Charm Helpers

Juju openstack-dashboard creates incorrect config

Bug #2028560 reported by Bartosz Woronicz
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Charm Helpers
Invalid
Undecided
Unassigned

Bug Description

This bug seems similar to
https://bugs.launchpad.net/charm-openstack-dashboard/+bug/1935990
https://bugs.launchpad.net/charm-openstack-dashboard/+bug/1952414
but does not fit this one
https://bugs.launchpad.net/charm-helpers/+bug/2012801
As I use MAAS 3.2.8, and the DNS records are return correctly
cloud.someregion.example.com. 30 IN A 10.169.134.120
120.134.169.10.in-addr.arpa. 30 IN PTR cloud.someregion.example.com.

The error I see is:
```
Jul 20 16:05:49 juju-aeacd6-3-lxd-20 apachectl[58652]: AH00526: Syntax error on line 43 of /etc/apache2/sites-enabled/default-ssl.conf:
Jul 20 16:05:49 juju-aeacd6-3-lxd-20 apachectl[58652]: SSLCertificateFile: file '/etc/apache2/ssl/horizon/cert_10.169.134.120' does not exist or is empty
```

It creates VirtualHosts for nonexisting endpoints (internal and admin)
These two tuples are results of receiving back vip as endpoint
```
[('10.169.129.192', '10.169.134.120'), ('10.169.129.192', '10.169.134.120'), ... ]
```
in this piece of code
https://opendev.org/openstack/charm-openstack-dashboard/src/branch/master/charmhelpers/contrib/openstack/ip.py#L221

These are the tuples
```
[('10.169.129.192', '10.169.134.120'), ('10.169.129.192', '10.169.134.120'), ('10.169.129.192', 'cloud.someregion.example.com')]
```
after applying set() on that list, the final context is like following
```
{'namespace': 'horizon', 'endpoints': [('10.169.129.192', '10.169.134.120', 433, 423), ('10.169.129.192', 'cloud.someregion.example.com', 433, 423)], 'ext_ports': [433]}
```

https://opendev.org/openstack/charm-openstack-dashboard/src/branch/master/charmhelpers/contrib/openstack/context.py#L1175

That issue blocks the deployment. It is critical

Revision history for this message
Bartosz Woronicz (mastier1) wrote (last edit ):

private sos report: https://drive.google.com/file/d/1IHau3dtbuhKztT0_uqR8vKEG7V337jCl/view?usp=drive_link

FIXED LINK

Revision history for this message
Nobuto Murata (nobuto) wrote (last edit ):

Can we have an excerpt of `juju export-bundle` for the openstack-dashboard application?

Revision history for this message
Nobuto Murata (nobuto) wrote :

Do you happen to have a relation with Vault for openstack-dashboard although you wanted to use a custom cert/key uploaded as a charm config?

Revision history for this message
Bartosz Woronicz (mastier1) wrote :

@Nobuto indeed

  openstack-dashboard:
    charm: openstack-dashboard
    channel: yoga/stable
    revision: 589
    resources:
      policyd-override: 0
      theme: 0
    num_units: 3
    to:
    - lxd:3
    - lxd:4
    - lxd:5
    options:
      endpoint-type: publicURL
      enforce-ssl: true
      neutron-network-l3ha: true
      neutron-network-lb: true
      openstack-origin: distro
      os-public-hostname: cloud.<censored>
      password-retrieve: true
      secret: |
        <censored>
      ssl_ca: ""
      ssl_cert: <censored>
      ssl_key: <censored>
      vip: 10.169.134.120
      webroot: /
    constraints: arch=amd64
    bindings:
      "": oam-space
      application-dashboard: oam-space
      certificates: internal-space
      cluster: oam-space
      dashboard-plugin: external-space
      ha: oam-space
      identity-service: internal-space
      nrpe-external-master: oam-space
      public: oam-space
      shared-db: internal-space
      website: oam-space
      websso-fid-service-provider: oam-space
      websso-trusted-dashboard: oam-space

Revision history for this message
Bartosz Woronicz (mastier1) wrote :

vault:certificates openstack-dashboard:certificates tls-certificates regular

yes, I got custom certificate
ssl_ca is not required as it official rootca GlobalSign authority

Revision history for this message
Bartosz Woronicz (mastier1) wrote :

ok, seems after removing that relation the certificate for the VIP (10.169.134.20) was created

```

root@juju-c921b6-3-lxd-20:/etc/apache2/sites-enabled# ls -la /etc/apache2/ssl/horizon/
total 44
dr-xr-xr-x 2 root root 4096 Jul 25 17:43 .
drwxr-xr-x 3 root root 4096 Jul 24 22:41 ..
-rw-r----- 1 root root 5678 Jul 24 22:41 cert_10.169.129.85
-rw-r----- 1 root root 5678 Jul 25 17:43 cert_10.169.134.120
-rw-r----- 1 root root 5678 Jul 24 22:41 cert_cloud.<censored>
-rw-r----- 1 root root 3272 Jul 24 22:41 key_10.169.129.85
-rw-r----- 1 root root 3272 Jul 25 17:43 key_10.169.134.120
-rw-r----- 1 root root 3272 Jul 24 22:41 key_cloud.<censored>
```

Nobuto Murata (nobuto)
Changed in charm-helpers:
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.