puppet-tripleo generates wrong haproxy.cfg for SSL-protected rgw instances

Solution Verified

Issue

  • haproxy.pp assumes that Ceph rgw instances always speak plaintext and do not support SSL connectivity, and therefore explicitly ignores internal_tls_member_options for the rgw backend even when EnableInternalTLS is active.

  • In setups with SSL-protected rgw instances, this produces a broken haproxy.cfg: HAProxy connects to the Ceph rgw members in plaintext, so the rgw instances reject the connections and report an SSL handshake failure.

  • To clients, this shows up as HTTP 503 errors for every request to the Ceph rgw endpoint, which effectively makes rgw unusable (for example as storage for OpenShift deployments) in TLS-everywhere setups.
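The misconfiguration described above, as an added example that is not code from puppet-tripleo or from this article: a constructed haproxy.cfg fragment in which the ceph_rgw listen section terminates client TLS on its bind lines but still talks plaintext to the rgw members (the "ssl crt" on a bind line says nothing about how HAProxy reaches the backend), next to a small check that finds such members and appends the TLS member options HAProxy needs to verify the backend. The hostnames, addresses, ports, the /etc/ipa/ca.crt bundle path and the exact option string are assumptions for illustration, not values taken from the page.

```python
"""Find HAProxy backend members that are reached in plaintext and add TLS member options.

Added example, not puppet-tripleo code. The config below is constructed; the hostnames,
addresses and the CA bundle path are assumptions for illustration.
"""
import re
from typing import Dict, List

# Constructed haproxy.cfg fragment. The ceph_rgw section terminates TLS from clients
# (bind ... ssl crt ...) but its 'server' lines carry no 'ssl' keyword, so HAProxy
# opens plaintext connections to rgw instances that expect TLS. The keystone_internal
# section shows what a correctly generated TLS backend looks like.
BROKEN_CFG = """\
listen ceph_rgw
  bind 172.17.1.10:8080 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 10.0.0.10:13808 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  option httpchk GET /swift/healthcheck
  server controller-0.internalapi 172.17.1.20:8080 check fall 5 inter 2000 rise 2
  server controller-1.internalapi 172.17.1.21:8080 check fall 5 inter 2000 rise 2

listen keystone_internal
  bind 172.17.1.10:5000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  mode http
  server controller-0.internalapi 172.17.1.20:5000 check fall 5 inter 2000 rise 2 ssl verify required ca-file /etc/ipa/ca.crt
"""

# Assumed TLS member options: encrypt to the member and verify its certificate
# against the internal CA bundle (path is an assumption).
TLS_MEMBER_OPTIONS = "ssl verify required ca-file /etc/ipa/ca.crt"

# A section header is one of these keywords at column 0, optionally followed by a name.
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")


def parse_sections(cfg: str) -> Dict[str, List[str]]:
    """Map each section (by name, or keyword for global/defaults) to its directive lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(raw)
        if m:
            current = m.group(2) or m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def plaintext_servers(cfg: str, section: str) -> List[str]:
    """Names of 'server' members in `section` that HAProxy would contact without TLS."""
    names = []
    for line in parse_sections(cfg).get(section, []):
        parts = line.split()
        if parts[0] != "server":
            continue
        # Only a standalone 'ssl' keyword among the server options enables TLS to
        # the member; 'ssl' on a bind line is client-side termination and is ignored.
        if "ssl" not in parts[2:]:
            names.append(parts[1])
    return names


def add_tls_member_options(cfg: str, section: str, options: str) -> str:
    """Return cfg with `options` appended to every plaintext server line in `section`."""
    out = []
    current = None
    for raw in cfg.splitlines():
        m = SECTION_RE.match(raw)
        if m:
            current = m.group(2) or m.group(1)
        elif current == section:
            parts = raw.split()
            if parts and parts[0] == "server" and "ssl" not in parts[2:]:
                raw = raw.rstrip() + " " + options
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    bad = plaintext_servers(BROKEN_CFG, "ceph_rgw")
    print("plaintext rgw members:", bad)
    print(add_tls_member_options(BROKEN_CFG, "ceph_rgw", TLS_MEMBER_OPTIONS))
```

Run against a real overcloud, the same check (`grep -A20 '^listen ceph_rgw' /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg` and looking for `ssl verify required` on the server lines) tells you quickly whether the generated file has this defect before chasing the 503s at the client side.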

Environment

Red Hat OpenStack 16.0
