Comment 0 for bug 1877818

Jie Li (ramboman) wrote :

The Octavia scenario test [1] failed when we ran it in an OpenStack environment with TLS enabled.
Release information:
Octavia: Train
Octavia-tempest-plugin: 1.2.0
Barbican: Train

We can see the following in the log:
2020-05-10 11:12:05.869 9 DEBUG octavia.db.repositories [req-43f74e13-be71-4236-bdcf-23b38f485318 - a24edb960f2540fcb191a4a1f5a18b78 - default default] Checking quota for project: a24edb960f2540fcb191a4a1f5a18b78 object: <class 'octavia.common.data_models.Listener'> check_quota_met /usr/lib/python2.7/site-packages/octavia/db/repositories.py:371
2020-05-10 11:12:06.002 9 DEBUG octavia.certificates.manager.barbican [req-43f74e13-be71-4236-bdcf-23b38f485318 - a24edb960f2540fcb191a4a1f5a18b78 - default default] Setting project ACL for certificate secret... set_acls /usr/lib/python2.7/site-packages/octavia/certificates/manager/barbican.py:150
2020-05-10 11:12:06.410 9 DEBUG barbicanclient.client [req-43f74e13-be71-4236-bdcf-23b38f485318 - a24edb960f2540fcb191a4a1f5a18b78 - default default] Creating Client object Client /usr/lib/python2.7/site-packages/barbicanclient/client.py:156
2020-05-10 11:12:06.413 9 DEBUG barbicanclient.v1.acls [req-43f74e13-be71-4236-bdcf-23b38f485318 - a24edb960f2540fcb191a4a1f5a18b78 - default default] Getting ACL for secret href: https://vip.external.qs.in:9311/v1/secrets/e0c06929-ef62-4ae7-ae1a-c6e6708ebf74/acl get /usr/lib/python2.7/site-packages/barbicanclient/v1/acls.py:485
2020-05-10 11:12:06.449 9 WARNING keystoneauth.identity.generic.base [req-43f74e13-be71-4236-bdcf-23b38f485318 - a24edb960f2540fcb191a4a1f5a18b78 - default default] Failed to discover available identity versions when contacting https://vip.qs.in:35357. Attempting to parse version from URL.: SSLError: SSL exception connecting to https://vip.qs.in:35357: HTTPSConnectionPool(host='vip.qs.in', port=35357): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))
2020-05-10 11:12:06.455 9 DEBUG wsme.api [req-43f74e13-be71-4236-bdcf-23b38f485318 - a24edb960f2540fcb191a4a1f5a18b78 - default default] Client-side error: Could not retrieve certificate: ['https://vip.external.qs.in:9311/v1/secrets/e0c06929-ef62-4ae7-ae1a-c6e6708ebf74'] format_exception /usr/lib/python2.7/site-packages/wsme/api.py:222

Finally, we found that [2] can't set the verify for the session [3], so we need to solve it.
[1]:https://github.com/openstack/octavia-tempest-plugin/blob/a97deefcb3c21194ec1e2b4f11cc0fbd3c16b720/octavia_tempest_plugin/tests/barbican_scenario/v2/test_tls_barbican.py#L285
[2]:https://github.com/openstack/octavia/blob/5ec5fb73f8cbf3b4d3b437a117159f50411ae4bd/octavia/certificates/common/auth/barbican_acl.py#L90
[3]:https://github.com/openstack/keystoneauth/blob/1bffde3315e68a6eadf48e09f831d9fab2bc5332/keystoneauth1/session.py#L280
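
Added example (not part of the original report and not Octavia code): a small triage script that groups the log lines above by request id and reports which endpoint failed certificate verification and what error followed. The names triage, SAMPLE_LOG, LINE and ENDPOINT are chosen for this example; the sample lines are copied from the report with the trailing source location trimmed.

```python
import re

# Sample input: three lines from the log in the report above, with the
# trailing "function /path:line" suffix trimmed.
SAMPLE_LOG = """\
2020-05-10 11:12:06.413 9 DEBUG barbicanclient.v1.acls [req-43f74e13-be71-4236-bdcf-23b38f485318 - a24edb960f2540fcb191a4a1f5a18b78 - default default] Getting ACL for secret href: https://vip.external.qs.in:9311/v1/secrets/e0c06929-ef62-4ae7-ae1a-c6e6708ebf74/acl
2020-05-10 11:12:06.449 9 WARNING keystoneauth.identity.generic.base [req-43f74e13-be71-4236-bdcf-23b38f485318 - a24edb960f2540fcb191a4a1f5a18b78 - default default] Failed to discover available identity versions when contacting https://vip.qs.in:35357. Attempting to parse version from URL.: SSLError: SSL exception connecting to https://vip.qs.in:35357: HTTPSConnectionPool(host='vip.qs.in', port=35357): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))
2020-05-10 11:12:06.455 9 DEBUG wsme.api [req-43f74e13-be71-4236-bdcf-23b38f485318 - a24edb960f2540fcb191a4a1f5a18b78 - default default] Client-side error: Could not retrieve certificate: ['https://vip.external.qs.in:9311/v1/secrets/e0c06929-ef62-4ae7-ae1a-c6e6708ebf74']
"""

# oslo.log style prefix: timestamp, pid, level, logger, [request context], message
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \d+ (?P<level>\w+) (?P<logger>\S+) "
    r"\[(?P<req>req-[0-9a-f-]+)[^\]]*\] (?P<msg>.*)$")
ENDPOINT = re.compile(r"https://([A-Za-z0-9.-]+):(\d+)")


def triage(log_text):
    """Return one finding per TLS verification failure, tied to its request."""
    findings = []
    pending = {}  # request id -> finding still waiting for its consequence
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not carry a request context
        req, msg = m["req"], m["msg"]
        if "CERTIFICATE_VERIFY_FAILED" in msg:
            ep = ENDPOINT.search(msg)  # first URL is the peer being contacted
            finding = {
                "request": req,
                "logger": m["logger"],
                "untrusted_endpoint": "%s:%s" % ep.groups() if ep else None,
                "consequence": None,
            }
            findings.append(finding)
            pending[req] = finding
        elif "Client-side error" in msg and req in pending:
            # First API error in the same request after the TLS failure
            pending.pop(req)["consequence"] = msg
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["request"], f["untrusted_endpoint"], "->", f["consequence"])
```

On the lines above this reports vip.qs.in:35357, the identity endpoint contacted by keystoneauth, as the peer whose certificate was rejected, while the secret href in the resulting error points at vip.external.qs.in:9311.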