tripleo

unable to set up tls-everywhere with public tls certs

Bug #1883818 reported by Ade Lee on 2020-06-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	Undecided	Harry Rybacki

Bug Description

Description:

There was an error in the fix that was committed in commit 42cfbbc8bfbaa401d6e774b58cb78f4bbaccc2d9 in THT. The relevant data that is written to clouds.yaml is constructed here:

https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/keystone/keystone-container-puppet.yaml#L746-L760

The problem here is that the auth_url refers to the public endpoint, whereas the CA cert defined there is for the internal endpoint. That is, the parameter InternalTLSCAFile is only supposed to be used to refer to the ca cert used for TLS on internal endpoints.

Now, you would not see a problem if you had a deployment with TLS-Everywhere where all the certs (both public and private) are issued by the IPA server.

Nor would you see a problem with just public TLS - although this is somewhat lucky because the parameter InternalTLSCAFile is really being used incorrectly to refer to where the public TLS CA cert is located. In this case, the deployment can work because the InternalTLSCAFile is not being used on the internal interfaces. It can however lead to weird upgrade problems and has in fact led to some infrared failures.

Where you will definitely see a problem though is when you try to set up an environment where the public interface cert is issued by a given cert ("public TLS") and the internal interfaces are protected by certs issued by IPA. This is essentially the environment that is set up when we try to do a brownfield deployment. That is , update a public TLS only system to have tls-everywhere but keep the public certs intact.

It won't work because what you need to insert to allow the undercloud to reach keystone in cloud.yaml (on the public interface) is not the same as what is needed to set up the internal interfaces correctly.

I tested this - and there is simply no way to make it work. You can't use the same parameter to make both public and private interfaces happy.

What I did test though, was adding a new parameter ExternalTLSCAFile - which I defaulted to "" to the keystone template. This is after all exactly what we are describing in clouds.yaml. With that change, I was able to get the brownfield deployment to work.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-06-17: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/736089

Changed in tripleo:
assignee:	nobody → Rabi Mishra (rabi)
status:	New → In Progress

OpenStack Infra (hudson-openstack) on 2020-06-18

Changed in tripleo:
assignee:	Rabi Mishra (rabi) → wes hayutin (weshayutin)

OpenStack Infra (hudson-openstack) on 2020-06-25

Changed in tripleo:
assignee:	wes hayutin (weshayutin) → Ronelle Landy (rlandy)

OpenStack Infra (hudson-openstack) on 2020-06-25

Changed in tripleo:
assignee:	Ronelle Landy (rlandy) → Harry Rybacki (hrybacki-h)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-06-29: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/736089
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=2acb0d376b66375ba000369b24fc3354365b2601
Submitter: Zuul
Branch: master

commit 2acb0d376b66375ba000369b24fc3354365b2601
Author: Rabi Mishra <email address hidden>
Date: Wed Jun 17 09:36:10 2020 +0530

Add new parameter PublicTLSCACert

    We've been using InternalTLSCAFile parameter when enabling
    public TLS for undercloud and is quite confusing. We recently
    changed to use it in clouds.yaml and it would break when
    both public and internal TLS are enabled for overcloud and both
    use different CA certs. This adds a new parameter which we
    will use in clouds.yaml, that would default to empty string
    assuming that the certificates are trusted.

    Closes-Bug: #1883818
    Change-Id: Id6f612a91255b3158be821c363ca852c6b5d7496
    Depends-On: https://review.opendev.org/737998

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-06-29: Fix proposed to tripleo-heat-templates (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/738506

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-06-29: Fix proposed to tripleo-heat-templates (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/738507

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-07-03: Fix merged to tripleo-heat-templates (stable/ussuri)

Reviewed: https://review.opendev.org/738506
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=48940849b438dc33ac7f0b945a7989e6a04455a5
Submitter: Zuul
Branch: stable/ussuri

commit 48940849b438dc33ac7f0b945a7989e6a04455a5
Author: Rabi Mishra <email address hidden>
Date: Wed Jun 17 09:36:10 2020 +0530

Add new parameter PublicTLSCACert

    Closes-Bug: #1883818
    Change-Id: Id6f612a91255b3158be821c363ca852c6b5d7496
    Depends-On: https://review.opendev.org/737998
    (cherry picked from commit 2acb0d376b66375ba000369b24fc3354365b2601)