Bug #1877138 “DC system controller admin endpoint is http, not h...” : Bugs : StarlingX

Peng Peng (ppeng) on 2020-05-06

tags:

added: stx.retestneeded

Revision history for this message

Bin Qian (bqian20) wrote on 2020-05-06:

#1

Download full text (3.4 KiB)

the hieradata has the right admin_url, something after went wrong:
/opt/platform/puppet/20.04/hieradata/system.yaml:barbican::keystone::auth::admin_url: https://[fd01:1::2]:9312
/opt/platform/puppet/20.04/hieradata/system.yaml:dcdbsync::keystone::auth::admin_url: https://[fd01:1::2]:8220/v1.0
/opt/platform/puppet/20.04/hieradata/system.yaml:dcmanager::keystone::auth::admin_url: https://[fd01:1::2]:8120/v1.0
/opt/platform/puppet/20.04/hieradata/system.yaml:dcorch::keystone::auth::identity_proxy_admin_url: https://[fd01:1::2]:25001/v3
/opt/platform/puppet/20.04/hieradata/system.yaml:dcorch::keystone::auth::patching_proxy_admin_url: https://[fd01:1::2]:25492/
/opt/platform/puppet/20.04/hieradata/system.yaml:dcorch::keystone::auth::sysinv_proxy_admin_url: https://[fd01:1::2]:26386/v1
/opt/platform/puppet/20.04/hieradata/system.yaml:fm::keystone::auth::admin_url: https://[fd01:1::2]:18003
/opt/platform/puppet/20.04/hieradata/system.yaml:keystone::endpoint::admin_url: https://[fd01:1::2]:5001
/opt/platform/puppet/20.04/hieradata/system.yaml:nfv::keystone::auth::admin_url: https://[fd01:1::2]:4546
/opt/platform/puppet/20.04/hieradata/system.yaml:patching::keystone::auth::admin_url: https://[fd01:1::2]:5492
/opt/platform/puppet/20.04/hieradata/system.yaml:platform::smapi::params::admin_url: https://[fd01:1::2]:7778
/opt/platform/puppet/20.04/hieradata/system.yaml:smapi::keystone::auth::admin_url: https://[fd01:1::2]:7778
/opt/platform/puppet/20.04/hieradata/system.yaml:sysinv::keystone::auth::admin_url: https://[fd01:1::2]:6386/v1
Also /etc/haproxy/haproxy.cfg is configured correctly with admin endpoints as https
frontend barbican-restapi-admin
  bind fd01:1::2:9312 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend barbican-restapi-admin-internal
--
frontend dcdbsync-restapi-admin
  bind fd01:1::2:8220 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend dcdbsync-restapi-admin-internal
--
frontend dcmanager-restapi-admin
  bind fd01:1::2:8120 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend dcmanager-restapi-admin-internal
--
frontend dcorch-identity-api-proxy-admin
  bind fd01:1::2:25001 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend dcorch-identity-api-proxy-admin-internal
--
frontend dcorch-patch-api-proxy-admin
  bind fd01:1::2:25492 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend dcorch-patch-api-proxy-admin-internal
--
frontend dcorch-sysinv-api-proxy-admin
  bind fd01:1::2:26386 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend dcorch-sysinv-api-proxy-admin-internal
--
frontend fm-api-admin
  bind fd01:1::2:18003 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend fm-api-admin-internal
--
frontend keystone-restapi-admin
  bind fd01:1::2:5001 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend keystone-restapi-admin-internal
--
frontend patching-restapi-admin
  bind fd01:1::2:5492 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend patching-restapi-admin-internal
--
frontend sm-api-admin
  bind fd01:1::2:7778 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend sm-api-admin-internal
--
frontend sysinv-restapi-admin
  bind fd01:1::2:6386 ssl c...

