cannot start a kubernetes cluster with openstack_ca_file and SSL keystone
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Magnum | New | Undecided | Unassigned | | |
Bug Description
Hi,
Using openstack rocky (CentOS7) and fedora-atomic 2019-04-29.
I have enabled SSL on keystone and some openstack endpoints.
Using a non-standard CA, but one that I don't control either, which is a member of the IGTF.
That CA is a sub-CA of another one:
ROOT CA -> Service CA
(and I have other CAs I'd like to include, but see below)
My keystone endpoint (and others) has a certificate issued from the "Service CA".
In order for authentication to work, I have to create a CA bundle which contains at least the root CA and its sub-CA certs, in PEM format.
File is then 5838 octets big and is assigned to the openstack magnum configuration parameter "openstack_
=> trying to create a kubernetes cluster using magnum then stalls because the user_data is too big. Looks like this is because the user_data is limited to 64K, and including the CA bundle inside is blowing the thing up.
Heat-engine reports in its logs:
Invalid input for field/attribute user_data. Value: Q29udGVudC1UeXB
=> removing the openstack_ca_file param and setting verify_ca=false in magnum : fails too, because THEN, inside the kube master, a heat-container-
Error then is:
Authorization failed: SSL exception connecting to https:/
This then makes it impossible to start a kubernetes cluster on my openstack installation.
My next try will be to modify the fedora-atomic image in order to include the CA bundle myself :'(
Best regards
affects: | openstack-manuals → magnum |