*** spellbind3r is now known as Guest689 | 06:10 | |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible stable/yoga: ovn: Break out role into ovn-db and ovn-controller roles https://review.opendev.org/c/openstack/kolla-ansible/+/868744 | 07:18 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible stable/yoga: ovn: Break out role into ovn-db and ovn-controller roles https://review.opendev.org/c/openstack/kolla-ansible/+/868744 | 07:18 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible stable/yoga: ovn: Break out role into ovn-db and ovn-controller roles https://review.opendev.org/c/openstack/kolla-ansible/+/868744 | 08:26 |
opendevreview | Merged openstack/kolla master: Change libvirt-exporter repo to Tinkoff https://review.opendev.org/c/openstack/kolla/+/868161 | 09:34 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible stable/yoga: ovn: Break out role into ovn-db and ovn-controller roles https://review.opendev.org/c/openstack/kolla-ansible/+/868744 | 09:57 |
opendevreview | Verification of a change to openstack/kayobe stable/xena failed: Fix tox.ini for tox4 https://review.opendev.org/c/openstack/kayobe/+/868568 | 09:58 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible stable/yoga: ovn: Break out role into ovn-db and ovn-controller roles https://review.opendev.org/c/openstack/kolla-ansible/+/868744 | 10:25 |
opendevreview | Merged openstack/kayobe stable/xena: Fix tox.ini for tox4 https://review.opendev.org/c/openstack/kayobe/+/868568 | 10:57 |
EugenMayer4 | my ssl certificate for the internal/external/backend expired, so i'm in the middle of installing the re-issued/extended one. I have this globals configuration and i use an official certificate, see https://gist.github.com/EugenMayer/f908588ad260b89679f8b150e89b83e1. in wildcard.cluster.pem i just have the leaf cert, in | 12:12 |
EugenMayer4 | wildcard.cluster.combined.pem i have the cert including the intermediates. When i redeploy with kolla i see the controller haproxy fails to start due to https://gist.github.com/EugenMayer/f908588ad260b89679f8b150e89b83e1#file-logs | 12:12 |
EugenMayer4 | (i am running xena) - i redeploy using 'reconfigure' | 12:13 |
EugenMayer4 | Checking https://docs.openstack.org/kolla-ansible/latest/admin/tls.html i'm not sure why the key is missing. I provided kolla_tls_backend_key | 12:14 |
EugenMayer4 | i verified with openssl x509 -noout -modulus -in wildcard.cluster.pem | openssl md5 ..... openssl rsa -noout -modulus -in wildcard.cluster.key | openssl md5 .... that the private key matches the certificate | 12:17 |
EugenMayer4 | the question basically is, why /etc/haproxy/haproxy-internal.pem.key is not deployed to the controller. Checking /etc/kolla/haproxy on the controller, i cannot see the file either | 12:18 |
EugenMayer4 | any hints would be awesome! | 12:20 |
mnasiadka | EugenMayer4: are you sure kolla_enable_tls_external is true, and kolla_external_fqdn_cert points to the cert file location? Basically this is the task that copies the cert file - https://github.com/openstack/kolla-ansible/blob/dd64d8b0b760a75ae949fccabd91c64100c624a6/ansible/roles/loadbalancer/tasks/config.yml#L94 | 15:01 |
EugenMayer4 | mnasiadka i would say 100% sure see my gist - u see the global.yml section and you see the ls of the filesystem https://gist.github.com/EugenMayer/f908588ad260b89679f8b150e89b83e1 | 17:06 |
EugenMayer4 | i did double check the paths and for me, it looks right. I also did not change it compared to the initial deployment. could it be that reconfigure is the issue? do i have to use upgrade / deploy instead? | 17:06 |
opendevreview | Merged openstack/kolla master: Revert "[release] Use Zed sources by default" https://review.opendev.org/c/openstack/kolla/+/868565 | 19:50 |
opendevreview | Merged openstack/kolla master: Revert "[release] Change RDO's DELOREAN_DEPS repo to Zed" https://review.opendev.org/c/openstack/kolla/+/868564 | 19:50 |
guesswhat | mnasiadka https://review.opendev.org/c/openstack/kolla/+/868565 is merged, so nightly pipeline will publish images built from master, right? thanks | 20:05 |
EugenMayer4 | mnasiadka the most interesting part here https://github.com/openstack/kolla-ansible/blob/dd64d8b0b760a75ae949fccabd91c64100c624a6/ansible/roles/loadbalancer/tasks/config.yml#L94 is, that only the certificates are copied, no private key. Internal and external certificates without private key. That is kinda odd. Is it expected to have all the things | 20:40 |
EugenMayer4 | in one file? (never have seen this format yet) | 20:40 |
EugenMayer4 | oh i see https://github.com/haproxy/haproxy/issues/221 that is the case for haproxy in general | 20:41 |
EugenMayer4 | i assume that must be my issue. I did not add docs before on how i understood "combined" and assumed, it is the usual nginx format (chain+cert). But in this case it seems to be cert+key, not cert+chain+key (which i already tried) | 20:44 |
EugenMayer4 | the problem is, if i deploy the variant "cert+key" or "cert+chain+key" haproxy starts, but seems to no longer be able to connect: https://gist.github.com/EugenMayer/dc128861a0f25f0a98611bc56b7073cb (keystone fails because all the upstream connections do fail, i guess) | 20:47 |
EugenMayer4 | ok that one is solved. For both cases i need a chain+cert combination, but for the ha-proxy with key. What i did beforehand was cert / key sep. for the kolla_tls_backend_cert / kolla_tls_backend_key (but not with chain). And a cert+chain or cert+chain+key. The latter is the right one here, but only if i also use the chain+cert on the backend side. | 20:54 |
EugenMayer4 | So using cert+chain for backend + the sep. key, and cert+chain+key for internal/external (haproxy) makes it work | 20:54 |
EugenMayer4 | This time i add those docs :) | 20:54 |
guesswhat | JOIN #openstack-neuron | 21:16 |
guesswhat | kolla does not support setting vlan-transparent for neutron? | 22:47 |