Octavia gets IP address with TLS everywhere endpoints

Bug #1822035 reported by Juan Antonio Osorio Robles
Affects: tripleo
Status: Fix Released
Importance: Critical
Assigned to: Juan Antonio Osorio Robles

Bug Description

When configuring TLS everywhere, even if the environment file environments/ssl/tls-everywhere-endpoints-dns.yaml explicitly says it should be DNS, octavia gets configured with IPs. This is wrong, as the certificates get assigned to FQDNs.
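
The mismatch described above, as an added example (not code from tripleo-heat-templates or from the bug report): a Python check that flags HTTPS endpoints whose host is not covered by the certificate's subjectAltNames. The endpoint map layout, endpoint names, hostnames, addresses and SAN lists are constructed assumptions.

```python
import ipaddress

# Constructed sample: entries shaped like an endpoint map
# (name -> protocol/port/host). All names and addresses are made up.
ENDPOINTS = {
    "KeystoneInternal": {"protocol": "https", "port": "5000", "host": "overcloud.internalapi.example.test"},
    "OctaviaInternal": {"protocol": "https", "port": "9876", "host": "172.16.2.10"},
    "OctaviaPublic": {"protocol": "https", "port": "13876", "host": "overcloud.example.test"},
    "GlanceInternal": {"protocol": "http", "port": "9292", "host": "172.16.2.11"},
}
# Constructed certificate contents: DNS subjectAltNames only, no iPAddress SANs.
CERT_DNS_SANS = ["overcloud.example.test", "*.internalapi.example.test"]
CERT_IP_SANS = []

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def dns_match(host, pattern):
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern

def host_covered(host, dns_sans, ip_sans):
    # An IP literal is only ever compared against iPAddress SANs,
    # so a certificate with DNS SANs alone can never cover it.
    if is_ip_literal(host):
        addr = ipaddress.ip_address(host.strip("[]"))
        return any(addr == ipaddress.ip_address(s) for s in ip_sans)
    return any(dns_match(host, p) for p in dns_sans)

def audit(endpoints, dns_sans, ip_sans):
    findings = []
    for name, ep in sorted(endpoints.items()):
        if ep["protocol"] != "https":
            continue  # plain HTTP endpoints do no certificate verification
        if not host_covered(ep["host"], dns_sans, ip_sans):
            kind = "ip-literal" if is_ip_literal(ep["host"]) else "dns-name"
            findings.append((name, ep["host"], kind))
    return findings

if __name__ == "__main__":
    for name, host, kind in audit(ENDPOINTS, CERT_DNS_SANS, CERT_IP_SANS):
        print(f"{name}: {host} ({kind}) is not covered by the certificate SANs")
```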

Changed in tripleo:
milestone: none → stein-rc1
importance: Undecided → Critical
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/648321

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/648321
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a0e262e20ce5a111d9c097d9b6c7a7549207aebd
Submitter: Zuul
Branch: master

commit a0e262e20ce5a111d9c097d9b6c7a7549207aebd
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Mar 28 07:52:11 2019 +0200

    TLS everywhere: switch Octavia to use DNS entries

    The entries in the tls-everywhere-endpoints-dns.yaml were wrong for
    octavia; pointing to IPs instead of DNS. This made the TLS everywhere
    deployment fail, since it assigns certificates for DNS subjectAltNames.

    Change-Id: Ic6f0f26c03c443edf1715927a4542245e08567f4
    Closes-Bug: #1822035

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/649333

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/649334

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.openstack.org/649333
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=8aff87b8a9b473a1c1c7433111d1fe2eb370a1ad
Submitter: Zuul
Branch: stable/rocky

commit 8aff87b8a9b473a1c1c7433111d1fe2eb370a1ad
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Mar 28 07:52:11 2019 +0200

    TLS everywhere: switch Octavia to use DNS entries

    The entries in the tls-everywhere-endpoints-dns.yaml were wrong for
    octavia; pointing to IPs instead of DNS. This made the TLS everywhere
    deployment fail, since it assigns certificates for DNS subjectAltNames.

    Change-Id: Ic6f0f26c03c443edf1715927a4542245e08567f4
    Closes-Bug: #1822035
    (cherry picked from commit a0e262e20ce5a111d9c097d9b6c7a7549207aebd)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.5.0

This issue was fixed in the openstack/tripleo-heat-templates 10.5.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.opendev.org/649334
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=9b78d4eff4a0106ef92864f276878c13046df342
Submitter: Zuul
Branch: stable/queens

commit 9b78d4eff4a0106ef92864f276878c13046df342
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Mar 28 07:52:11 2019 +0200

    TLS everywhere: switch Octavia to use DNS entries

    The entries in the tls-everywhere-endpoints-dns.yaml were wrong for
    octavia; pointing to IPs instead of DNS. This made the TLS everywhere
    deployment fail, since it assigns certificates for DNS subjectAltNames.

    Change-Id: Ic6f0f26c03c443edf1715927a4542245e08567f4
    Closes-Bug: #1822035
    (cherry picked from commit a0e262e20ce5a111d9c097d9b6c7a7549207aebd)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.4.0

This issue was fixed in the openstack/tripleo-heat-templates 9.4.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.4.0

This issue was fixed in the openstack/tripleo-heat-templates 8.4.0 release.
