[kolla][ssl] Deploy third-party SSL for HAProxy
Folks,

I have a GoDaddy SSL cert and am trying to deploy it with kolla, but I am a little bit confused with this doc https://docs.openstack.org/kolla-ansible/latest/admin/tls.html

I have a single interface for the internal/external VIP and tried the following config to deploy SSL/TLS for haproxy and other services.

---
openstack_release: "wallaby"
kolla_internal_vip_address: "10.73.0.180"
kolla_external_vip_address: "{{ kolla_internal_vip_address }}"
network_interface: "eth0"
neutron_external_interface: "eth1"

# TLS
kolla_enable_tls_internal: "yes"
kolla_certificates_dir: "/etc/kolla/certificates"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/my_company_cert.pem"

When I run the "kolla-ansible -i multinode certificates" command it deploys something, but then I found it generated a certificate itself (self-signed) in the /etc/kolla/cacertificates directory and overrode my third-party cert.

When I tried https://foobar.com in the browser it didn't connect to port 443, which means it did not enable SSL. Am I missing something here?
The ``certificates`` command is for generating certificates (the help is explicit on it). For all-things-deployment one just needs to run ``deploy`` again.

Radek
-yoctozepto

On Wed, 28 Sept 2022 at 23:02, Satish Patel <satish.txt@gmail.com> wrote:
Thanks Radosław, I figured out later that "certificates" is used to generate self-signed certificates.

I have a similar IP address on both internal/external VIPs; in that case how does it work? I am seeing in the doc that it says:

"If there is only a single network configured in your topology (as opposed to separate internal and external networks), TLS can only be enabled using the internal network configuration variables."

Based on the above sentence I should use only kolla_enable_tls_internal: "yes" in global.yml, correct? No need to use external.

I am trying to find a good working example to deploy third-party SSL, which is not in the official doc.

On Thu, Sep 29, 2022 at 4:01 AM Radosław Piliszek <radoslaw.piliszek@gmail.com> wrote:
On Thu, 29 Sept 2022 at 11:03, Satish Patel <satish.txt@gmail.com> wrote:
> I have a similar IP address on both internal/external VIPs; in that case how does it work? I am seeing in the doc that it says:

I don't know a good definition for a "similar" IP address so I assume you mean the *same* for the rest of the answer. If that is not the case, i.e., you have two addresses on the same network, then the sentence below does not apply. The docs could be worded better mayhaps...

> "If there is only a single network configured in your topology (as opposed to separate internal and external networks), TLS can only be enabled using the internal network configuration variables."
> Based on the above sentence I should use only kolla_enable_tls_internal: "yes" in global.yml, correct? No need to use external.

Yes, when addresses are the same, k-a detects that and simply configures everything to the kolla_enable_tls_internal and family settings. The external family of vars should be left unset (i.e. not included in your globals.yml).

Radek
-yoctozepto
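Radek's point about the same-address case can be made concrete. The following is an added example, not kolla-ansible's own code: a simplified Python model of how kolla-ansible derives the internal/external TLS, FQDN and protocol settings from globals.yml (the variable names are kolla's; the derivation rules, the `{{ }}` reference expansion and the keystone port 5000 are assumptions made for illustration). It goes one step beyond this message and also flags the gap the thread later runs into: TLS enabled while the FQDN still defaults to the VIP address, so a certificate issued for a hostname cannot match.

```python
"""Simplified model of how kolla-ansible derives TLS settings from globals.yml.

Added example, not kolla-ansible's code: an approximation of the defaults in
its ansible/group_vars/all.yml written in plain Python. Variable names are
kolla's; the derivation rules and the keystone port (5000) are assumptions.
"""
import re
from ipaddress import ip_address

_REF = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def resolve_refs(globals_yml: dict) -> dict:
    """Expand plain "{{ other_var }}" references as used in globals.yml.
    Only whole-variable references are handled; this is not a Jinja engine."""
    resolved = dict(globals_yml)
    for _ in range(10):  # bounded passes; chained references converge fast
        changed = False
        for key, value in list(resolved.items()):
            if not isinstance(value, str) or not _REF.search(value):
                continue
            new_value = _REF.sub(
                lambda m: str(resolved.get(m.group(1), m.group(0))), value)
            if new_value != value:
                resolved[key], changed = new_value, True
        if not changed:
            break
    return resolved


def to_bool(value) -> bool:
    """Approximates Ansible's `| bool` for the strings used in globals.yml."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("yes", "true", "on", "1")


def effective_tls_settings(globals_yml: dict) -> dict:
    """Return the settings kolla-ansible would compute from globals.yml."""
    g = resolve_refs(globals_yml)
    internal_vip = g["kolla_internal_vip_address"]
    external_vip = g.get("kolla_external_vip_address", internal_vip)
    # Same address on both VIPs means a single-network topology.
    same_vip = ip_address(internal_vip) == ip_address(external_vip)
    tls_internal = to_bool(g.get("kolla_enable_tls_internal", "no"))
    # With one VIP the external TLS setting follows the internal one;
    # kolla_enable_tls_external only matters for a separate external VIP.
    tls_external = (tls_internal if same_vip
                    else to_bool(g.get("kolla_enable_tls_external", "no")))
    # Without an explicit FQDN, kolla falls back to the VIP address itself.
    internal_fqdn = g.get("kolla_internal_fqdn", internal_vip)
    external_fqdn = g.get("kolla_external_fqdn",
                          internal_fqdn if same_vip else external_vip)
    internal_proto = "https" if tls_internal else "http"
    external_proto = "https" if tls_external else "http"
    keystone_port = 5000  # assumed default
    return {
        "kolla_same_external_internal_vip": same_vip,
        "kolla_enable_tls_internal": tls_internal,
        "kolla_enable_tls_external": tls_external,
        "kolla_internal_fqdn": internal_fqdn,
        "kolla_external_fqdn": external_fqdn,
        "keystone_internal_url": f"{internal_proto}://{internal_fqdn}:{keystone_port}",
        "keystone_public_url": f"{external_proto}://{external_fqdn}:{keystone_port}",
    }


def tls_findings(settings: dict) -> list:
    """Flag TLS enabled on a side whose FQDN is still a bare IP address:
    a certificate issued for a hostname cannot match https://<ip>:..., which
    is what setting kolla_internal_fqdn / kolla_external_fqdn fixes."""
    findings = []
    for side in ("internal", "external"):
        if not settings[f"kolla_enable_tls_{side}"]:
            continue
        fqdn = settings[f"kolla_{side}_fqdn"]
        try:
            ip_address(fqdn)
        except ValueError:
            continue  # a hostname: fine
        findings.append(f"kolla_{side}_fqdn is unset: {side} endpoints will be "
                        f"https://{fqdn}:..., which no hostname certificate matches")
    return findings


# Constructed from the values posted in the thread: the first attempt (no FQDN)
# and the working configuration from the final message.
GLOBALS_NO_FQDN = {
    "kolla_internal_vip_address": "10.73.0.180",
    "kolla_external_vip_address": "{{ kolla_internal_vip_address }}",
    "kolla_enable_tls_internal": "yes",
    "kolla_certificates_dir": "/etc/kolla/certificates",
    "kolla_internal_fqdn_cert": "{{ kolla_certificates_dir }}/my_company_cert.pem",
}
GLOBALS_WITH_FQDN = dict(GLOBALS_NO_FQDN,
                         kolla_internal_fqdn="openstack-kolla.mycompany.com",
                         kolla_external_fqdn="openstack-kolla.mycompany.com")

if __name__ == "__main__":
    for label, cfg in (("no FQDN", GLOBALS_NO_FQDN), ("with FQDN", GLOBALS_WITH_FQDN)):
        s = effective_tls_settings(cfg)
        print(label, s["keystone_internal_url"], tls_findings(s) or "OK")
```

Run stand-alone, the first configuration yields https://10.73.0.180:5000 for keystone with a finding for each side, and the final configuration yields https://openstack-kolla.mycompany.com:5000 with none; the external side is derived from the internal one in both cases because the two VIPs resolve to the same address.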
Hi Radoslaw,

I meant the same IP address for the internal/external VIPs, like the following snippet. 10.73.0.180 is used for the internal and external addresses.

kolla_internal_vip_address: "10.73.0.180"
kolla_external_vip_address: "{{ kolla_internal_vip_address }}"
network_interface: "eth0"
neutron_external_interface: "eth1"

I did the following in global.yml and ran "deploy" but it got stuck somewhere in nova. I am looking for errors to find out what happened. Am I missing something in the following configuration?

kolla_enable_tls_internal: "yes"
kolla_certificates_dir: "/etc/kolla/certificates"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/my_company_certificate.pem"

Is the above going to enable SSL for all communications or just the horizon web GUI?

On Thu, Sep 29, 2022 at 5:08 AM Radosław Piliszek <radoslaw.piliszek@gmail.com> wrote:
On Thu, 29 Sept 2022 at 11:22, Satish Patel <satish.txt@gmail.com> wrote:
> I did the following in global.yml and ran "deploy" but it got stuck somewhere in nova. I am looking for errors to find out what happened. Am I missing something in the following configuration?

It looks correct at first glance. You need to be more specific about the issue at hand. The error message, circumstances...

> kolla_enable_tls_internal: "yes"
> kolla_certificates_dir: "/etc/kolla/certificates"
> kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/my_company_certificate.pem"
>
> Is the above going to enable SSL for all communications or just the horizon web GUI?

All communications via haproxy.

Radek
-yoctozepto
Hi Radosław,

The following error is encountered if I turn on the above 3 lines to implement SSL. If I remove them, the error disappears. https://paste.opendev.org/show/bOqOAQyqni0nJcWbUuv9/

TASK [nova-cell : Waiting for nova-compute services to register themselves] ******************************************************************************************************
skipping: [kolla-comp-2]
skipping: [kolla-infra-1]
fatal: [kolla-comp-1 -> kolla-infra-1]: FAILED! => {"msg": "The conditional check '(nova_compute_services.stdout | from_json | map(attribute='Host') | list) is superset(expected_compute_service_hosts)' failed. The error was: Expecting value: line 1 column 1 (char 0)"}

TASK [nova-cell : Fail if nova-compute service failed to register] ***************************************************************************************************************
fatal: [kolla-comp-2]: FAILED! => {"msg": "The conditional check 'any_failed_services or (nova_compute_registration_fatal | bool and\n failed_compute_service_hosts | length > 0)' failed. The error was: error while evaluating conditional (any_failed_services or (nova_compute_registration_fatal | bool and\n failed_compute_service_hosts | length > 0)): {{ ansible_facts.nodename in failed_compute_service_hosts or\n (ansible_facts.hostname ~ \"-ironic\") in failed_compute_service_hosts }}: {{ expected_compute_service_hosts | difference(nova_compute_service_hosts) | list }}: {{ hostvars[all_computes_in_batch[0]].nova_compute_services.stdout |\n from_json |\n map(attribute='Host') |\n list }}: Unable to look up a name or access an attribute in template string ({{ hostvars[all_computes_in_batch[0]].nova_compute_services.stdout |\n from_json |\n map(attribute='Host') |\n list }}).\nMake sure your variable name does not contain invalid characters like '-': the JSON object must be str, bytes or bytearray, not AnsibleUndefined\n\nThe error appears to be in '/root/venv-kolla/share/kolla-ansible/ansible/roles/nova-cell/tasks/wait_discover_computes.yml': line 46, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n # that failed to register.\n - name: Fail if nova-compute service failed to register\n ^ here\n"}
fatal: [kolla-infra-1]: FAILED! => {"msg": "The conditional check 'any_failed_services or (nova_compute_registration_fatal | bool and\n failed_compute_service_hosts | length > 0)' failed. The error was: error while evaluating conditional (any_failed_services or (nova_compute_registration_fatal | bool and\n failed_compute_service_hosts | length > 0)): {{ ansible_facts.nodename in failed_compute_service_hosts or\n (ansible_facts.hostname ~ \"-ironic\") in failed_compute_service_hosts }}: {{ expected_compute_service_hosts | difference(nova_compute_service_hosts) | list }}: {{ hostvars[all_computes_in_batch[0]].nova_compute_services.stdout |\n from_json |\n map(attribute='Host') |\n list }}: Unable to look up a name or access an attribute in template string ({{ hostvars[all_computes_in_batch[0]].nova_compute_services.stdout |\n from_json |\n map(attribute='Host') |\n list }}).\nMake sure your variable name does not contain invalid characters like '-': the JSON object must be str, bytes or bytearray, not AnsibleUndefined\n\nThe error appears to be in '/root/venv-kolla/share/kolla-ansible/ansible/roles/nova-cell/tasks/wait_discover_computes.yml': line 46, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n # that failed to register.\n - name: Fail if nova-compute service failed to register\n ^ here\n"}

PLAY RECAP ***********************************************************************************************************************************************************************
kolla-comp-1 : ok=46 changed=9 unreachable=0 failed=1 skipped=14 rescued=0 ignored=0
kolla-comp-2 : ok=42 changed=9 unreachable=0 failed=1 skipped=13 rescued=0 ignored=0
kolla-infra-1 : ok=214 changed=51 unreachable=0 failed=1 skipped=133 rescued=0 ignored=0
localhost : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Command failed ansible-playbook -i multinode -e @/etc/kolla/globals.yml -e @/etc/kolla/passwords.yml -e CONFIG_DIR=/etc/kolla -e kolla_action=deploy /root/venv-kolla/share/kolla-ansible/ansible/site.yml

On Thu, Sep 29, 2022 at 5:26 AM Radosław Piliszek <radoslaw.piliszek@gmail.com> wrote:
Looking into the nova-compute logs, it looks like it's trying to talk to keystone using http instead of https. Do I need to tell it explicitly somewhere to use SSL for the keystone service, or should that be the default when you turn on SSL?

2022-09-29 11:29:09.562 7 ERROR nova.compute.manager keystoneauth1.exceptions.connection.ConnectFailure: Unable to establish connection to http://10.73.0.180:8780/resource_providers?in_tree=a3163bbf-a97b-4162-89c7-5...: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

On Thu, Sep 29, 2022 at 5:32 AM Satish Patel <satish.txt@gmail.com> wrote:
Following up on my problem: it was missing the FQDN. Now everything is working fine. Thanks for the help.

kolla_internal_vip_address: "10.73.0.180"
kolla_external_vip_address: "{{ kolla_internal_vip_address }}"
kolla_external_fqdn: "openstack-kolla.mycompany.com"
kolla_internal_fqdn: "openstack-kolla.mycompany.com"
kolla_enable_tls_internal: "yes"
kolla_certificates_dir: "/etc/kolla/certificates"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/mycompany.pem"

On Thu, Sep 29, 2022 at 5:38 AM Satish Patel <satish.txt@gmail.com> wrote:
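The fix in the last message (setting kolla_internal_fqdn and kolla_external_fqdn) determines the hostname kolla-ansible uses when it registers service endpoints, and the nova-compute error earlier in the thread shows what a leftover http://<IP> URL looks like from the client side. Here is an added example, not code from kolla-ansible or OpenStack, that audits `openstack endpoint list -f json` output and the URL in that log line against the certificate's FQDN. The JSON column names are the ones the OpenStack client prints; the endpoint sample itself is constructed to resemble this deployment, and the hostname comparison is a plain case-insensitive match, not a full RFC 6125 name check.

```python
"""Post-deploy check: are the catalog endpoints consistent with TLS on HAProxy?

Added example, not kolla-ansible's or OpenStack's code. It audits the JSON that
`openstack endpoint list -f json` prints (the sample below is constructed to
resemble this thread's deployment) and flags endpoints that still use http://
or address the VIP by bare IP rather than the FQDN the certificate was issued
for. The same check is applied to the URL in a nova-compute ConnectFailure line.
"""
import json
import re
from ipaddress import ip_address
from urllib.parse import urlparse


def check_url(url: str, expected_fqdn: str) -> list:
    """Reasons why `url` does not fit a TLS-only HAProxy presenting a
    certificate for `expected_fqdn`; an empty list means it fits."""
    parsed = urlparse(url)
    problems = []
    if parsed.scheme != "https":
        problems.append(f"scheme is {parsed.scheme!r}, expected https")
    host = parsed.hostname or ""
    try:
        ip_address(host)
    except ValueError:
        # A hostname: it must be the one on the certificate (plain comparison).
        if host.lower() != expected_fqdn.lower():
            problems.append(f"host {host!r} is not the certificate name {expected_fqdn!r}")
    else:
        problems.append(f"host {host!r} is a bare IP; a hostname certificate will not match")
    return problems


def audit_endpoints(endpoint_list_json: str, expected_fqdn: str) -> list:
    """Audit `openstack endpoint list -f json` output; one finding per bad endpoint."""
    findings = []
    for ep in json.loads(endpoint_list_json):
        problems = check_url(ep["URL"], expected_fqdn)
        if problems:
            findings.append({"service": ep["Service Name"],
                             "interface": ep["Interface"],
                             "url": ep["URL"], "problems": problems})
    return findings


# keystoneauth1 prints the target URL followed by ": (" and the cause.
_CONNECT_FAILURE = re.compile(r"Unable to establish connection to (\S+?):\s")


def url_from_connect_failure(log_line: str):
    """Extract the URL a service failed to reach from a ConnectFailure log line."""
    match = _CONNECT_FAILURE.search(log_line)
    return match.group(1) if match else None


# Constructed sample in the shape of `openstack endpoint list -f json`.
SAMPLE_ENDPOINT_LIST = json.dumps([
    {"ID": "e1" * 16, "Region": "RegionOne", "Service Name": "keystone",
     "Service Type": "identity", "Enabled": True, "Interface": "internal",
     "URL": "https://openstack-kolla.mycompany.com:5000"},
    {"ID": "e2" * 16, "Region": "RegionOne", "Service Name": "placement",
     "Service Type": "placement", "Enabled": True, "Interface": "internal",
     "URL": "http://10.73.0.180:8780"},
    {"ID": "e3" * 16, "Region": "RegionOne", "Service Name": "nova",
     "Service Type": "compute", "Enabled": True, "Interface": "public",
     "URL": "https://10.73.0.180:8774/v2.1"},
])

# The nova-compute line posted in the thread.
SAMPLE_LOG_LINE = (
    "2022-09-29 11:29:09.562 7 ERROR nova.compute.manager "
    "keystoneauth1.exceptions.connection.ConnectFailure: Unable to establish "
    "connection to http://10.73.0.180:8780/resource_providers?in_tree="
    "a3163bbf-a97b-4162-89c7-5...: ('Connection aborted.', "
    "RemoteDisconnected('Remote end closed connection without response'))"
)

if __name__ == "__main__":
    for f in audit_endpoints(SAMPLE_ENDPOINT_LIST, "openstack-kolla.mycompany.com"):
        print(f["service"], f["interface"], f["url"], "->", "; ".join(f["problems"]))
    url = url_from_connect_failure(SAMPLE_LOG_LINE)
    print("nova-compute tried", url, "->", check_url(url, "openstack-kolla.mycompany.com"))
```

On the constructed sample the keystone endpoint passes, the placement endpoint is flagged twice (http scheme and bare IP) and the nova public endpoint once (bare IP); the URL pulled from the log line fails the same two checks as the placement endpoint, which is the state the thread's FQDN fix resolves.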
participants (2)
- Radosław Piliszek
- Satish Patel