Fuel for OpenStack

Horizon ssl support error. Unable to connect after deploy.

  1. Series 8.0.x
  2. Bug #1544109
Bug #1544109 reported by Mikhail Samoylov
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
Fix Committed
High
Stanislaw Bogatkin
Fuel for OpenStack 9.0
8.0.x
Triaged
High
Stanislaw Bogatkin
Fuel for OpenStack 8.0-updates
Mitaka
Fix Released
High
Stanislaw Bogatkin
Fuel for OpenStack 9.0

Bug Description

If we choose ssl support for horizon your cannot connect it by ssl, only http, because while deploying was chosen wrong haproxy horizon config.
Steps for reproduce:
1. Create new cluster wirh 3 controllers and 2 compute nodes
2. Go to settings tab
3. Enable checkbox "HTTPS for Horizon"
Select source for certificate: Self-signed
4. Deploy cluster
5. After deploy will pass, navigate to the Horizon url: https://<horizon_ip:443>
6. Add to your /etc/hosts horizon ip and domain from certificate from step 3
7. Confirm exception and add cert to the browser

Actual result:
Unable to connect to server
Expected result:
Horizon Login screen should appear

Horizon haproxy conf from primary_controller node:
http://paste.openstack.org/show/486577/

After discuss with Stas Bogatkin it seems that problem here:
https://github.com/openstack/fuel-library/blob/stable/8.0/deployment%2Fpuppet%2Fosnailyfacter%2Flib%2Fpuppet%2Fparser%2Ffunctions%2Fget_ssl_property.rb#L32

Snapshot link:
https://drive.google.com/a/mirantis.com/file/d/0B2SenDuhfXPlSy1UY1lTcGxCRjQ

Fuel VERSION:
 feature_groups:
   - mirantis
 production: "docker"
 release: "8.0"
 api: "1.0"
 build_number: "529"
 build_id: "529"
 fuel-nailgun_sha: "baec8643ca624e52b37873f2dbd511c135d236d9"
 python-fuelclient_sha: "4f234669cfe88a9406f4e438b1e1f74f1ef484a5"
 fuel-agent_sha: "658be72c4b42d3e1436b86ac4567ab914bfb451b"
 fuel-nailgun-agent_sha: "b2bb466fd5bd92da614cdbd819d6999c510ebfb1"
 astute_sha: "b81577a5b7857c4be8748492bae1dec2fa89b446"
 fuel-library_sha: "e2d79330d5d708796330fac67722c21f85569b87"
 fuel-ostf_sha: "3bc76a63a9e7d195ff34eadc29552f4235fa6c52"
 fuel-mirror_sha: "fb45b80d7bee5899d931f926e5c9512e2b442749"
 fuelmenu_sha: "e071216cb214e34b4d861478033425ee6a54a3be"
 shotgun_sha: "63645dea384a37dde5c01d4f8905566978e5d906"
 network-checker_sha: "a43cf96cd9532f10794dce736350bf5bed350e9d"
 fuel-upgrade_sha: "616a7490ec7199f69759e97e42f9b97dfc87e85b"
 fuelmain_sha: "a365f05b903368225da3fea9aa42afc1d50dc9b4

Tags: area-library
Stanislaw Bogatkin (sbogatkin)
Changed in fuel:
status: New → Triaged
Dmitry Pyzhov (dpyzhov)
no longer affects: fuel/mitaka
Dmitry Pyzhov (dpyzhov)
tags: added: area-library
removed: area-python
Revision history for this message
Stanislaw Bogatkin (sbogatkin) wrote :

I think that this bug is critical, cause case when we enable just horizon ssl is not working at all now. But after speaking with Dmitry P. we save it as high due to not merge it into 8.0 in HCF.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/279063

Changed in fuel:
status: Triaged → In Progress
Revision history for this message
Mike Scherbakov (mihgen) wrote :

> I think that this bug is critical, cause case when we enable just horizon ssl is not working at all now.
Stas, what if we enable SSL for REST API of OpenStack along with SSL for Horizon, is this configuration works fine?

