deploy with SSL enabled fails

Bug #1720995 reported by Eduardo Gonzalez
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
kolla-ansible | Fix Released | Undecided | Eduardo Gonzalez |

Bug Description

Deploy fails when TLS is enabled for public endpoints.

TASK [keystone : Creating default user role] ***************************************************************************************************
FAILED - RETRYING: Creating default user role (10 retries left).
FAILED - RETRYING: Creating default user role (9 retries left).
FAILED - RETRYING: Creating default user role (8 retries left).
FAILED - RETRYING: Creating default user role (7 retries left).
FAILED - RETRYING: Creating default user role (6 retries left).
FAILED - RETRYING: Creating default user role (5 retries left).
FAILED - RETRYING: Creating default user role (4 retries left).
FAILED - RETRYING: Creating default user role (3 retries left).
FAILED - RETRYING: Creating default user role (2 retries left).
FAILED - RETRYING: Creating default user role (1 retries left).
fatal: [192.168.100.244]: FAILED! => {"attempts": 10, "changed": false, "failed": true, "msg": "SSL exception connecting to https://192.168.100.11:5000: HTTPSConnectionPool(host='192.168.100.11', port=5000): Max retries exceeded with url: / (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)\",),))"}

Ansible modules are using the public interface rather than admin/internal.

Changed in kolla-ansible:
assignee: nobody → Eduardo Gonzalez (egonzalez90)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/509186

Pierre Hanselmann (pierre-hanselmann) wrote :

Perfect, I have the same issue and I'm not familiar enough with kolla to solve it by myself. Now I don't catch the point... How does "endpoint_type" solve this issue? Taking the "Creating default user role" task... do you have an example?

Eduardo Gonzalez (egonzalez90) wrote :

It will tell Ansible/services to connect through the internal or admin endpoint (http) rather than the public one (https). This is caused because self-signed certificates are not authorized in the service's container, because SSL termination is done at the HAProxy external VIP.
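
An illustration of the `endpoint_type` answer above, added here as an example; it is not part of the original thread and is not kolla-ansible's own task. The variable names, role name, auth URL and CA path are placeholders, and the tasks call Ansible's `os_keystone_role` module directly.

```yaml
# Added example: constructed playbook, not taken from kolla-ansible.
- hosts: localhost
  gather_facts: false
  vars:
    # Hypothetical credentials block; substitute the deployment's own values.
    keystone_auth:
      auth_url: "http://<internal-vip>:<admin-port>/v3"   # placeholder
      username: admin
      password: "{{ keystone_admin_password }}"           # hypothetical variable
      project_name: admin
      user_domain_name: Default
      project_domain_name: Default
  tasks:
    # Option 1 (what the fix in this bug does): select the admin or internal
    # entry from the service catalog. Those are plain http in this deployment,
    # so no certificate is checked; the request never reaches the TLS-terminating
    # external VIP. Credentials then cross the internal network unencrypted.
    # Newer Ansible releases name this option "interface" and keep
    # "endpoint_type" as an alias.
    - name: Create example role through the admin endpoint
      os_keystone_role:
        auth: "{{ keystone_auth }}"
        endpoint_type: admin
        name: example_role          # constructed role name
        state: present

    # Option 2: keep the public https endpoint and make the module trust the
    # CA that signed the self-signed certificate. Verification stays on.
    - name: Create example role through the public endpoint, CA trusted
      os_keystone_role:
        auth: "{{ keystone_auth }}"
        endpoint_type: public
        cacert: /path/to/deployment-ca.pem   # placeholder path
        validate_certs: true
        name: example_role
        state: present

    # Weak setting, shown for contrast only: "validate_certs: false" also makes
    # the handshake error disappear, but it accepts any certificate and so
    # removes protection against an interposed host on the public network.
```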

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.openstack.org/509186
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=56374206bebe1a4a3f25e2099cbd839f47ff3a6f
Submitter: Jenkins
Branch: master

commit 56374206bebe1a4a3f25e2099cbd839f47ff3a6f
Author: Eduardo Gonzalez <email address hidden>
Date: Tue Oct 3 14:48:55 2017 +0200

    Fix deployment with public TLS enabled

    When deploying with TLS enabled on public
    endpoints, Ansible modules fail because the SSL certificates
    are self-signed.

    This change adds a new variable to allow customization
    of which endpoints Ansible should connect to.
    Defaults to admin because admin auth parameters default
    to the admin endpoint.

    Change-Id: Ic3ed58cf9c9579cae08a11bbfe6fce983b5a9cbc
    Closes-Bug: #1720995

Changed in kolla-ansible:
status: In Progress → Fix Released
Pierre Hanselmann (pierre-hanselmann) wrote :

Works perfectly with my deployment. Thanks!

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/521154

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 6.0.0.0b2

This issue was fixed in the openstack/kolla-ansible 6.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/pike)

Reviewed: https://review.openstack.org/521154
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=ec8e233f4d4523eee7f777421ac35904151300f2
Submitter: Zuul
Branch: stable/pike

commit ec8e233f4d4523eee7f777421ac35904151300f2
Author: Eduardo Gonzalez <email address hidden>
Date: Tue Oct 3 14:48:55 2017 +0200

    Fix deployment with public TLS enabled

    When deploying with TLS enabled on public
    endpoints, Ansible modules fail because the SSL certificates
    are self-signed.

    This change adds a new variable to allow customization
    of which endpoints Ansible should connect to.
    Defaults to admin because admin auth parameters default
    to the admin endpoint.

    Change-Id: Ic3ed58cf9c9579cae08a11bbfe6fce983b5a9cbc
    Closes-Bug: #1720995
    (cherry picked from commit 56374206bebe1a4a3f25e2099cbd839f47ff3a6f)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/536757

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 5.0.2

This issue was fixed in the openstack/kolla-ansible 5.0.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ocata)

Reviewed: https://review.openstack.org/536757
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=9e48668d6ba452928b5aceec133268655b629f76
Submitter: Zuul
Branch: stable/ocata

commit 9e48668d6ba452928b5aceec133268655b629f76
Author: Eduardo Gonzalez <email address hidden>
Date: Tue Oct 3 14:48:55 2017 +0200

    Fix deployment with public TLS enabled

    When deploying with TLS enabled on public
    endpoints, Ansible modules fail because the SSL certificates
    are self-signed.

    This change adds a new variable to allow customization
    of which endpoints Ansible should connect to.
    Defaults to admin because admin auth parameters default
    to the admin endpoint.

    Change-Id: Ic3ed58cf9c9579cae08a11bbfe6fce983b5a9cbc
    Closes-Bug: #1720995
    (cherry picked from commit 56374206bebe1a4a3f25e2099cbd839f47ff3a6f)
    (cherry picked from commit ec8e233f4d4523eee7f777421ac35904151300f2)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 4.0.5

This issue was fixed in the openstack/kolla-ansible 4.0.5 release.
