Comment 2 for bug 1820577

Michele Baldessari (michele) wrote :

So this likely works on docker because docker will simply create the host path of a bind-mount when it does not exist (like /etc/pki/tls/private/haproxy in this case).

The command that failed for us is the following (normal deploy via infrared but with the additional 'overcloud-ssl true' param):
# Overcloud deploy as generated by infrared with 'overcloud-ssl true'.
# The -e files stay in the reported order, because later environment files
# override earlier ones. enable-tls.yaml and inject-trust-anchor.yaml carry
# the TLS material.
openstack overcloud deploy \
    --timeout 100 \
    --templates /usr/share/openstack-tripleo-heat-templates \
    --libvirt-type kvm \
    --stack overcloud \
    -r /home/stack/composable_roles/roles/roles_data.yaml \
    -e /home/stack/composable_roles/roles/nodes.yaml \
    -e /home/stack/composable_roles/config_lvm.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml \
    -e /home/stack/composable_roles/network/network-environment.yaml \
    -e /home/stack/composable_roles/enable-tls.yaml \
    -e /home/stack/composable_roles/inject-trust-anchor.yaml \
    -e /home/stack/composable_roles/public_vip.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml \
    -e ~/fencing.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/services/neutron-ovn-ha.yaml \
    -e /home/stack/composable_roles/debug.yaml \
    -e /home/stack/composable_roles/config_heat.yaml \
    --log-file overcloud_deployment_67.log

Here are the custom environment files that might be relevant:
### /home/stack/composable_roles/enable-tls.yaml ###
# Heat environment file: supplies the TLS certificate and private key for the
# overcloud endpoint inline, as parameter_defaults values.
parameter_defaults:
  # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
  # Type: boolean
  # NOTE(review): `True` is read as a boolean by YAML 1.1 loaders; `true` is
  # the canonical spelling.
  HorizonSecureCookies: True
  # The content of the SSL certificate (without Key) in PEM format.
  # Type: string
  # Public material only; the matching private key is the SSLKey value in this
  # same file.
  SSLCertificate: |
    -----BEGIN CERTIFICATE-----
    MIIDaDCCAlCgAwIBAgIBATANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJVUzEL
    MAkGA1UECAwCTkMxEDAOBgNVBAcMB1JhbGVpZ2gxEDAOBgNVBAoMB1JlZCBIQXQx
    CzAJBgNVBAsMAlFFMRUwEwYDVQQDDAwxOTIuMTY4LjI0LjIwHhcNMTkwMzE4MTcy
    MzEwWhcNMjAwMzE3MTcyMzEwWjBgMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMx
