puppet-tripleo generates wrong haproxy.cfg for SSL-protected rgw instances
Issue
- haproxy.pp assumes that Ceph rgw instances always use plaintext and do not support SSL connectivity, and hence explicitly ignores internal_tls_member_options even if EnableInternalTLS is active.
- In setups with SSL-protected rgw instances, this leads to a broken haproxy.cfg configuration file in which the Ceph rgw instances refuse to communicate with HAProxy, reporting an SSL handshake failure.
- To the outside world, this leads to 503 errors when trying to communicate with the Ceph rgw instance, effectively making it impossible to use rgw, for instance, as storage for OpenShift deployments in TLS-everywhere setups.
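A check for the condition described above, as an added example that is not part of the original article or of puppet-tripleo: it parses a haproxy.cfg and lists the member servers of one section whose server lines lack the ssl keyword. The section name ceph_rgw, the function name, and the sample configuration (addresses, file paths) are assumptions constructed for illustration.

```python
# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CFG = """\
global
  maxconn 20480

listen ceph_rgw
  bind 192.0.2.10:8080 ssl crt /etc/example/haproxy-internal.pem
  mode http
  server ctrl-0 198.51.100.11:8080 check fall 5 inter 2000 rise 2
  server ctrl-1 198.51.100.12:8080 check fall 5 inter 2000 rise 2

listen glance_api
  bind 192.0.2.10:9292 ssl crt /etc/example/haproxy-internal.pem
  mode http
  server ctrl-0 198.51.100.21:9292 ca-file /etc/example/ca.crt check ssl verify required
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")


def members_without_tls(cfg_text, section):
    """Return (name, address) for each server in `section` that has no 'ssl' option."""
    current = None
    findings = []
    for raw in cfg_text.splitlines():
        # Drop comments; a '#' inside a quoted argument is not handled here.
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTION_KEYWORDS:
            # 'listen ceph_rgw' -> 'ceph_rgw'; unnamed sections keep their keyword.
            current = words[1] if len(words) > 1 else words[0]
            continue
        # Server line syntax: server <name> <address>[:port] [options...]
        if current == section and words[0] == "server" and len(words) >= 3:
            if "ssl" not in words[3:]:
                findings.append((words[1], words[2]))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path to a haproxy.cfg, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for name, addr in members_without_tls(text, "ceph_rgw"):
        print(f"{name} {addr}: no 'ssl' on server line, HAProxy will speak plaintext")
```

An empty result for a section whose backends terminate TLS means HAProxy is configured to use SSL towards them; any listed member is one HAProxy will contact in plaintext.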
Environment
Red Hat OpenStack 16.0