mistral endpoint when deploying with ssl/tls (self-signed)

Bug #1804064 reported by Marek Grudzinski
This bug affects 2 people

Affects: python-mistralclient
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

kolla version: rocky, source, ubuntu
kolla-ansible: 7.0.0

When deploying mistral with ssl/tls by setting in globals.yml + running kolla-ansible certificates
kolla_enable_tls_external: "yes"
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"

"kolla-ansible/ansible/group_vars/all.yml" will set:
public_protocol: "{{ 'https' if kolla_enable_tls_external | bool else 'http' }}"

This leads to "kolla-ansible/ansible/roles/defaults/mistral/main.yml" to set:
mistral_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ mistral_api_port }}/v2"

And since "kolla-ansible/ansible/roles/mistral/tasks/config.yml" is not configured with any ssl/tls settings:

[api]
enable_ssl_api = True

[ssl]
ca_file = <path-to-ca file>
cert_file = <path-to-certificate file>
key_file = <path-to-key file>

And "kolla-ansible/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2" will create a config like:

listen mistral_api_external
  bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem

This will lead to a failure to contact mistral-api with ssl errors. It can be tested with python-mistralclient or simply by browsing to the mistral parts in horizon.

The error looks like this:
Error: Unable to retrieve workbooks.: SSL exception connecting to https://<vip>:8989/v2/workbooks: HTTPSConnectionPool(host='<vip>', port=8989): Max retries exceeded with url: /v2/workbooks (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

I haven't tested with a proper certificate yet.

==============================================================================

The easiest workaround to get mistral to work is to change the public endpoint to http like so:

1) delete the old https public endpoint
2) create a new endpoint with:
openstack endpoint create workflowv2 public http://<vip>:8989 --region <region>
3) edit /etc/kolla/haproxy/haproxy.cfg and replace:
listen mistral_api_external
  bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem

with:

listen mistral_api_external
  bind 192.168.9.9:8989

This can be done simply from your deploy node with two ad-hoc commands:

ansible -i multinode control -m shell -a "sed -i 's,bind <vip>:8989 ssl crt /etc/haproxy/haproxy.pem,bind <vip>:8989,' /etc/kolla/haproxy/haproxy.cfg"
ansible -i multinode control -m shell -a "docker restart haproxy"
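The workaround above makes the rendered haproxy.cfg and the Keystone endpoint agree again by dropping TLS on both sides. The failure in the report is exactly such a disagreement: the frontend terminates TLS with a certificate the client does not trust, while the catalogue advertises https. The following script is an added example, not part of the bug report or of kolla-ansible; it parses bind lines from a constructed haproxy.cfg sample, compares each service's endpoint URL against whether the frontend serving that host:port carries "ssl crt", and reports mismatches as well as public endpoints that end up on plaintext (the state the workaround leaves behind). Section names, IPs and ports are taken from the report; the rabbitmq frontend is made up for contrast.

```python
"""Consistency check: HAProxy bind lines vs. Keystone endpoint URLs.

Added example, not code from the bug report or kolla-ansible. It flags
services whose endpoint scheme (http/https) does not match whether the
HAProxy frontend for that host:port terminates TLS ("ssl crt ..." on the
bind line), and also reports public endpoints left on plaintext HTTP,
which is what the workaround in the report produces.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the mistral and keystone frontends as kolla renders
# them with kolla_enable_tls_external, plus one plaintext frontend.
HAPROXY_CFG = """\
listen mistral_api_external
  bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem

listen keystone_external
  bind 192.168.9.9:5000 ssl crt /etc/haproxy/haproxy.pem

listen rabbitmq_management
  bind 192.168.9.9:15672
"""

# IPv4 host:port bind lines only; an optional "ssl ..." tail marks TLS.
BIND_RE = re.compile(r"^\s*bind\s+(\S+?):(\d+)(\s+ssl\b.*)?$")
LISTEN_RE = re.compile(r"^(?:listen|frontend)\s+(\S+)")


def parse_binds(cfg):
    """Return {(ip, port): (section_name, terminates_tls)} for every bind."""
    binds = {}
    section = None
    for line in cfg.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = BIND_RE.match(line)
        if m and section:
            ip, port, ssl_tail = m.group(1), int(m.group(2)), m.group(3)
            binds[(ip, port)] = (section, ssl_tail is not None)
    return binds


def check_endpoints(cfg, endpoints):
    """endpoints: {service_name: endpoint_url}. Returns a list of findings
    as (service, finding, detail) tuples; an empty list means consistent."""
    binds = parse_binds(cfg)
    findings = []
    for service, url in endpoints.items():
        u = urlparse(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        key = (u.hostname, port)
        if key not in binds:
            findings.append((service, "no-frontend", url))
            continue
        section, tls = binds[key]
        if u.scheme == "https" and not tls:
            # Clients will fail the TLS handshake against a plaintext listener.
            findings.append((service, "https-endpoint-plaintext-bind", section))
        elif u.scheme == "http" and tls:
            # Clients will send plaintext to a TLS listener (e.g. only the
            # endpoint was changed, haproxy.cfg was not).
            findings.append((service, "http-endpoint-tls-bind", section))
        elif u.scheme == "http":
            # Consistent, but tokens now cross the network unencrypted.
            findings.append((service, "plaintext-public-endpoint", section))
    return findings


if __name__ == "__main__":
    sample = {
        "workflowv2": "https://192.168.9.9:8989/v2",   # as deployed
        "identity": "https://192.168.9.9:5000",
        "rabbit-mgmt": "http://192.168.9.9:15672",
    }
    for finding in check_endpoints(HAPROXY_CFG, sample):
        print(*finding)
```

Run it against the real /etc/kolla/haproxy/haproxy.cfg and the output of "openstack endpoint list --interface public" to see whether the workaround was applied on both sides, and which public endpoints are now served without TLS. The longer-term fix is to keep the https endpoint and distribute the CA that signed haproxy.pem to the clients (or use a certificate they already trust) rather than downgrading the endpoint.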

Marek Grudzinski (ivve)
description: updated
Eduardo Gonzalez (egonzalez90) wrote :

Added mistralclient as affected project, I tested locally and other services work.

Using "mistral --insecure workflow-list" works, but "openstack --insecure workflow list" does not;
it returns an unverified ssl error. Seems mistralclient is not reading the --insecure part from openstackclient.

Also tested adding MISTRALCLIENT_INSECURE=True, but still not working.

A few logs http://paste.openstack.org/show/735834/

Version used:

openstacksdk==0.19.0
python-mistralclient==3.7.0
python-openstackclient==3.17.0

Regards

no longer affects: kolla-ansible