I'm asking as this would be configuration which we would recommend anyway, and we could then keep this issue as of High priority (workaround is easy), and even provide a lock in Fuel UI that if Horizon SSL enabled, enable REST API SSL too.

Revision history for this message
Eugene Bogdanov (ebogdanov) wrote :

Promoting to critical because of high user impact.

Changed in fuel:
importance: High → Critical
Revision history for this message
Mike Scherbakov (mihgen) wrote :

My comment #3 got confirmation from nurla.
It is Critical bug unless we lock a vendor-specific feature group to use both SSL for Horizon & REST API. That's why assigning to UI to estimate if we can do such an easy fix in the UI.

With the fix, importance of the issue can be downgraded to High, and we can live with it in 8.0.

My personal perspective is that https://review.openstack.org/279063 risky enough in such a late time in the cycle, and I'd target this fix to 9.0 only.

Changed in fuel:
assignee: Stanislaw Bogatkin (sbogatkin) → Fuel UI Team (fuel-ui)
Revision history for this message
Vitaly Kramskikh (vkramskikh) wrote :

The least ugly option to fix it from UI side is to disable Horizon SSL checkbox unless REST API SSL checkbox is not set. Are you ok with it?

Revision history for this message
Stanislaw Bogatkin (sbogatkin) wrote :

It has nothing with UI, sorry Mike. We should fix it in library side.

Revision history for this message
Julia Aranovich (jkirnosova) wrote :

There is a diff in UI code to add a Horizon SSL dependency on REST API SSL:
http://paste.openstack.org/show/BELyuSd6OO23Z3mpE54L/

OpenStack Infra (hudson-openstack)
Changed in fuel:
assignee: Fuel UI Team (fuel-ui) → Stanislaw Bogatkin (sbogatkin)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to fuel-web (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/279486

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to fuel-web (stable/8.0)

Related fix proposed to branch: stable/8.0
Review: https://review.openstack.org/279554

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-web (master)

Reviewed: https://review.openstack.org/279486
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=bd7aff1b10272e11969f7d8aac9c30f0feb9d7f0
Submitter: Jenkins
Branch: master

commit bd7aff1b10272e11969f7d8aac9c30f0feb9d7f0
Author: Vitaly Kramskikh <email address hidden>
Date: Fri Feb 12 18:40:23 2016 +0700

    Only allow to enable SSL for Horizon with SSL for OSt endpoints

    Change-Id: Iad75e6a5172c291212b301afaf99db850c3b425f
    Related-Bug: #1544109

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-web (stable/8.0)

Reviewed: https://review.openstack.org/279554
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=558ca91a854cf29e395940c232911ffb851899c1
Submitter: Jenkins
Branch: stable/8.0

commit 558ca91a854cf29e395940c232911ffb851899c1
Author: Vitaly Kramskikh <email address hidden>
Date: Fri Feb 12 18:40:23 2016 +0700

    Only allow to enable SSL for Horizon with SSL for OSt endpoints

    Change-Id: Iad75e6a5172c291212b301afaf99db850c3b425f
    Related-Bug: #1544109

Revision history for this message
Dmitry Pyzhov (dpyzhov) wrote :

We've blocked this use case on UI until we got the fix merged. Unavailability of this use case has High priority

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/279063
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=8e0eee44a89f2c84e21fa42cc775cf79aab2a62e
Submitter: Jenkins
Branch: master

commit 8e0eee44a89f2c84e21fa42cc775cf79aab2a62e
Author: Stanislaw Bogatkin <email address hidden>
Date: Thu Feb 11 16:38:40 2016 +0300

    Change logic for get_ssl_property function

    We didn't use case when only public horizon was selected for TLS,
    so rewrite some logic to fix it.

    Change-Id: I889dd233f52a1c789ba8eab2c1492eceef1391d3
    Closes-Bug: #1544109

Changed in fuel:
status: In Progress → Fix Committed
Revision history for this message
Mikhail Samoylov (msamoylov) wrote :

verified in fuel-9.0-mos-352

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.