[kolla] [senlin] [xena] Self-signed cert errors during Senlin auth
Folks, I am deploying OpenStack Xena via Kolla. As part of improving our orchestration offerings, I am investigating the use of Senlin in our deployments. Using `enable_senlin: "yes"`, the containers install as expected. When I attempt to create an initial profile, I get the following error:
HttpException: 500: Server Error for url: https://external:8778/v1/profiles, Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://internal:35357: HTTPSConnectionPool(host='internal', port=35357): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')))
I have tried setting `verify_ssl = False` in senlin.conf, but no dice. I don't see this issue on the other services for which we're using the same certificates (e.g., Heat, Keystone, Barbican). Looking in the containers, I don't see `<service>-cert.pem` or `<service>-key.pem` files for Senlin as I did for other services. Moreover, the authentication configurations look the same in all relevant respects, between Senlin and the services that do work. I'm positively flummoxed about why the certs aren't getting distributed.
When I took a look at the documentation for Kolla TLS [1], I saw the following:
Enabling TLS on the backend services secures communication between the HAProxy listing on the internal/external VIP and the OpenStack services. It also enables secure end-to-end communication between OpenStack services that support TLS termination. The OpenStack services that support backend TLS termination in Victoria are: Nova, Ironic, Neutron, Keystone, Glance, Heat, Placement, Horizon, Barbican, and Cinder.
Missing from here is Senlin, and looking at the same document from subsequent OpenStack releases suggests this hasn't changed. I don't know if this is a relevant issue to the problem I've been having (to be fair, I don't see Octavia, which we've also been using, on the list, even though we also haven't been having issues with Octavia certs). Is this something that I can fix via configuration, or is this a thing wherein we need to change how Kolla deploys Senlin, or even add in SSL termination to the Senlin service?
Any help on this would be greatly appreciated.
Thanks,
Rob
[1] https://github.com/openstack/kolla-ansible/blob/stable/xena/doc/source/admin...
participants (1): Rob Jefferson
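Added example, not part of the original post and not Kolla or Senlin code: it reproduces the class of verification failure quoted in the error above with `openssl verify`, and shows the same chain validating once the verifier is given the CA bundle. The CA, the certificate subjects and all file names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: all names, subjects and files below are constructed for the demo.
set -eu

make_chain() {  # $1 = directory to write the demo CA and server certificate into
  local d="$1"
  # Self-signed root, standing in for a deployment's private CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Server certificate for a hypothetical endpoint named "internal", signed by that CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=internal" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
}

verify_result() {  # args go to `openssl verify`; prints "ok" or the verify error number
  local out
  if out=$(openssl verify "$@" 2>&1); then
    echo ok
  else
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"

# Peer presents only its leaf and the verifier has no matching CA: error 20
# (unable to get local issuer certificate).
echo "leaf only, CA not trusted:      $(verify_result "$work/srv.pem")"
# Peer also presents the root, but the verifier does not trust it: error 19,
# the "self signed certificate in certificate chain" case.
echo "root sent, CA not trusted:      $(verify_result -untrusted "$work/ca.pem" "$work/srv.pem")"
# Verifier is pointed at the CA bundle: the same chain validates.
echo "CA bundle supplied to verifier: $(verify_result -CAfile "$work/ca.pem" "$work/srv.pem")"
```

The error number separates the two common causes: 20 means the verifier could not find the issuer at all, while 19 means the peer sent a self-signed root that is absent from the verifier's trust store.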