    TomEros
    @TomEros
    Hello and welcome to the beta of Octavia Load Balancer
    Tim Usner
    @timuthy
    Hi, I just tried out the LBaaS support in GRA9 with Gardener and Kubernetes controllers. While we successfully got an LB with the OpenStack Cloud Controller Manager, we hit an issue with the Neutron API and hope you can support us. We use GopherCloud (https://github.com/gophercloud/gophercloud/) as a Golang client in our Gardener component, and whenever we try to retrieve ports via Network.ListPorts, we receive an empty list even though ports are available (it works via the OpenStack CLI).
    We found out that the returned JSON doesn't fit the format expected by GopherCloud (see https://github.com/gophercloud/gophercloud/blob/ec3f761dbd2a3bab5efefac50a7bae7bd7063873/openstack/networking/v2/ports/results.go#L61). Do you have more information about this?
    yanndegat
    @yanndegat
    Hi @timuthy
    Do you mind if we handle this issue in a private chat? I may have some questions related to Gardener in addition to the Neutron API issue.
    Jean-Bernard van Zuylen
    @jbvanzuylen_gitlab

    @TomEros We are trying the beta of the Octavia Load Balancer. However, it seems that the certificate of your key manager has expired:

    • Server certificate:
    • subject: CN=key-manager.addons.gra9.cook.cloud.ovh.net
    • start date: Mar 3 08:59:09 2021 GMT
    • expire date: Jun 1 08:59:09 2021 GMT
    • issuer: C=US; O=Let's Encrypt; CN=R3
    • SSL certificate verify result: certificate has expired (10)

    Can this be fixed?

    TomEros
    @TomEros
    This is fixed! We will add some monitoring for the certificates.
    Jean-Bernard van Zuylen
    @jbvanzuylen_gitlab
    @TomEros Thank you!
    Jean-Bernard van Zuylen
    @jbvanzuylen_gitlab

    @TomEros Another issue we are facing:

    Doing the following command

    "openstack loadbalancer listener create --name fe_https --protocol TERMINATED_HTTPS --protocol-port 443 --default-tls-container="https://key-manager.gra9.cloud.ovh.net/v1/secrets/071******152" qa-gra-aio"

    leads to

    "Could not retrieve certificate: ['https://key-manager.gra9.cloud.ovh.net/v1/secrets/071******152'] (HTTP 400) (Request-ID: req-26e**307)"

    We were hoping that fixing the certificate would fix the problem, but it doesn't.

    Any solution?

    TomEros
    @TomEros

    Hello @jbvanzuylen_gitlab
    Does an:

    openstack secret get https://key-manager.gra9.cloud.ovh.net/v1/secrets/071******152

    return you a valid secret (with Status=ACTIVE)?

    Jean-Bernard van Zuylen
    @jbvanzuylen_gitlab
    @TomEros Yes
    Jean-Bernard van Zuylen
    @jbvanzuylen_gitlab

    We tried with a new certificate:

    openstack secret  get https://key-manager.gra9.cloud.ovh.net/v1/secrets/9e5***24c

    Gives:

    +---------------+----------------------------------------------------------------------------------------+
    | Field         | Value                                                                                  |
    +---------------+----------------------------------------------------------------------------------------+
    | Secret href   | https://key-manager.gra9.cloud.ovh.net/v1/secrets/9e5***c24c |
    | Name          | wildcard-qa_tls_secret                                                                 |
    | Created       | 2021-06-17T09:05:53+00:00                                                              |
    | Status        | ACTIVE                                                                                 |
    | Content types | {'default': 'application/octet-stream'}                                                |
    | Algorithm     | aes                                                                                    |
    | Bit length    | 256                                                                                    |
    | Secret type   | opaque                                                                                 |
    | Mode          | cbc                                                                                    |
    | Expiration    | None                                                                                   |
    +---------------+----------------------------------------------------------------------------------------+

    With:

    openstack acl get  https://key-manager.gra9.cloud.ovh.net/v1/secrets/9e59******0c24c

    Gives:

    +----------------+----------------+-------+---------+---------+--------------------------------------------------------------------------------------------+
    | Operation Type | Project Access | Users | Created | Updated | Secret ACL Ref                                                                             |
    +----------------+----------------+-------+---------+---------+--------------------------------------------------------------------------------------------+
    | read           | True           | []    | None    | None    | https://key-manager.gra9.cloud.ovh.net/v1/secrets/9e5****24c/acl |
    +----------------+----------------+-------+---------+---------+--------------------------------------------------------------------------------------------+

    Looks like Octavia doesn't have access.

