste_app(app_name)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/common/config.py", line 122, in load_paste_app
ERROR neutron.service app = loader.load_app(app_name)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/oslo_service/wsgi.py", line 353, in load_app
ERROR neutron.service return deploy.loadapp("config:%s" % self.config_path, name=name)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 247, in loadapp
ERROR neutron.service return loadobj(APP, uri, name=name, **kw)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 272, in loadobj
ERROR neutron.service return context.create()
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 710, in create
ERROR neutron.service return self.object_type.invoke(self)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 144, in invoke
ERROR neutron.service **context.local_conf)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/util.py", line 55, in fix_call
ERROR neutron.service val = callable(*args, **kw)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/urlmap.py", line 25, in urlmap_factory
ERROR neutron.service app = loader.get_app(app_name, global_conf=global_conf)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 350, in get_app
ERROR neutron.service name=name, global_conf=global_conf).create()
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 710, in create
ERROR neutron.service return self.object_type.invoke(self)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 144, in invoke
ERROR neutron.service **context.local_conf)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/util.py", line 55, in fix_call
ERROR neutron.service val = callable(*args, **kw)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/auth.py", line 47, in pipeline_factory
ERROR neutron.service app = loader.get_app(pipeline[-1])
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 350, in get_app
ERROR neutron.service name=name, global_conf=global_conf).create()
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 710, in create
ERROR neutron.service return self.object_type.invoke(self)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 146, in invoke
ERROR neutron.service return fix_call(context.object, context.global_conf, **context.local_conf)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/paste/deploy/util.py", line 55, in fix_call
ERROR neutron.service val = callable(*args, **kw)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/api/v2/router.py", line 25, in _factory
ERROR neutron.service return pecan_app.v2_factory(global_config, **local_config)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/pecan_wsgi/app.py", line 47, in v2_factory
ERROR neutron.service startup.initialize_all()
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/pecan_wsgi/startup.py", line 39, in initialize_all
ERROR neutron.service manager.init()
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/manager.py", line 296, in init
ERROR neutron.service NeutronManager.get_instance()
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/manager.py", line 247, in get_instance
ERROR neutron.service cls._create_instance()
ERROR neutron.service File "/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py", line 274, in inner
ERROR neutron.service return f(*args, **kwargs)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/manager.py", line 233, in _create_instance
ERROR neutron.service cls._instance = cls()
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/manager.py", line 132, in __init__
ERROR neutron.service plugin_provider)
ERROR neutron.service File "/usr/lib/python2.7/site-packages/neutron/manager.py", line 166, in _get_plugin_instance
ERROR neutron.service return plugin_class()
ERROR neutron.service File "/opt/plugin/site-packages/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin_base.py", line 232, in __init__
ERROR neutron.service self._parse_class_args()
ERROR neutron.service File "/opt/plugin/site-packages/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin_base.py", line 222, in _parse_class_args
ERROR neutron.service self._build_auth_details()
ERROR neutron.service File "/opt/plugin/site-packages/neutron_plugin_contrail/plugins/opencontrail/contrail_plugin.py", line 96, in _build_auth_details
ERROR neutron.service _DEFAULT_KS_CERT_BUNDLE,certs)
ERROR neutron.service File "/opt/plugin/site-packages/vnc_api/utils.py", line 59, in getCertKeyCaBundle
ERROR neutron.service if os.path.getmtime(cert) > bundle_mod_time:
ERROR neutron.service File "/usr/lib64/python2.7/genericpath.py", line 54, in getmtime
ERROR neutron.service return os.stat(filename).st_mtime
ERROR neutron.service OSError: [Errno 2] No such file or directory: '/etc/pki/tls/private/overcloud_endpoint.pem'
ERROR neutron.service

Environment
===========
Queens/OSP13
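A pre-flight check for the two problems the report describes, added here as an illustration and not part of puppet-tripleo or the contrail plugin: a ca_file/cert_file path that is absent from the neutron_api container (the OSError above), and a path that is the haproxy endpoint bundle, which carries a private key and must not be handed to the keystone client settings. The check functions, the sample PEM contents and the temp-directory layout are all constructed for this example.

```python
"""Check the contrail plugin's [keystone*] ca_file / cert_file values (constructed example)."""
import os
import re
import tempfile

PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----")


def check_tls_setting(name, path):
    """Return a list of findings for one ca_file or cert_file value."""
    findings = []
    if not path:
        return findings  # unset: the client falls back to the system CA store
    if not os.path.exists(path):
        # This is the condition that produced OSError: [Errno 2] in the report:
        # the haproxy default path is not mounted into the container.
        findings.append(f"{name}: {path} does not exist in this container")
        return findings
    with open(path, "rb") as fh:
        data = fh.read().decode("ascii", "replace")
    if PRIVATE_KEY_RE.search(data):
        findings.append(f"{name}: {path} contains a private key; "
                        "a service certificate bundle must not be used here")
    if name == "ca_file" and not CERT_RE.search(data):
        findings.append(f"{name}: {path} holds no certificate")
    return findings


def check_keystone_section(section):
    """section: dict of the keystone options the plugin reads (ca_file, cert_file)."""
    findings = []
    for key in ("ca_file", "cert_file"):
        findings += check_tls_setting(key, section.get(key))
    return findings


def demo():
    """Build a haproxy-style bundle and a plain CA file in a temp dir, then run the check."""
    d = tempfile.mkdtemp()
    haproxy_pem = os.path.join(d, "overcloud_endpoint.pem")  # constructed stand-in
    with open(haproxy_pem, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
                 "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n")
    ca_bundle = os.path.join(d, "ca-bundle.crt")
    with open(ca_bundle, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
    bad = {"ca_file": haproxy_pem, "cert_file": os.path.join(d, "missing.pem")}
    good = {"ca_file": ca_bundle}  # what the fixed defaults amount to: a CA-only file
    return check_keystone_section(bad), check_keystone_section(good)
```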

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.opendev.org/735957

Changed in tripleo:
assignee: nobody → Grzegorz Grasza (xek)
status: New → In Progress
Changed in tripleo:
milestone: none → victoria-1
importance: Undecided → High
tags: added: queens-backport-potential train-backport-potential ussuri-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/735957
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=9befc582571757cfd2bfd45f491617af3d563af8
Submitter: Zuul
Branch: master

commit 9befc582571757cfd2bfd45f491617af3d563af8
Author: Grzegorz Grasza <email address hidden>
Date: Tue Jun 16 18:03:03 2020 +0200

    Fix the default values for ca_file and cert_file

    Before this change, the values were set to haproxy defaults,
    however, these should not be used. The keystone endpoint
    should be verified by the system's default CA certificates,
    which are mounted into the neutron_api container.

    Change-Id: I35b39a1bc0e1793116831485180a49da5e0a019a
    Closes-Bug: #1883741
    Resolves: rhbz#1844592

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/737719

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/737720

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/737721

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/737722

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/737723

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ussuri)

Reviewed: https://review.opendev.org/737719
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=c76b60b4ab090aa2bbb8c28fbec299aa6ec8a6ae
Submitter: Zuul
Branch: stable/ussuri

commit c76b60b4ab090aa2bbb8c28fbec299aa6ec8a6ae
Author: Grzegorz Grasza <email address hidden>
Date: Tue Jun 16 18:03:03 2020 +0200

    Fix the default values for ca_file and cert_file

    Before this change, the values were set to haproxy defaults,
    however, these should not be used. The keystone endpoint
    should be verified by the system's default CA certificates,
    which are mounted into the neutron_api container.

    Change-Id: I35b39a1bc0e1793116831485180a49da5e0a019a
    Closes-Bug: #1883741
    Resolves: rhbz#1844592
    (cherry picked from commit 9befc582571757cfd2bfd45f491617af3d563af8)

tags: added: in-stable-ussuri
tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/train)

Reviewed: https://review.opendev.org/737720
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=b9a5dae6044ef44960d6af739eb9170e96afa01f
Submitter: Zuul
Branch: stable/train

commit b9a5dae6044ef44960d6af739eb9170e96afa01f
Author: Grzegorz Grasza <email address hidden>
Date: Tue Jun 16 18:03:03 2020 +0200

    Fix the default values for ca_file and cert_file

    Before this change, the values were set to haproxy defaults,
    however, these should not be used. The keystone endpoint
    should be verified by the system's default CA certificates,
    which are mounted into the neutron_api container.

    Change-Id: I35b39a1bc0e1793116831485180a49da5e0a019a
    Closes-Bug: #1883741
    Resolves: rhbz#1844592
    (cherry picked from commit 9befc582571757cfd2bfd45f491617af3d563af8)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/stein)

Reviewed: https://review.opendev.org/737721
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=31fd3545ea684338bc204ae49f3afafcbaa2a23a
Submitter: Zuul
Branch: stable/stein

commit 31fd3545ea684338bc204ae49f3afafcbaa2a23a
Author: Grzegorz Grasza <email address hidden>
Date: Tue Jun 16 18:03:03 2020 +0200

    Fix the default values for ca_file and cert_file

    Before this change, the values were set to haproxy defaults,
    however, these should not be used. The keystone endpoint
    should be verified by the system's default CA certificates,
    which are mounted into the neutron_api container.

    Change-Id: I35b39a1bc0e1793116831485180a49da5e0a019a
    Closes-Bug: #1883741
    Resolves: rhbz#1844592
    (cherry picked from commit 9befc582571757cfd2bfd45f491617af3d563af8)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.opendev.org/737723
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=095bc0ea8cfba8a4439cfa5f0e4665d17574a07b
Submitter: Zuul
Branch: stable/queens

commit 095bc0ea8cfba8a4439cfa5f0e4665d17574a07b
Author: Grzegorz Grasza <email address hidden>
Date: Tue Jun 16 18:03:03 2020 +0200

    Fix the default values for ca_file and cert_file

    Before this change, the values were set to haproxy defaults,
    however, these should not be used. The keystone endpoint
    should be verified by the system's default CA certificates,
    which are mounted into the neutron_api container.

    Change-Id: I35b39a1bc0e1793116831485180a49da5e0a019a
    Closes-Bug: #1883741
    Resolves: rhbz#1844592
    (cherry picked from commit 9befc582571757cfd2bfd45f491617af3d563af8)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 11.5.0

This issue was fixed in the openstack/puppet-tripleo 11.5.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo rocky-eol

This issue was fixed in the openstack/puppet-tripleo rocky-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo queens-eol

This issue was fixed in the openstack/puppet-tripleo queens-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo stein-eol

This issue was fixed in the openstack/puppet-tripleo stein-eol release.
