OpenStack Masakari Charm

Masakari endpoint not using HTTPS even with vault:certificates relation enabled

Bug #1935986 reported by Hybrid512 on 2021-07-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Masakari Charm	Fix Released	Undecided	Chris MacNaughton	OpenStack Masakari Charm 21.04

Bug Description

Hi,

It seems SSL is not enabled on Masakari endpoint even though vault:certificates relation is added.

Here is my Masakari configuration :

=======================================================
series: focal
applications:

  masakari:
    charm: cs:masakari-11
    channel: stable
    num_units: 3
    to:
    - lxd:3
    - lxd:4
    - lxd:5
    options:
      debug: false
      evacuation-delay: 10
      openstack-origin: distro
      use-internal-endpoints: false
      use-syslog: false
      verbose: false
      vip: 192.168.111.225
      worker-multiplier: 0.25

  masakari-hacluster:
    charm: cs:hacluster-76
    channel: stable
    options:
      cluster_count: 3
      maas_credentials: <MAAS ADMIN CREDENTIALS>
      maas_url: http://<MAAS-IP>:5240/MAAS

  masakari-monitors:
    charm: cs:masakari-monitors-9
    channel: stable

  masakari-mysql-router:
    charm: cs:mysql-router-10
    channel: stable

  masakari-pacemaker-remote:
    charm: cs:pacemaker-remote-9
    channel: stable
    options:
      enable-resources: false
      enable-stonith: true

relations:
- - masakari:ha
  - masakari-hacluster:ha
- - nova-compute:juju-info
  - masakari-pacemaker-remote:juju-info
- - masakari-hacluster:pacemaker-remote
  - masakari-pacemaker-remote:pacemaker-remote
- - nova-compute:juju-info
  - masakari-monitors:container
- - keystone:identity-credentials
  - masakari-monitors:identity-credentials
- - masakari-monitors:certificates
  - vault:certificates
- - masakari:identity-service
  - keystone:identity-service
- - masakari:shared-db
  - masakari-mysql-router:shared-db
- - masakari-mysql-router:db-router
  - mysql-innodb-cluster:db-router
- - masakari:amqp
  - rabbitmq-server:amqp
- - masakari:certificates
  - vault:certificates
=======================================================

(as you can see, the relation for certificates is there)

and here is my endpoints list :

As you can see, Masakari endpoint is configured for HTTP and not HTTPS.

Revision history for this message

Vladimir Grevtsev (vlgrevtsev) wrote on 2021-08-17:

This bug is still actual, can someone take a look please?

+ field-high as the expected functionality doesn't work (TLS endpoint isn't updated in Keystone database).

Just have checked on freshly Masakari deployment: the endpoint in Keystone is http:// indeed, and:

# the certs are present:
root@juju-2d3b82-0-lxd-10:~# ls /etc/apache2/ssl/masakari/
cert_10.35.174.113 cert_10.35.84.244

# but https-related apache conf is empty
~# cat /etc/apache2/sites-enabled/openstack_https_frontend.conf
root@juju-2d3b82-0-lxd-10:~#

Changed in charm-masakari:
status:	New → Confirmed

Revision history for this message

Vladimir Grevtsev (vlgrevtsev) wrote on 2021-08-17:

masakari unit flags:

juju run --unit masakari/0 'charms.reactive get_flags' | pastebinit
https://paste.ubuntu.com/p/zbH2HSCT7p/

Revision history for this message

Vladimir Grevtsev (vlgrevtsev) wrote on 2021-08-17 (last edit on 2021-08-17):

overlay used for deploying masakari: https://paste.ubuntu.com/p/9NmmVS6M4Z/

# VIPs are also in-place
$ juju config masakari vip
10.35.84.213 10.35.174.113
$ juju config neutron-api vip
10.35.174.104 10.35.84.204
$ juju config keystone vip
10.35.174.100 10.35.84.200

