Hi Zufar,

Tenant traffic into the VIP and out to member servers is isolated from the lb-mgmt-net. The VIP network is hot-plugged into the amphora network namespace for tenant traffic when a user creates a load balancer and specifies the VIP subnet or network.

As for the certificate creation, please see this document awaiting patch review: https://review.openstack.org/613454

I wrote up a detailed certificate configuration guide that should help you resolve your certificate configuration issue.

Michael

On Tue, Dec 4, 2018 at 3:59 PM Zufar Dhiyaulhaq <zufar@onf-ambassador.org> wrote:
Hi all,
Thank you. So the amphora will use a provider network, but how can we access this load balancer externally? Via the IP assigned to the amphora (provider network IP)?
Another question: I am facing a problem with a keypair. I am generating a keypair with `create_certificates.sh`:

```
source /tmp/octavia/bin/create_certificates.sh /etc/octavia/certs /tmp/octavia/etc/certificates/openssl.cnf
```
But when creating the load balancer service, I got this error from /var/log/octavia/worker.log:

```
ERROR oslo_messaging.rpc.server CertificateGenerationException: Could not sign the certificate request: Failed to load CA Private Key /etc/octavia/certs/private/cakey.pem.
```
I am using this configuration in octavia.conf:

```
[certificates]
ca_certificate = /etc/octavia/certs/ca_01.pem
ca_private_key = /etc/octavia/certs/private/cakey.pem
ca_private_key_passphrase = foobar
```
Does anyone know this issue? I am following Mr. Lingxian Kong's blog at https://lingxiankong.github.io/2016-06-07-octavia-deployment-prerequisites.h...
Best Regards, Zufar Dhiyaulhaq
On Wed, Dec 5, 2018 at 4:35 AM Lingxian Kong <anlin.kong@gmail.com> wrote:
On Wed, Dec 5, 2018 at 6:27 AM Gaël THEROND <gael.therond@gmail.com> wrote:
You can do it with any routed network that you’ll load as a provider network too.
Way simpler: no need for OVS manipulation, just get your network team to give you a VLAN available from both the compute nodes and the controller plane. It can be a network subnet and VLAN completely unknown to your controllers, as long as you have intermediary equipment that routes your traffic or you add the proper route on your controllers.
Yeah, that's also how we did it for our Octavia service in production, thanks to our ops team.
Cheers, Lingxian Kong
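
For the "Failed to load CA Private Key" error quoted earlier in the thread, the following is an added diagnostic example, not code from the thread or from the Octavia project. It reads `ca_private_key` and `ca_private_key_passphrase` from the `[certificates]` section and checks that the key file is readable and decrypts with that passphrase; the function names and the demo key are constructed for illustration, and it is meant to be run as the user the Octavia worker runs as.

```shell
#!/bin/sh
# Read one option from an INI-style section, e.g. [certificates] in octavia.conf.
conf_get() {  # conf_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == sec); next }
        in_sec {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^[#;]/) next
            eq = index(line, "="); if (!eq) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# 0 = key loads; 1 = file not readable by this user; 2 = cannot be decrypted or parsed.
check_ca_key() {  # check_ca_key KEY_PATH PASSPHRASE
    [ -r "$1" ] || return 1
    # Pass the passphrase through the environment so it is not visible in the process list.
    CA_PASS="$2" openssl pkey -in "$1" -passin env:CA_PASS -noout >/dev/null 2>&1 || return 2
    return 0
}

# Check the key and passphrase that a given octavia.conf points at (3 = option missing).
check_octavia_conf() {  # check_octavia_conf CONF_FILE
    key=$(conf_get "$1" certificates ca_private_key)
    pass=$(conf_get "$1" certificates ca_private_key_passphrase)
    [ -n "$key" ] || return 3
    check_ca_key "$key" "$pass"
}

# Demo on a constructed key and constructed config files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -aes256 -passout pass:foobar -out "$d/cakey.pem" 2048 2>/dev/null
    for p in foobar not-the-passphrase; do
        printf '[certificates]\nca_private_key = %s\nca_private_key_passphrase = %s\n' \
            "$d/cakey.pem" "$p" > "$d/octavia.conf"
        rc=0; check_octavia_conf "$d/octavia.conf" || rc=$?
        echo "configured passphrase '$p': exit status $rc"
    done
    rm -rf "$d"
}
demo
```

On a real controller, `check_octavia_conf /etc/octavia/octavia.conf` returning 1 points at file permissions or ownership, and 2 points at a passphrase or key-format mismatch.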