When deploying with TLS-E and cephadm, I disabled the Ceph dashboard:
(undercloud) [stack@undercloud-0 ~]$ openstack stack environment show overcloud -f yaml |grep -i cephenabledashboard
CephEnableDashboard: false
Yet it still tries to request a cert for it (and fails due to
https://bugs.launchpad.net/tripleo/+bug/1926746):
2021-05-03 14:02:54.876228 | 5254004b-fe7a-614d-c9eb-00000000e323 |
FATAL | Ensure certificate requests | ctrl-3-0 | item={'ca': 'ipa',
'dns': 'ctrl-3-0.mainnetwork.bgp.ftw', 'key_size': '2048', 'name':
'ceph_dashboard', 'principal':
'ceph_dashboard/ctrl-3-0.mainnetwork.bgp.ftw@BGP.FTW', 'run_after': '#
Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk \'/ceph-mgr/
{print $1}\')\n# Restart the mgr systemd unit\nif [ -n "$mgr_unit" ];
then\n systemctl restart "$mgr_unit"\nfi\n'} |
error={"ansible_loop_var": "item", "changed": false, "cmd":
"/bin/getcert request -N CN=ctrl-3-0.mainnetwork.bgp.ftw -c IPA -w -k
/etc/pki/tls/private/ceph_dashboard.key -f
/etc/pki/tls/certs/ceph_dashboard.crt -D ctrl-3-0.mainnetwork.bgp.ftw -D
'' -A '' -E '' -r -g 2048 -K '' -K '' -u digitalSignature -u
keyEncipherment -U 1.3.6.1.5.5.7.3.1 -U 1.3.6.1.5.5.7.3.2 -U '' -B '' -C
/etc/certmonger/post-scripts/ceph_dashboard-838da8a.sh", "item": {"ca":
"ipa", "dns": "ctrl-3-0.mainnetwork.bgp.ftw", "key_size": "2048",
"name": "ceph_dashboard", "principal":
"ceph_dashboard/ctrl-3-0.mainnetwork.bgp.ftw@BGP.FTW", "run_after": "#
Get mgr systemd unit\nmgr_unit=$(systemctl list-units | awk '/ceph-mgr/
{print $1}')\n# Restart the mgr systemd unit\nif [ -n \"$mgr_unit\" ];
then\n systemctl restart \"$mgr_unit\"\nfi\n"}, "msg": "", "rc": 2,
"stderr": "", "stderr_lines": [], "stdout": "New signing request
\"20210503140253\" added.\n", "stdout_lines": ["New signing request
\"20210503140253\" added."]}
With this patch applied, I correctly get past this point and am able to
reach later steps:
2021-05-04 12:40:44.300445 | 5254004b-fe7a-5ccf-c0b9-0000000000df | TASK | External deployment step 2
The problem is that the 'enable_internal_tls' condition is global and
only checks for internal TLS being enabled, so it will still be
triggered when CephEnableDashboard is set to false. Let's switch it to
the internal condition internal_tls_enabled, which takes the dashboard
into account.
Change-Id: I73a58b00f31bfeffb724e12515d8c5cb0625ca7f
Closes-Bug: #1927093