redhat-openstack / infrared

Plugin based framework that aims to provide an easy-to-use CLI for Ansible based projects
https://infrared.readthedocs.io/en/latest/index.html
Apache License 2.0

undercloud ssl.yml uses undercloud.conf values but runs before the undercloud.conf has been updated #336

Closed zzzeek closed 5 years ago

zzzeek commented 5 years ago

I'm deploying undercloud using --config-options to override all the conf settings that deal with the "192.168.24" network to use 192.168.25:

infrared tripleo-undercloud ... --config DEFAULT.cidr=192.168.25.0/24  --config DEFAULT.undercloud_public_host=192.168.25.2 .... (lots more --config )

However, plugins/tripleo-undercloud/tasks/ssl.yml runs and grabs out the "undercloud_public_host" before the correct values are written to undercloud.conf:

TASK [grab undercloud_public_host from undercloud.conf] *******************************************************************************************************************************
task path: /home/classic/dev/stretch_cluster/checkouts/infrared/plugins/tripleo-undercloud/tasks/ssl.yml:15
changed: [s2undercloud-0] => {"changed": true, "cmd": ["awk", "-F=", "/^undercloud_public_host\\s*=\\s*/ {print $2}", "~/undercloud.conf"], "delta": "0:00:00.003176", "end": "2018-10-
05 18:39:15.612734", "rc": 0, "start": "2018-10-05 18:39:15.609558", "stderr": "", "stderr_lines": [], "stdout": " 192.168.24.2", "stdout_lines": [" 192.168.24.2"]}

... later ...

TASK [override values in undercloud conf] *********************************************************************************************************************************************
task path: /home/classic/dev/stretch_cluster/checkouts/infrared/plugins/tripleo-undercloud/tasks/inject_undercloud_conf.yml:2
changed: [s2undercloud-0] => (item={'value': u'192.168.25.2', 'key': u'undercloud_public_host'}) => {"changed": true, "gid": 1001, "group": "stack", "item": {"key": "undercloud_public
_host", "value": "192.168.25.2"}, "mode": "0755", "msg": "option changed", "owner": "stack", "path": "/home/stack/undercloud.conf", "secontext": "unconfined_u:object_r:user_home_t:s0"
, "size": 873, "state": "file", "uid": 1001}

so the cert is generated with the wrong IP number and undercloud deploy fails:


tripleoclient.v1.tripleo_deploy.Deploy [  ]                 "Certificate did not match expected hostname: 192.168.25.2. Certificate: {'notBefore$
: u'Oct  5 18:39:16 2018 GMT', 'serialNumber': u'BB3D764D931D3119', 'notAfter': 'Oct  5 18:39:16 2019 GMT', 'version': 3L, 'subject': ((('countryName', u'US'),), (('stateOrProvinceNa$
e', u'NC'),), (('localityName', u'Raleigh'),), (('organizationName', u'Red HAt'),), (('organizationalUnitName', u'QE'),), (('commonName', u'192.168.24.2'),)), 'issuer': ((('countryNa$
e', u'US'),), (('stateOrProvinceName', u'NC'),), (('localityName', u'Raleigh'),), (('organizationName', u'Red HAt'),), (('organizationalUnitName', u'QE'),), (('commonName', u'192.168$
24.2'),))}",
2018-10-05 19:09:22.577 12754 WARNING tripleoclient.v1.tripleo_deploy.Deploy [  ]                 "Failed to discover available identity versions when contacting https://192.168.25.2$
13000/. Attempting to parse version from URL.",
2018-10-05 19:09:22.577 12754 WARNING tripleoclient.v1.tripleo_deploy.Deploy [  ]                 "Could not find versioned identity endpoints when attempting to authenticate. Please 
check that your auth_url is correct. SSL exception connecting to https://192.168.25.2:13000/: hostname '192.168.25.2' doesn't match u'192.168.24.2'",

I believe you'd want to make this change (haven't tested yet):

diff --git a/plugins/tripleo-undercloud/configure.yml b/plugins/tripleo-undercloud/configure.yml
index a0496b69..cf78cf73 100644
--- a/plugins/tripleo-undercloud/configure.yml
+++ b/plugins/tripleo-undercloud/configure.yml
@@ -37,17 +37,17 @@
             mode: 0755
         when: not local_src

-      - name: enable undercloud-ssl
-        include_tasks: tasks/ssl.yml
-        when: install.ssl or install.version|openstack_release > 13
-        tags: ssl
-
       - name: override values in undercloud conf
         include_tasks: tasks/inject_undercloud_conf.yml
         with_dict: "{{ conf.options|default({}) }}"
         loop_control:
             loop_var: section

+      - name: enable undercloud-ssl
+        include_tasks: tasks/ssl.yml
+        when: install.ssl or install.version|openstack_release > 13
+        tags: ssl
+
       - name: create the base undercloud deploy script
         template:
             src: undercloud_deploy.sh.j2
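
Review bot: The re-added "enable undercloud-ssl" block now only works because it sits after "override values in undercloud conf", and nothing in the file records that dependency. A short comment on the moved task saying that tasks/ssl.yml reads undercloud_public_host from undercloud.conf and must run after the override step would keep a later reorder from reintroducing the certificate mismatch. Also, as shown here, the override task carries no tags while the ssl task keeps "tags: ssl". If nothing outside this hunk tags the override step, a run limited to the ssl tag would skip it and ssl.yml would read the unmodified value again, so consider tagging the override task the same way.
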
zzzeek commented 5 years ago

confirmed this fixes.

gerrit at https://review.gerrithub.io/#/c/redhat-openstack/infrared/+/428249
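
A pre-deploy sanity check for the failure described in this issue, as an added example (not code from the thread or from the infrared project): it compares DEFAULT.undercloud_public_host in undercloud.conf against the names in the generated certificate. The function names and sample data are assumptions made for illustration, the certificate is assumed to be in the dict form Python's ssl module reports (the form seen in the deploy log), and the comparison is a simple commonName/subjectAltName match, not full TLS hostname verification.

```python
import configparser
import ipaddress

# Constructed sample: undercloud.conf after the --config overrides are applied.
SAMPLE_CONF = """\
[DEFAULT]
cidr = 192.168.25.0/24
undercloud_public_host = 192.168.25.2
"""

# Constructed sample: certificate in the dict form Python's ssl module reports
# (the form seen in the deploy log), trimmed to the fields this check reads.
SAMPLE_CERT = {"subject": ((("countryName", "US"),),
                           (("commonName", "192.168.24.2"),))}


def configured_public_host(conf_text):
    """Return DEFAULT.undercloud_public_host from undercloud.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser.defaults()["undercloud_public_host"]


def cert_names(cert):
    """Collect commonName and subjectAltName values from an ssl-style dict."""
    names = {value for rdn in cert.get("subject", ())
             for key, value in rdn if key == "commonName"}
    names |= {value for _kind, value in cert.get("subjectAltName", ())}
    return names


def same_host(a, b):
    """Compare as IP addresses when both parse, otherwise as names."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a.lower() == b.lower()


def check_cert_matches_conf(conf_text, cert):
    """Return (configured host, certificate names, whether any name matches)."""
    host = configured_public_host(conf_text)
    names = cert_names(cert)
    return host, names, any(same_host(host, name) for name in names)


if __name__ == "__main__":
    host, names, ok = check_cert_matches_conf(SAMPLE_CONF, SAMPLE_CERT)
    print(f"undercloud_public_host={host} cert names={sorted(names)} match={ok}")
```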