the hieradata has the right admin_url, something after went wrong:
/opt/platform/puppet/20.04/hieradata/system.yaml:barbican::keystone::auth::admin_url: https://[fd01:1::2]:9312
/opt/platform/puppet/20.04/hieradata/system.yaml:dcdbsync::keystone::auth::admin_url: https://[fd01:1::2]:8220/v1.0
/opt/platform/puppet/20.04/hieradata/system.yaml:dcmanager::keystone::auth::admin_url: https://[fd01:1::2]:8120/v1.0
/opt/platform/puppet/20.04/hieradata/system.yaml:dcorch::keystone::auth::identity_proxy_admin_url: https://[fd01:1::2]:25001/v3
/opt/platform/puppet/20.04/hieradata/system.yaml:dcorch::keystone::auth::patching_proxy_admin_url: https://[fd01:1::2]:25492/
/opt/platform/puppet/20.04/hieradata/system.yaml:dcorch::keystone::auth::sysinv_proxy_admin_url: https://[fd01:1::2]:26386/v1
/opt/platform/puppet/20.04/hieradata/system.yaml:fm::keystone::auth::admin_url: https://[fd01:1::2]:18003
/opt/platform/puppet/20.04/hieradata/system.yaml:keystone::endpoint::admin_url: https://[fd01:1::2]:5001
/opt/platform/puppet/20.04/hieradata/system.yaml:nfv::keystone::auth::admin_url: https://[fd01:1::2]:4546
/opt/platform/puppet/20.04/hieradata/system.yaml:patching::keystone::auth::admin_url: https://[fd01:1::2]:5492
/opt/platform/puppet/20.04/hieradata/system.yaml:platform::smapi::params::admin_url: https://[fd01:1::2]:7778
/opt/platform/puppet/20.04/hieradata/system.yaml:smapi::keystone::auth::admin_url: https://[fd01:1::2]:7778
/opt/platform/puppet/20.04/hieradata/system.yaml:sysinv::keystone::auth::admin_url: https://[fd01:1::2]:6386/v1
Also /etc/haproxy/haproxy.cfg is configured correctly with admin endpoints as https
frontend barbican-restapi-admin
  bind fd01:1::2:9312 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend barbican-restapi-admin-internal
--
frontend dcdbsync-restapi-admin
  bind fd01:1::2:8220 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend dcdbsync-restapi-admin-internal
--
frontend dcmanager-restapi-admin
  bind fd01:1::2:8120 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend dcmanager-restapi-admin-internal
--
frontend dcorch-identity-api-proxy-admin
  bind fd01:1::2:25001 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend dcorch-identity-api-proxy-admin-internal
--
frontend dcorch-patch-api-proxy-admin
  bind fd01:1::2:25492 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend dcorch-patch-api-proxy-admin-internal
--
frontend dcorch-sysinv-api-proxy-admin
  bind fd01:1::2:26386 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend dcorch-sysinv-api-proxy-admin-internal
--
frontend fm-api-admin
  bind fd01:1::2:18003 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend fm-api-admin-internal
--
frontend keystone-restapi-admin
  bind fd01:1::2:5001 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend keystone-restapi-admin-internal
--
frontend patching-restapi-admin
  bind fd01:1::2:5492 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend patching-restapi-admin-internal
--
frontend sm-api-admin
  bind fd01:1::2:7778 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend sm-api-admin-internal
--
frontend sysinv-restapi-admin
  bind fd01:1::2:6386 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend sysinv-restapi-admin-internal
--
frontend vim-restapi-admin
  bind fd01:1::2:4546 ssl crt /etc/ssl/private/admin-ep-cert.pem
  default_backend vim-restapi-admin-internal

No error was found in puppet.log

Revision history for this message

Peng Peng (ppeng) wrote on 2020-05-06:

#2

collect log failed by LP-1877142

tar /var/log/ logs and added at
https://files.starlingx.kube.cengn.ca/launchpad/1877138

Ghada Khalil (gkhalil) on 2020-05-06

Changed in starlingx:
importance:	Undecided → High
status:	New → Triaged
description:	updated
tags:	added: stx.4.02

Revision history for this message

Yang Liu (yliu12) wrote on 2020-05-06:

#3

Was working on 2020-05-01-20-00-00 load:

Ghada Khalil (gkhalil) on 2020-05-06

tags:	added: stx.4.0 stx.config stx.security removed: stx.4.02
Changed in starlingx:
assignee:	nobody → Bin Qian (bqian20)

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2020-05-06:

#4

This issue appears to be introduced/exposed by a recent code change:
https://review.opendev.org/#/c/724741/

Changed in starlingx:
status:	Triaged → In Progress

Revision history for this message

Bin Qian (bqian20) wrote on 2020-05-06:

#5

As a side note, the admin endpoint are reconfigured to https after controller-0 1st unlock. This is triggered in sysinv conductor _controller_config_active_apply.

Ghada Khalil (gkhalil) on 2020-05-06

Changed in starlingx:
assignee:	Bin Qian (bqian20) → John Kung (john-kung)

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2020-05-06:

#6

The commit that introduced this issue has been reverted:
https://review.opendev.org/#/c/725950/

Merged on 2020-05-06

Changed in starlingx:
status:	In Progress → Fix Released

Ghada Khalil (gkhalil) on 2020-05-06

tags:

added: stx.distcloud

Revision history for this message

Peng Peng (ppeng) wrote on 2020-05-07:

#7

Verified on
BUILD_ID="2020-05-06_19-45-22"

tags:

removed: stx.retestneeded

StarlingX

DC system controller admin endpoint is http, not https by default

Bug Description

Other bug subscribers

Remote bug watches