CloudKitty bootstrap fails when using internal TLS

Bug #1998831 reported by Pierre Riteau
This bug affects 3 people
Affects        Status       Importance  Assigned to  Milestone
kolla-ansible  In Progress  Undecided   Unassigned

Bug Description

When InfluxDB is behind HAProxy's internal TLS, CloudKitty fails to bootstrap its InfluxDB database with the following error:

TASK [cloudkitty : Creating Cloudkitty influxdb database] ***************************************************************************************************************************
fatal: [controller01 -> controller01]: FAILED! => changed=false
  action: influxdb_database
  msg: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

When Elasticsearch is used, a similar problem happens during TASK [cloudkitty : Running Cloudkitty bootstrap container]. cloudkitty-api.log shows:

requests.exceptions.SSLError: HTTPSConnectionPool(host='<INTERNAL_VIP>', port=9200): Max retries exceeded with url: /cloudkitty (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: New → In Progress
Pierre Riteau (priteau)
summary: - CloudKitty bootstrap fails when using InfluxDB and internal TLS
+ CloudKitty bootstrap fails when using internal TLS
Pierre Riteau (priteau)
description: updated
joek-office (joek-office) wrote :

Hello priteau,
What has to be done to release/merge the bug fix?
I'm new to such cases, but in my opinion the bug fix is suitable. There's only one thing: could we possibly make it configurable via a new configuration parameter in the ansible/roles/cloudkitty/defaults/main.yml file?
Can't we also use the value of cloudkitty_influxdb_insecure_connections on deployment by standard?
