Comment 0 for bug 1804064

Marek Grudzinski (ivve) wrote:

kolla version: rocky, source, ubuntu
kolla-ansible: 7.0.0

When deploying mistral with ssl/tls by setting the following in globals.yml and running kolla-ansible certificates:
kolla_enable_tls_external: "yes"
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"

"kolla-ansible/ansible/group_vars/all.yml" will set:
public_protocol: "{{ 'https' if kolla_enable_tls_external | bool else 'http' }}"

This leads "kolla-ansible/ansible/roles/defaults/mistral/main.yml" to set:
mistral_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ mistral_api_port }}/v2"

And since "kolla-ansible/ansible/roles/mistral/tasks/config.yml" is not configured with any ssl/tls settings:

[api]
enable_ssl_api = True

[ssl]
ca_file = <path-to-ca file>
cert_file = <path-to-certificate file>
key_file = <path-to-key file>

And "kolla-ansible/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2" will create a config like:

listen mistral_api_external
  bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem

This will lead to a failure to contact mistral-api with ssl errors. It can be tested with python-mistralclient or simply by browsing to the mistral parts in horizon.

The error looks like this:
Error: Unable to retrieve workbooks.: SSL exception connecting to https://<vip>:8989/v2/workbooks: HTTPSConnectionPool(host='<vip>', port=8989): Max retries exceeded with url: /v2/workbooks (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

I haven't tested with a proper certificate yet.

==============================================================================

The easiest workaround to get mistral to work is to change the public endpoint to http like so:

1) delete the old https public endpoint
2) create a new endpoint with:
openstack endpoint create workflowv2 public http://<vip>:8989 --region <region>
3) edit /etc/kolla/haproxy/haproxy.cfg and replace:
listen mistral_api_external
  bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem

with:

listen mistral_api_external
  bind 192.168.9.9:8989

This can be done simply from your deploy node with two ad-hoc commands:

ansible -i multinode control -m shell -a "sed -i 's,bind <vip>:8989 ssl crt /etc/haproxy/haproxy.pem,bind <vip>:8989,' /etc/kolla/haproxy/haproxy.cfg"
ansible -i multinode control -m shell -a "docker restart haproxy"
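The workaround above trades a failing TLS handshake for a public mistral endpoint served in cleartext, and a half-applied version of it (bind downgraded, catalog still https) leaves clients unable to connect at all. The following audit script, an added example that is not kolla-ansible code, parses an haproxy.cfg in the listen/bind layout the report quotes and compares every endpoint URL with the bind that serves its address and port, flagging scheme/bind mismatches as errors and cleartext public endpoints as warnings. The config text and endpoint rows are constructed samples; the listen names and addresses follow the report's example but are not taken from any real deployment.

```python
"""Audit an haproxy.cfg against Keystone endpoint URLs for TLS mismatches.

Added example, not kolla-ansible code. The config text and endpoint list
below are constructed samples; audit() works on any haproxy.cfg text that
uses 'listen' / 'bind' sections in the same layout.
"""
import re
from urllib.parse import urlparse

# Constructed sample haproxy.cfg: the external mistral listen terminates TLS,
# the external keystone listen is a plain bind (as the workaround leaves mistral).
SAMPLE_HAPROXY_CFG = """\
listen mistral_api_external
  bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem
  server control01 192.168.9.11:8989 check inter 2000 rise 2 fall 5

listen mistral_api
  bind 192.168.9.10:8989
  server control01 192.168.9.11:8989 check inter 2000 rise 2 fall 5

listen keystone_external
  bind 192.168.9.9:5000
  server control01 192.168.9.11:5000 check inter 2000 rise 2 fall 5
"""

# Constructed sample catalog rows: (service, interface, url).
SAMPLE_ENDPOINTS = [
    ("workflowv2", "public", "https://192.168.9.9:8989/v2"),
    ("workflowv2", "internal", "http://192.168.9.10:8989/v2"),
    ("identity", "public", "http://192.168.9.9:5000"),
]

LISTEN_RE = re.compile(r"^\s*listen\s+(\S+)")
BIND_RE = re.compile(r"^\s*bind\s+(\S+):(\d+)(.*)$")


def parse_listen_blocks(cfg_text):
    """Map each listen section name to its bind lines as {'addr', 'port', 'tls'} dicts."""
    blocks, current = {}, None
    for line in cfg_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
            continue
        m = BIND_RE.match(line)
        if m and current is not None:
            addr, port, opts = m.group(1), int(m.group(2)), m.group(3)
            # 'ssl crt <pem>' on the bind line means haproxy terminates TLS on this port.
            blocks[current].append({"addr": addr, "port": port,
                                    "tls": re.search(r"\bssl\b", opts) is not None})
    return blocks


def audit(cfg_text, endpoints):
    """Return (service, interface, url, severity, message) for every endpoint.

    error   : URL scheme and bind disagree (or no bind exists), so clients cannot connect
    warning : a public endpoint is served in cleartext
    info    : scheme and bind agree; for https, clients still need to trust the certificate
    """
    binds = {(b["addr"], b["port"]): (name, b["tls"])
             for name, bl in parse_listen_blocks(cfg_text).items() for b in bl}
    results = []
    for service, interface, url in endpoints:
        u = urlparse(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        key = (u.hostname, port)
        if key not in binds:
            results.append((service, interface, url, "error", "no haproxy bind for %s:%d" % key))
            continue
        name, tls = binds[key]
        if u.scheme == "https" and not tls:
            sev, msg = "error", f"{name}: https endpoint but plaintext bind"
        elif u.scheme == "http" and tls:
            sev, msg = "error", f"{name}: http endpoint but TLS bind"
        elif u.scheme == "http" and interface == "public":
            sev, msg = "warning", f"{name}: public endpoint served in cleartext"
        elif u.scheme == "https":
            sev, msg = "info", f"{name}: TLS terminated by haproxy; clients must trust its certificate"
        else:
            sev, msg = "info", f"{name}: plain http on {interface} interface"
        results.append((service, interface, url, sev, msg))
    return results


if __name__ == "__main__":
    for row in audit(SAMPLE_HAPROXY_CFG, SAMPLE_ENDPOINTS):
        print("%-8s %-10s %-8s %s" % (row[3], row[0], row[1], row[4]))
```

Run it against a real deployment by reading /etc/kolla/haproxy/haproxy.cfg from a controller and feeding the rows of `openstack endpoint list` in place of SAMPLE_ENDPOINTS; the "info" row for an https endpoint is the reminder that a self-signed haproxy.pem still needs to be distributed to clients (or replaced with a trusted certificate) before the catalog can safely stay on https.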