The ssl_verify_client parameter is required when setting ssl_ca (file: /etc/puppet/modules/horizon/manifests/wsgi/apache.pp,

Bug #2031599 reported by chandan kumar
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | Fix Released | Critical | Takashi Kajinami | |

Bug Description

IPA-related jobs are failing on the CS9 wallaby promotion pipeline during overcloud and standalone deploy with the following error:
```
/usr/bin/puppet apply --summarize --detailed-exitcodes --color=false --modulepath=/etc/puppet/modules:/usr/share/openstack-puppet/modules --tags '"file,file_line,concat,augeas,cron,horizon_config"' /etc/config.pp
2023-08-16 23:48:20 | <13>Aug 16 23:47:54 puppet-user: Warning: /etc/puppet/hiera.yaml: Use of 'hiera.yaml' version 3 is deprecated. It should be converted to version 5
2023-08-16 23:48:20 | <13>Aug 16 23:47:57 puppet-user: (file: /etc/puppet/hiera.yaml)
2023-08-16 23:48:20 | <13>Aug 16 23:47:57 puppet-user: Warning: Undefined variable '::deploy_config_name';
2023-08-16 23:48:20 | <13>Aug 16 23:47:57 puppet-user: (file & line not available)
2023-08-16 23:48:20 | <13>Aug 16 23:47:57 puppet-user: Warning: The function 'hiera' is deprecated in favor of using 'lookup'. See https://puppet.com/docs/puppet/7.10/deprecated_language.html
2023-08-16 23:48:20 | <13>Aug 16 23:47:57 puppet-user: (file & line not available)
2023-08-16 23:48:20 | <13>Aug 16 23:47:58 puppet-user: Warning: This parameter is deprecated, please use `internal_proxy`. at ["/etc/puppet/modules/apache/manifests/mod/remoteip.pp", 77]:["/etc/puppet/modules/tripleo/manifests/profile/base/horizon.pp", 103]
2023-08-16 23:48:20 | <13>Aug 16 23:47:58 puppet-user: (location: /etc/puppet/modules/stdlib/lib/puppet/functions/deprecation.rb:34:in `deprecation')
2023-08-16 23:48:20 | <13>Aug 16 23:47:58 puppet-user: Warning: Scope(Class[Horizon]): horizon::horizon_cert, horizon::horizon_key and horizon::horizon_ca parameter is deprecated
2023-08-16 23:48:20 | <13>Aug 16 23:47:58 puppet-user: Error: Evaluation Error: Error while evaluating a Function Call, The ssl_verify_client parameter is required when setting ssl_ca (file: /etc/puppet/modules/horizon/manifests/wsgi/apache.pp, line: 193, column: 7) on node overcloud1-controller-0.ooo.test
2023-08-16 23:48:20 | + rc=1
```
Here is the package diff from current-tripleo and tripleo-ci-testing.
```
Packages Tested
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ current-tripleo ┃ tripleo-ci-testing ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ openstack-tripleo-heat-templates-14.3.1-0.20230812013424.2bcb0ca.el9 │ openstack-tripleo-heat-templates-14.3.1-0.20230814211449.efd13fb.el9 │
│ tripleo-ansible-3.3.1-0.20230810194503.02e48f0.el9 │ tripleo-ansible-3.3.1-0.20230815085422.bd032f7.el9 │
└─────────────────────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────┘
```

Below are the logs of failed jobs:
[1] https://logserver.rdoproject.org/openstack-periodic-integration-stable1/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-wallaby/4959a3c/logs/undercloud/home/zuul/overcloud1_deploy.log.txt.gz

[2] https://logserver.rdoproject.org/openstack-periodic-integration-stable1/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-9-standalone-on-multinode-ipa-wallaby/e8eb520/logs/undercloud/home/zuul/standalone_deploy.log

[3] https://logserver.rdoproject.org/openstack-periodic-integration-stable1/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset039-wallaby/4e63cdf/logs/undercloud/home/zuul/overcloud_deploy.log.txt.gz

A similar bug, https://bugs.launchpad.net/tripleo/+bug/1900947, was filed a long time ago regarding a similar issue.
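
For triaging a deploy log like the one quoted in the bug description, the sketch below pulls the Warning/Error entries out of the wrapped `puppet-user` syslog lines and returns the first error with its manifest path, line, column and node. It is an added example, not code from TripleO or from this bug thread; the function names are hypothetical and the sample lines are a subset of the log above.

```python
import re

# A subset of the lines from the deploy log quoted in the bug description.
SAMPLE_LOG = """\
2023-08-16 23:48:20 | <13>Aug 16 23:47:57 puppet-user: Warning: Undefined variable '::deploy_config_name';
2023-08-16 23:48:20 | <13>Aug 16 23:47:57 puppet-user: (file & line not available)
2023-08-16 23:48:20 | <13>Aug 16 23:47:58 puppet-user: Warning: Scope(Class[Horizon]): horizon::horizon_cert, horizon::horizon_key and horizon::horizon_ca parameter is deprecated
2023-08-16 23:48:20 | <13>Aug 16 23:47:58 puppet-user: Error: Evaluation Error: Error while evaluating a Function Call, The ssl_verify_client parameter is required when setting ssl_ca (file: /etc/puppet/modules/horizon/manifests/wsgi/apache.pp, line: 193, column: 7) on node overcloud1-controller-0.ooo.test
2023-08-16 23:48:20 | + rc=1
"""

# Entry shape: "<wrapper ts> | <pri>syslog-ts puppet-user: Level: message"
ENTRY = re.compile(r"puppet-user: (?P<level>Warning|Error): (?P<msg>.*)$")
# Optional trailing "(file: F, line: N, column: N) on node HOST"
LOCATION = re.compile(
    r"\s*\(file: (?P<file>[^,]+), line: (?P<line>\d+), column: (?P<column>\d+)\)"
    r"(?: on node (?P<node>\S+))?$"
)

def parse_puppet_log(text):
    """Return one dict per Warning/Error entry, with location when present."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.search(raw)
        if not m:
            continue  # skips "(file & line not available)" and shell trace lines
        entry = {"level": m["level"], "message": m["msg"], "file": None,
                 "line": None, "column": None, "node": None}
        loc = LOCATION.search(entry["message"])
        if loc:
            # Split the location suffix off the human-readable message.
            entry["message"] = entry["message"][:loc.start()]
            entry.update(file=loc["file"], line=int(loc["line"]),
                         column=int(loc["column"]), node=loc["node"])
        entries.append(entry)
    return entries

def first_error(text):
    """Return the first Error entry (the one to triage), or None."""
    return next((e for e in parse_puppet_log(text) if e["level"] == "Error"), None)

if __name__ == "__main__":
    err = first_error(SAMPLE_LOG)
    print(f'{err["node"]}: {err["file"]}:{err["line"]}: {err["message"]}')
```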

description: updated
Takashi Kajinami (kajinamit) wrote :
Changed in tripleo:
status: Triaged → In Progress
assignee: nobody → Takashi Kajinami (kajinamit)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ci (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-ci/+/891650

chandan kumar (chkumar246) wrote :
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ci (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ci/+/891650
Committed: https://opendev.org/openstack/tripleo-ci/commit/b76951774fb0525bf7aee599826702212cda718d
Submitter: "Zuul (22348)"
Branch: master

commit b76951774fb0525bf7aee599826702212cda718d
Author: Chandan Kumar (raukadah) <email address hidden>
Date: Thu Aug 17 11:22:08 2023 +0530

    Run standalone IPA job on tht horizon changes

    Horizon tht deployment files include tls related changes.
    In order to verify those changes, we need to run IPA job
    to verify and catch the breakage. This patch does the same.

    Related-Bug: #2031599

    Change-Id: I1b82b9d9e90f5a80b9cc9d55374f81d05e1a0ac3
    Signed-off-by: Chandan Kumar (raukadah) <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/891649
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/847782b33aab656f9e226915a6f401c6d90c606b
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 847782b33aab656f9e226915a6f401c6d90c606b
Author: Takashi Kajinami <email address hidden>
Date: Thu Aug 17 14:28:47 2023 +0900

    Horizon: Stop setting CA certificate for client authentication

    ... because we do not intend to implement it by tls-e. Currently
    deployment is failing with the following error when tls-e is enabled,
    because ca cert is given without ssl_verify_client, which was removed
    by I7d3f833cf36d7169a0fbc25d133284e06d3f1468 .

    ```
    The ssl_verify_client parameter is required when setting ssl_ca
    ```

    Closes-Bug: #2031599
    Depends-on: https://review.opendev.org/c/openstack/tripleo-ci/+/891650
    Related: rhbz#2193388
    Change-Id: I329f492570fbb559db73298285a8c624603bdc3d

tags: added: in-stable-wallaby
Changed in tripleo:
status: In Progress → Fix Released