$ juju spaces
Name Space ID Subnets
alpha 0
infra-vms 4 10.34.94.0/23
10.35.85.192/26
internal-space 3 10.35.174.0/25
oam-space 1 10.35.81.0/24
overlay-space 5 10.35.83.128/25
public-space 2 10.35.84.128/25

Comparing the network bindings between Masakari and any other app:

[endpoint is http in keystone]
$ juju show-application masakari
masakari:
  charm: masakari
  series: focal
  channel: stable
  principal: true
  exposed: false
  remote: false
  endpoint-bindings:
    "": oam-space
    admin: internal-space
    amqp: internal-space
    certificates: internal-space
    cluster: oam-space
    ha: oam-space
    identity-service: internal-space
    internal: internal-space
    public: public-space
    shared-db: internal-space

[endpoint is https in keystone]
$ juju show-application neutron-api
neutron-api:
  charm: neutron-api
  series: focal
  channel: stable
  principal: true
  exposed: false
  remote: false
  endpoint-bindings:
    "": oam-space
    admin: internal-space
    amqp: oam-space
    certificates: internal-space
    cluster: oam-space
    etcd-proxy: oam-space
    external-dns: oam-space
    ha: oam-space
    identity-service: oam-space
    infoblox-neutron: oam-space
    internal: internal-space
    midonet: oam-space
    neutron-api: oam-space
    neutron-load-balancer: oam-space
    neutron-plugin-api: oam-space
    neutron-plugin-api-subordinate: oam-space
    nrpe-external-master: oam-space
    public: public-space
    shared-db: internal-space
    vsd-rest-api: oam-space

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-18: Fix proposed to charm-masakari (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/charm-masakari/+/805079

Changed in charm-masakari:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-19: Fix merged to charm-masakari (master)

Reviewed: https://review.opendev.org/c/openstack/charm-masakari/+/805079
Committed: https://opendev.org/openstack/charm-masakari/commit/3760b7211f6428dfd7321d4adf8d7ddaed7535f2
Submitter: "Zuul (22348)"
Branch: master

commit 3760b7211f6428dfd7321d4adf8d7ddaed7535f2
Author: Chris MacNaughton <email address hidden>
Date: Wed Aug 18 11:14:26 2021 -0500

Specify certificates relation to update endpoints.

    When the certificates relation is unspecified with the
    configure_tls method invocation, the masakari endpoints
    seem to ignore the update to TLS. This change specifies
    the relation which causes the endpoints to update correctly.

Closes-Bug: #1935986
Change-Id: Ib1a6ca1ddf64950ff13cf3a8904d9848710d96a5

Changed in charm-masakari:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-19: Fix proposed to charm-masakari (stable/21.04)

Fix proposed to branch: stable/21.04
Review: https://review.opendev.org/c/openstack/charm-masakari/+/805142

Chris MacNaughton (chris.macnaughton) on 2021-08-19

Changed in charm-masakari:
assignee:	nobody → Chris MacNaughton (chris.macnaughton)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-19: Fix merged to charm-masakari (stable/21.04)

Reviewed: https://review.opendev.org/c/openstack/charm-masakari/+/805142
Committed: https://opendev.org/openstack/charm-masakari/commit/532ddc91f80084e731bf231fa591aee50fe8af38
Submitter: "Zuul (22348)"
Branch: stable/21.04

commit 532ddc91f80084e731bf231fa591aee50fe8af38
Author: Chris MacNaughton <email address hidden>
Date: Wed Aug 18 11:14:26 2021 -0500

Specify certificates relation to update endpoints.

    Closes-Bug: #1935986
    Change-Id: Ib1a6ca1ddf64950ff13cf3a8904d9848710d96a5
    (cherry picked from commit 3760b7211f6428dfd7321d4adf8d7ddaed7535f2)

Aurelien Lourot (aurelien-lourot) on 2021-10-08

Changed in charm-masakari:
status:	Fix Committed → Fix Released
milestone:	none → 21.04

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.