ceph-mgr asks for certificates for the dashboard even when CephDasboardEnables is set to false

Bug #1927093 reported by Michele Baldessari on 2021-05-04
Affects: tripleo
Importance: Medium
Assigned to: Michele Baldessari

Bug Description

See Subj. When deploying with TLS-E and cephadm, I disabled the ceph dashboard:
(undercloud) [stack@undercloud-0 ~]$ openstack stack environment show overcloud -f yaml |grep -i cephenabledashboard

  CephEnableDashboard: false

Yet it still tries to request a cert for it:
2021-05-03 14:02:54.876228 | 5254004b-fe7a-614d-c9eb-00000000e323 | FATAL | Ensure certificate requests | ctrl-3-0 | item={'ca': 'ipa', 'dns': 'ctrl-3-0.mainnetwork.bgp.ftw', 'key_size': '2048', 'name': 'ceph_dashboard', 'principal': '<email address hidden>', 'run_after': '# Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk \'/ceph-mgr/ {print $1}\')\n# Restart the mgr systemd unit\nif [ -n "$mgr_unit" ]; then\n systemctl restart "$mgr_unit"\nfi\n'} | error={"ansible_loop_var": "item", "changed": false, "cmd": "/bin/getcert request -N CN=ctrl-3-0.mainnetwork.bgp.ftw -c IPA -w -k /etc/pki/tls/private/ceph_dashboard.key -f /etc/pki/tls/certs/ceph_dashboard.crt -D ctrl-3-0.mainnetwork.bgp.ftw -D '' -A '' -E '' -r -g 2048 -K '' -K '' -u digitalSignature -u keyEncipherment -U 1.3.6.1.5.5.7.3.1 -U 1.3.6.1.5.5.7.3.2 -U '' -B '' -C /etc/certmonger/post-scripts/ceph_dashboard-838da8a.sh", "item": {"ca": "ipa", "dns": "ctrl-3-0.mainnetwork.bgp.ftw", "key_size": "2048", "name": "ceph_dashboard", "principal": "<email address hidden>", "run_after": "# Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')\n# Restart the mgr systemd unit\nif [ -n \"$mgr_unit\" ]; then\n systemctl restart \"$mgr_unit\"\nfi\n"}, "msg": "", "rc": 2, "stderr": "", "stderr_lines": [], "stdout": "New signing request \"20210503140253\" added.\n", "stdout_lines": ["New signing request \"20210503140253\" added."]}

Changed in tripleo:
status: Triaged → In Progress
Changed in tripleo:
assignee: nobody → Michele Baldessari (michele)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/789560
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/92f722a05c361333ec3e3712e3f8ae7569abda49
Submitter: "Zuul (22348)"
Branch: master

commit 92f722a05c361333ec3e3712e3f8ae7569abda49
Author: Michele Baldessari <email address hidden>
Date: Tue May 4 14:40:00 2021 +0200

    Do not ask for cephdashboard certificates when it is disabled

    When deploying with TLS-E and cephadm, I disabled the ceph dashboard:
    (undercloud) [stack@undercloud-0 ~]$ openstack stack environment show
    overcloud -f yaml |grep -i cephenabledashboard

      CephEnableDashboard: false

    Yet it still tries to request a cert for it (and fails due to
    https://bugs.launchpad.net/tripleo/+bug/1926746):
    2021-05-03 14:02:54.876228 | 5254004b-fe7a-614d-c9eb-00000000e323 |
    FATAL | Ensure certificate requests | ctrl-3-0 | item={'ca': 'ipa',
    'dns': 'ctrl-3-0.mainnetwork.bgp.ftw', 'key_size': '2048', 'name':
    'ceph_dashboard', 'principal':
    '<email address hidden>', 'run_after': '#
    Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk \'/ceph-mgr/
    {print $1}\')\n# Restart the mgr systemd unit\nif [ -n "$mgr_unit" ];
    then\n systemctl restart "$mgr_unit"\nfi\n'} |
    error={"ansible_loop_var": "item", "changed": false, "cmd":
    "/bin/getcert request -N CN=ctrl-3-0.mainnetwork.bgp.ftw -c IPA -w -k
    /etc/pki/tls/private/ceph_dashboard.key -f
    /etc/pki/tls/certs/ceph_dashboard.crt -D ctrl-3-0.mainnetwork.bgp.ftw -D
    '' -A '' -E '' -r -g 2048 -K '' -K '' -u digitalSignature -u
    keyEncipherment -U 1.3.6.1.5.5.7.3.1 -U 1.3.6.1.5.5.7.3.2 -U '' -B '' -C
    /etc/certmonger/post-scripts/ceph_dashboard-838da8a.sh", "item": {"ca":
    "ipa", "dns": "ctrl-3-0.mainnetwork.bgp.ftw", "key_size": "2048",
    "name": "ceph_dashboard", "principal":
    "<email address hidden>", "run_after": "#
    Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk '/ceph-mgr/
    {print $1}')\n# Restart the mgr systemd unit\nif [ -n \"$mgr_unit\" ];
    then\n systemctl restart \"$mgr_unit\"\nfi\n"}, "msg": "", "rc": 2,
    "stderr": "", "stderr_lines": [], "stdout": "New signing request
    \"20210503140253\" added.\n", "stdout_lines": ["New signing request
    \"20210503140253\" added."]}

    With this patch applied I correctly get past this point and am able to
    reach later steps:
    2021-05-04 12:40:44.300445 | 5254004b-fe7a-5ccf-c0b9-0000000000df | TASK | External deployment step 2

    The problem is that the 'enable_internal_tls' is global and only checks
    for internal TLS being enabled so it will still be triggered when
    CephEnabledDashboard is set to false. Let's switch it to the internal
    condition internal_tls_enabled which takes the dashboard into account.

    Change-Id: I73a58b00f31bfeffb724e12515d8c5cb0625ca7f
    Closes-Bug: #1927093

Changed in tripleo:
status: In Progress → Fix Released