HAProxy healthchecks fail to negotiate TLS connection to services with client verification enabled

Bug #2024201 reported by Damien Ciabrini
This bug affects 2 people
Affects   Status      Importance   Assigned to       Milestone
tripleo   Confirmed   Medium       Damien Ciabrini

Bug Description

When TLS-e is enabled, the horizon service cannot be proxied correctly by HAProxy, as horizon requires client certificate verification for TLS connections, and HAProxy does not advertise its client certificate appropriately.

Consequently, the Horizon service always shows as not available in HAProxy, as shown in the stats socket output:

[root@controller-0 container-puppet]# echo "show stat" | socat - unix-connect:/var/lib/haproxy/stats | grep horizon | grep controller-0

horizon,controller-0.internalapi.redhat.local,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN,1,1,0,1,1,83,83,,1,8,2,,0,,2,0,,0,SOCKERR,,3,0,0,0,0,0,0,,,,0,0,0,,,,,-1,,,0,0,0,0,,,,Socket error,,2,5,0,,,,,,http,,,,,,,,
0,0,0,,,0,,0,0,0,0,0,0,0,0,1,1,,-,42,0,0,,,,,,,,,,,,,,
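
Added example (not part of the original report or of the TripleO code): a Python parser for the `show stat` CSV shown above that lists every server row in DOWN state with the layer at which its last health check failed. Column positions follow HAProxy's CSV layout and match the row in the report; the sample rows and host names are constructed.

```python
import csv
import io

# 0-based column positions in HAProxy's "show stat" CSV output.
PXNAME, SVNAME, STATUS, TYPE, CHECK_STATUS, CHECK_DESC = 0, 1, 17, 32, 36, 65
TYPE_SERVER = "2"  # type column: 0=frontend, 1=backend, 2=server, 3=listener

# Layer at which the last health check failed, keyed by check_status prefix.
LAYER_HINT = {
    "SOCKERR": "socket error during the check",
    "L4": "layer 4: TCP connect failed or timed out",
    "L6": "layer 6: SSL/TLS failure",
    "L7": "layer 7: application check failed",
}

def hint_for(check_status):
    code = check_status.lstrip("* ")  # a "* " prefix means a check is running
    for prefix, hint in LAYER_HINT.items():
        if code.startswith(prefix):
            return hint
    return "unknown"

def failing_servers(show_stat_output):
    """Return (proxy, server, status, check_status, check_desc, hint) per DOWN server."""
    findings = []
    for row in csv.reader(io.StringIO(show_stat_output)):
        if len(row) <= CHECK_DESC or row[0].startswith("#"):
            continue  # header, blank or truncated line
        if row[TYPE] != TYPE_SERVER or not row[STATUS].startswith("DOWN"):
            continue  # only individual servers that are down
        findings.append((row[PXNAME], row[SVNAME], row[STATUS], row[CHECK_STATUS],
                         row[CHECK_DESC], hint_for(row[CHECK_STATUS])))
    return findings

def sample_row(proxy, server, status, row_type, check_status="", check_desc=""):
    # Build one constructed CSV row with only the columns used above filled in.
    cols = [""] * 70
    cols[PXNAME], cols[SVNAME], cols[STATUS] = proxy, server, status
    cols[TYPE], cols[CHECK_STATUS], cols[CHECK_DESC] = row_type, check_status, check_desc
    return ",".join(cols)

# Constructed sample input (hypothetical host names), not captured output.
SAMPLE = "\n".join([
    "# pxname,svname,(header shortened in this sample)",
    sample_row("horizon", "node-a.example", "DOWN", "2", "SOCKERR", "Socket error"),
    sample_row("horizon", "node-b.example", "UP", "2", "L6OK", "Layer6 check passed"),
    sample_row("horizon", "BACKEND", "DOWN", "1"),
])
if __name__ == "__main__":
    print(*failing_servers(SAMPLE), sep="\n")
```

On a live node the input would be the output of the `show stat` command from the report, passed to `failing_servers()` as one string.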

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/886290

OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (stable/wallaby)

Change abandoned by "Ghanshyam <email address hidden>" on branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/886290
Reason: TripleO project is retiring now, for details, please see https://review.opendev.org/c/openstack/governance/+/905145 or reach out to OpenStack TC.
