HTTPS is enabled on subclouds by installing a ssl_ca certificate on System Controller

Bug #1980769 reported by Andy
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Low
Andy

Bug Description

Brief Description
-----------------
In a DC system with (at least) one ssl_ca certificate installed, https on subclouds are enabled by default.

Severity
--------
Minor: System/Feature is usable with minor issue

Steps to Reproduce
------------------
- Install a DC system with at least one subclouds
- Install a ssl_ca certificate on system controller
- Wait until the subclouds are in "in-sync" state
- Check https_enabled on subclouds

Expected Behavior
------------------
https on subclouds is disabled.

Actual Behavior
----------------
https on subclouds is enabled.

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
DC with at least one subcloud.

Branch/Pull Time/Commit
-----------------------
STX master latest.

Last Pass
---------
Unknown

Timestamp/Logs
--------------
dcorch.log:

  469 2022-06-17 15:51:21.550 117503 INFO dccommon.drivers.openstack.sysinv_v1 [-] region=subcloud1 enabled https system=64c0873e-3b62-4b51-aef2-207f468ab93b
  470 2022-06-17 15:51:26.254 117503 INFO dccommon.drivers.openstack.sysinv_v1 [-] update_certificate region=subcloud1 signature=ssl_ca_10076021394652733954
  471 2022-06-17 15:51:26.259 117503 INFO dcorch.engine.sync_thread [-] subcloud1/platform: 1 not found in subcloud 1 resource table
  472 2022-06-17 15:51:26.264 117503 INFO dcorch.engine.sync_services.sysinv [-] subcloud1/platform: certificate 1 ssl_ca_10076021394652733954 [ssl_ca_10076021394652733954] updated with subcloud certificates: []

Test Activity
-------------
Developer Testing

Workaround
----------
NA

Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to distcloud (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/distcloud/+/848779

Changed in starlingx:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to distcloud (master)

Reviewed: https://review.opendev.org/c/starlingx/distcloud/+/848779
Committed: https://opendev.org/starlingx/distcloud/commit/1dedb8aba4482dd2b749464d2d9446f2e02dd472
Submitter: "Zuul (22348)"
Branch: master

commit 1dedb8aba4482dd2b749464d2d9446f2e02dd472
Author: Andy Ning <email address hidden>
Date: Tue Jul 5 15:05:49 2022 -0400

    Don't enable https on subcloud when ca cert is installed

    Currently in a DC system, when a ssl_ca certificate is installed,
    an incorrect checking in DC sysinv driver triggers https enabling
    on subcloud. This change updated the checking so that the CA
    certificate is installed but https remains unchanged on subcloud.

    Test Plan:
    PASS: In DC system with ssl_ca certificate, disable https and uninstall
          ssl_ca certificate on a subcloud. Wait until the ssl_ca
          certificate is synced to the subcloud again. Observe that https
          remains disabled on the subcloud.

    Closes-Bug: 1980769
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: I136319c8d93eb39d97818924cb07d0d2a013adec

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.7.0 stx.distcloud stx.security
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.