    EDAOBgNVBAcMB1JhbGVpZ2gxEDAOBgNVBAoMB1JlZCBIQXQxCzAJBgNVBAsMAlFF
    MRMwEQYDVQQDDAoxMC4wLjAuMTAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
    CgKCAQEA3eues7Hlhtzo7IO8dohSeQzQx9K9gu/UNBIypq5cDKng99td8OGL//dy
    ijAiOw3LkE+z9QjoEXRGONmu+m1f429G8JDtW47WfzAEZ5Fr1GojRUs/ZkmBwI6g
    TfxZKqX8XX4Ws3PDb70giwcANi/9B7kN6ltbL/U6seyEOSmFfEF1juS/otARqQe4
    lZioxJKwaQn0pSmPHMIwyQj0zOctiXY9GqEf3dQgFyfi7InC5wnU/RUAcmOUJpoy
    GalyXf6RI8oaIjPdCt9Ox+ZEogyAgdPgpGjKyGLlj4uG+sqj2/Xap0VnmTWYioQG
    wkD9VRrKYq6k80JuGmyEZ2+VHSXEQQIDAQABoyswKTAJBgNVHRMEAjAAMAsGA1Ud
    DwQEAwIF4DAPBgNVHREECDAGhwQKAABlMA0GCSqGSIb3DQEBCwUAA4IBAQBWcQkj
    3I2/mbOnYZt7nUTNGqPZctTLqFfN2UvMjHla2ZFBb3BfW2LUkj0Z91kmztRCNRbh
    Z8dKq583CCbLnWpjbKpWJfP0nWD/zvrB76tzJXZXQdM81t92C2AOelhaivfuBw9b
    ZoBiN/CfHOroZgN7oOZzmhjxm+y5/mr3sBxbuMsdk7UdCgzNmFv06hnG1V3HnacP
    uApJ55FDelvNDFrypbCdLm5aw00CDD+CFZy9I10nM3vFF1MOJXU/bvTa1Dc94uY6
    nsxYiUaH+E7X6ONxyP0Ttz2XvQe5n9B/sHCpSmySlV7Xnwlu4QhFFh9qT0QxGeq8
    wlW8xDcD+88LP815
    -----END CERTIFICATE-----
  # The content of an SSL intermediate CA certificate in PEM format.
  # Type: string
  # Empty string: no intermediate CA certificate is supplied.
  SSLIntermediateCertificate: ''
  # The content of the SSL Key in PEM format.
  # Type: string
  # NOTE(review): this is an unencrypted RSA private key stored in clear text.
  # Pasting it into a bug comment discloses it, so this key pair is only fit
  # for a throwaway test deployment and should be reissued before any reuse.
  # Anyone who can read this environment file can read the key, so the file
  # needs restrictive permissions on the deploying host.
  SSLKey: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEA3eues7Hlhtzo7IO8dohSeQzQx9K9gu/UNBIypq5cDKng99td
