Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1514842 - Keystone Admin API on external Network down after upgrading to OSP10z6
Summary: Keystone Admin API on external Network down after upgrading to OSP10z6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 10.0 (Newton)
Hardware: All
OS: Linux
medium
high
Target Milestone: z8
: 10.0 (Newton)
Assignee: Juan Antonio Osorio
QA Contact: Pavan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-18 21:02 UTC by Siggy Sigwald
Modified: 2018-05-17 15:42 UTC (History)
15 users (show)

Fixed In Version: puppet-tripleo-5.6.8-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-17 15:40:53 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Launchpad 1748872 None None None 2018-02-12 11:32:55 UTC
Red Hat Product Errata RHSA-2018:1593 None None None 2018-05-17 15:42:04 UTC
OpenStack gerrit 543431 None None None 2018-02-12 11:33:42 UTC

Comment 3 Pablo Iranzo Gómez 2017-11-28 09:07:45 UTC
Description of problem:
With OSP10z6 a new puppet-tripleo package  (5.6.4-2) was released and it removed the configuration of Keystone Admin API on External interface in TLS, that API is only configured on Internal Interface but we need it also on external interface, see below the haproxy configuration after update of overcloud   

less /etc/haproxy/haproxy.cfg

listen keystone_admin
  bind 10.10.10.33:35357 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server server001.net 10.10.10.7:35357 check fall 5 inter 2000 rise 2
  server server002.net 10.10.10.8:35357 check fall 5 inter 2000 rise 2
  server server003.net 10.10.10.9:35357 check fall 5 inter 2000 rise 2

we need like this as we have in production (different site)

listen keystone_admin
  bind 420:fe0:0:2000:2001:4888:a42:3101:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 20.20.20.138:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 10.10.10.33:35357 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server anotherserv-001.internal.net 10.10.10.7:35357 check fall 5 inter 2000 rise 2
  server anotherserv-002.internal.net 10.10.10.8:35357 check fall 5 inter 2000 rise 2
  server anotherserv-003.internal.net 10.10.10.9:35357 check fall 5 inter 2000 rise 2

we can see /etc/puppet/modules/tripleo/manifests/haproxy.pp has changed and removed keystone_admin_api_ssl_port  configuration

    keystone_admin_api_port => 35357,
    keystone_public_api_port => 5000,

  if $keystone_admin {
    ::tripleo::haproxy::endpoint { 'keystone_admin':
      internal_ip     => hiera('keystone_admin_api_vip', $controller_virtual_ip),
      service_port    => $ports[keystone_admin_api_port],
      ip_addresses    => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
      server_names    => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
      mode            => 'http',
      listen_options  => {
          'http-request' => [
            'set-header X-Forwarded-Proto https if { ssl_fc }',
            'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
      },
      service_network => hiera('keystone_admin_api_network', undef)
    }
  }


this is what /etc/puppet/modules/tripleo/manifests/haproxy.pp used to be in previous package version that we have in production (puppet-tripleo-5.5.0-4)

    keystone_admin_api_port => 35357,
    keystone_admin_api_ssl_port => 13357,
    keystone_public_api_port => 5000,

  if $keystone_admin {
    ::tripleo::haproxy::endpoint { 'keystone_admin':
      public_virtual_ip => $public_virtual_ip,
      internal_ip       => hiera('keystone_admin_api_vip', $controller_virtual_ip),
      service_port      => $ports[keystone_admin_api_port],
      ip_addresses      => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
      server_names      => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
      mode              => 'http',
      listen_options    => {
          'http-request' => [
            'set-header X-Forwarded-Proto https if { ssl_fc }',
            'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
      },
      public_ssl_port   => $ports[keystone_admin_api_ssl_port],
    }
  }
To fix this issue I had added an workaround in templates to configure haproxy, but this implementation broke our initial implementation, so  I want to know why this code changed and how would be the right implementation of Keystone Admin API on external network without my workaround 

How reproducible:
Every time

Comment 5 Ade Lee 2017-12-08 17:34:22 UTC
It makes sense from a security standpoint to eliminate the non-ssl endpoint.
If you really need the non-ssl endpoint, workarounds are provided here:

https://access.redhat.com/solutions/2943481

Or in this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1514244

Closing as NOTABUG.  Please feel free to reopen if needed.

Comment 7 Ade Lee 2017-12-12 22:32:00 UTC
If you switch to using keystone v3 you won't need the admin endpoint to be exposed in the external network and you could just use the public one. Is there a specific reason why you need the admin endpoint exposed? If you REALLY need it in the external network you could configure it via the ServiceNetMap.

The previous exposing of the admin endpoint was more a bug than a feature.

If you really need the admin network exposed externally, we can see if we can configure the ServiceNetMap to match your desired config.

Comment 8 Ade Lee 2017-12-14 15:33:58 UTC
Please confirm that you really need the admin endpoint exposed in the external network.

Comment 28 Juan Antonio Osorio 2018-02-02 16:55:27 UTC
The double endpoint for the keystone admin interface was removed in an effort increase security by locking down the overcloud. It is also not needed when using keystone v3, as one can also use the public keystone endpoint (which uses TLS).

Comment 40 errata-xmlrpc 2018-05-17 15:40:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1593


Note You need to log in before you can comment on or make changes to this bug.