I'm trying to deploy a HA overcloud with public TLS endpoints:
openstack overcloud deploy --override-ansible-cfg /home/stack/custom_ansible.cfg \
--templates /usr/share/openstack-tripleo-heat-templates \
--libvirt-type qemu --timeout 90 --ntp-server clock.redhat.com \
-e /home/stack/cloud-names.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
-e /home/stack/containers-prepare-parameter.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/podman.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/net-single-nic-with-vlans.yaml \
-e /home/stack/network-environment.yaml \
-e /home/stack/overcloud_storage_params.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/low-memory-usage.yaml \
-e /home/stack/enable-tls.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml \
-e /home/stack/inject-trust-anchor.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/disable-telemetry.yaml \
--validation-warnings-fatal \
-e /home/stack/overcloud-topology-config.yaml \
-e /home/stack/overcloud-selinux-config.yaml \
-e /usr/share/openstack-tripleo-heat-templates/ci/environments/ovb-ha.yaml
The deployment fails early during configuration of the haproxy service in container-puppet-haproxy:
TASK [tripleo_container_manage : Print failing containers] *********************
Tuesday 14 April 2020 16:46:17 +0000 (0:00:00.218) 0:13:07.871 *********
fatal: [overcloud-controller-0]: FAILED! => changed=false
  msg: 'Container(s) with bad ExitCode: [''container-puppet-haproxy''], check logs in /var/log/containers/stdouts/'
The error seems to be related to a pem file which cannot be parsed correctly by haproxy:
<13>Apr 14 21:03:13 puppet-user: Notice: Compiled catalog for overcloud-controller-0.localdomain in environment production in 0.94 seconds
<13>Apr 14 21:03:13 puppet-user: Error: Execution of '/usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg20200414-17-mcrnj -c' returned 1: [ALERT] 104/210313 (53) : parsing [/etc/haproxy/haproxy.cfg20200414-17-mcrnj:27] : 'bind 10.0.0.5:13776' : unable to load SSL private key from PEM file '/etc/pki/tls/private/overcloud_endpoint.pem'.
<13>Apr 14 21:03:13 puppet-user: [ALERT] 104/210313 (53) : parsing [/etc/haproxy/haproxy.cfg20200414-17-mcrnj:42] : 'bind 10.0.0.5:13292' : unable to load SSL private key from PEM file '/etc/pki/tls/private/overcloud_endpoint.pem'.
<13>Apr 14 21:03:13 puppet-user: [ALERT] 104/210313 (53) : parsing [/etc/haproxy/haproxy.cfg20200414-17-mcrnj:64] : 'bind 10.0.0.5:13004' : unable to load SSL private key from PEM file '/etc/pki/tls/private/overcloud_endpoint.pem'.
[...]
On the controller, /etc/pki/tls/private/overcloud_endpoint.pem seems to be generated with escaped \n, which confuses parsing:
[root@overcloud-controller-0 ~]# openssl x509 -in /etc/pki/tls/private/overcloud_endpoint.pem -text
unable to load certificate
139864179402560:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
[root@overcloud-controller-0 ~]# cat /etc/pki/tls/private/overcloud_endpoint.pem
There seems to be an issue with ansible-runner, which treats every extravar as a string, and there is no proper serialization for multiline strings like a private key.
I've submitted PR [1] for that a few days back. However, there is a workaround in tripleoclient [2] that has already merged to fix this. I think your python-tripleoclient is old and does not have it.
[1] https://github.com/ansible/ansible-runner/pull/444
[2] https://github.com/openstack/python-tripleoclient/commit/a947b57094f2fd5da6d54e1c98b2aa947bb37914#diff-3d0be95f0f9b73cbde278ac20e8e41ff
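As an added illustration of the failure mode in the reply above (this is not code from the report, from ansible-runner or from tripleoclient): a small check that tells a correctly written PEM file from one whose line breaks were flattened into the two characters backslash and n, plus the assumed way a multiline value picks up those escapes when it is stringified rather than encoded structurally. The sample block is constructed and is not a real certificate.

```python
import base64
import json
import re

# Constructed sample: a tiny fake block (not a real certificate) written the
# way the controller's overcloud_endpoint.pem came out, with the two
# characters backslash + n in place of real line breaks.
FAKE_BODY = base64.b64encode(b"constructed sample, not a real certificate").decode()
BROKEN_PEM = "-----BEGIN CERTIFICATE-----\\n" + FAKE_BODY + "\\n-----END CERTIFICATE-----\\n"

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+?)"
    r"-----END (?P=label)-----"
)


def has_literal_newlines(text: str) -> bool:
    """A correct PEM file never contains a backslash, so one means the
    newlines were escaped during serialization, as in the report."""
    return "\\n" in text


def pem_labels(text: str) -> list:
    """Labels of the well-formed blocks in text (e.g. 'CERTIFICATE',
    'RSA PRIVATE KEY') whose body is valid base64; [] for the escaped form."""
    labels = []
    for m in PEM_BLOCK.finditer(text):
        # validate=True rejects anything outside the base64 alphabet
        base64.b64decode("".join(m.group("body").split()), validate=True)
        labels.append(m.group("label"))
    return labels


def unescape(text: str) -> str:
    """Turn the escaped form back into real line breaks (for inspection;
    the real fix is to serialize the extravar correctly upstream)."""
    return text.replace("\\n", "\n")


def naive_extravar(name: str, value: str) -> str:
    """Assumed mimic, not ansible-runner's code: stringifying a multiline
    value with repr() turns each newline into the escaped pair seen on disk."""
    return f"{name}={value!r}"


def json_extravar(name: str, value: str) -> str:
    """A structured encoding keeps the newlines recoverable on decode."""
    return json.dumps({name: value})


def roundtrips(name: str, value: str) -> bool:
    return json.loads(json_extravar(name, value))[name] == value
```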