StarlingX

Sm-api public endpoint unreachable after install a certificate

Bug #1893235 reported by Yuxing
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Medium
Yuxing

Bug Description

Brief Description
-----------------
Sm-api public endpoint unreachable after enabling https and installing a new certificate

Severity
--------
Major

Steps to Reproduce
------------------
2020-08-21T00:19:24.000 system modify --https_enabled true
2020-08-21T00:22:02.000 system certificate-install aiosx.pem
2020-08-21T00:53:17.000 curl -vi https://10.10.40.2:7777

Expected Behavior
------------------
Connecting to the sm-api, get information about the new cert

Actual Behavior
----------------
Connecting to sm-api public endpoint failed

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
AIO-SX

Branch/Pull Time/Commit
-----------------------
Build date: 2020-08-07_20-00-00

Last Pass
---------
na

Timestamp/Logs
--------------
na

Test Activity
-------------
Developer Testing

Workaround
----------
Lock the controller and unlock it, curl -vi https://10.10.40.2:7777 again.

* About to connect() to 10.10.40.2 port 7777 (#0)
* Trying 10.10.40.2...
* Connected to 10.10.40.2 (10.10.40.2) port 7777 (#0)

Yuxing (yuxing)
Changed in starlingx:
assignee: nobody → Yuxing (yuxing)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/748735

Changed in starlingx:
status: New → In Progress
Revision history for this message
Ghada Khalil (gkhalil) wrote :

stx.5.0 / medium - issue w/ specific scenario; workaround exists, so no need to fix in previous releases. Should fix in stx master for the next release.

Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.5.0 stx.config
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/748735
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=f8b9339fb97a887c1f48c18e9efec7eb3dc7452b
Submitter: Zuul
Branch: master

commit f8b9339fb97a887c1f48c18e9efec7eb3dc7452b
Author: Yuxing Jiang <email address hidden>
Date: Fri Aug 28 14:20:17 2020 -0400

    Maintain sm-api in haproxy runtime on all controllers

    The sm-api configuration in /etc/haproxy/haproxy.cfg will be lost in an
    AIOSX setting after enabling https and installing a new certificate,
    in this case, haproxy is expected to reload. This commit modifies the
    haproxy runtime monitor the sm-api for all roles rather than the dc
    roles.

    Test:
    1. Install a fresh AIOSX
    2. system modify --https_enabled true
       system certificate-install aiosx.pem
    3. Check the sm-api public endpoint with:
         curl -vi https://10.10.10.2:7777.
       Connected to the endpoint and get the cert info.
    4. Check the sm-api configuration by:
         grep -e 7777 -e sm-api /etc/haproxy/haproxy.cfg.
       Configuration about public/internal endpoints of sm-api are in this
    file.

    Closes-Bug: 1893235
    Change-Id: Ia47c83df705f1143a5a6ec0cdbf9772f1dbd4283
    Signed-off-by: Yuxing Jiang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/762919

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.