tripleo

rabbitmq cert and keys are injected incorretly after certmonger regenerates them

Bug #1941727 reported by Damien Ciabrini
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Confirmed
High
Damien Ciabrini

Bug Description

When certmonger resubmit a certificate to the IPA server, it calls a post_save script that fails to inject the updated certificate and key because it fetches an invalid hiera key:

[root@messaging-1 ~]# /usr/bin/certmonger-rabbitmq-refresh.sh
Traceback (most recent call last):
        9: from /bin/hiera:246:in `<main>'
        8: from /usr/share/ruby/vendor_ruby/hiera.rb:116:in `lookup'
        7: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:267:in `lookup'
        6: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:267:in `each'
        5: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:272:in `block in lookup'
        4: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:272:in `catch'
        3: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:279:in `block (2 levels) in lookup'
        2: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:316:in `qualified_lookup'
        1: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:316:in `each'
/usr/share/ruby/vendor_ruby/hiera/backend.rb:329:in `block in qualified_lookup': Hiera type mismatch: Got String when a hash-like object was expected to access value using 'service_certificate' from key 'tripleo::rabbitmq::service_certificate.service_certificate' (Exception)
Traceback (most recent call last):
        9: from /bin/hiera:246:in `<main>'
        8: from /usr/share/ruby/vendor_ruby/hiera.rb:116:in `lookup'
        7: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:267:in `lookup'
        6: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:267:in `each'
        5: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:272:in `block in lookup'
        4: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:272:in `catch'
        3: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:279:in `block (2 levels) in lookup'
        2: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:316:in `qualified_lookup'
        1: from /usr/share/ruby/vendor_ruby/hiera/backend.rb:316:in `each'
/usr/share/ruby/vendor_ruby/hiera/backend.rb:329:in `block in qualified_lookup': Hiera type mismatch: Got String when a hash-like object was expected to access value using 'service_key' from key 'tripleo::rabbitmq::service_certificate.service_key' (Exception)
tar: Substituting `.' for empty member name
tar: : Cannot stat: No such file or directory
tar: Substituting `.' for empty member name
tar: : Cannot stat: No such file or directory
tar: Exiting with failure status due to previous errors
cp: -r not specified; omitting directory '/var/lib/kolla/config_files/src-tls'
chown: cannot access '': No such file or directory
chown: cannot access '': No such file or directory

Revision history for this message
Damien Ciabrini (dciabrin) wrote :

This does not happen in master, but is specific to Victoria and Train where the scripts still reside in puppet-tripleo

Changed in tripleo:
milestone: xena-rc1 → none
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/806135

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/806136

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/806330

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/806135
Committed: https://opendev.org/openstack/puppet-tripleo/commit/76ecde4cf5ab514a9f4ffdb8ed8bf23f04999047
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 76ecde4cf5ab514a9f4ffdb8ed8bf23f04999047
Author: Damien Ciabrini <email address hidden>
Date: Thu Aug 26 12:53:24 2021 +0200

    Fix rabbitmq certificate reload after it is resubmitted

    When certmonger resubmit a certificate, make sure that
    the post_save command reads the right hiera key to
    update the certificate file into the running rabbitmq
    container.

    Change-Id: Ic7f66b83611794d41105941c15c32479fe876980
    Closes-Bug: #1941727

tags: added: in-stable-victoria
tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/train)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/806136
Committed: https://opendev.org/openstack/puppet-tripleo/commit/48d6566567234e7269a29eff8d56208dd49b2884
Submitter: "Zuul (22348)"
Branch: stable/train

commit 48d6566567234e7269a29eff8d56208dd49b2884
Author: Damien Ciabrini <email address hidden>
Date: Thu Aug 26 12:53:24 2021 +0200

    Fix rabbitmq certificate reload after it is resubmitted

    When certmonger resubmit a certificate, make sure that
    the post_save command reads the right hiera key to
    update the certificate file into the running rabbitmq
    container.

    Change-Id: Ic7f66b83611794d41105941c15c32479fe876980
    Closes-Bug: #1941727
    (cherry picked from commit 42a29d04139f938f180b66060d8580325a57ff11)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/806330
Committed: https://opendev.org/openstack/puppet-tripleo/commit/1b540eaa2629d5fc4a7f0eb56d4165a1f4b22fb8
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 1b540eaa2629d5fc4a7f0eb56d4165a1f4b22fb8
Author: Damien Ciabrini <email address hidden>
Date: Thu Aug 26 12:53:24 2021 +0200

    Fix rabbitmq certificate reload after it is resubmitted

    When certmonger resubmit a certificate, make sure that
    the post_save command reads the right hiera key to
    update the certificate file into the running rabbitmq
    container.

    Change-Id: Ic7f66b83611794d41105941c15c32479fe876980
    Closes-Bug: #1941727
    (cherry picked from commit 42a29d04139f938f180b66060d8580325a57ff11)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 12.7.1

This issue was fixed in the openstack/puppet-tripleo 12.7.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 13.7.0

This issue was fixed in the openstack/puppet-tripleo 13.7.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.