TLS everywhere fails with keystone admin API in the external network

Bug #1732443 reported by Juan Antonio Osorio Robles on 2017-11-15
Affects: tripleo
Importance: High
Assigned to: Juan Antonio Osorio Robles

Bug Description

It's a common scenario that deployers change the keystone admin API from the ctlplane to the external network. They tend to do so by setting the appropriate value in the ServiceNetMap. With an environment that looks as follows:

parameter_defaults:
  ServiceNetMap:
    KeystoneAdminApiNetwork: external

When trying to do so, we get the following error:

overcloud.AllNodesDeploySteps.ControllerDeployment_Step1.0:
  resource_type: OS::Heat::StructuredDeployment
  physical_resource_id: 8a1a8376-07ba-43f8-8dba-8016176fd212
  status: CREATE_FAILED
  status_reason: |
    Error: resources[0]: Deployment to server failed: deploy_status_code : Deployment exited with non-zero status code: 2
  deploy_stdout: |

    PLAY [localhost] ***************************************************************

    TASK [Gathering Facts] *********************************************************
    ok: [localhost]

    TASK [Set host puppet debugging fact string] ***********************************
    ok: [localhost]

    TASK [Write the config_step hieradata] *****************************************
    changed: [localhost]

    TASK [Run puppet host configuration for step 1] ********************************
    ok: [localhost]

    TASK [debug] *******************************************************************
    fatal: [localhost]: FAILED! => {
        "(outputs.stderr|default('')).split('\n')|union(outputs.stdout_lines|default([]))": [
            "exception: connect failed",
            "erlexec: HOME must be set",
            "Warning: Facter: Fact resolution fact='systemd_internal_services', resolution='<anonymous>' resolved to an invalid value: Expected disabled to be one of [Integer, Float, TrueClass, FalseClass, NilClass, String, Array, Hash], but was Symbol",
            "Warning: Undefined variable 'deploy_config_name'; ",
            " (file & line not available)",
            "Warning: ModuleLoader: module 'haproxy' has unresolved dependencies - it will only see those that are resolved. Use 'puppet module list --tree' to see information about modules",
            "Warning: ModuleLoader: module 'mysql' has unresolved dependencies - it will only see those that are resolved. Use 'puppet module list --tree' to see information about modules",
            "Error: Evaluation Error: Operator '[]' is not applicable to an Undef Value. at /etc/puppet/modules/tripleo/manifests/profile/base/keystone.pp:187:27 on node overcloud-controller-0.walrusdomain",
             ...

Changed in tripleo:
status: New → Triaged
milestone: none → queens-2
tags: added: pike-backport-potential
Changed in tripleo:
importance: Undecided → High

Fix proposed to branch: master
Review: https://review.openstack.org/520081

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/520081
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=451020b72e7b27b2615e770f5bbce490258b18be
Submitter: Zuul
Branch: master

commit 451020b72e7b27b2615e770f5bbce490258b18be
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Nov 15 13:58:25 2017 +0000

    Enable httpd to request certificates for the "external" network

    Deployers can change the network that a service is running on through
    the ServiceNetMap. A common change is to switch the keystone admin API
    to run in the external network instead of the ctlplane network. Doing
    this in a TLS everywhere environment breaks, since we were explicitly
    skipping the external network.

    This no longer skips that network, thus enabling this use-case.

    Change-Id: I488517528a77a257dede2f59488bb95ffc77743b
    Closes-Bug: #1732443
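As an added illustration (not code from tripleo-heat-templates or from the bug report), a pre-deployment check that flags any ServiceNetMap entry pointing at a network for which the TLS-everywhere templates would not request an httpd certificate, reproducing the failing combination from the description above (KeystoneAdminApiNetwork on "external") before and after the fix described in the commit message. The network names and the "external is skipped" rule are assumptions modelled on the report, not tripleo's actual template logic.

```python
from typing import Dict, Set

# Overcloud network names used in this illustration (assumed list; the real
# set depends on the deployment's network_data).
ALL_NETWORKS: Set[str] = {
    "ctlplane", "external", "internal_api", "storage",
    "storage_mgmt", "tenant", "management",
}


def cert_networks(skip_external: bool) -> Set[str]:
    """Networks an httpd certificate is requested for.

    Assumption modelled on the commit message: before the fix the templates
    explicitly skipped "external"; after it every network is covered.
    """
    return ALL_NETWORKS - {"external"} if skip_external else set(ALL_NETWORKS)


def uncovered_services(service_net_map: Dict[str, str],
                       skip_external: bool) -> Dict[str, str]:
    """Return {service_key: network} for each service placed on a network
    that gets no certificate (the case that made keystone.pp hit an Undef
    value) or on a network name that does not exist at all (typo guard)."""
    covered = cert_networks(skip_external)
    return {svc: net for svc, net in service_net_map.items()
            if net not in covered}


# Constructed sample environment mirroring the report's parameter_defaults.
SAMPLE_SERVICE_NET_MAP: Dict[str, str] = {
    "KeystoneAdminApiNetwork": "external",
    "KeystonePublicApiNetwork": "internal_api",
    "GlanceApiNetwork": "internal_api",
}

if __name__ == "__main__":
    for fixed in (False, True):
        label = "after fix" if fixed else "before fix"
        missing = uncovered_services(SAMPLE_SERVICE_NET_MAP,
                                     skip_external=not fixed)
        print(f"{label}: {missing or 'every service network has a certificate'}")
```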

Changed in tripleo:
status: In Progress → Fix Released

Change abandoned by Alex Schultz (<email address hidden>) on branch: stable/pike
Review: https://review.openstack.org/520893
Reason: this patch is hung in the gate. Will restore shortly.

Reviewed: https://review.openstack.org/520893
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=871b625a7bccd52e33741e9f8cbfad96affa12df
Submitter: Zuul
Branch: stable/pike

commit 871b625a7bccd52e33741e9f8cbfad96affa12df
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Nov 15 13:58:25 2017 +0000

    Enable httpd to request certificates for the "external" network

    Deployers can change the network that a service is running on through
    the ServiceNetMap. A common change is to switch the keystone admin API
    to run in the external network instead of the ctlplane network. Doing
    this in a TLS everywhere environment breaks, since we were explicitly
    skipping the external network.

    This no longer skips that network, thus enabling this use-case.

    Change-Id: I488517528a77a257dede2f59488bb95ffc77743b
    Closes-Bug: #1732443
    (cherry picked from commit 451020b72e7b27b2615e770f5bbce490258b18be)

tags: added: in-stable-pike

This issue was fixed in the openstack/tripleo-heat-templates 7.0.5 release.

This issue was fixed in the openstack/tripleo-heat-templates 8.0.0.0b2 development milestone.
