75eb5bcc3f
Currently etcd requires the following dns entries in the certificate:

    - str_replace:
        template: "{{fqdn_$NETWORK}}"
        params:
          $NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
    - str_replace:
        template: "{{cloud_names.cloud_name_NETWORK}}"
        params:
          NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}

The problem is that etcd tasks get invoked before anything else creates the actual service corresponding to the vip name. So the deployment fails with:

    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_SUBJECT" to "CN=ctrl-1-0.mainnetwork.bgp.ftw" for child.
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_HOSTNAME" to "ctrl-1-0.mainnetwork.bgp.ftw
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: overcloud.main.bgp.ftw
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: " for child.
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_PRINCIPAL" to "etcd/ctrl-1-0.mainnetwork.bgp.ftw@BGP.FTW
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Running enrollment helper "/usr/libexec/certmonger/ipa-submit".
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: Submitting request to "https://freeipa-0.bgp.ftw/ipa/json".
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw ipa-submit[39933]: JSON-RPC error: 4001: The service principal for subject alt name overcloud.main.bgp.ftw in certificate request does not exist
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Certificate submission still ongoing.
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Certificate submission attempt complete.
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Child status = 3.
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Child output:
    Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: "Server at https://freeipa-0.bgp.ftw/ipa/json failed request, will retry: 4001 (The service principal for subject alt name overcloud.main.bgp.ftw in certificate request does not exist).

Let's make sure that the type: vip is inside the metadata_settings.

After this my deployment succeeded with:

    Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_REQ_SUBJECT" to "CN=ctrl-1-0.mainnetwork.bgp.ftw" for child.
    Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_REQ_HOSTNAME" to "ctrl-1-0.mainnetwork.bgp.ftw
    Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: overcloud.main.bgp.ftw
    Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: " for child.
    Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_REQ_PRINCIPAL" to "etcd/ctrl-1-0.mainnetwork.bgp.ftw@BGP.FTW
    Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: " for child.
    Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
    ...
    Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[58174]: Certificate in file "/etc/pki/tls/certs/etcd.crt" issued by CA and saved.

Tested in a couple of runs and with this patch the TLS-E deployment proceeds.

Change-Id: I8c77ca4b983c8d617b3d0576877c138e75eb4530
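The check below is an added example and is not code from tripleo-heat-templates or from this change. It models the failure described in the commit message: certmonger requests a certificate whose SANs are the node FQDN and the cloud (VIP) name, and FreeIPA rejects the request with error 4001 when one of those names has no service principal. It assumes (this is not stated on the page) that a metadata_settings entry of type "node" is what gets the per-host FQDN principal created and an entry of type "vip" is what gets the cloud-name principal created; the metadata_settings shape, the parameter values and the journal excerpt are constructed stand-ins modelled on the log above.

```python
"""Added example: check which etcd SANs the metadata_settings entries cover,
and map a certmonger/ipa-submit 4001 error back to the missing entry type.
Not tripleo-heat-templates code; see the assumptions in the lead-in."""
import re

# Constructed stand-ins for the Heat parameter values seen in the log.
NETWORK = "mainnetwork"                        # ServiceNetMap.EtcdNetwork
FQDN_BY_NETWORK = {NETWORK: "ctrl-1-0.mainnetwork.bgp.ftw"}   # {{fqdn_$NETWORK}}
CLOUD_NAME_BY_NETWORK = {NETWORK: "overcloud.main.bgp.ftw"}   # cloud_name_NETWORK

# Assumed metadata_settings shape before and after adding the vip entry.
METADATA_BEFORE = [
    {"service": "etcd", "network": NETWORK, "type": "node"},
]
METADATA_AFTER = METADATA_BEFORE + [
    {"service": "etcd", "network": NETWORK, "type": "vip"},
]

# Assumption this check rests on: which SAN each metadata type gets a principal for.
NAME_FOR_TYPE = {"node": FQDN_BY_NETWORK, "vip": CLOUD_NAME_BY_NETWORK}

# Matches both the ipa-submit line and certmonger's "Child output" echo of it.
IPA_4001 = re.compile(
    r"4001.*?service principal for subject alt name (?P<san>\S+) "
    r"in certificate request does not exist"
)


def requested_sans(network):
    """DNS SANs the etcd certificate asks for: node FQDN plus cloud (VIP) name."""
    return [FQDN_BY_NETWORK[network], CLOUD_NAME_BY_NETWORK[network]]


def covered_sans(metadata_settings, service="etcd"):
    """SANs for which the given metadata_settings entries register a principal."""
    covered = set()
    for entry in metadata_settings:
        if entry["service"] != service:
            continue
        names = NAME_FOR_TYPE.get(entry["type"])
        if names is None:
            raise ValueError(f"unknown metadata type {entry['type']!r}")
        covered.add(names[entry["network"]])
    return covered


def uncovered_sans(metadata_settings, network):
    """Requested SANs no entry covers; each of these produces a 4001 rejection."""
    covered = covered_sans(metadata_settings)
    return [san for san in requested_sans(network) if san not in covered]


def sans_rejected_by_ipa(journal_lines):
    """Extract the SAN names FreeIPA rejected from certmonger/ipa-submit journal lines."""
    rejected = []
    for line in journal_lines:
        m = IPA_4001.search(line)
        if m and m.group("san") not in rejected:
            rejected.append(m.group("san"))
    return rejected


def missing_type_for_san(san, network):
    """metadata_settings type that would cover a rejected SAN, or None if unknown."""
    for mtype, names in NAME_FOR_TYPE.items():
        if names.get(network) == san:
            return mtype
    return None


# Constructed journal excerpt modelled on the failing run in the commit message.
SAMPLE_JOURNAL = [
    'Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: Submitting request to '
    '"https://freeipa-0.bgp.ftw/ipa/json".',
    "Apr 27 18:29:17 ctrl-1-0.bgp.ftw ipa-submit[39933]: JSON-RPC error: 4001: "
    "The service principal for subject alt name overcloud.main.bgp.ftw in "
    "certificate request does not exist",
    "Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 "
    "[38973] Child status = 3.",
]

if __name__ == "__main__":
    print("uncovered before:", uncovered_sans(METADATA_BEFORE, NETWORK))
    print("uncovered after: ", uncovered_sans(METADATA_AFTER, NETWORK))
    for san in sans_rejected_by_ipa(SAMPLE_JOURNAL):
        mtype = missing_type_for_san(san, NETWORK)
        print(f"IPA rejected {san}: add a metadata_settings entry of type {mtype!r}")
```

Run against the constructed values, the "before" settings leave overcloud.main.bgp.ftw uncovered and the journal parser points at the same name, which maps to the vip type; the "after" settings leave nothing uncovered. Deployments that add further SAN templates to the etcd certificate would need a matching extension of NAME_FOR_TYPE.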
| File |
|---|
| etcd-container-puppet.yaml |