ok thanks - I've tested this and have an issue. It looks like some of the code within the openstack-integrator is trying to use the admin endpoints of OpenStack instead of the public ones. I get this error in the openstack-integrator logs when it tries to create the k8s master loadbalancer:
2019-10-04 20:12:29 DEBUG juju.worker.uniter.remotestate watcher.go:525 got a relation units change: {3 {map[kubernetes-worker/0:{0}] []}}
2019-10-04 20:13:01 DEBUG juju.worker.uniter.remotestate watcher.go:525 got a relation units change: {1 {map[kubernetes-master/1:{0}] []}}
2019-10-04 20:13:01 DEBUG juju.worker.uniter.remotestate watcher.go:525 got a relation units change: {2 {map[kubernetes-master/1:{0}] []}}
2019-10-04 20:15:42 DEBUG juju.worker.uniter.remotestate watcher.go:531 update status timer triggered
2019-10-04 20:21:18 DEBUG juju.worker.uniter.remotestate watcher.go:531 update status timer triggered
2019-10-04 20:21:52 DEBUG loadbalancer-relation-joined Unable to establish connection to https://192.168.10.200:35357/v3/domains?: HTTPSConnectionPool(host='192.168.10.
200', port=35357): Max retries exceeded with url: /v3/domains (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fcdbe655160>: Fail
ed to establish a new connection: [Errno 110] Connection timed out',))
2019-10-04 20:21:52 DEBUG worker.uniter.jujuc server.go:182 running hook tool "juju-log"
2019-10-04 20:21:52 ERROR juju-log loadbalancer:1: Error creating loadbalancer
Traceback (most recent call last):
File "lib/charms/layer/openstack.py", line 325, in get_or_create
lb.create()
File "lib/charms/layer/openstack.py", line 388, in create
sg_id = self._impl.find_secgrp(self.name)
File "lib/charms/layer/openstack.py", line 584, in find_secgrp
'--project', self.project_id)}
File "lib/charms/layer/openstack.py", line 577, in project_id
project)['id']
File "lib/charms/layer/openstack.py", line 267, in _openstack
output = _run_with_creds('openstack', *args, '--format=yaml')
File "lib/charms/layer/openstack.py", line 262, in _run_with_creds
stdout=subprocess.PIPE)
File "/usr/lib/python3.6/subprocess.py", line 438, in run
output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '('openstack', 'project', 'show', '--domain', 'admin_domain', 'dpcop_mgmt', '--format=yaml')' returned non-zero exit status 1.
The OpenStack network hosting the services can route/access the public URL but not the internal or admin ones. Shouldn't the integrator only access the public API endpoints?
thanks
Ed
From Ed @ Atos:
ok thanks - I've tested this and have an issue. It looks like some of the code within the openstack- integrator is trying to use the admin endpoints of OpenStack instead of the public ones. I get this error in the openstack- integrator logs when it tries to create the k8s master loadbalancer:
2019-10-04 20:12:29 DEBUG juju.worker. uniter. remotestate watcher.go:525 got a relation units change: {3 {map[kubernetes -worker/ 0:{0}] []}} uniter. remotestate watcher.go:525 got a relation units change: {1 {map[kubernetes -master/ 1:{0}] []}} uniter. remotestate watcher.go:525 got a relation units change: {2 {map[kubernetes -master/ 1:{0}] []}} uniter. remotestate watcher.go:531 update status timer triggered uniter. remotestate watcher.go:531 update status timer triggered relation- joined Unable to establish connection to https:/ /192.168. 10.200: 35357/v3/ domains?: HTTPSConnection Pool(host= '192.168. 10. ror('<urllib3. connection. VerifiedHTTPSCo nnection object at 0x7fcdbe655160>: Fail layer/openstack .py", line 325, in get_or_create layer/openstack .py", line 388, in create find_secgrp( self.name) layer/openstack .py", line 584, in find_secgrp layer/openstack .py", line 577, in project_id layer/openstack .py", line 267, in _openstack creds(' openstack' , *args, '--format=yaml') layer/openstack .py", line 262, in _run_with_creds subprocess. PIPE) python3. 6/subprocess. py", line 438, in run CalledProcessEr ror: Command '('openstack', 'project', 'show', '--domain', 'admin_domain', 'dpcop_mgmt', '--format=yaml')' returned non-zero exit status 1.
2019-10-04 20:13:01 DEBUG juju.worker.
2019-10-04 20:13:01 DEBUG juju.worker.
2019-10-04 20:15:42 DEBUG juju.worker.
2019-10-04 20:21:18 DEBUG juju.worker.
2019-10-04 20:21:52 DEBUG loadbalancer-
200', port=35357): Max retries exceeded with url: /v3/domains (Caused by NewConnectionEr
ed to establish a new connection: [Errno 110] Connection timed out',))
2019-10-04 20:21:52 DEBUG worker.uniter.jujuc server.go:182 running hook tool "juju-log"
2019-10-04 20:21:52 ERROR juju-log loadbalancer:1: Error creating loadbalancer
Traceback (most recent call last):
File "lib/charms/
lb.create()
File "lib/charms/
sg_id = self._impl.
File "lib/charms/
'--project', self.project_id)}
File "lib/charms/
project)['id']
File "lib/charms/
output = _run_with_
File "lib/charms/
stdout=
File "/usr/lib/
output=stdout, stderr=stderr)
subprocess.
The issue is this: 192.168.10.200', port=35357 juju-4a107b- 0-lxd-1: ~$ openstack endpoint list | grep keystone 8871c043186393c 63 | RegionOne | keystone | identity | True | public | https:/ /auth.ohc01. customerb. internal: 5000/v3 695d345459367e3 4b | RegionOne | keystone | identity | True | internal | https:/ /192.168. 10.200: 5000/v3 3bf845dd738491a eb | RegionOne | keystone | identity | True | admin | https:/ /192.168. 10.200: 35357/v3
Keystone endpoints are as follows:
ubuntu@
| 86307cea7d984b4
|
| b877879836c0490
|
| f37fb0f679654f5
The OpenStack network hosting the services can route/access the public URL but not the internal or admin ones. Shouldn't the integrator only access the public API endpoints?
thanks
Ed