Fix neutron api TLS issues
There are two tls issues currently in neutron:
A) neutron_api is bind mounting tls certs directly from the host and then chowning them from inside the container.
"Source": "/etc/pki/tls/private/ovn_neutron_client.key",
"Destination": "/etc/pki/tls/private/ovn_neutron_client.key",
"Source": "/etc/pki/tls/certs/ovn_neutron_client.crt",
"Destination": "/etc/pki/tls/certs/ovn_neutron_client.crt",
And then it thinks it can chown it inside the container via the kolla script:
[root@controller-0 stdouts]# more /var/lib/kolla/config_files/neutron_api.json
...
{
"optional": true,
"owner": "neutron:neutron",
"path": "/etc/pki/tls/certs/ovn_neutron_client.crt",
"perm": "0644"
},
{
"optional": true,
"owner": "neutron:neutron",
"path": "/etc/pki/tls/private/ovn_neutron_client.key",
"perm": "0644"
}
What needs to happen here is that we drop the direct bind mounts, and copy in the certs via kolla. Just like galera is doing.
Tested and with this patch I correctly get a Train/OSP16 TLS everywhere
deployment with a working neutron:
Before:
(overcloud) [stack@undercloud-0 ~]$ openstack network list
HttpException: 503: Server Error for url: https://overcloud.redhat.local:13696/v2.0/networks, No server is available to handle this request.: 503 Service Unavailable
After:
(overcloud) [stack@undercloud-0 ~]$ openstack network list
(overcloud) [stack@undercloud-0 ~]$
B) The logging in the neutron_server_tls_proxy container is not persisted to the host
Before:
[root@controller-0 ~]# ls -l /var/log/containers/httpd/neutron-api/
[root@controller-0 ~]#
After:
[root@controller-0 ~]# ls -l /var/log/containers/httpd/neutron-api/
total 136
-rw-r--r--. 1 root root 400 Nov 15 17:43 error_log
-rw-r--r--. 1 root root 72784 Nov 15 17:53 neutron-api-proxy_access_ssl.log
-rw-r--r--. 1 root root 2748 Nov 15 17:43 neutron-api-proxy_error_ssl.log
[root@controller-0 ~]#
Change-Id: Ia1c22b8981fb735a052707516f73313c4e5ca93c
Closes-Bug: #1852779
(cherry picked from commit a7db39af7c
)
parent
ee043af58d
commit
491ffccbb9
|
@ -404,6 +404,11 @@ outputs:
|
|||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
optional: true
|
||||
preserve_properties: true
|
||||
permissions:
|
||||
- path: /var/log/neutron
|
||||
owner: neutron:neutron
|
||||
|
@ -469,8 +474,8 @@ outputs:
|
|||
- if:
|
||||
- ovn_and_tls
|
||||
-
|
||||
- /etc/pki/tls/certs/ovn_neutron_client.crt:/etc/pki/tls/certs/ovn_neutron_client.crt
|
||||
- /etc/pki/tls/private/ovn_neutron_client.key:/etc/pki/tls/private/ovn_neutron_client.key
|
||||
- /etc/pki/tls/certs/ovn_neutron_client.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/ovn_neutron_client.crt:ro
|
||||
- /etc/pki/tls/private/ovn_neutron_client.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/ovn_neutron_client.key:ro
|
||||
- null
|
||||
environment:
|
||||
map_merge:
|
||||
|
@ -486,6 +491,7 @@ outputs:
|
|||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [NeutronLogging, volumes]}
|
||||
-
|
||||
- /var/lib/kolla/config_files/neutron_server_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
|
||||
|
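Review bot: The private key that the second hunk now stages under `/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/ovn_neutron_client.key:ro` is copied into the container with `preserve_properties: true` (first hunk), and the only permission setting visible for it is the `"perm": "0644"` entry quoted in the commit message, which would leave the key readable by every user in the container rather than only the neutron service user. The kolla config json is not part of this diff, so whether this commit also tightens that mode cannot be confirmed from here; if it does not, the `permissions:` list added in the first hunk is the natural place to pin it, e.g. `- path: /etc/pki/tls/private/ovn_neutron_client.key` / `  owner: neutron:neutron` / `  perm: '0600'`. Note also that the src-tls copy is `optional: true`, so a missing key is silently tolerated even though the mount is gated on `ovn_and_tls`; a short comment such as `# optional: src-tls is only populated when ovn_and_tls is true` would make that intent explicit. The file header of this section lies outside the visible chunk.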
|