prometheus openstack exporter with kolla_enable_tls_internal not working

Bug #2008208 reported by Markus Lindenblatt
This bug affects 4 people
Affects        Status        Importance  Assigned to  Milestone
kolla-ansible  Fix Released  High        Unassigned
Antelope       Fix Released  High        Unassigned
Bobcat         Fix Released  High        Unassigned
Yoga           Fix Released  High        Unassigned
Zed            Fix Released  High        Unassigned

Bug Description

When deploying prometheus with enable_prometheus_openstack_exporter in a kolla_enable_tls_internal environment, the exporter cannot be scraped because of a mismatching TLS certificate, which is of course not valid for an IP address:

Get "https://192.168.16.9:9198/metrics": x509: cannot validate certificate for 192.168.16.9 because it doesn't contain any IP SANs

Is it possible to use the real internal VIP Name but not VIP Address here: https://opendev.org/openstack/kolla-ansible/src/commit/c977c54738f12b613abdfee6256eadad12447372/ansible/roles/prometheus/templates/prometheus.yml.j2#L110 ?

Or can something like 'insecure_skip_verify: true' be added so that prometheus will scrape the openstack exporter even when the certificate does not match?

Markus Lindenblatt (0-markus) wrote :
Changed in kolla-ansible:
importance: Undecided → High
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/877483
Committed: https://opendev.org/openstack/kolla-ansible/commit/c2838823f1120cb571c1557b9c159d845d85f1a2
Submitter: "Zuul (22348)"
Branch: master

commit c2838823f1120cb571c1557b9c159d845d85f1a2
Author: Mark Goddard <email address hidden>
Date: Wed Mar 15 14:06:56 2023 +0000

    Fix OpenStack exporter scrape with internal TLS & FQDN

    Since switching to use HAProxy to access Prometheus OpenStack exporter,
    scraping would fail when using internal TLS with an FQDN (rather than an
    IP address) to access the API.

    This patch fixes the issue by using the FQDN instead of the VIP address.

    Change-Id: Iddbdc4190b7953e9140d0740daf57f4062ba1b76
    Closes-Bug: #2008208

Changed in kolla-ansible:
status: In Progress → Fix Released
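
The failure in the bug description and the FQDN fix in the commit message above can be reproduced with Go's crypto/x509, the library that produces the quoted error string. This is an added example, not code from kolla-ansible or Prometheus; the FQDN is a constructed placeholder and the helper names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample values: placeholder FQDN, and the VIP from the error in the report.
const internalFQDN, internalVIP = "internal.cloud.example.test", "192.168.16.9"

// newInternalCert builds a throwaway self-signed certificate whose only SAN
// is a DNS name, like an internal TLS certificate issued for the VIP's FQDN.
func newInternalCert(dnsName string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{dnsName}, // no IPAddresses: the cert has no IP SANs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkTarget applies the name check a Go TLS client runs against the host
// part of the scrape URL; it returns the error text, or "" when the name matches.
func checkTarget(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	cert, err := newInternalCert(internalFQDN)
	if err != nil {
		panic(err)
	}
	fmt.Printf("VIP:  %q\nFQDN: %q\n", checkTarget(cert, internalVIP), checkTarget(cert, internalFQDN))
}
```

Scraping by FQDN passes the check with certificate verification still enabled. `insecure_skip_verify: true` would make the scrape succeed by turning off server certificate validation for that job altogether, not only the name check.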
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/900990

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/900992

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/901068

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 17.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 17.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/900990
Committed: https://opendev.org/openstack/kolla-ansible/commit/78c25aabae861923a60449f6b95e1d7c9687e929
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 78c25aabae861923a60449f6b95e1d7c9687e929
Author: Mark Goddard <email address hidden>
Date: Wed Mar 15 14:06:56 2023 +0000

    Fix OpenStack exporter scrape with internal TLS & FQDN

    Since switching to use HAProxy to access Prometheus OpenStack exporter,
    scraping would fail when using internal TLS with an FQDN (rather than an
    IP address) to access the API.

    This patch fixes the issue by using the FQDN instead of the VIP address.

    Change-Id: Iddbdc4190b7953e9140d0740daf57f4062ba1b76
    Closes-Bug: #2008208
    (cherry picked from commit c2838823f1120cb571c1557b9c159d845d85f1a2)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/900992
Committed: https://opendev.org/openstack/kolla-ansible/commit/8a4de2a11c33a0cb0cc9dfe8fe67260aa2df9509
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 8a4de2a11c33a0cb0cc9dfe8fe67260aa2df9509
Author: Mark Goddard <email address hidden>
Date: Wed Mar 15 14:06:56 2023 +0000

    Fix OpenStack exporter scrape with internal TLS & FQDN

    Since switching to use HAProxy to access Prometheus OpenStack exporter,
    scraping would fail when using internal TLS with an FQDN (rather than an
    IP address) to access the API.

    This patch fixes the issue by using the FQDN instead of the VIP address.

    Change-Id: Iddbdc4190b7953e9140d0740daf57f4062ba1b76
    Closes-Bug: #2008208
    (cherry picked from commit c2838823f1120cb571c1557b9c159d845d85f1a2)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/901068
Committed: https://opendev.org/openstack/kolla-ansible/commit/eaaa30ee584b638361c4cfabee8968b67339d656
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit eaaa30ee584b638361c4cfabee8968b67339d656
Author: Mark Goddard <email address hidden>
Date: Wed Mar 15 14:06:56 2023 +0000

    Fix OpenStack exporter scrape with internal TLS & FQDN

    Since switching to use HAProxy to access Prometheus OpenStack exporter,
    scraping would fail when using internal TLS with an FQDN (rather than an
    IP address) to access the API.

    This patch fixes the issue by using the FQDN instead of the VIP address.

    Change-Id: Iddbdc4190b7953e9140d0740daf57f4062ba1b76
    Closes-Bug: #2008208
    (cherry picked from commit c2838823f1120cb571c1557b9c159d845d85f1a2)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 16.3.0

This issue was fixed in the openstack/kolla-ansible 16.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 14.11.0

This issue was fixed in the openstack/kolla-ansible 14.11.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 15.4.0

This issue was fixed in the openstack/kolla-ansible 15.4.0 release.
