etcd protocol incorrectly configured with internal TLS enabled

Bug #1884137 reported by James Kirsch
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
kolla-ansible | Fix Released | Medium | Radosław Piliszek |
Train | Fix Released | Medium | Mark Goddard |
Ussuri | Fix Released | Medium | Mark Goddard |
Victoria | Fix Released | Medium | Radosław Piliszek |

Bug Description

Currently, the etcd protocol is incorrectly configured using internal_protocol. The etcd service is not load balanced by a HAProxy container, so there is no proxy layer to do TLS termination when internal_protocol is configured to be "https".

Until the etcd service is configured to deploy with native TLS termination, the protocol etcd uses should be independent of internal_protocol.
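
The failure mode described in the report, as an added example that is not part of the original report or of kolla-ansible's code: a client URL built with "https" is checked against a listener that has no TLS of its own and no terminating proxy in front of it. The loopback listener, the function names and the `/version` probe path are constructed for illustration.

```python
import http.server
import socket
import ssl
import threading
from urllib.parse import urlsplit

def probe_scheme(host, port, timeout=1.0):
    """Return 'https' if the listener completes a TLS handshake, 'http' if it
    answers a plaintext request, otherwise 'unknown'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Detection only: the question is "does this port speak TLS?", not "is the cert valid?"
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "https"
    except OSError:  # ssl.SSLError and handshake timeouts are OSError subclasses
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET /version HTTP/1.0\r\n\r\n")
            return "http" if raw.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"

def check_endpoint(url, timeout=1.0):
    """Compare the scheme a client was configured with against the listener."""
    parts = urlsplit(url)
    actual = probe_scheme(parts.hostname, parts.port, timeout)
    return {"configured": parts.scheme, "actual": actual,
            "consistent": parts.scheme == actual}

class _PlainHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a service with no native TLS and no proxy."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"{}")
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_plain_listener():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _PlainHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    port = start_plain_listener().server_address[1]
    for scheme in ("https", "http"):
        print(check_endpoint(f"{scheme}://127.0.0.1:{port}"))
```

Run against each internal endpoint of a deployment, an inconsistent result in either direction is worth flagging: "https" configured against a plaintext listener breaks clients, while "http" on a network where internal TLS is enabled marks a service whose traffic is not covered by it.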

Changed in kolla-ansible:
assignee: nobody → James Kirsch (generalfuzz)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/736809

Changed in kolla-ansible:
status: New → In Progress
Mark Goddard (mgoddard)
summary: - etcd protocol incorrectly configured
+ etcd protocol incorrectly configured with internal TLS enabled
Changed in kolla-ansible:
assignee: James Kirsch (generalfuzz) → Radosław Piliszek (yoctozepto)
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/736809
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=a15843222316dc64cc820318ce14151368331beb
Submitter: Zuul
Branch: master

commit a15843222316dc64cc820318ce14151368331beb
Author: James Kirsch <email address hidden>
Date: Thu Jun 18 12:25:19 2020 -0700

    Fix etcd protocol configuration

    The etcd service protocol is currently configured with internal_protocol.
    The etcd service is not load balanced by a HAProxy container, so
    there is no proxy layer to do TLS termination when internal_protocol
    is configured to be "https".

    Until the etcd service is configured to deploy with native TLS
    termination, the etcd uses should be independent of
    internal_protocol, and "http" by default.

    Change-Id: I730c02331514244e44004aa06e9399c01264c65d
    Closes-Bug: 1884137

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/738466

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/738467

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/738467
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=953702532ef095e0af727614a8f49a5dd14ba50b
Submitter: Zuul
Branch: stable/train

commit 953702532ef095e0af727614a8f49a5dd14ba50b
Author: James Kirsch <email address hidden>
Date: Thu Jun 18 12:25:19 2020 -0700

    Fix etcd protocol configuration

    The etcd service protocol is currently configured with internal_protocol.
    The etcd service is not load balanced by a HAProxy container, so
    there is no proxy layer to do TLS termination when internal_protocol
    is configured to be "https".

    Until the etcd service is configured to deploy with native TLS
    termination, the etcd uses should be independent of
    internal_protocol, and "http" by default.

    Change-Id: I730c02331514244e44004aa06e9399c01264c65d
    Closes-Bug: 1884137
    (cherry picked from commit a15843222316dc64cc820318ce14151368331beb)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/738466
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=81e9565edf427131b2cf9b6246c0bd08d2cc6d44
Submitter: Zuul
Branch: stable/ussuri

commit 81e9565edf427131b2cf9b6246c0bd08d2cc6d44
Author: James Kirsch <email address hidden>
Date: Thu Jun 18 12:25:19 2020 -0700

    Fix etcd protocol configuration

    The etcd service protocol is currently configured with internal_protocol.
    The etcd service is not load balanced by a HAProxy container, so
    there is no proxy layer to do TLS termination when internal_protocol
    is configured to be "https".

    Until the etcd service is configured to deploy with native TLS
    termination, the etcd uses should be independent of
    internal_protocol, and "http" by default.

    Change-Id: I730c02331514244e44004aa06e9399c01264c65d
    Closes-Bug: 1884137
    (cherry picked from commit a15843222316dc64cc820318ce14151368331beb)
