Overcloud deployment fails with TLS-everywhere because of keytab permission issues
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | Fix Released | Undecided | Lance Bragstad | |
Bug Description
TLS-e deployments require the undercloud to have a keytab it uses to authenticate to FreeIPA. The undercloud manages resources in FreeIPA for the overcloud infrastructure like hosts, services, and DNS entries.
A deployer either configures the undercloud keytab manually or passes a one-time password to the undercloud via its configuration file, which enrolls the undercloud as a FreeIPA host, registers it, and allows it to fetch the keytab. Afterwards, the keytab permissions are updated so that it's readable by whatever user performs the overcloud installation.
With the removal of mistral from the undercloud, we've simplified some of the ansible variables to connect to the undercloud [0]. This change [1] causes some permission issues because tripleo-ipa assumed the tripleo-admin user and group as the ansible_ssh_user for the undercloud. Now that we're dealing with local connections [2], this user can be anyone who is invoking the overcloud deploy.
You can recreate this by following the steps for TLS-e with tripleo-ipa, which are currently still under review [3].
The deployment fails during the overcloud installation when the undercloud attempts to enroll overcloud hosts to FreeIPA [4]. The failure manifests as a 401 because the user invoking the playbook (e.g., stack) doesn't have access to the keytab.
The expected result would be to successfully deploy the overcloud using the stack user. Note, this is only applicable on deployments not user deployed servers, since tripleo-admin is configured in the ansible inventory for those deployments.
[0] https:/
[1] https:/
[2] https:/
[3] https:/
[4] https:/
Fix proposed to branch: master
Review: https://review.opendev.org/740275