Containerized haproxy fails to deploy when enable_internal_tls is set to true

Bug #1709563 reported by Damien Ciabrini on 2017-08-09
This bug affects 1 person
Affects: tripleo
Importance: High
Assigned to: Damien Ciabrini

Bug Description

With the "TLS everywhere" work, HAProxy can now proxy internal endpoints such as galera over TLS.

This works on non-containerized deployments, but containerized HAProxy deployments do not bind-mount all the expected certs and so they fail to be configured properly.

Changed in tripleo:
assignee: nobody → Damien Ciabrini (dciabrin)
status: New → In Progress
Changed in tripleo:
importance: Undecided → Critical
milestone: none → pike-rc1
Changed in tripleo:
importance: Critical → High

Reviewed: https://review.openstack.org/491599
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=1f695f183ae114650d222ab7434bdeb2587a82aa
Submitter: Jenkins
Branch: master

commit 1f695f183ae114650d222ab7434bdeb2587a82aa
Author: Damien Ciabrini <email address hidden>
Date: Mon Aug 7 20:26:33 2017 +0000

    Enable TLS configuration for containerized HAProxy

    In non-containerized deployments, HAProxy can be configured to use TLS
    for proxying internal services.

    Fix the creation of the haproxy bundle resource to enable TLS
    when configured. The keys and certs files, as well as the crl file are
    all passed as configuration files and must be copied by Kolla at
    container startup.

    Change-Id: I4b72739446c63f0f0ac9f859314a4d6746e20255
    Partial-Bug: #1709563

Reviewed: https://review.openstack.org/491602
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=e41139aab0f10062a26c4acc591d32288729df20
Submitter: Jenkins
Branch: master

commit e41139aab0f10062a26c4acc591d32288729df20
Author: Damien Ciabrini <email address hidden>
Date: Mon Aug 7 20:38:19 2017 +0000

    Enable TLS configuration for containerized HAProxy

    In non-containerized deployments, HAProxy can be configured to use TLS for
    proxying internal services.

    Fix the creation of the haproxy bundle resource to enable TLS when
    configured. The keys and certs files are all passed as configuration files and
    must be copied by Kolla at container startup.

    For the time being, disable the use of the CRL file until we find a means
    of restarting the containerized HAProxy service when that file expires.

    Change-Id: If307e3357dccb7e96bdb80c9c06d66a09b55f3bd
    Depends-On: I4b72739446c63f0f0ac9f859314a4d6746e20255
    Closes-Bug: #1709563

Changed in tripleo:
status: In Progress → Fix Released

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0rc1 release candidate.