    8OGL//dyijAiOw3LkE+z9QjoEXRGONmu+m1f429G8JDtW47WfzAEZ5Fr1GojRUs/
    ZkmBwI6gTfxZKqX8XX4Ws3PDb70giwcANi/9B7kN6ltbL/U6seyEOSmFfEF1juS/
    otARqQe4lZioxJKwaQn0pSmPHMIwyQj0zOctiXY9GqEf3dQgFyfi7InC5wnU/RUA
    cmOUJpoyGalyXf6RI8oaIjPdCt9Ox+ZEogyAgdPgpGjKyGLlj4uG+sqj2/Xap0Vn
    mTWYioQGwkD9VRrKYq6k80JuGmyEZ2+VHSXEQQIDAQABAoIBAGtTO3JuU7IQfnl8
    EJZGwZQXdZVePxbnA/qW3nYsFwps0gcsyVbozbtiIbvhIXzr5AoL8d1MjGd8k0WF
    SZGFef1VYLqRbKl+ABCM2WR5OOwG1L37cVL3s8+7ap2ssDbnBZD1nOb20orkratv
    HFQYi0fD4I351rTv5Y4M87ltckgvvaQhM4I6xuSq+fU3CMXex8SodJaRp8ryMXtg
    TCc3F7HvZHkWGJAAGSyJ7BGIK59Re4bVVGoLtQAbWHQlCvK4qK1FuD/anpMrbJCJ
    z1h82bq7afPRk6S7RrGq+XgEYXQQvzGb5gNynk0i2EziMN8SLWKJI8IJHw9ENDGN
    zlBtrO0CgYEA8r1Vz/6sQa+148ljhUBgjDH1YxsMRszaHyI8EHKRMirj5S2WnSuh
    5GFZ35k8zoV6eEpkDpo9pykIbf5xWF4x/W0sayHB8owRg9hR/JCEu2dKS0tXk2Kz
    Yd2jw9gEkwTgjhIRj/y0N+DrIgyQdH7efCjVCdk/HX0t6AwNKnev/pMCgYEA6gsh
    4jKVUTfcXNQltjgruzPnfziAqKQ21Q2tvi1J3f5C0G5Ahi8/L/P49iPc0AGpQAWs
    3zUrd1e4zj8/HqU4C8+BigdcJSLMiOxH4dwj0MUrrtQ0ZWCCR6auVXNRjz/bMPTn
    6/A1y5JJL6qUa6cQyoqI7CkqlZze84q5QNiWYlsCgYAQaWq24GInIskqeIBJDxw3
    /ly38ak31DvfJQJonkZg3POBmD55q+yLM2XPL14kHHQ2U9lF/3mxpp2SSkTBk8TP
    fKUnLSYezweUIXkRmXfP7+DfDF4EcgTs1f5vjFhq1EaWdHRJhu1sZcGgELdnmPhT
    7rLQsqaIyODksoPlXihBDwKBgBaiUPqRLcOXBWas1aDTudb25BJ3ommsx+i+0+iq
    dJRVfJyvrOnNM+0tSQx012v+XSHl6pwDhlqaTzMTBsWt8Mejn8F7iLvGq8UqJKGB
    Kq2MA/d6aj7LoI3RXtbAukiCQm5voOY+atVvJkjH1Ga813DfCPLd4FJrw1wGNHhC
    +fg1AoGBALjJjxtI8hRU2jtHHqv/TStT8zVeXQCkQEXq1HrbKG37RRk2qpnQWuSC
    Vb8ehWIvJu44htJ78W9o7z3GcGccnd6ihWs87lOOs4SJbj1sg2tO3hGcfqnuA0mU
    bSepd0aZd5IXVPRrxG0IT2GC4v2GwPe8qryeaIUqEx1jxhKohmec
    -----END RSA PRIVATE KEY-----
  # Static parameters - these are values that must be
  # included in the environment but should not be changed.
  # The filepath of the certificate as it will be stored in the controller.
  # Type: string
  # NOTE(review): presumably the PEM written to this path also contains the
  # key above, so /etc/pki/tls/private has to exist with restrictive ownership
  # and mode before anything bind-mounts from it. Confirm against the template
  # that writes the file.
  DeployedSSLCertificatePath: /etc/pki/tls/private/overcloud_endpoint.pem
  # End static parameters
### /home/stack/composable_roles/inject-trust-anchor.yaml ###
# Heat environment file: supplies the CA certificate used as trust anchor and
# registers the template that handles it.
parameter_defaults:
  # The content of a CA's SSL certificate file in PEM format. This is evaluated on the client side.
  # Mandatory. This parameter must be set by the user.
  # Type: string
  # Public material only: the value is a certificate, and no CA private key
  # appears in this file.
  SSLRootCertificate: |
    -----BEGIN CERTIFICATE-----
    MIIDpTCCAo2gAwIBAgIUItY3H2WSwy+lZDPBTDSuQnrGes8wDQYJKoZIhvcNAQEL
    BQAwYjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5DMRAwDgYDVQQHDAdSYWxlaWdo
    MRAwDgYDVQQKDAdSZWQgSEF0MQswCQYDVQQLDAJRRTEVMBMGA1UEAwwMMTkyLjE2
    OC4yNC4yMB4XDTE5MDMxODE2Mzc1M1oXDTIwMDMxNzE2Mzc1M1owYjELMAkGA1UE
    BhMCVVMxCzAJBgNVBAgMAk5DMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdS
    ZWQgSEF0MQswCQYDVQQLDAJRRTEVMBMGA1UEAwwMMTkyLjE2OC4yNC4yMIIBIjAN
    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxl21+ya9LcASoCL18ntty751ezFV
    olT4RZeV9KA+jdMKgd8ErIFaZar+i/W47ZZZWBVaFQo3sdLad/gQEAGbrTKYaWir
    ZlJIAmLJ/dQaPo/IPR1MItQtXMKAyQsPnTHUkihiXrLNgbtpSgXDHXgvpq+DeaUq
    b7EzJ/S5A3gTEZtwCHBjQ5svhEooMm5ZbWqmqNuJcC3hEYSy7eH72qM/KYXKB5pD
    Ofulx6CNQKy886gS99aOb7P8gnVL5j9krz5mG6UlN1Y5PAAT3RiZpNSG8bPjwGsc
    QHyoG7reIK+/K3W2Mit00qJSDKOugatqpCOYkINcPAIq6KIGPdI7Iq7BSQIDAQAB
    o1MwUTAdBgNVHQ4EFgQUVBRXM9WAqOYhW42KgRD+uY0x+L8wHwYDVR0jBBgwFoAU
    VBRXM9WAqOYhW42KgRD+uY0x+L8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
    AQsFAAOCAQEAvj1HwjZhNOTDu+X9Ou3DAz1FAo14xBytP6uBDjoJGsP+mq5CkBwN
    32SGBiPqlwQSj/uvdA7cc/gz5i//uYWl9TU85Lu0sMYKb36UQWRo/59rsB0lu7sf
    MWJIaUSqkJerSX9Mw1xJ7HTSY7j1Ur4jxs4JZgHIPdcPJN31TwodTYF/mFHxE8ro
    Ty21BQT9B7K9XLJAq/cHXnn7uh4q4DxFSe7glUJUCz3LXpHZoR1rSzAMYbLKrolD
    P8bwJu94UG3pera4EPYLLx+v+JoLTlsPl9fO5r6mvEcFIIs0PR5FFVXt2X7rRtm9
    ALYhwaOhOkCXxjDhyV0nA2HnCJSUrkndww==
    -----END CERTIFICATE-----
resource_registry:
  # Maps the NodeTLSCAData resource type to the ca-inject template under the
  # installed tripleo-heat-templates tree.
  OS::TripleO::NodeTLSCAData: /usr/share/openstack-tripleo-heat-templates/puppet/extraconfig/tls/ca-inject.yaml