
octavia-ingress-controller: unable to get https working

Open jouvin opened this issue 1 year ago • 3 comments

/kind bug

What happened:

I followed the documentation to configure the Octavia ingress controller on an OpenStack/Magnum-backed k8s cluster. Everything works as far as http is concerned, but for https I've been struggling without success to get it working. From the k8s logs and events, everything looks fine but curl fails.

My goal is to use Let's Encrypt but I started with a self-signed cert to disentangle problems, using the gen_cert script (after increasing the key len to 2048 as 1024 is no longer matching the min key size requirement). I followed exactly (I think) the suggested configuration/yaml files.

Initially, curl https://.. was not returning anything. I realized that the security group rule associated with the floating IP had no ingress rule for https. I added one and since then I get the error "connection refused". I can't find any error on the k8s side.

What you expected to happen:

curl https:// returning the same information as curl http://...

How to reproduce it:

Follow the steps in the documentation.

Anything else we need to know?:

Environment:

  • openstack-cloud-controller-manager (or other related binary) version: not sure how to check it
  • ingress controller 1.29
  • OpenStack version: Victoria
  • Others:

jouvin Feb 19 '24 17:02

Help with this issue would be very appreciated... (for some reason I cannot join the Slack channel, seems to say it is by invitation only...)

jouvin Feb 29 '24 12:02

Connection refused suggests no port opened on the LB side. Could you check that, i.e. that the LB has an HTTPS listener on port 443?

dulek Feb 29 '24 12:02
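The two checks this thread converges on, a TLS listener on port 443 on the Octavia load balancer and an ingress rule for tcp/443 in the security group attached to the floating IP, written up as an added example (not code from the thread or from cloud-provider-openstack). It works over the kind of records `openstack loadbalancer listener list -f json` and `openstack security group rule list -f json` emit; the field names are assumed from the CLI and every value below is constructed.

```python
# Added example: checks for the "connection refused" symptom discussed above.
# Field names assumed from the openstack CLI JSON output; values are constructed.
LISTENERS = [
    {"name": "http", "protocol": "HTTP", "protocol_port": 80, "admin_state_up": True,
     "provisioning_status": "ACTIVE", "operating_status": "ONLINE"},
    {"name": "https", "protocol": "TERMINATED_HTTPS", "protocol_port": 443,
     "admin_state_up": True, "provisioning_status": "ACTIVE", "operating_status": "ONLINE"},
]
SG_RULES = [  # only tcp/80 is opened inbound, as in the reporter's first attempt
    {"Direction": "ingress", "IP Protocol": "tcp", "Port Range": "80:80", "IP Range": "0.0.0.0/0"},
    {"Direction": "egress", "IP Protocol": None, "Port Range": "", "IP Range": None},
]

def _port_range(rule):
    """'443:443' -> (443, 443); an empty 'Port Range' means the rule matches any port."""
    rng = rule.get("Port Range") or ""
    if not rng:
        return 1, 65535
    lo, _, hi = rng.partition(":")
    return int(lo), int(hi or lo)

def sg_allows_ingress(rules, port, proto="tcp"):
    """True if some ingress rule admits `proto` traffic to `port` (from any source)."""
    for r in rules:
        if r.get("Direction") != "ingress":
            continue
        if r.get("IP Protocol") not in (None, "", proto):  # None/'' = any protocol
            continue
        lo, hi = _port_range(r)
        if lo <= port <= hi:
            return True
    return False

def diagnose_https(listeners, sg_rules, port=443):
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    tls = [l for l in listeners if l.get("protocol_port") == port]
    if not tls:
        findings.append(f"no listener on port {port}: LB refuses the connection")
    for l in tls:
        if l.get("protocol") not in ("TERMINATED_HTTPS", "HTTPS"):
            findings.append(f"listener on {port} is {l.get('protocol')}, not TLS")
        if (not l.get("admin_state_up", True) or l.get("provisioning_status") != "ACTIVE"
                or l.get("operating_status") != "ONLINE"):
            findings.append(f"listener on {port} is not ACTIVE/ONLINE")
    if not sg_allows_ingress(sg_rules, port):
        findings.append(f"no security group ingress rule for tcp/{port}")
    return findings

if __name__ == "__main__":
    print(diagnose_https(LISTENERS, SG_RULES))
```

With the constructed data the listener side is healthy and the only finding is the missing tcp/443 ingress rule; feeding the real CLI output (parsed with `json.load`) into `diagnose_https` gives the same kind of answer for a live cluster.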

@dulek Sorry for the delay. I checked the configuration of the LB and it does have a listener on port 443, with protocol TERMINATED_HTTPS. Not sure where to look for additional info? On the amphora?

I attach some information collected from OpenStack that shows nothing wrong as far as I can tell... security_group.self-signed.txt.

For the record, the cloud was upgraded to Wallaby before my last attempt and, according to my last attempt, it seems the need to add a rule in the security group associated with the floating IP has disappeared. Not sure if something was fixed in Wallaby or if I made a mistake in my initial tests... but anyway the "connection refused" is still there...

jouvin Mar 04 '24 20:03

@dulek great news, it seems to work now. Not completely sure of the reason why... We completed the Wallaby upgrade yesterday (Neutron; the other services were already updated at my last attempt, I think), so it is probably due to something fixed in the Wallaby release. Thanks for your help.

As for me, the ticket can be closed.

jouvin Mar 06 '24 11:03

Alright! I bet it was networking-related then.

dulek Mar 06 '24 15:03