HAProxy healthchecks fail to negociate TLS connection to services with client verification enabled
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tripleo |
Confirmed
|
Medium
|
Damien Ciabrini |
Bug Description
When TLS-e is enabled, the horizon service cannot be proxied correctly by HAProxy, as horizon requires client certificate verification for TLS connection, and HAProxy does not advertise its client certificate appropriately.
Consequently, the Horizon service always shows are not available in HAProxy, as shown in the stats socket output:
[root@controller-0 container-puppet]# echo "show stat" | socat - unix-connect:
horizon,
0,0,0,,
Fix proposed to branch: stable/wallaby /review. opendev. org/c/openstack /puppet- tripleo/ +/886290
Review: https:/