containerized galera does not use SSL in gcomm when enable_internal_tls is set to true

Bug #1708135 reported by Damien Ciabrini on 2017-08-02
Affects: tripleo
Importance: High
Assigned to: Juan Antonio Osorio Robles

Bug Description

With the "TLS everywhere" work, galera can now use TLS for the gcomm group communication channel.
This works on non-containerized deployments, but containerized galera deployments do not get configured as expected; they keep using plain unencrypted sockets.

Fix proposed to branch: master
Review: https://review.openstack.org/489956

Changed in tripleo:
assignee: nobody → Damien Ciabrini (dciabrin)
status: New → In Progress
Changed in tripleo:
milestone: none → pike-rc1
importance: Undecided → High
Changed in tripleo:
assignee: Damien Ciabrini (dciabrin) → Juan Antonio Osorio Robles (juan-osorio-robles)

Reviewed: https://review.openstack.org/489956
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=07f9fa69fa145298a2b33bfed5481b5faccf3544
Submitter: Jenkins
Branch: master

commit 07f9fa69fa145298a2b33bfed5481b5faccf3544
Author: Damien Ciabrini <email address hidden>
Date: Wed Aug 2 06:07:51 2017 -0400

    Enable TLS configuration for containerized Galera

    In non-containerized deployments, Galera can be configured to use TLS
    for gcomm group communication when enable_internal_tls is set to true.

    Fix the creation of the mysql bundle resource to enable TLS when
    configured. The key and cert are passed as other configuration files
    and must be copied by Kolla at container startup.

    Change-Id: If845baa7b0a437c28148c817b7f94d540ca15814
    Partial-Bug: #1708135

Reviewed: https://review.openstack.org/489963
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=ac79bf92d05bf63a7e5a1075f7533c3b62f8e9e3
Submitter: Jenkins
Branch: master

commit ac79bf92d05bf63a7e5a1075f7533c3b62f8e9e3
Author: Damien Ciabrini <email address hidden>
Date: Wed Aug 2 06:13:48 2017 -0400

    Enable TLS configuration for containerized Galera

    In non-containerized deployments, Galera can be configured to use TLS
    for gcomm group communication when enable_internal_tls is set to true.

    Fix the metadata service definition and update the Kolla configuration
    to make gcomm use TLS in containers, if configured.

    bp tls-via-certmonger-containers

    Change-Id: Ibead27be81910f946d64b8e5421bcc41210d7430
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>
    Closes-Bug: #1708135
    Depends-On: If845baa7b0a437c28148c817b7f94d540ca15814

Changed in tripleo:
status: In Progress → Fix Released

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0rc1 release candidate.
