service principal not created

Bug #1861097 reported by Grzegorz Grasza
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: Undecided
Assigned to: Grzegorz Grasza

Bug Description

Description
===========

The service principal is not created due to VIP being set to false in network_data.yaml

Because of this it is not possible to deploy TLS Everywhere with management network.

Steps to reproduce
==================

Attempt to deploy an overcloud using TLS everywhere, certmonger-managed public TLS, and network isolation. Enable the management network on the Controller role.

Expected result
===============

Deployment succeeds.

Actual result
=============

Deployment failed with Ansible error during deployment from Puppet failure (on each controller node):

          "<13>Nov 27 02:02:38 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]/ensure: created",
          "<13>Nov 27 02:02:38 puppet-user: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I httpd-management -f /etc/pki/tls/certs/httpd/httpd-management.crt -c IPA -N CN=hub-controller-2.management.dcnlab.signal9.gg -K HTTP/hub-controller-2.management.dcnlab.signal9.gg -D hub-controller-2.management.dcnlab.signal9.gg -C pkill -USR1 httpd -w -k /etc/pki/tls/private/httpd/httpd-management.key' returned 3: New signing request \"httpd-management\" added.",
          "<13>Nov 27 02:02:38 puppet-user: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]: Could not evaluate: Could not get certificate: Server at https://hub-idm-2.dcnlab.signal9.gg/ipa/xml failed request, will retry: 4001 (RPC failed at server. The host 'hub-controller-2.management.dcnlab.signal9.gg' does not exist to add a service to.).",
          "<13>Nov 27 02:02:38 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-storage]/Certmonger_certificate[httpd-storage]/ensure: created",

Environment
===========

OpenStack Stein
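
A triage helper for the failure in the log above, added here as an example and not part of the bug report or of TripleO: it pairs each `getcert request` line with the IPA 4001 "host does not exist" error and lists the host entries and service principals that were never registered. The sample log is constructed with placeholder hostnames, and reading the network name from the second FQDN label is an assumption based on the hostnames shown in the report.

```python
import re

# Constructed sample shaped like the puppet-user lines in the report;
# hostnames are placeholders (example.test), not the reporter's.
SAMPLE_LOG = r"""
<13>Nov 27 02:02:38 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]/ensure: created
<13>Nov 27 02:02:38 puppet-user: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I httpd-management -f /etc/pki/tls/certs/httpd/httpd-management.crt -c IPA -N CN=ctl-0.management.example.test -K HTTP/ctl-0.management.example.test -D ctl-0.management.example.test -C pkill -USR1 httpd -w -k /etc/pki/tls/private/httpd/httpd-management.key' returned 3: New signing request \"httpd-management\" added.
<13>Nov 27 02:02:38 puppet-user: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]: Could not evaluate: Could not get certificate: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4001 (RPC failed at server. The host 'ctl-0.management.example.test' does not exist to add a service to.).
<13>Nov 27 02:02:38 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-storage]/Certmonger_certificate[httpd-storage]/ensure: created
"""

# getcert arguments: -I request nickname, -K Kerberos principal, -D DNS SAN
REQUEST_RE = re.compile(
    r"getcert request -I (?P<req>\S+) .*?-K (?P<principal>\S+) -D (?P<dns>\S+)")
# Puppet error wrapping the IPA RPC failure for a host with no IPA entry
ERROR_RE = re.compile(
    r"Certmonger_certificate\[(?P<req>[^\]]+)\]: Could not evaluate: .*?"
    r"will retry: (?P<code>\d+) \(.*?The host '(?P<host>[^']+)' does not exist")


def missing_ipa_hosts(log_text):
    """Return one record per certmonger request rejected for a missing IPA host."""
    principals = {}   # request nickname -> principal asked for with -K
    failures = []
    for line in log_text.splitlines():
        req = REQUEST_RE.search(line)
        if req:
            principals[req["req"]] = req["principal"]
        err = ERROR_RE.search(line)
        if err:
            labels = err["host"].split(".")
            failures.append({
                "request": err["req"],
                "ipa_code": int(err["code"]),
                "host": err["host"],
                # Assumption: per-network FQDNs are <node>.<network>.<domain>
                "network": labels[1] if len(labels) > 2 else None,
                "principal": principals.get(err["req"]),
            })
    return failures


if __name__ == "__main__":
    for f in missing_ipa_hosts(SAMPLE_LOG):
        print("{request}: IPA {ipa_code}, no host entry for {host} "
              "(network {network}, principal {principal})".format(**f))
```
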

Changed in tripleo:
assignee: nobody → Grzegorz Grasza (xek)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/696842
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a22c04c576ce6956d4ca526b60b482501228f47e
Submitter: Zuul
Branch: master

commit a22c04c576ce6956d4ca526b60b482501228f47e
Author: Grzegorz Grasza <email address hidden>
Date: Mon Dec 2 10:47:29 2019 +0100

    Skip both tenant and management networks when generating certs

    Without this change we were unable to deploy TLS Everywhere with
    management network. This is because the service principal is not
    created due to VIP being set to false in network_data.yaml

    Closes-Bug: #1861097
    Resolves: rhbz#1777605
    Change-Id: I43fd5f67c1a0be6eaa1752575349e64329cada4a

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/718756

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/718757

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/718756
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=5b5780c1542b90363adce73cbe40635e4868806f
Submitter: Zuul
Branch: stable/train

commit 5b5780c1542b90363adce73cbe40635e4868806f
Author: Grzegorz Grasza <email address hidden>
Date: Mon Dec 2 10:47:29 2019 +0100

    Skip both tenant and management networks when generating certs

    Without this change we were unable to deploy TLS Everywhere with
    management network. This is because the service principal is not
    created due to VIP being set to false in network_data.yaml

    Closes-Bug: #1861097
    Resolves: rhbz#1777605
    Change-Id: I43fd5f67c1a0be6eaa1752575349e64329cada4a
    (cherry picked from commit a22c04c576ce6956d4ca526b60b482501228f47e)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/stein)

Reviewed: https://review.opendev.org/718757
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=50ecaf5f7831ed32b27769036ffe4e1c756b12d5
Submitter: Zuul
Branch: stable/stein

commit 50ecaf5f7831ed32b27769036ffe4e1c756b12d5
Author: Grzegorz Grasza <email address hidden>
Date: Mon Dec 2 10:47:29 2019 +0100

    Skip both tenant and management networks when generating certs

    Without this change we were unable to deploy TLS Everywhere with
    management network. This is because the service principal is not
    created due to VIP being set to false in network_data.yaml

    Closes-Bug: #1861097
    Resolves: rhbz#1777605
    Change-Id: I43fd5f67c1a0be6eaa1752575349e64329cada4a
    (cherry picked from commit a22c04c576ce6956d4ca526b60b482501228f47e)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 11.4.0

This issue was fixed in the openstack/tripleo-heat-templates 11.4.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates stein-eol

This issue was fixed in the openstack/tripleo-heat-templates stein-eol release.
