1. Copying over haproxy-internal.pem task fails. It appears that the haproxy-internal.pem is not created by the `certificates` playbook?
2. The `kolla-ansible certificates` should generate all required certificate files for running TLS with a kolla-ansible deployment.
3. Reproduce by going through kolla-ansible quickstart guide, run `kolla-ansible certificates` after making appropriate configurations in globals.yml, then attempt to finish out the deployment. The failure occurs during the `kolla-ansible deploy` playbook.
Environment:
OS: CentOS 7.7(1908)
Kernel: Linux openstack.local.lan 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Docker version: 19.03.6
Kolla-Ansible Version: 9.0.1 (Train)
Docker Image Install Type: Source
Docker Image Distribution: CentOS
I am using official images.
Below is the output from the "deploy" playbook:
TASK [haproxy : Copying over haproxy-internal.pem] *******************************************************************************************************************************************
task path: /home/osadmin/openstack/share/kolla-ansible/ansible/roles/haproxy/tasks/config.yml:128
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: osadmin
<localhost> EXEC /bin/sh -c 'echo ~osadmin && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/osadmin/.ansible/tmp/ansible-tmp-1582154731.45-75981622065221 `" && echo ansible-tmp-1582154731.45-75981622065221="` echo /home/osadmin/.ansible/tmp/ansible-tmp-1582154731.45-75981622065221 `" ) && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /home/osadmin/.ansible/tmp/ansible-tmp-1582154731.45-75981622065221/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/home/osadmin/openstack/lib/python2.7/site-packages/ansible/plugins/action/copy.py", line 464, in run
    source = self._find_needle('files', source)
  File "/home/osadmin/openstack/lib/python2.7/site-packages/ansible/plugins/action/__init__.py", line 1178, in _find_needle
    return self._loader.path_dwim_relative_stack(path_stack, dirname, needle)
  File "/home/osadmin/openstack/lib/python2.7/site-packages/ansible/parsing/dataloader.py", line 319, in path_dwim_relative_stack
    raise AnsibleFileNotFound(file_name=source, paths=[to_native(p) for p in search])
AnsibleFileNotFound: Could not find or access '/etc/kolla/certificates/haproxy-internal.pem' on the Ansible Controller.
If you are using a module and expect the file to exist on the remote, see the remote_src option
failed: [localhost] (item=haproxy-internal.pem) => {
    "ansible_loop_var": "item",
    "changed": false,
    "invocation": {
        "dest": "/etc/kolla/haproxy/haproxy-internal.pem",
        "mode": "0660",
        "module_args": {
            "dest": "/etc/kolla/haproxy/haproxy-internal.pem",
            "mode": "0660",
            "src": "/etc/kolla/certificates/haproxy-internal.pem"
        },
        "src": "/etc/kolla/certificates/haproxy-internal.pem"
    },
    "item": "haproxy-internal.pem",
    "msg": "Could not find or access '/etc/kolla/certificates/haproxy-internal.pem' on the Ansible Controller.\nIf you are using a module and expect the file to exist on the remote, see the remote_src option"
}
PLAY RECAP ***********************************************************************************************************************************************************************************
localhost : ok=54 changed=0 unreachable=0 failed=1 skipped=12 rescued=0 ignored=0
Below is the output from the "certificates" playbook:
Generate TLS Certificates : ansible-playbook -i /home/osadmin/openstack/share/kolla-ansible/ansible/inventory/all-in-one -e @/etc/kolla/globals.yml -e @/etc/kolla/passwords.yml -e CONFIG_DIR=/etc/kolla /home/osadmin/openstack/share/kolla-ansible/ansible/certificates.yml
[DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to allow bad characters in group names by default, this will change, but still be user configurable on deprecation.
This feature will be removed in version 2.10. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
PLAY [Apply role certificates] ***************************************************************************************************************************************************************
TASK [Gathering Facts] ***********************************************************************************************************************************************************************
ok: [localhost]
TASK [certificates : include_tasks] **********************************************************************************************************************************************************
included: /home/osadmin/openstack/share/kolla-ansible/ansible/roles/certificates/tasks/generate.yml for localhost
TASK [certificates : Ensuring config directories exist] **************************************************************************************************************************************
ok: [localhost]
TASK [certificates : Creating SSL configuration file] ****************************************************************************************************************************************
ok: [localhost] => (item=openssl-kolla.cnf)
TASK [certificates : Creating Key] ***********************************************************************************************************************************************************
ok: [localhost] => (item=/etc/kolla/certificates/private/haproxy.key)
TASK [certificates : Setting permissions on key] *********************************************************************************************************************************************
ok: [localhost]
TASK [certificates : Creating Server Certificate] ********************************************************************************************************************************************
ok: [localhost] => (item=/etc/kolla/certificates/private/haproxy.crt)
TASK [certificates : Creating CA Certificate File] *******************************************************************************************************************************************
ok: [localhost]
TASK [certificates : Creating Server PEM File] ***********************************************************************************************************************************************
changed: [localhost]
PLAY RECAP ***********************************************************************************************************************************************************************************
localhost : ok=9 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
I also checked https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/certificates/tasks/generate.yml and it doesn't reference "haproxy-internal.pem" anywhere that I could find. If any further information is required, please feel free to let me know.
Please try with this patch applied.
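
A pre-flight check for the failure in the report above, as an added example that is not part of the report, not kolla-ansible code, and not the patch mentioned in the reply: it confirms that each PEM bundle the deploy copies from the certificates directory exists on the Ansible controller, holds both a certificate and a private key, and is not world-readable. The function names are hypothetical, and the directory and file names are passed as arguments.

```shell
#!/bin/sh
# Added example, not kolla-ansible code. Function names are hypothetical.
# Checks the PEM bundles a deploy will copy from the controller's
# certificates directory before the copy task can fail on them.

# check_pem FILE: print one status word; return 0 only for "ok".
check_pem() {
    f=$1
    [ -e "$f" ] || { echo missing; return 1; }
    [ -r "$f" ] || { echo unreadable; return 1; }
    # Assumption: the bundle carries certificate and key in one file,
    # which is the form HAProxy's "crt" option loads.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo no-certificate; return 1; }
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" ||
        { echo no-private-key; return 1; }
    # A file holding a private key should not be readable by "other".
    [ -z "$(find -L "$f" -perm -004)" ] || { echo world-readable; return 1; }
    echo ok
}

# check_cert_dir DIR NAME...: print "NAME: status" for each bundle and
# return the number of bundles that are not ok.
check_cert_dir() {
    dir=$1
    shift
    bad=0
    for name in "$@"; do
        status=$(check_pem "$dir/$name") || bad=$((bad + 1))
        echo "$name: $status"
    done
    return "$bad"
}

# Run only when arguments are given, e.g. the path from the report:
#   sh check_certs.sh /etc/kolla/certificates haproxy-internal.pem
if [ "$#" -gt 0 ]; then
    check_cert_dir "$@"
fi
```

Run between `kolla-ansible certificates` and `kolla-ansible deploy`, a non-zero exit status reports the missing bundle before the haproxy role's copy task reaches it.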