Scaling out Octavia service nodes has an lb cert issue

Bug #1849550 reported by Brent Eagles on 2019-10-23
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
High
Brent Eagles

Bug Description

This only affects octavia deployments that use autogenerated certificates.

The regression introduced by trying to resolve certificates being unintentionally overwritten (see https://bugs.launchpad.net/tripleo/+bug/1849548) highlights a kind of catch 22 in the octavia deployment. It does not maintain a persistent store of the certificate data distributed across the nodes on initial deployment. This creates a problem with scaling out nodes. Previously we just always generated new certs so scaling out would *work* but the old nodes would be "broken" and the new ones would be okay. Now the old ones will still work, but the new ones will not get cert data.

Brent Eagles (beagles) on 2019-10-23
Changed in tripleo:
status: New → Triaged
importance: Undecided → High
milestone: none → ussuri-1
assignee: nobody → Brent Eagles (beagles)
summary: - Scaling out Octavia service nodes has an intrinsic lb cert issue
+ Scaling out Octavia service nodes has an lb cert issue
Changed in tripleo:
milestone: ussuri-1 → ussuri-2
wes hayutin (weshayutin) on 2020-02-10
Changed in tripleo:
milestone: ussuri-2 → ussuri-3
wes hayutin (weshayutin) on 2020-04-13
Changed in tripleo:
milestone: ussuri-3 → ussuri-rc3
wes hayutin (weshayutin) on 2020-05-26
Changed in tripleo:
milestone: ussuri-rc3 → victoria-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/692599
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=d3e7a42cdad6a12d63afd23906cffe081f036745
Submitter: Zuul
Branch: master

commit d3e7a42cdad6a12d63afd23906cffe081f036745
Author: Brent Eagles <email address hidden>
Date: Fri Nov 1 15:36:37 2019 -0230

    Scan existing controllers on update to pick up existing certs/private keys

    Adds an octavia related role to pick up CA (cert and private key pairs)
    and client certificate from controllers and modifies existing roles to
    use them instead of generating new ones.

    Depends-On: https://review.opendev.org/714982

    Change-Id: I5c18a59bf11e3915ef5f88c1eb2af1b4713af35b
    Co-Authored-By: Gregory Thiemonge <email address hidden>
    Related-Bug: #1849548
    Related-Bug: #1849550

Changed in tripleo:
milestone: victoria-1 → victoria-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/744184

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/744184
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=2e5be7b96859d1eff7c2680c6780e3ac27c6dd63
Submitter: Zuul
Branch: stable/ussuri

commit 2e5be7b96859d1eff7c2680c6780e3ac27c6dd63
Author: Brent Eagles <email address hidden>
Date: Fri Nov 1 15:36:37 2019 -0230

    Scan existing controllers on update to pick up existing certs/private keys

    Adds an octavia related role to pick up CA (cert and private key pairs)
    and client certificate from controllers and modifies existing roles to
    use them instead of generating new ones.

    Depends-On: https://review.opendev.org/744183

    Change-Id: I5c18a59bf11e3915ef5f88c1eb2af1b4713af35b
    Co-Authored-By: Gregory Thiemonge <email address hidden>
    Related-Bug: #1849548
    Related-Bug: #1849550
    (cherry picked from commit d3e7a42cdad6a12d63afd23906cffe081f036745)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/745530

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/746912

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/745530
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=b94fb8e9d85939e4942bc0d77222e2118552de71
Submitter: Zuul
Branch: stable/train

commit b94fb8e9d85939e4942bc0d77222e2118552de71
Author: Brent Eagles <email address hidden>
Date: Fri Nov 1 15:36:37 2019 -0230

    Scan existing controllers on update to pick up existing certs/private keys

    Adds an octavia related role to pick up CA (cert and private key pairs)
    and client certificate from controllers and modifies existing roles to
    use them instead of generating new ones.

    Depends-On: https://review.opendev.org/745529

    Change-Id: I5c18a59bf11e3915ef5f88c1eb2af1b4713af35b
    Co-Authored-By: Gregory Thiemonge <email address hidden>
    Related-Bug: #1849548
    Related-Bug: #1849550
    (cherry picked from commit d3e7a42cdad6a12d63afd23906cffe081f036745)
    (cherry picked from commit 2e5be7b96859d1eff7c2680c6780e3ac27c6dd63)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (stable/queens)

Reviewed: https://review.opendev.org/746912
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=6b14e3f6d3b7a8ea72c04971c0c9c73e592592a2
Submitter: Zuul
Branch: stable/queens

commit 6b14e3f6d3b7a8ea72c04971c0c9c73e592592a2
Author: Brent Eagles <email address hidden>
Date: Mon Aug 17 14:02:04 2020 +0200

    Scan existing controllers on update to pick up existing certs/private keys

    Adds an octavia related role to pick up CA (cert and private key pairs)
    and client certificate from controllers and modifies existing roles to
    use them instead of generating new ones.

    Depends-On: https://review.opendev.org/746911

    Change-Id: I5c18a59bf11e3915ef5f88c1eb2af1b4713af35b
    Co-Authored-By: Gregory Thiemonge <email address hidden>
    Related-Bug: #1849548
    Related-Bug: #1849550
    (cherry picked from commit d3e7a42cdad6a12d63afd23906cffe081f036745)
    (cherry picked from commit 2e5be7b96859d1eff7c2680c6780e3ac27c6dd63)
    Note-Queens: cherry picked from tripleo-ansible stein
    (cherry picked from commit b94fb8e9d85939e4942bc0d77222e2118552de71)

tags: added: in-stable-queens
Changed in tripleo:
milestone: victoria-3 → wallaby-1
Revision history for this message
Brent Eagles (beagles) wrote :

Pretty sure this has been resolved by Gregory's work.

Changed in tripleo:
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers