Memcached TLS certificate is created for FQDNs, while the clients connect with IP addresses

Bug #1929574 reported by Grzegorz Grasza
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Description
===========

Memcached deploys just fine, but the generated config in memcache uses IPs for endpoints instead of FQDNs, so TLS connections to memcache cannot be verified by pymemcache.

Steps to reproduce
==================

Deploy with TLS-Everywhere and Memcached TLS enabled by including the env files:

 * tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml
 * tripleo-heat-templates/environments/ssl/enable-memcached-tls.yaml

Expected result
===============

Services are able to connect to Memcached

Actual result
=============

Some services using pymemcache fail to validate the certificate

Environment
===========

This will need separate patches for the master branch and Train.

The latest release configures certificates in a new way, requesting them from certmonger via the ansible linux-system-roles.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/train)
Changed in tripleo:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/793003

Revision history for this message
Grzegorz Grasza (xek) wrote :

As a workaround, the memcached server list could be set via the memcached_node_ips hiera variable.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (stable/train)

Change abandoned by "Grzegorz Grasza <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/792994
Reason: Abandoning in favor of https://review.opendev.org/c/openstack/tripleo-heat-templates/+/792131 backport

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (stable/train)

Change abandoned by "Grzegorz Grasza <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/793003
Reason: Abandoning in favor of https://review.opendev.org/c/openstack/tripleo-heat-templates/+/792131 backport

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/796829

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (stable/train)

Change abandoned by "Grzegorz Grasza <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/796829
Reason: will propose this on master branch

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by "Grzegorz Grasza <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/792131
Reason: I'm abandoning this for https://review.opendev.org/c/openstack/puppet-tripleo/+/796832

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/796832
Committed: https://opendev.org/openstack/puppet-tripleo/commit/49921d57f5753dffe032b9501d1101707ce8cc1e
Submitter: "Zuul (22348)"
Branch: master

commit 49921d57f5753dffe032b9501d1101707ce8cc1e
Author: Grzegorz Grasza <email address hidden>
Date: Thu Jun 17 14:35:52 2021 +0200

    Set memcached server list from memcached_node_names

    This follows other clustered services (like RabbitMQ) and
    uses *_node_names (which contain FQDNs), instead of *_node_ips.

    Certificate for Memcached TLS is also created using FQDN.
    Because of this, validation failed when using pymemcache.
    This patch fixes this issue.

    Closes-Bug: #1929574
    Change-Id: I9d0ddcc88098a5b891829192f1ce656842d0aa15

Changed in tripleo:
status: In Progress → Fix Released
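The failure described in the bug report and in the merged commit message above comes down to TLS reference-identity matching: a dNSName entry in the certificate's subjectAltName can only satisfy a client that asked for that DNS name, never a client that dialed an IP literal, so a server list built from memcached_node_ips cannot pass verification against a certificate issued for the node FQDNs while one built from memcached_node_names can. The Python below is an added illustration, not code from the bug report, tripleo or pymemcache. It re-implements the matching rule (in the spirit of RFC 6125 and the check Python's ssl module performs when check_hostname is on) over a constructed SAN list and two constructed node lists, one shaped like memcached_node_ips and one like memcached_node_names, and goes slightly beyond the bug by also covering iPAddress SAN entries and wildcard dNSNames. Every hostname, address and port in it is made up.

```python
"""Reference-identity matching: why an FQDN-only certificate rejects IP clients.

Added example, not code from tripleo or pymemcache. It mirrors the check a
TLS client performs when hostname verification is on: the name the client
connected to (passed as server_hostname) is compared against the
certificate's subjectAltName entries.
"""
import ipaddress

# Constructed subjectAltName list, in the (type, value) tuple shape that
# ssl.SSLSocket.getpeercert()["subjectAltName"] returns. A certificate issued
# for the node FQDNs only, as in the bug, carries no "IP Address" entries.
# Names are made up for this example.
MEMCACHED_CERT_SAN = (
    ("DNS", "controller-0.internalapi.example.com"),
    ("DNS", "controller-1.internalapi.example.com"),
    ("DNS", "controller-2.internalapi.example.com"),
)

# Constructed hiera-style node lists (hypothetical values).
MEMCACHED_NODE_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
MEMCACHED_NODE_NAMES = [
    "controller-0.internalapi.example.com",
    "controller-1.internalapi.example.com",
    "controller-2.internalapi.example.com",
]


def dns_name_matches(pattern, hostname):
    """dNSName comparison: case-insensitive, trailing dot ignored, and a
    wildcard is honoured only when it is the entire leftmost label of a
    pattern with at least three labels (the rule modern TLS stacks apply)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def matches_reference_identity(san_entries, target):
    """True if the address the client dialed (`target`) is acceptable for a
    certificate carrying `san_entries`.

    An IP literal is compared only with iPAddress entries and a DNS name
    only with dNSName entries; a dNSName never satisfies an IP client,
    which is exactly why the IP-based server list failed verification.
    """
    try:
        wanted_ip = ipaddress.ip_address(target)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in san_entries)
    return any(kind == "DNS" and dns_name_matches(value, target)
               for kind, value in san_entries)


def memcached_servers(node_list, port=11211):
    """Build a (host, port) server list from a hiera node list. The port and
    the list shape are assumptions for this example, not the template's."""
    return [(node, port) for node in node_list]


def verification_outcome(server_list, san_entries):
    """Map each configured server to whether hostname verification would pass."""
    return {host: matches_reference_identity(san_entries, host)
            for host, _port in server_list}


if __name__ == "__main__":
    for label, nodes in (("memcached_node_ips", MEMCACHED_NODE_IPS),
                         ("memcached_node_names", MEMCACHED_NODE_NAMES)):
        outcome = verification_outcome(memcached_servers(nodes), MEMCACHED_CERT_SAN)
        print(f"{label}: {outcome}")
```

The check is deliberately asymmetric: an IP literal is matched only against iPAddress entries, so even a dNSName whose text happens to equal the IP would not rescue an IP-based server list. That is why the fix changes the server list to the FQDNs rather than touching the certificate request.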
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/802883

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/803199

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/803201

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/803205

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/802883
Committed: https://opendev.org/openstack/puppet-tripleo/commit/c56c26dfc6cc00e2d9e17d2845c48d6f044eda77
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit c56c26dfc6cc00e2d9e17d2845c48d6f044eda77
Author: Grzegorz Grasza <email address hidden>
Date: Thu Jun 17 14:35:52 2021 +0200

    Set memcached server list from memcached_node_names

    This follows other clustered services (like RabbitMQ) and
    uses *_node_names (which contain FQDNs), instead of *_node_ips.

    Certificate for Memcached TLS is also created using FQDN.
    Because of this, validation failed when using pymemcache.
    This patch fixes this issue.

    Closes-Bug: #1929574
    Change-Id: I9d0ddcc88098a5b891829192f1ce656842d0aa15
    (cherry picked from commit 49921d57f5753dffe032b9501d1101707ce8cc1e)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 14.2.2

This issue was fixed in the openstack/puppet-tripleo 14.2.2 release.

Changed in tripleo:
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/803199
Committed: https://opendev.org/openstack/puppet-tripleo/commit/74b5ba27b71ee9a66d29ff89e14851bf19985ca7
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 74b5ba27b71ee9a66d29ff89e14851bf19985ca7
Author: Grzegorz Grasza <email address hidden>
Date: Thu Jun 17 14:35:52 2021 +0200

    Set memcached server list from memcached_node_names

    This follows other clustered services (like RabbitMQ) and
    uses *_node_names (which contain FQDNs), instead of *_node_ips.

    Certificate for Memcached TLS is also created using FQDN.
    Because of this, validation failed when using pymemcache.
    This patch fixes this issue.

    Closes-Bug: #1929574
    Change-Id: I9d0ddcc88098a5b891829192f1ce656842d0aa15
    (cherry picked from commit 49921d57f5753dffe032b9501d1101707ce8cc1e)

tags: added: in-stable-victoria
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/803201
Committed: https://opendev.org/openstack/puppet-tripleo/commit/89fc3e6b0c3caeafe70b415917dc435c4e938676
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 89fc3e6b0c3caeafe70b415917dc435c4e938676
Author: Grzegorz Grasza <email address hidden>
Date: Thu Jun 17 14:35:52 2021 +0200

    Set memcached server list from memcached_node_names

    This follows other clustered services (like RabbitMQ) and
    uses *_node_names (which contain FQDNs), instead of *_node_ips.

    Certificate for Memcached TLS is also created using FQDN.
    Because of this, validation failed when using pymemcache.
    This patch fixes this issue.

    Closes-Bug: #1929574
    Change-Id: I9d0ddcc88098a5b891829192f1ce656842d0aa15
    (cherry picked from commit 49921d57f5753dffe032b9501d1101707ce8cc1e)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/train)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/803205
Committed: https://opendev.org/openstack/puppet-tripleo/commit/057fbbdb90f9f4a5472f4be2a8c892a1c4551b35
Submitter: "Zuul (22348)"
Branch: stable/train

commit 057fbbdb90f9f4a5472f4be2a8c892a1c4551b35
Author: Grzegorz Grasza <email address hidden>
Date: Thu Jun 17 14:35:52 2021 +0200

    Set memcached server list from memcached_node_names

    This follows other clustered services (like RabbitMQ) and
    uses *_node_names (which contain FQDNs), instead of *_node_ips.

    Certificate for Memcached TLS is also created using FQDN.
    Because of this, validation failed when using pymemcache.
    This patch fixes this issue.

    Closes-Bug: #1929574
    Change-Id: I9d0ddcc88098a5b891829192f1ce656842d0aa15
    (cherry picked from commit 49921d57f5753dffe032b9501d1101707ce8cc1e)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 16.0.0

This issue was fixed in the openstack/puppet-tripleo 16.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 12.7.1

This issue was fixed in the openstack/puppet-tripleo 12.7.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 13.7.0

This issue was fixed in the openstack/puppet-tripleo 13.7.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo train-eol

This issue was fixed in the openstack/puppet-tripleo train-eol release.
