tripleo-heat-templates/deployment/etcd
Michele Baldessari 75eb5bcc3f Fix etcd/tls-e deployments
Currently etcd requires the following DNS entries in the
certificate:

  - str_replace:
      template: "{{fqdn_$NETWORK}}"
      params:
        $NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
  - str_replace:
      template: "{{cloud_names.cloud_name_NETWORK}}"
      params:
        NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}

The problem is that etcd tasks get invoked before anything else creates
the actual service corresponding to the vip name. So the deployment
fails with:

Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_SUBJECT" to "CN=ctrl-1-0.mainnetwork.bgp.ftw" for child.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_HOSTNAME" to "ctrl-1-0.mainnetwork.bgp.ftw
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: overcloud.main.bgp.ftw
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: " for child.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_PRINCIPAL" to "etcd/ctrl-1-0.mainnetwork.bgp.ftw@BGP.FTW

Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Running enrollment helper "/usr/libexec/certmonger/ipa-submit".
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: Submitting request to "https://freeipa-0.bgp.ftw/ipa/json".
Apr 27 18:29:17 ctrl-1-0.bgp.ftw ipa-submit[39933]: JSON-RPC error: 4001: The service principal for subject alt name overcloud.main.bgp.ftw in certificate request does not exist
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Certificate submission still ongoing.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Certificate submission attempt complete.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Child status = 3.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [38973] Child output:
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: "Server at https://freeipa-0.bgp.ftw/ipa/json failed request, will retry: 4001 (The service principal for subject alt name overcloud.main.bgp.ftw in certificate request does not exist).

Let's make sure that the type: vip is inside the metadata_settings.
After this my deployment succeeded with:
pr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_REQ_SUBJECT" to "CN=ctrl-1-0.mainnetwork.bgp.ftw" for child.
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_REQ_HOSTNAME" to "ctrl-1-0.mainnetwork.bgp.ftw
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: overcloud.main.bgp.ftw
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: " for child.
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_REQ_PRINCIPAL" to "etcd/ctrl-1-0.mainnetwork.bgp.ftw@BGP.FTW
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: " for child.
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 19:19:49 [58130] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
...
Apr 27 19:19:49 ctrl-1-0.bgp.ftw certmonger[58174]: Certificate in file "/etc/pki/tls/certs/etcd.crt" issued by CA and saved.

Tested in a couple of runs and with this patch the TLS-E deployment
proceeds.

Change-Id: I8c77ca4b983c8d617b3d0576877c138e75eb4530
2021-04-28 07:43:01 +02:00
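A small log-triage helper, added here and not part of the commit or of tripleo-heat-templates: it reassembles certmonger's multi-line CERTMONGER_REQ_HOSTNAME value from lines shaped like the ones quoted in the commit message and pairs the ipa-submit 4001 error with the SAN whose etcd/<san>@REALM service principal does not exist yet. The log sample and the realm name are constructed assumptions.

```python
import re

# Constructed sample, modelled on the certmonger lines quoted in the commit message.
CERTMONGER_LOG = """\
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_SUBJECT" to "CN=ctrl-1-0.mainnetwork.bgp.ftw" for child.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_HOSTNAME" to "ctrl-1-0.mainnetwork.bgp.ftw
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: overcloud.main.bgp.ftw
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: " for child.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: 2021-04-27 18:29:17 [39933] Setting "CERTMONGER_REQ_PRINCIPAL" to "etcd/ctrl-1-0.mainnetwork.bgp.ftw@BGP.FTW
Apr 27 18:29:17 ctrl-1-0.bgp.ftw certmonger[38973]: " for child.
Apr 27 18:29:17 ctrl-1-0.bgp.ftw ipa-submit[39933]: JSON-RPC error: 4001: The service principal for subject alt name overcloud.main.bgp.ftw in certificate request does not exist
"""
PREFIX = re.compile(r"^\S+ \d+ \S+ \S+ (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SETTING = re.compile(r'Setting "(?P<key>CERTMONGER_\w+)" to "(?P<val>.*)$')
ERR_4001 = re.compile(r"JSON-RPC error: 4001: .* subject alt name (?P<san>\S+) ")

def parse_certmonger(log):
    """Return ({CERTMONGER_* key: [values]}, [SANs rejected with 4001])."""
    settings, missing = {}, []
    key, parts = None, []          # state while inside a multi-line value
    for line in log.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if key is not None:        # certmonger prints list values one per line
            if msg.startswith('" for child.'):
                settings[key] = parts
                key, parts = None, []
            else:
                parts.append(msg)
            continue
        s = SETTING.search(msg)
        if s:
            val = s.group("val")
            if val.endswith('" for child.'):   # single-line value
                settings[s.group("key")] = [val[: -len('" for child.')]]
            else:                               # value continues on next lines
                key, parts = s.group("key"), [val]
            continue
        e = ERR_4001.search(msg)
        if e:
            missing.append(e.group("san"))
    return settings, missing

def principals_without_service(settings, missing, realm="BGP.FTW"):
    """Map each rejected SAN to the etcd/<san>@REALM principal IPA must know (realm assumed)."""
    hosts = settings.get("CERTMONGER_REQ_HOSTNAME", [])
    return {san: f"etcd/{san}@{realm}" for san in missing if san in hosts}
```

Running it against the sample yields the VIP name overcloud.main.bgp.ftw as the SAN without a service principal, which is exactly the entry the type: vip metadata_settings fix makes tripleo-ipa create before certmonger submits the request.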
etcd-container-puppet.yaml Fix etcd/tls-e deployments 2021-04-28 07:43:01 +02:00