Kubernetes API Load Balancer

  1. Bug #1836885
  2. Comment #6

Comment 6 for bug 1836885

Revision history for this message
Tim Van Steenburgh (tvansteenburgh) wrote :

From Ed @ Atos:

ok thanks - I've tested this and have an issue. It looks like some of the code within the openstack-integrator is trying to use the admin endpoints of OpenStack instead of the public ones. I get this error in the openstack-integrator logs when it tries to create the k8s master loadbalancer:

2019-10-04 20:12:29 DEBUG juju.worker.uniter.remotestate watcher.go:525 got a relation units change: {3 {map[kubernetes-worker/0:{0}] []}}
2019-10-04 20:13:01 DEBUG juju.worker.uniter.remotestate watcher.go:525 got a relation units change: {1 {map[kubernetes-master/1:{0}] []}}
2019-10-04 20:13:01 DEBUG juju.worker.uniter.remotestate watcher.go:525 got a relation units change: {2 {map[kubernetes-master/1:{0}] []}}
2019-10-04 20:15:42 DEBUG juju.worker.uniter.remotestate watcher.go:531 update status timer triggered
2019-10-04 20:21:18 DEBUG juju.worker.uniter.remotestate watcher.go:531 update status timer triggered
2019-10-04 20:21:52 DEBUG loadbalancer-relation-joined Unable to establish connection to https://192.168.10.200:35357/v3/domains?: HTTPSConnectionPool(host='192.168.10.
200', port=35357): Max retries exceeded with url: /v3/domains (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fcdbe655160>: Fail
ed to establish a new connection: [Errno 110] Connection timed out',))
2019-10-04 20:21:52 DEBUG worker.uniter.jujuc server.go:182 running hook tool "juju-log"
2019-10-04 20:21:52 ERROR juju-log loadbalancer:1: Error creating loadbalancer
Traceback (most recent call last):
File "lib/charms/layer/openstack.py", line 325, in get_or_create
lb.create()
File "lib/charms/layer/openstack.py", line 388, in create
sg_id = self._impl.find_secgrp(self.name)
File "lib/charms/layer/openstack.py", line 584, in find_secgrp
'--project', self.project_id)}
File "lib/charms/layer/openstack.py", line 577, in project_id
project)['id']
File "lib/charms/layer/openstack.py", line 267, in _openstack
output = _run_with_creds('openstack', *args, '--format=yaml')
File "lib/charms/layer/openstack.py", line 262, in _run_with_creds
stdout=subprocess.PIPE)
File "/usr/lib/python3.6/subprocess.py", line 438, in run
output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '('openstack', 'project', 'show', '--domain', 'admin_domain', 'dpcop_mgmt', '--format=yaml')' returned non-zero exit status 1.

The issue is this: 192.168.10.200', port=35357
Keystone endpoints are as follows:
ubuntu@juju-4a107b-0-lxd-1:~$ openstack endpoint list | grep keystone
| 86307cea7d984b48871c043186393c63 | RegionOne | keystone | identity | True | public | https://auth.ohc01.customerb.internal:5000/v3
|
| b877879836c0490695d345459367e34b | RegionOne | keystone | identity | True | internal | https://192.168.10.200:5000/v3
|
| f37fb0f679654f53bf845dd738491aeb | RegionOne | keystone | identity | True | admin | https://192.168.10.200:35357/v3

The OpenStack network hosting the services can route/access the public URL but not the internal or admin ones. Shouldn't the integrator only access the public API endpoints?
thanks
Ed