undercloud deploy fails with keystone token issue error

So i took a look at the logs, and I don't see apache actually listening on port 13000. It seems that the undercloud is listening on 5000 instead.

It seems that https://github.com/openstack/instack-undercloud/blob/master/elements/puppet-stack-config/puppet-stack-config.pp#L328-L334 is being configured but ssl is not actually enabled.

So ssl is supposed to be handled by haproxy, but i don't see haproxy listening on 13000 so something appears to be up with the haproxy. There's a bunch of defunct instack-haproxy processes in the process list. Still investigating but it looks to be related to haproxy

Wonder if it's related to these AVCs. The upstream CI doesn't run with selinux enabled which may be why we don't see it:

./auditd/ausearch_--input-logs_-m_avc_user_avc_-ts_today:type=USER_AVC msg=audit(1498240010.178:1979): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/haproxy.service" cmdline="systemctl reload haproxy" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:haproxy_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
./auditd/ausearch_--input-logs_-m_avc_user_avc_-ts_today:type=USER_AVC msg=audit(1498240011.424:1980): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/haproxy.service" cmdline="systemctl reload haproxy" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:haproxy_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Closing this as the actual error was an selinux problem and the reported error message generally appears if something else goes wrong during the deployment.