enforce-ssl is ignored when getting certificates from vault

Bug #1818636 reported by Andrea Ieri
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Dashboard Charm
Triaged
Medium
Unassigned

Bug Description

The openstack-dashboard charm is able to obtain certificates from vault via the tls-certificates relation, but enforce-ssl is not applied unless the local ssl options are set.

The following can be seen in the unit logs:
WARNING juju-log Enforce ssl redirect requested but ssl not configured - skipping redirect

A direct connection to the dashboard via https does however succeeds as certificates are correctly installed.

Tags: cpe-onsite
tags: added: cpe-onsite
James Page (james-page)
Changed in charm-openstack-dashboard:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Hybrid512 (walid-moghrabi) wrote :

There were changes in behavior with the 20.01 release.

As we can see in the config.yaml :

  enforce-ssl:
    type: boolean
    default: False

enforce-ssl should default to "False" unless it is explicitely set to "True" in your deployment.
I never set it and it worked as expected with a Vault provided cert.
To be clear, I never set it and did the relation for certificates with Vault and I always had Horizon working in HTTPS with a Vault certificate.

Since 21.01, "enforce-ssl" seemsto default to "True" (I can see the "WARNING juju-log Enforce ssl redirect requested but ssl not configured - skipping redirect" message in the logs which clearly says this configuration is set while I don't have it in my yaml file) *BUT* HTTPS is not working anymore with my Vault certificate.

The workaround to restore SSL with Vault is to explicitely set "enforce-ssl: False" in the deployment configuration but in that case, HTTPS is working again but HTTP is working too, there is no forced redirect.

So please, make sure "enforce-ssl" default is consistent with config.yaml and make it work with Vault certificates.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to charm-openstack-dashboard (master)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to charm-openstack-dashboard (master)

Reviewed: https://review.opendev.org/c/openstack/charm-openstack-dashboard/+/844146
Committed: https://opendev.org/openstack/charm-openstack-dashboard/commit/85423b1f735f7e162cdb4111f5fe8cc0caafa1a9
Submitter: "Zuul (22348)"
Branch: master

commit 85423b1f735f7e162cdb4111f5fe8cc0caafa1a9
Author: Pedro Castillo <email address hidden>
Date: Tue May 31 17:51:24 2022 -0500

    Fix warning messages related to enforce-ssl

    When enforce-ssl is set to false, a warning message comes up saying it is
    set to true. This should stop the message from coming up when
    enforce-ssl is false.

    Related-Bug: #1818636
    Change-Id: I6afe116c0cd1e04b5c37413c7daf556a9b05dee4

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.