Activity log for bug #1804064

Date Who What changed Old value New value Message
2018-11-19 21:13:41 Marek Grudzinski bug added bug
2018-11-19 21:15:34 Marek Grudzinski description

Old value:

    kolla version: rocky, source, ubuntu
    kolla-ansible: 7.0.0

    When deploying mistral with ssl/tls by setting in globals.yml + running kolla-ansible certificates

        kolla_enable_tls_external: "yes"
        kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"

    "kolla-ansible/ansible/group_vars/all.yml" will set:

        public_protocol: "{{ 'https' if kolla_enable_tls_external | bool else 'http' }}"

    This leads to "kolla-ansible/ansible/roles/defaults/mistral/main.yml" to set:

        mistral_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ mistral_api_port }}/v2"

    And since "kolla-ansible/ansible/roles/mistral/tasks/config.yml" is not configured with any ssl/tls settings:

        [api]
        enable_ssl_api = True

        [ssl]
        ca_file = <path-to-ca file>
        cert_file = <path-to-certificate file>
        key_file = <path-to-key file>

    And "kolla-ansible/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2" will create a config like:

        listen mistral_api_external
          bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem

    This will lead to a failure to contact mistral-api with ssl errors.
    It can be tested with python-mistralclient or simply by browsing to the mistral parts in horizon.

    The error looks like this:

        Error: Unable to retrieve workbooks.: SSL exception connecting to https://<vip>:8989/v2/workbooks: HTTPSConnectionPool(host='<vip>', port=8989): Max retries exceeded with url: /v2/workbooks (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

    I haven't tested with a proper certificate yet.

    ==============================================================================

    The easiest workaround to get mistral to work is to change the public endpoint to http like so:

    1) delete the old https public endpoint
    2) create a new endpoint with:

        openstack endpoint create workflowv2 public http://<vip>:8989 --region <region>

    3) edit /etc/kolla/haproxy/haproxy.cfg and replace:

        listen mistral_api_external
          bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem

    Can be done simply from your deploynode with two ad-hoc's:

        ansible -i multinode control -m shell -a "sed -i 's,bind <vip>:8989 ssl crt /etc/haproxy/haproxy.pem,bind <vip>:8989,' /etc/kolla/haproxy/haproxy.cfg"
        ansible -i multinode control -m shell -a "docker restart haproxy"

    with:

        listen mistral_api_external
          bind 192.168.9.9:8989

New value:

    kolla version: rocky, source, ubuntu
    kolla-ansible: 7.0.0

    When deploying mistral with ssl/tls by setting in globals.yml + running kolla-ansible certificates

        kolla_enable_tls_external: "yes"
        kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"

    "kolla-ansible/ansible/group_vars/all.yml" will set:

        public_protocol: "{{ 'https' if kolla_enable_tls_external | bool else 'http' }}"

    This leads to "kolla-ansible/ansible/roles/defaults/mistral/main.yml" to set:

        mistral_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ mistral_api_port }}/v2"

    And since "kolla-ansible/ansible/roles/mistral/tasks/config.yml" is not configured with any ssl/tls settings:

        [api]
        enable_ssl_api = True

        [ssl]
        ca_file = <path-to-ca file>
        cert_file = <path-to-certificate file>
        key_file = <path-to-key file>

    And "kolla-ansible/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2" will create a config like:

        listen mistral_api_external
          bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem

    This will lead to a failure to contact mistral-api with ssl errors.
    It can be tested with python-mistralclient or simply by browsing to the mistral parts in horizon.

    The error looks like this:

        Error: Unable to retrieve workbooks.: SSL exception connecting to https://<vip>:8989/v2/workbooks: HTTPSConnectionPool(host='<vip>', port=8989): Max retries exceeded with url: /v2/workbooks (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

    I haven't tested with a proper certificate yet.

    ==============================================================================

    The easiest workaround to get mistral to work is to change the public endpoint to http like so:

    1) delete the old https public endpoint
    2) create a new endpoint with:

        openstack endpoint create workflowv2 public http://<vip>:8989 --region <region>

    3) edit /etc/kolla/haproxy/haproxy.cfg and replace:

        listen mistral_api_external
          bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem

    with:

        listen mistral_api_external
          bind 192.168.9.9:8989

    Can be done simply from your deploynode with two ad-hoc's:

        ansible -i multinode control -m shell -a "sed -i 's,bind <vip>:8989 ssl crt /etc/haproxy/haproxy.pem,bind <vip>:8989,' /etc/kolla/haproxy/haproxy.cfg"
        ansible -i multinode control -m shell -a "docker restart haproxy"

2018-11-20 19:49:41 Eduardo Gonzalez bug task added python-mistralclient
2018-11-20 19:54:24 Eduardo Gonzalez bug task deleted kolla-ansible