CloudKitty bootstrap fails when using internal TLS

Bug #1998831 reported by Pierre Riteau
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
kolla-ansible | Fix Released | Undecided | Unassigned |

Bug Description

When InfluxDB is behind HAProxy's internal TLS, CloudKitty fails to bootstrap its InfluxDB database with the following error:

TASK [cloudkitty : Creating Cloudkitty influxdb database] ***************************************************************************************************************************
fatal: [controller01 -> controller01]: FAILED! => changed=false
  action: influxdb_database
  msg: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

When Elasticsearch is used, a similar problem happens during TASK [cloudkitty : Running Cloudkitty bootstrap container]. cloudkitty-api.log shows:

requests.exceptions.SSLError: HTTPSConnectionPool(host='<INTERNAL_VIP>', port=9200): Max retries exceeded with url: /cloudkitty (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: New → In Progress
Pierre Riteau (priteau)
summary: - CloudKitty bootstrap fails when using InfluxDB and internal TLS
+ CloudKitty bootstrap fails when using internal TLS
Pierre Riteau (priteau)
description: updated
joek-office (joek-office) wrote :

Hello priteau,
What has to be done to release/merge the bug fix?
I'm new to such cases, but in my opinion the bug fix is suitable. There's only one thing: could we possibly make it configurable via a new configuration parameter in the ansible/roles/cloudkitty/defaults/main.yml file?
Can't we also use the value of cloudkitty_influxdb_insecure_connections on deployment by default?

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/866598
Committed: https://opendev.org/openstack/kolla-ansible/commit/78e7f133f0b5462ca5449b34c9aed7745c14600b
Submitter: "Zuul (22348)"
Branch: master

commit 78e7f133f0b5462ca5449b34c9aed7745c14600b
Author: Pierre Riteau <email address hidden>
Date: Tue May 14 09:35:51 2024 +0200

    Support CloudKitty deployment with internal TLS

    Configure cloudkitty_influxdb_use_ssl automatically based on the value
    of kolla_enable_tls_internal. Set cloudkitty_elasticsearch_cafile,
    cloudkitty_influxdb_cafile and cloudkitty_prometheus_cafile to
    openstack_cacert.

    Disable certificate validation when bootstrapping the InfluxDB database:
    the influxdb_database module and the InfluxDB 1.x Python client don't
    support specifying a CA certificate file.

    This fixes bootstrap and execution of CloudKitty with internal TLS.

    Closes-Bug: #1998831
    Change-Id: I5524169b9567819d379726099bf70c692c85acc1

Changed in kolla-ansible:
status: In Progress → Fix Released
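
The "unable to get local issuer certificate" failure from the description, and the effect of pointing a client at a CA file as the merged commit does with the *_cafile settings, can be reproduced offline with a throwaway CA. This is an added example, not code from kolla-ansible or from the bug thread; the CA name, the host name internal-vip.example and all file names are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: all names, subjects and paths below are constructed.

# Create a throwaway CA (standing in for the internal CA that
# openstack_cacert points at) and a certificate for a hypothetical VIP.
make_demo_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Internal CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=internal-vip.example" \
        -keyout "$d/vip.key" -out "$d/vip.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/vip.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/vip.pem" 2>/dev/null
}

# Verify a certificate. With no second argument only the default
# trust store is consulted, as a client without a cafile setting does.
verify_against() {
    local cert="$1" cafile="${2:-}"
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$cert" 2>&1
    else
        openssl verify "$cert" 2>&1
    fi
}

# Run both checks against freshly generated material and clean up.
demo() {
    local d rc
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    echo "--- default trust store only ---"
    verify_against "$d/vip.pem" || true   # expected to fail
    echo "--- with the CA file supplied ---"
    verify_against "$d/vip.pem" "$d/ca.pem"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

The first check fails because the issuing CA is absent from the default trust store; the second succeeds because the verifier is given that CA, and validation stays on.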