haproxy.pp in puppet-tripleo generates wrong haproxy.cfg for SSL-protected rgw instances

Bug #1883296 reported by Martin Gerhard Loschwitz
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Martin Gerhard Loschwitz
Milestone: (none)

Bug Description

haproxy.pp assumes that Ceph rgw instances are always using plaintext and do not support SSL connectivity, and hence explicitly ignores internal_tls_member_options even if EnableInternalTLS is active. In setups with SSL-protected rgw instances, this leads to a broken haproxy.cfg configuration file in which the Ceph rgw instances refuse to communicate with HAProxy, reporting an SSL handshake failure.

To the outside world, this leads to 503 errors when trying to communicate with the Ceph rgw instance, effectively making it impossible to use rgw, for instance, as storage for OpenShift deployments in TLS-everywhere setups.

Bug is present in HEAD as of today.

The attached patch fixes the issue and is tested.
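The failure described above is visible in the rendered haproxy.cfg: the rgw backend's server lines carry only health-check options while the other internal backends also carry the TLS member options, so HAProxy speaks plaintext to a listener that expects TLS. The following is an added example (not code from puppet-tripleo or from the bug report) that lints a haproxy.cfg for backend members lacking those options and emits a corrected stanza. The config text is constructed; the hostnames, addresses, ports, backend names and the CA path are assumptions, and the exact contents of internal_tls_member_options in puppet-tripleo may differ from the `ssl verify required ca-file ...` form assumed here.

```python
"""Lint an haproxy.cfg for backend members that should carry TLS options.

Added example, not code from puppet-tripleo or the bug report. The config
text below is constructed; hostnames, addresses, ports and the CA path are
assumptions chosen to resemble a TLS-everywhere overcloud.
"""
import re

# Constructed sample: the ceph_rgw backend lacks TLS member options while
# another internal backend carries them.
SAMPLE_CFG = """\
global
  log /dev/log local0

defaults
  mode http

backend ceph_rgw
  balance roundrobin
  option httpchk GET /swift/healthcheck
  server ctrl-0.internalapi.localdomain 172.16.2.10:8080 check fall 5 inter 2000 rise 2
  server ctrl-1.internalapi.localdomain 172.16.2.11:8080 check fall 5 inter 2000 rise 2

backend keystone_internal
  balance roundrobin
  server ctrl-0.internalapi.localdomain 172.16.2.10:5000 check fall 5 inter 2000 rise 2 ssl verify required ca-file /etc/ipa/ca.crt
"""

# Assumed shape of internal_tls_member_options; the real list in
# puppet-tripleo may differ.
DEFAULT_TLS_MEMBER_OPTS = "ssl verify required ca-file /etc/ipa/ca.crt"

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")


def _section_name(line):
    """Return (is_section_header, backend_name_or_None) for a stripped line."""
    m = SECTION_RE.match(line)
    if not m:
        return False, None
    kind, name = m.group(1), m.group(2)
    return True, (name if kind in ("backend", "listen") else None)


def _lacks_tls(server_line):
    """True if a 'server NAME ADDR [opts]' line lacks 'ssl' or 'verify required'."""
    parts = server_line.split(None, 3)
    opts = parts[3] if len(parts) > 3 else ""
    words = opts.split()
    return "ssl" not in words or "verify required" not in " ".join(words)


def members_missing_tls(cfg_text, backend_name):
    """Names of servers in backend_name that are missing TLS member options."""
    missing = []
    current = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        is_header, name = _section_name(line)
        if is_header:
            current = name
        elif current == backend_name and line.startswith("server ") and _lacks_tls(line):
            missing.append(line.split(None, 3)[1])
    return missing


def add_tls_member_options(cfg_text, backend_name, opts=DEFAULT_TLS_MEMBER_OPTS):
    """Return cfg_text with opts appended to every bare server line in backend_name."""
    out = []
    current = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        is_header, name = _section_name(line)
        if is_header:
            current = name
        elif current == backend_name and line.startswith("server ") and _lacks_tls(line):
            raw = raw.rstrip() + " " + opts
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for backend in ("ceph_rgw", "keystone_internal"):
        print(backend, "members missing TLS options:", members_missing_tls(SAMPLE_CFG, backend))
    print(add_tls_member_options(SAMPLE_CFG, "ceph_rgw"))
```

Run against a real /etc/haproxy/haproxy.cfg (or /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg on a containerised deployment) with the rgw backend name used there; a non-empty result for the rgw backend on a TLS-everywhere overcloud is the condition that produces the handshake failures and 503s reported above.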

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.opendev.org/735376

Changed in tripleo:
assignee: nobody → Martin Gerhard Loschwitz (martin-loschwitz)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/735561

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/735563

Changed in tripleo:
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/735376
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=436bfaa158d8ff48b9e499158f6edd00df22e0a4
Submitter: Zuul
Branch: master

commit 436bfaa158d8ff48b9e499158f6edd00df22e0a4
Author: Martin Loschwitz <email address hidden>
Date: Fri Jun 12 19:10:32 2020 +0200

    Make haproxy.pp honor EnableInternalTLS for rgw

    haproxy.pp assumes that Ceph rgw instances cannot be SSL
    encrypted and generates invalid haproxy configuration files
    in setups where EnableInternalTLS is set to true.

    This patch makes haproxy.pp honor EnableInternalTLS and
    include internal_tls_member_options in the member_options
    for Ceph rgw instances.

    Change-Id: If59a27b28eb61ab2c1ff84f5047261e8695234d4
    Closes-Bug: #1883296

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/train)

Reviewed: https://review.opendev.org/735563
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=56e56b1511180abbe9c00b989035e7cd7872da1c
Submitter: Zuul
Branch: stable/train

commit 56e56b1511180abbe9c00b989035e7cd7872da1c
Author: Francesco Pantano <email address hidden>
Date: Mon Jun 15 13:40:23 2020 +0200

    Make haproxy.pp honor EnableInternalTLS for rgw

    haproxy.pp assumes that Ceph rgw instances cannot be SSL
    encrypted and generates invalid haproxy configuration files
    in setups where EnableInternalTLS is set to true.

    This patch makes haproxy.pp honor EnableInternalTLS and
    include internal_tls_member_options in the member_options
    for Ceph rgw instances.

    Change-Id: If59a27b28eb61ab2c1ff84f5047261e8695234d4
    Closes-Bug: #1883296
    (cherry picked from commit 436bfaa158d8ff48b9e499158f6edd00df22e0a4)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ussuri)

Reviewed: https://review.opendev.org/735561
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=855bad9aad7a34327f421bf6f73000d0be67b6e0
Submitter: Zuul
Branch: stable/ussuri

commit 855bad9aad7a34327f421bf6f73000d0be67b6e0
Author: Francesco Pantano <email address hidden>
Date: Mon Jun 15 13:47:54 2020 +0200

    Make haproxy.pp honor EnableInternalTLS for rgw

    haproxy.pp assumes that Ceph rgw instances cannot be SSL
    encrypted and generates invalid haproxy configuration files
    in setups where EnableInternalTLS is set to true.

    This patch makes haproxy.pp honor EnableInternalTLS and
    include internal_tls_member_options in the member_options
    for Ceph rgw instances.

    Depends-On: I0350d5253571a2b0d12a0a2f25e5469c9d1fefe0
    Change-Id: If59a27b28eb61ab2c1ff84f5047261e8695234d4
    Closes-Bug: #1883296
    (cherry picked from commit 436bfaa158d8ff48b9e499158f6edd00df22e0a4)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 11.5.0

This issue was fixed in the openstack/puppet-tripleo 11.5.0 release.
