Fix etcd/tls-e deployments

Currently etcd is requiring the following dns entries in the
certificate:

  - str_replace:
      template: "{{fqdn_$NETWORK}}"
      params:
        $NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
  - str_replace:
      template: "{{cloud_names.cloud_name_NETWORK}}"
      params:
        NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}

The problem is that etcd tasks get invoked before anything else creates
the actual service corresponding to the vip name. So the deployment
fails with:

Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_SUBJECT" to "CN=ctrl-1-0.mainnetwork.bgp.ftw" for child.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_HOSTNAME" to "ctrl-1-0.mainnetwork.bgp.ftw
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: overcloud.main.bgp.ftw
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: " for child.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_PRINCIPAL" to "etcd/ctrl-1-0.mainnetwork.bgp.ftw@BGP.FTW

Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Running enrollment helper "/usr/libexec/certmonger/ipa-submit".
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: Submitting request to "https://freeipa-0.bgp.ftw/ipa/json".
Apr 27 18:29:17 ctrl-1-0.bgp.ftw ipa-submit[39933]: JSON-RPC error: 4001: The service principal for subject alt name overcloud.main.bgp.ftw in certificate request does not exist
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Certificate submission still ongoing.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Certificate submission attempt complete.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Child status = 3.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Child output:
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: "Server at https://freeipa-0.bgp.ftw/ipa/json failed request, will retry: 4001 (The service principal for subject alt name overcloud.main.bgp.ftw in certificate request does not exist).

Let's make sure that the type: vip is inside the metadata_settings.
After this my deployment succeeded with:

Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_REQ_SUBJECT" to "CN=ctrl-1-0.mainnetwork.bgp.ftw" for child.
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_REQ_HOSTNAME" to "ctrl-1-0.mainnetwork.bgp.ftw
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: overcloud.main.bgp.ftw
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: " for child.
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_REQ_PRINCIPAL" to "etcd/ctrl-1-0.mainnetwork.bgp.ftw@BGP.FTW
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: " for child.
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
...
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[58174]: Certificate in file "/etc/pki/tls/certs/etcd.crt" issued by CA and saved.

Tested in a couple of runs and with this patch the TLS-E deployment
proceeds.

Change-Id: I8c77ca4b983c8d617b3d0576877c138e75eb4530
Michele Baldessari 2021-04-27 21:06:22 +02:00
parent b2b29b8013
commit 75eb5bcc3f
1 changed files with 3 additions and 0 deletions

@ -262,5 +262,8 @@ outputs:
if:
- internal_tls_enabled
- - service: etcd
network: {get_param: [ServiceNetMap, EtcdNetwork]}
type: vip
- service: etcd
network: {get_param: [ServiceNetMap, EtcdNetwork]}
type: node
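Review bot: The rendered hunk has lost its +/- markers, so only the header's "+262,8" count identifies the three added lines (`- service: etcd`, `network: {get_param: [ServiceNetMap, EtcdNetwork]}`, `type: vip`); a short template comment above that entry would help, since the two entries are identical except for `type` and the reason both are needed (the certificate carries both the node fqdn and the cloud_name SAN, and the vip entry is what lets the vip principal exist before certmonger submits the etcd request, per the commit message) is not apparent from the template itself.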