ceph-mgr asks for certificates for the dashboard even when CephEnableDashboard is set to false

Bug #1927093 reported by Michele Baldessari
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Michele Baldessari
Milestone:

Bug Description

See Subj. When deploying with TLS-E and cephadm, I disabled the ceph dashboard:
(undercloud) [stack@undercloud-0 ~]$ openstack stack environment show overcloud -f yaml |grep -i cephenabledashboard

  CephEnableDashboard: false

Yet it still tries to request a cert for it:
2021-05-03 14:02:54.876228 | 5254004b-fe7a-614d-c9eb-00000000e323 | FATAL | Ensure certificate requests | ctrl-3-0 | item={'ca': 'ipa', 'dns': 'ctrl-3-0.mainnetwork.bgp.ftw', 'key_size': '2048', 'name': 'ceph_dashboard', 'principal': '<email address hidden>', 'run_after': '# Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk \'/ceph-mgr/ {print $1}\')\n# Restart the mgr systemd unit\nif [ -n "$mgr_unit" ]; then\n systemctl restart "$mgr_unit"\nfi\n'} | error={"ansible_loop_var": "item", "changed": false, "cmd": "/bin/getcert request -N CN=ctrl-3-0.mainnetwork.bgp.ftw -c IPA -w -k /etc/pki/tls/private/ceph_dashboard.key -f /etc/pki/tls/certs/ceph_dashboard.crt -D ctrl-3-0.mainnetwork.bgp.ftw -D '' -A '' -E '' -r -g 2048 -K '' -K '' -u digitalSignature -u keyEncipherment -U 1.3.6.1.5.5.7.3.1 -U 1.3.6.1.5.5.7.3.2 -U '' -B '' -C /etc/certmonger/post-scripts/ceph_dashboard-838da8a.sh", "item": {"ca": "ipa", "dns": "ctrl-3-0.mainnetwork.bgp.ftw", "key_size": "2048", "name": "ceph_dashboard", "principal": "<email address hidden>", "run_after": "# Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')\n# Restart the mgr systemd unit\nif [ -n \"$mgr_unit\" ]; then\n systemctl restart \"$mgr_unit\"\nfi\n"}, "msg": "", "rc": 2, "stderr": "", "stderr_lines": [], "stdout": "New signing request \"20210503140253\" added.\n", "stdout_lines": ["New signing request \"20210503140253\" added."]}

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)
Changed in tripleo:
status: Triaged → In Progress
Changed in tripleo:
assignee: nobody → Michele Baldessari (michele)
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/789560
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/92f722a05c361333ec3e3712e3f8ae7569abda49
Submitter: "Zuul (22348)"
Branch: master

commit 92f722a05c361333ec3e3712e3f8ae7569abda49
Author: Michele Baldessari <email address hidden>
Date: Tue May 4 14:40:00 2021 +0200

    Do not ask for cephdashboard certificates when it is disabled

    When deploying with TLS-E and cephadm, I disabled the ceph dashboard:
    (undercloud) [stack@undercloud-0 ~]$ openstack stack environment show
    overcloud -f yaml |grep -i cephenabledashboard

      CephEnableDashboard: false

    Yet it still tries to request a cert for it (and fails due to
    https://bugs.launchpad.net/tripleo/+bug/1926746):
    2021-05-03 14:02:54.876228 | 5254004b-fe7a-614d-c9eb-00000000e323 |
    FATAL | Ensure certificate requests | ctrl-3-0 | item={'ca': 'ipa',
    'dns': 'ctrl-3-0.mainnetwork.bgp.ftw', 'key_size': '2048', 'name':
    'ceph_dashboard', 'principal':
    '<email address hidden>', 'run_after': '#
    Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk \'/ceph-mgr/
    {print $1}\')\n# Restart the mgr systemd unit\nif [ -n "$mgr_unit" ];
    then\n systemctl restart "$mgr_unit"\nfi\n'} |
    error={"ansible_loop_var": "item", "changed": false, "cmd":
    "/bin/getcert request -N CN=ctrl-3-0.mainnetwork.bgp.ftw -c IPA -w -k
    /etc/pki/tls/private/ceph_dashboard.key -f
    /etc/pki/tls/certs/ceph_dashboard.crt -D ctrl-3-0.mainnetwork.bgp.ftw -D
    '' -A '' -E '' -r -g 2048 -K '' -K '' -u digitalSignature -u
    keyEncipherment -U 1.3.6.1.5.5.7.3.1 -U 1.3.6.1.5.5.7.3.2 -U '' -B '' -C
    /etc/certmonger/post-scripts/ceph_dashboard-838da8a.sh", "item": {"ca":
    "ipa", "dns": "ctrl-3-0.mainnetwork.bgp.ftw", "key_size": "2048",
    "name": "ceph_dashboard", "principal":
    "<email address hidden>", "run_after": "#
    Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk '/ceph-mgr/
    {print $1}')\n# Restart the mgr systemd unit\nif [ -n \"$mgr_unit\" ];
    then\n systemctl restart \"$mgr_unit\"\nfi\n"}, "msg": "", "rc": 2,
    "stderr": "", "stderr_lines": [], "stdout": "New signing request
    \"20210503140253\" added.\n", "stdout_lines": ["New signing request
    \"20210503140253\" added."]}

    With this patch applied I correctly get past this point and am able to
    reach later steps:
    2021-05-04 12:40:44.300445 | 5254004b-fe7a-5ccf-c0b9-0000000000df | TASK | External deployment step 2

    The problem is that the 'enable_internal_tls' is global and only checks
    for internal TLS being enabled so it will still be triggered when
    CephEnableDashboard is set to false. Let's switch it to the internal
    condition internal_tls_enabled which takes the dashboard into account.

    Change-Id: I73a58b00f31bfeffb724e12515d8c5cb0625ca7f
    Closes-Bug: #1927093

Changed in tripleo:
status: In Progress → Fix Released
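
The condition change described in the commit message above, as an added Heat template sketch (not the project's actual template, whose layout is not shown on this page). The parameter name `EnableInternalTLS`, the output names and the shape of the certificate entry are assumptions; the entry's values come from the logged `item`.

```yaml
heat_template_version: wallaby

parameters:
  EnableInternalTLS:      # assumed name of the TLS-E switch
    type: boolean
    default: false
  CephEnableDashboard:    # parameter shown in the bug description
    type: boolean
    default: false

conditions:
  # Stand-in for the global condition named in the commit message:
  # true whenever internal TLS is on, regardless of the dashboard.
  enable_internal_tls:
    equals: [{get_param: EnableInternalTLS}, true]
  # Service-local condition: internal TLS is on AND the dashboard is enabled.
  internal_tls_enabled:
    and:
      - equals: [{get_param: EnableInternalTLS}, true]
      - equals: [{get_param: CephEnableDashboard}, true]

outputs:
  # Before: with EnableInternalTLS=true and CephEnableDashboard=false this
  # still emits a ceph_dashboard certificate request.
  certificate_requests_before:
    value:
      if:
        - enable_internal_tls
        - - name: ceph_dashboard
            ca: ipa
            key_size: '2048'
        - []
  # After: the same inputs yield an empty list, so no key or certificate
  # is requested for a service that is not deployed.
  certificate_requests_after:
    value:
      if:
        - internal_tls_enabled
        - - name: ceph_dashboard
            ca: ipa
            key_size: '2048'
        - []
```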
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 15.0.0

This issue was fixed in the openstack/tripleo-heat-templates 15.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/814758

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/814758
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/1e347f5b328d352d0c0b414121d59f5f6a896c9e
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 1e347f5b328d352d0c0b414121d59f5f6a896c9e
Author: Michele Baldessari <email address hidden>
Date: Tue May 4 14:40:00 2021 +0200

    Do not ask for cephdashboard certificates when it is disabled

    When deploying with TLS-E and cephadm, I disabled the ceph dashboard:
    (undercloud) [stack@undercloud-0 ~]$ openstack stack environment show
    overcloud -f yaml |grep -i cephenabledashboard

      CephEnableDashboard: false

    Yet it still tries to request a cert for it (and fails due to
    https://bugs.launchpad.net/tripleo/+bug/1926746):
    2021-05-03 14:02:54.876228 | 5254004b-fe7a-614d-c9eb-00000000e323 |
    FATAL | Ensure certificate requests | ctrl-3-0 | item={'ca': 'ipa',
    'dns': 'ctrl-3-0.mainnetwork.bgp.ftw', 'key_size': '2048', 'name':
    'ceph_dashboard', 'principal':
    '<email address hidden>', 'run_after': '#
    Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk \'/ceph-mgr/
    {print $1}\')\n# Restart the mgr systemd unit\nif [ -n "$mgr_unit" ];
    then\n systemctl restart "$mgr_unit"\nfi\n'} |
    error={"ansible_loop_var": "item", "changed": false, "cmd":
    "/bin/getcert request -N CN=ctrl-3-0.mainnetwork.bgp.ftw -c IPA -w -k
    /etc/pki/tls/private/ceph_dashboard.key -f
    /etc/pki/tls/certs/ceph_dashboard.crt -D ctrl-3-0.mainnetwork.bgp.ftw -D
    '' -A '' -E '' -r -g 2048 -K '' -K '' -u digitalSignature -u
    keyEncipherment -U 1.3.6.1.5.5.7.3.1 -U 1.3.6.1.5.5.7.3.2 -U '' -B '' -C
    /etc/certmonger/post-scripts/ceph_dashboard-838da8a.sh", "item": {"ca":
    "ipa", "dns": "ctrl-3-0.mainnetwork.bgp.ftw", "key_size": "2048",
    "name": "ceph_dashboard", "principal":
    "<email address hidden>", "run_after": "#
    Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk '/ceph-mgr/
    {print $1}')\n# Restart the mgr systemd unit\nif [ -n \"$mgr_unit\" ];
    then\n systemctl restart \"$mgr_unit\"\nfi\n"}, "msg": "", "rc": 2,
    "stderr": "", "stderr_lines": [], "stdout": "New signing request
    \"20210503140253\" added.\n", "stdout_lines": ["New signing request
    \"20210503140253\" added."]}

    With this patch applied I correctly get past this point and am able to
    reach later steps:
    2021-05-04 12:40:44.300445 | 5254004b-fe7a-5ccf-c0b9-0000000000df | TASK | External deployment step 2

    The problem is that the 'enable_internal_tls' is global and only checks
    for internal TLS being enabled so it will still be triggered when
    CephEnableDashboard is set to false. Let's switch it to the internal
    condition internal_tls_enabled which takes the dashboard into account.

    Change-Id: I73a58b00f31bfeffb724e12515d8c5cb0625ca7f
    Closes-Bug: #1927093
    (cherry picked from commit 92f722a05c361333ec3e3712e3f8ae7569abda49)

tags: added: in-stable-wallaby