Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1693529 - Octavia host set to IP_ADDRESS in tls-everywhere-endpoints-dns.yaml
Summary: Octavia host set to IP_ADDRESS in tls-everywhere-endpoints-dns.yaml
Status: ON_QA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Target Milestone: z6
: 13.0 (Queens)
Assignee: Carlos Goncalves
QA Contact: Bruna Bonguardo
Depends On:
TreeView+ depends on / blocked
Reported: 2019-03-28 06:11 UTC by Nick Satsia
Modified: 2019-04-11 12:09 UTC (History)
6 users (show)

Fixed In Version: openstack-tripleo-heat-templates-8.3.1-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Launchpad 1822035 None None None 2019-03-28 06:13:58 UTC
OpenStack gerrit 648321 None master: MERGED tripleo-heat-templates: TLS everywhere: switch Octavia to use DNS entries (Ic6f0f26c03c443edf1715927a4542245e08567f4) 2019-04-02 18:51:58 UTC
OpenStack gerrit 649334 None stable/queens: NEW tripleo-heat-templates: TLS everywhere: switch Octavia to use DNS entries (Ic6f0f26c03c443edf1715927a4542245e08567f4) 2019-04-02 18:51:42 UTC

Description Nick Satsia 2019-03-28 06:11:31 UTC
Description of problem:

"/tls-everywhere-endpoints-dns.yaml" is setting Octavia endpoints to IP_ADDRESS which does not make sense since the IDM signed certificates cannot have an IP SAN entry to verify the certificate.

(cloud) [stack@director deployment]$ openstack endpoint list | egrep -i octavia
| 48250fe5373048e7bb11152bee2da6b3 | regionOne | octavia      | load-balancer  | True    | admin     |                                     |
| 565be13b3a814f89b2b764cbb98648da | regionOne | octavia      | load-balancer  | True    | public    |                              |
| 711f215615a843068e749bf2d4b27776 | regionOne | octavia      | load-balancer  | True    | internal  |                                     |
(cloud) [stack@director deployment]$

(cloud) [stack@director deployment]$ egrep -i octavia /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml
    OctaviaAdmin: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
    OctaviaInternal: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'}
    OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
(cloud) [stack@director deployment]$

[root@cloud-controller-0 ~]# curl
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
[root@cloud-controller-0 ~]#

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Configure TLS everywhere with Octavia enabled.

Actual results:

Expected results:

Additional info:
     Bug upstream:

     Fix upstream:

Note You need to log in before you can comment on or make changes to this bug.