Use of direct designate CLI calls (<= Ocata) with SSL fails

Bug #1839019 reported by David Ames on 2019-08-05
Affects: OpenStack Designate Charm

Bug Description

The designate charm <= Ocata uses direct calls to the CLI client designate. This leverages an RC file /root/novarc. The template for novarc [0] is not SSL aware.

The charm will need to wait for keystone's identity-service.available.ssl and render with OS_CACERT set as well as the correct URL for keystone.

This only affects <= Ocata and can be re-created using the openstack-mojo-specs full designate_ha spec.

There is also a potential race with rabbitmq's SSL settings.

If the charm is running the certificates-relation-* hooks it should unset flags that suggest it is ready and wait for keystone and rabbit to be SSL complete.
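
The gating and rendering described in this report, as an added sketch that is not the charm's own code or its novarc template. The function name, the dict keys, the non-SSL flag name and all sample values are assumptions; only identity-service.available.ssl, OS_CACERT and /root/novarc come from the report.

```python
import shlex

SSL_FLAG = "identity-service.available.ssl"   # flag named in the bug report
PLAIN_FLAG = "identity-service.available"     # assumed non-SSL counterpart


def render_novarc(flags, keystone, tls_requested, ca_path=None):
    """Return novarc text, or None when the charm should keep waiting.

    flags         -- set of reactive flags currently set (hypothetical model)
    keystone      -- dict with host, port, path, user, password, tenant
    tls_requested -- True once a certificates relation exists
    ca_path       -- CA bundle the CLI must trust when TLS is in use
    """
    if tls_requested:
        # Never fall back to http while TLS is being rolled out: defer
        # until keystone reports SSL complete and a CA bundle is known.
        if SSL_FLAG not in flags or not ca_path:
            return None
        scheme = "https"
    else:
        if PLAIN_FLAG not in flags:
            return None
        scheme = "http"

    env = {
        "OS_AUTH_URL": "{}://{}:{}{}".format(
            scheme, keystone["host"], keystone["port"], keystone["path"]),
        "OS_USERNAME": keystone["user"],
        "OS_PASSWORD": keystone["password"],
        "OS_TENANT_NAME": keystone["tenant"],
    }
    if scheme == "https":
        env["OS_CACERT"] = ca_path
    # shlex.quote keeps relation-supplied values from being interpreted
    # by the shell when the RC file is sourced.
    return "".join(
        "export {}={}\n".format(k, shlex.quote(str(v))) for k, v in env.items())


# Constructed sample relation data (not taken from a real deployment).
SAMPLE = {"host": "keystone.example.internal", "port": 5000, "path": "/v2.0",
          "user": "designate", "password": "pa$$ w'rd", "tenant": "services"}
```

A None return is the signal to leave the existing file alone and retry on a later hook, rather than writing an RC file that points the CLI at an http endpoint or omits the CA bundle.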


David Ames (thedac) on 2019-08-05
Changed in charm-designate:
importance: Undecided → High
milestone: none → 19.10
status: New → Confirmed
David Ames (thedac) on 2019-10-24
Changed in charm-designate:
milestone: 19.10 → 20.01