kolla version: rocky, source, ubuntu
kolla-ansible: 7.0.0
When deploying mistral with ssl/tls by setting in globals.yml + running kolla-ansible certificates
kolla_enable_tls_external: "yes"
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
"kolla-ansible/ansible/group_vars/all.yml" will set:
public_protocol: "{{ 'https' if kolla_enable_tls_external | bool else 'http' }}"
This leads to "kolla-ansible/ansible/roles/defaults/mistral/main.yml" to set:
mistral_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ mistral_api_port }}/v2"
And since "kolla-ansible/ansible/roles/mistral/tasks/config.yml" is not configured with any ssl/tls settings:
[api]
enable_ssl_api = True
[ssl]
ca_file = <path-to-ca file>
cert_file = <path-to-certificate file>
key_file = <path-to-key file>
And "kolla-ansible/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2" will create a config like:
listen mistral_api_external
bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem
This will lead to a failure to contact mistral-api with ssl errors. It can be tested with python-mistralclient or simply by browsing to the mistral parts in horizon.
The error looks like this:
Error: Unable to retrieve workbooks.: SSL exception connecting to https://<vip>:8989/v2/workbooks: HTTPSConnectionPool(host='<vip>', port=8989): Max retries exceeded with url: /v2/workbooks (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
I haven't tested with a proper certificate yet.
================================================================
The easiest workaround to get mistral to work is to change the public endpoint to http like so:
1) delete the old https public endpoint
2) create a new endpoint with:
openstack endpoint create workflowv2 public http://<vip>:8989 --region <region>
3) edit /etc/kolla/haproxy/haproxy.cfg and replace:
listen mistral_api_external
bind 192.168.9.9:8989 ssl crt /etc/haproxy/haproxy.pem
with:
listen mistral_api_external
bind 192.168.9.9:8989
Can be done simply from your deploynode with two ad-hoc's:
ansible -i multinode control -m shell -a "sed -i 's,bind <vip>:8989 ssl crt /etc/haproxy/haproxy.pem,bind <vip>:8989,' /etc/kolla/haproxy/haproxy.cfg"
ansible -i multinode control -m shell -a "docker restart haproxy"
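An added example, not part of the original report or of kolla-ansible: a small Python audit that parses the bind lines of haproxy.cfg and compares them with the public endpoint URLs, so that listeners left in plaintext by the workaround above, or endpoints whose scheme no longer matches the listener, can be found later. The sample config, the keystone_external section and the endpoint URLs are constructed, and `parse_binds` and `audit` are hypothetical names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: haproxy.cfg after the workaround, and public endpoint
# URLs as Keystone might list them (the keystone_external section is assumed).
SAMPLE_CFG = """\
listen keystone_external
    bind 192.168.9.9:5000 ssl crt /etc/haproxy/haproxy.pem
listen mistral_api_external
    bind 192.168.9.9:8989
"""
SAMPLE_ENDPOINTS = ["https://192.168.9.9:5000", "http://192.168.9.9:8989"]

SECTIONS = {"global", "defaults", "listen", "frontend", "backend"}
BIND_RE = re.compile(r"^\s*bind\s+(\S*):(\d+)(.*)$")

def parse_binds(cfg_text):
    """Return (section, address, port, tls) for each single-address bind line."""
    binds, section = [], None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        words = line.split()
        if words and words[0] in SECTIONS:
            section = words[1] if len(words) > 1 else words[0]
            continue
        m = BIND_RE.match(line)
        if m:
            tls = "ssl" in m.group(3).split()  # the 'ssl' keyword enables TLS on a bind
            binds.append((section, m.group(1), int(m.group(2)), tls))
    return binds

def audit(cfg_text, endpoint_urls):
    """Return (url, section, finding) for endpoints that disagree with their
    listener or that expose the API without TLS."""
    by_port = {port: (section, tls) for section, _, port, tls in parse_binds(cfg_text)}
    findings = []
    for url in endpoint_urls:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        section, tls = by_port.get(port, (None, None))
        if tls is None:
            findings.append((url, None, "no-listener"))
        elif parts.scheme == "https" and not tls:
            findings.append((url, section, "https-endpoint-plaintext-bind"))
        elif parts.scheme == "http" and tls:
            findings.append((url, section, "http-endpoint-tls-bind"))
        elif parts.scheme == "http":
            findings.append((url, section, "plaintext"))  # auth tokens travel in cleartext
    return findings
```

Port ranges and comma-separated bind addresses are not handled; feed it the file from /etc/kolla/haproxy/haproxy.cfg and the URL column of `openstack endpoint list`.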