uc installation fails with parameter 'ssl_cacert' expects a Stdlib::Absolutepath
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Fix Released | High | Michele Baldessari | |
Bug Description
Lon hit this issue and I can reproduce it:
2021-10-19 18:12:02.562474 | | WARNING | ERROR: Can't run container container-
stderr: + /usr/bin/puppet apply --summarize --detailed-
+ logger -s -t puppet-user
<13>Oct 19 18:11:57 puppet-user: Warning: /etc/puppet/
<13>Oct 19 18:12:02 puppet-user: (file: /etc/puppet/
<13>Oct 19 18:12:02 puppet-user: Warning: Undefined variable '::deploy_
<13>Oct 19 18:12:02 puppet-user: (file & line not available)
<13>Oct 19 18:12:02 puppet-user: Warning: The function 'hiera' is deprecated in favor of using 'lookup'. See https:/
<13>Oct 19 18:12:02 puppet-user: (file & line not available)
<13>Oct 19 18:12:02 puppet-user: Error: Evaluation Error: Error while evaluating a Resource Statement, Class[Rabbitmq]:
<13>Oct 19 18:12:02 puppet-user: parameter 'ssl_cacert' expects a Stdlib:
\/]+)).*\z/], Stdlib::Unixpath = Pattern[
<13>Oct 19 18:12:02 puppet-user: parameter 'ssl_management
?[\\\/]
me.arpa
+ rc=1
+ '[' false = false ']'
+ set +x
2021-10-19 18:12:02.563524 | 52540085-
-puppet-rabbitmq"}
2021-10-19 18:12:02.564039 | 52540085-
The undercloud.conf that triggers this issue is:
[DEFAULT]
overcloud_
undercloud_hostname = undercloud-
undercloud_
undercloud_timezone = UTC
container_
undercloud_
local_interface = enp2s0
local_ip = 192.168.24.1/24
undercloud_
undercloud_
subnets = ctlplane-subnet
local_subnet = ctlplane-subnet
[ctlplane-subnet]
local_subnet = ctlplane-subnet
cidr = 192.168.24.0/24
dhcp_start = 192.168.24.160
dhcp_end = 192.168.24.170
gateway = 192.168.24.1
inspection_iprange = 192.168.
masquerade = true
The issue is that v1/undercloud_config.py sets the following:
env_data['InternalTLSCAFile'] = ''
This then gets passed to the rabbitmq.yaml file:
rabbitmq::ssl_cacert: {get_param: InternalTLSCAFile}
rabbitmq::ssl_management_cacert: {get_param: InternalTLSCAFile}
and so we have the following hiera keys:
/etc/puppet/hieradata/service_configs.json: "rabbitmq::ssl": false,
/etc/puppet/hieradata/service_configs.json: "rabbitmq::ssl_cacert": "",
/etc/puppet/hieradata/service_configs.json: "rabbitmq::ssl_depth": 1,
/etc/puppet/hieradata/service_configs.json: "rabbitmq::ssl_erl_dist": false,
/etc/puppet/hieradata/service_configs.json: "rabbitmq::ssl_interface": "%{hiera('ctlplane')}",
/etc/puppet/hieradata/service_configs.json: "rabbitmq::ssl_management_cacert": "",
/etc/puppet/hieradata/service_configs.json: "rabbitmq::ssl_only": false,
Which then confuses the puppet-rabbitmq module. So fundamentally we always pushed a configuration that only now fails since we started using the proper ca, because the empty cacert does not validate in puppet-rabbitmq.
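
The empty-string values described above can be caught in the generated hieradata before Puppet evaluates the class. The following is an added example, not code from the bug report or from TripleO: it checks the two keys named in the report against a simplified stand-in for Stdlib::Absolutepath. The sample JSON, the helper names and the example certificate path are constructed for illustration.

```python
import json

# Keys the report shows receiving InternalTLSCAFile via rabbitmq.yaml.
PATH_KEYS = ("rabbitmq::ssl_cacert", "rabbitmq::ssl_management_cacert")

# Constructed sample mirroring the hiera keys quoted in the report.
SAMPLE_HIERADATA = json.dumps({
    "rabbitmq::ssl": False,
    "rabbitmq::ssl_cacert": "",
    "rabbitmq::ssl_depth": 1,
    "rabbitmq::ssl_management_cacert": "",
    "rabbitmq::ssl_only": False,
})


def is_absolute_path(value):
    """Simplified approximation of the Unix branch of Stdlib::Absolutepath.

    Assumption: a string that starts with '/' and contains no newline or
    NUL byte. The real type also accepts Windows paths, which do not
    apply on an undercloud host.
    """
    if not isinstance(value, str) or not value.startswith("/"):
        return False
    return "\n" not in value and "\x00" not in value


def find_invalid_paths(hieradata_json, keys=PATH_KEYS):
    """Return {key: value} for path-typed keys that are set but invalid.

    A key that is absent is not reported: only a value that is present
    and not an absolute path (such as '') reaches the type check.
    """
    data = json.loads(hieradata_json)
    return {k: data[k] for k in keys
            if k in data and not is_absolute_path(data[k])}


if __name__ == "__main__":
    for key, value in find_invalid_paths(SAMPLE_HIERADATA).items():
        print(f"{key}: {value!r} is not an absolute path")
```
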