Use of direct designate CLI calls (<= Ocata) with SSL fails

Bug #1839019 reported by David Ames
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Designate Charm | Confirmed | High | Unassigned |

Bug Description

The designate charm <= Ocata uses direct calls to the CLI client designate. This leverages an RC file /root/novarc. The template for novarc [0] is not SSL aware.

The charm will need to wait for keystone's identity-service.available.ssl and render with OS_CACERT set as well as the correct URL for keystone.

This only affects <= Ocata and can be re-created using the openstack-mojo-specs full designate_ha spec.

There is also a potential race with rabbitmq's SSL settings.

If the charm is running the certificates-relation-* hooks it should unset flags that suggest it is ready and wait for keystone and rabbit to be SSL complete.

[0] https://github.com/openstack/charm-designate/blob/c3b888c07b90ddf08b671857db04855207d09444/src/templates/novarc
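
A pre-flight check for the rendered RC file, given as an added example (not part of the original report and not the charm's code): it flags an RC file whose keystone URL or OS_CACERT does not match the TLS state of keystone. The function names, the `keystone_tls` parameter (a stand-in for the identity-service.available.ssl flag), the sample RC contents and the CA path are assumptions; OS_AUTH_URL is the standard OpenStack client variable for the keystone URL.

```python
import os
import shlex
from urllib.parse import urlparse

# Constructed sample RC contents (not the charm's actual novarc template).
PLAIN_RC = "export OS_AUTH_URL=http://10.0.0.5:5000/v3\nexport OS_USERNAME=designate\n"
TLS_RC = ("# rendered after keystone reported TLS\n"
          "export OS_AUTH_URL=https://10.0.0.5:5000/v3\n"
          "export OS_CACERT=/etc/ssl/certs/example-ca.crt\n")


def parse_rc(text):
    """Collect KEY=VALUE assignments from a shell RC file into a dict."""
    env = {}
    for line in text.splitlines():
        # shlex handles quoting and drops '#' comments, as the shell would.
        for tok in shlex.split(line, comments=True):
            key, sep, value = tok.partition("=")
            if sep and key.isidentifier():
                env[key] = value
    return env


def check_rc_tls(text, keystone_tls, file_exists=os.path.isfile):
    """Return the problems that would break CLI calls made with this RC file.

    keystone_tls: hypothetical flag, True once keystone is serving TLS.
    """
    env = parse_rc(text)
    problems = []
    url = env.get("OS_AUTH_URL", "")
    scheme = urlparse(url).scheme
    if not url:
        problems.append("OS_AUTH_URL is not set")
    elif keystone_tls and scheme != "https":
        problems.append("keystone serves TLS but OS_AUTH_URL is " + url)
    elif not keystone_tls and scheme == "https":
        problems.append("OS_AUTH_URL is https but keystone TLS is not ready")
    if keystone_tls or scheme == "https":
        cacert = env.get("OS_CACERT")
        if not cacert:
            problems.append("OS_CACERT is not set for a TLS endpoint")
        elif not file_exists(cacert):
            problems.append("OS_CACERT points to a missing file: " + cacert)
    return problems


if __name__ == "__main__":
    for name, rc in (("plain", PLAIN_RC), ("tls", TLS_RC)):
        print(name, check_rc_tls(rc, keystone_tls=True))
```

A non-empty result is the condition under which the charm should keep its readiness flags unset and re-render the file before calling the CLI.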

David Ames (thedac)
Changed in charm-designate:
importance: Undecided → High
milestone: none → 19.10
status: New → Confirmed
David Ames (thedac)
Changed in charm-designate:
milestone: 19.10 → 20.01
James Page (james-page)
Changed in charm-designate:
milestone: 20.01 → 20.05
David Ames (thedac)
Changed in charm-designate:
milestone: 20.05 → 20.08
James Page (james-page)
Changed in charm-designate:
milestone: 20.08 → none