Melonia | Hi | 07:27 |
---|---|---|
Melonia | I have trouble in connecting to the OSA-AIO: https://dpaste.com/7JUMXV4BM | 07:28 |
jrosser | Melonia: is it really *.* in those IP? | 07:30 |
Melonia | no no! | 07:30 |
jrosser | so it's really a public IP? | 07:31 |
jrosser | it's just confusing, and really there is not much gain to obfuscate it | 07:31 |
Melonia | Yes, It's a public IP to be able to present to the company | 07:31 |
jrosser | right, so you are already scanned / probed by the whole internet :) | 07:31 |
jrosser | but anyway, the message is about the SSL verification | 07:32 |
Melonia | no problem. It's just a demo | 07:32 |
jrosser | so 1) where is the certificate from.... 2) where do you run the client | 07:32 |
jrosser | because 2 needs to trust the cert presented by 1, unless you disable verification | 07:33 |
Melonia | I didn't introduce any cert. I think it's self-signed by AIO itself! | 07:33 |
jrosser | that is the default in the AIO | 07:33 |
Melonia | The client is on my Laptop | 07:33 |
jrosser | so this is kind of just basic SSL setup, not really OSA specific | 07:34 |
jrosser | if you have the AIO generate its own CA, you will need that CA in your client certificate store, or disable verification | 07:35 |
jrosser | same will be true for horizon | 07:35 |
Melonia | How can disable verification for the command `openstack` | 07:36 |
Melonia | How can I disable verification for the command `openstack`? | 07:37 |
jrosser | try `--insecure` | 07:37 |
jrosser | for a more proper proof of concept you are able to supply your own CA+Cert, or use LetsEncrypt | 07:38 |
jrosser | i think it's important to appreciate that OSA is a bit like a toolbox and the AIO makes some "sensible defaults" but almost everything is customisable | 07:39 |
jrosser | the self signed cert is a pretty good example of this, it's fine for hacking around but you really need to customise for production use | 07:39 |
Melonia | Sure; Thanks | 07:42 |
Melonia | [Worked] | 07:42 |
Melonia | I also get this error when I try for a new user registration: https://gcdnb.pbrd.co/images/DLI1mRp8GrTq.png (I have enabled adjutant module during deployment) | 07:43 |
Melonia | Similar issue with Horizon>Rating>Rating: https://gcdnb.pbrd.co/images/4ZXYr5OiGDXi.png (I also have enabled cloudkitty module) | 07:43 |
jrosser | Melonia: https://opendev.org/openstack/adjutant-ui/src/branch/master/doc/source/configuration.rst#L4 | 08:08 |
jrosser | but really i would be looking carefully at how well maintained you think the adjutant-ui code is https://opendev.org/openstack/adjutant-ui/commits/branch/master | 08:11 |
jrosser | and decide if thats something you want to install/support as a service | 08:11 |
Melonia | You mean adding `OPENSTACK_ADJUTANT_URL = "<base_url>"` to user_variables file? | 08:12 |
Melonia | jrosser: I'm working on a demo for now, but why not even for production? Isn't adjutant reliable or something? | 08:13 |
jrosser | thats your judgement to make if any particular component of openstack is suitable for your use case | 08:14 |
jrosser | they are all maintained by different teams, some very actively like the core nova/keystone/glance/cinder etc...... | 08:15 |
jrosser | some are almost abandoned | 08:15 |
Melonia | Oh, then I need to check both adjutant and cloudkitty for their development and the community support | 08:16 |
Melonia | Thanks for the hint | 08:16 |
jrosser | indeed - OSA people can help with deployment and getting the right config in place | 08:16 |
Melonia | Yeah, I see | 08:17 |
jrosser | but we dont work directly on the service projects as part of working on OSA, except maybe for major regressions like we found recently in keystone | 08:17 |
jrosser | the OSA people are almost all running their own clouds, rather than just developers of a deployment tool | 08:19 |
jrosser | so theres a lot of experience of what does/doesnt work in real life here | 08:19 |
Melonia | +1 | 08:24 |
NeilHanlon | and then there's me. I'm here because jrosser told me he'd hunt me down if I left! /s | 13:37 |
jamesdenton | Good morning, jrosser. noonedeadpunk pointed me into the direction of your haproxy map patches a while back, but I'm not yet sure if that's the right approach if I'm looking to modify haproxy to use unique FQDNs per endpoint on port 443 versus the default of same FQDN:service port. What say you? | 13:39 |
jrosser | jamesdenton: I hope that it is ideal for that :) | 13:45 |
jamesdenton | If it IS, that's great, i just wasn't 100% on that | 13:46 |
jamesdenton | before i went down that path | 13:46 |
jrosser | the way the vars are at the moment, you can have arbitrary maps with arbitrary config | 13:46 |
jrosser | though there are some hardwired defaults currently | 13:46 |
damiandabrowski | if anyone's interested, I talked a bit about haproxy maps and possible usecases in Vancouver :D | 13:46 |
damiandabrowski | https://youtu.be/1i60u_dfTBU?si=rvmXdJaJBYiiGjaM&t=807 | 13:46 |
jamesdenton | i am very interested, thank you | 13:47 |
jrosser | I had in my mind when writing this part of the haproxy role that it should be possible to do something like use the service name as the key in the map file when doing fqdn->service mapping | 13:47 |
jrosser | and ultimately it would be just one bool needed to switch into this mode through user vars | 13:48 |
jrosser | I would expect it to be actually quite a small patch to make this work | 13:49 |
jrosser | jamesdenton: the map file config is distributed in pieces, like this for horizon https://github.com/openstack/openstack-ansible/blob/master/inventory/group_vars/horizon_all/haproxy_service.yml#L39 | 14:01 |
jrosser | then you instruct it to use a particular map on the frontend like this https://github.com/openstack/openstack-ansible/blob/master/inventory/group_vars/haproxy/haproxy.yml#L86-L91 | 14:02 |
*** dviroel_ is now known as dviroel | 14:03 | |
jamesdenton | looking looking | 14:06 |
jrosser | oh of course then there is the service catalog to get right | 14:10 |
jrosser | so i think thats why this ends up with some global bool, as what you tell haproxy to route has to actually match whats in the service catalog | 14:10 |
jamesdenton | i imagine you would just override the individual catalog entries, then? | 14:14 |
jamesdenton | hi kstev bjoernt | 14:29 |
kstev | hi jamesdenton | 14:31 |
jrosser | jamesdenton: yes i think it would be possible to make a bunch of overrides for catalog entries | 14:35 |
jrosser | have to decide if we want this "service-as-fqdn" thing to me a first class feature in OSA | 14:35 |
jrosser | if so we should probably make it a bit more slick than that | 14:36 |
jrosser | *to be | 14:36 |
jamesdenton | i think it definitely could/should be. I hope to implement this in a project we're working on soon | 14:39 |
jamesdenton | thank you for the help | 14:39 |
*** starkis is now known as Guest535 | 23:14 |