Use of direct designate CLI calls (<= Ocata) with SSL fails

Bug #1839019 reported by David Ames on 2019-08-05
This bug affects 1 person
Affects: OpenStack Designate Charm
Importance: High
Assigned to: Unassigned

Bug Description

The designate charm <= Ocata uses direct calls to the CLI client designate. This leverages an RC file /root/novarc. The template for novarc [0] is not SSL aware.

The charm will need to wait for keystone's identity-service.available.ssl and render with OS_CACERT set as well as the correct URL for keystone.

This only affects <= Ocata and can be re-created using the openstack-mojo-specs full designate_ha spec.

There is also a potential race with rabbitmq's SSL settings.

If the charm is running the certificates-relation-* hooks it should unset flags that suggest it is ready and wait for keystone and rabbit to be SSL complete.

[0] https://github.com/openstack/charm-designate/blob/c3b888c07b90ddf08b671857db04855207d09444/src/templates/novarc
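
The SSL-awareness gap described in the report, as an added example that is not part of the bug report or the charm's code: a shell check that an RC file such as /root/novarc points at an https keystone URL and sets OS_CACERT to a readable file. The sample RC files, the host name keystone.example and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether an OpenStack RC file is usable against a TLS keystone.
# Return codes: 0 = SSL-ready, 1 = OS_AUTH_URL is not https,
#               2 = OS_CACERT unset, 3 = OS_CACERT file not readable.

# Read one "export NAME=value" assignment without sourcing (executing) the file.
rc_value() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

check_rc_ssl() {
    rc_file=$1
    auth_url=$(rc_value "$rc_file" OS_AUTH_URL)
    cacert=$(rc_value "$rc_file" OS_CACERT)
    case $auth_url in
        https://*) ;;
        *) echo "$rc_file: OS_AUTH_URL is not https ($auth_url)" >&2; return 1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "$rc_file: OS_CACERT is not set" >&2; return 2
    fi
    if [ ! -r "$cacert" ]; then
        echo "$rc_file: OS_CACERT file $cacert is not readable" >&2; return 3
    fi
    return 0
}

# Constructed sample RC files (not the charm's template).
demo_dir=$(mktemp -d)
: > "$demo_dir/ca.crt"    # placeholder CA bundle; only its presence is checked
cat > "$demo_dir/novarc.plain" <<EOF
export OS_AUTH_URL=http://keystone.example:5000
export OS_USERNAME=designate
EOF
cat > "$demo_dir/novarc.nocacert" <<EOF
export OS_AUTH_URL=https://keystone.example:5000
export OS_USERNAME=designate
EOF
cat > "$demo_dir/novarc.ssl" <<EOF
export OS_AUTH_URL=https://keystone.example:5000
export OS_CACERT=$demo_dir/ca.crt
export OS_USERNAME=designate
EOF
```

A deployment check could call `check_rc_ssl /root/novarc` once the certificates relation has completed and refuse to run the CLI on a non-zero return.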

David Ames (thedac) on 2019-08-05
Changed in charm-designate:
importance: Undecided → High
milestone: none → 19.10
status: New → Confirmed
David Ames (thedac) on 2019-10-24
Changed in charm-designate:
milestone: 19.10 → 20.01