    TomEros
    @TomEros

    Hello
    Did you combine the individual certificate, key, and intermediate certificate into a single PKCS12 file?
    I apply these steps:

    # CA certificates generation
    openssl genrsa -des3 -out CA.key 2048
    openssl req -x509 -new -nodes -key CA.key -sha256 -days 1825 -out CA.pem
    
    # Server key generation
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr # Request certificate
    openssl x509 -req -in server.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out server.crt -days 825 -sha256
    
    # Pack the certificate, key and CA into a PKCS12 file for Barbican (empty export password)
    openssl pkcs12 -export -inkey server.key -in server.crt -certfile CA.pem -passout pass: -out server.p12
    
    # Send to Barbican
    openstack secret store --name='MySuperCertificate' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < server.p12)"
    
    openstack secret store --payload-content-type='text/plain' --name='certificate' --payload="$(cat server.crt)"
    openstack secret store --payload-content-type='text/plain' --name='private_key' --payload="$(cat server.key)"
    openstack secret container create --name='ssl_certificate_container' --type='certificate' --secret="certificate=https://key-manager.gra9.cloud.ovh.net/v1/secrets/id_cert" --secret="private_key=https://key-manager.gra9.cloud.ovh.net/v1/secrets/id_private_key"
    
    openstack loadbalancer create --name lb-tls --vip-subnet-id PRIVATE_NET_ID
    openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener-tls --default-tls-container=$(openstack secret list | awk '/ MySuperCertificate / {print $2}') lb-tls
    openstack loadbalancer pool create --name pool-tls --lb-algorithm ROUND_ROBIN --listener listener-tls --protocol HTTP
    openstack loadbalancer member create --subnet-id PRIVATE_NET_ID --address IP.BACK.VM.1  --protocol-port 80 pool-tls
    openstack loadbalancer member create --subnet-id PRIVATE_NET_ID --address IP.BACK.VM.2  --protocol-port 80 pool-tls

    We can switch to private for further debugging if you want.

    dbartz
    @dbartz:matrix.org
    [m]
    Hi @TomEros, I am Daniel and was the guy behind Jean-Bernard typing the command ;-).
    Yes, we used another PKCS12, but just to be sure I replayed your commands and found the same issue.
    TomEros
    @TomEros
    Hello @dbartz:matrix.org, let me check if I find something in the logs.
    dbartz
    @dbartz:matrix.org
    [m]
    Note that we already had an issue with that (a few weeks old) public cloud project: at its creation the endpoints of the load balancer were not available. OVH support did add them, but since then we have had these issues. Of course, not sure it is related.
    We may switch to DM if you prefer, but then please keep @jbvanzuylen_gitlab with us.
    TomEros
    @TomEros
    Can you provide me the output with "--debug" so I have all the information (request-id, timestamp) from when you try to create the listener? You can send it to me in private if you want.
    dbartz
    @dbartz:matrix.org
    [m]
    Sent in DM, did you get it?
    TomEros
    @TomEros
    Nope, sorry, I didn't get it.
    TomEros
    @TomEros
    We have identified the problem; we will work to solve it (Barbican API).
    dbartz
    @dbartz:matrix.org
    [m]
    oh great
    dbartz
    @dbartz:matrix.org
    [m]
    @TomEros: could you give an estimate of when it will be solved?
    TomEros
    @TomEros
    @dbartz:matrix.org Hello,
    Normally today or tomorrow
    dbartz
    @dbartz:matrix.org
    [m]
    oki thanks for the update
    TomEros
    @TomEros
    Hello,
    A first fix has been deployed.
    dbartz
    @dbartz:matrix.org
    [m]
    OK, seems to be working properly now. Thank you Tom
    Jean-Bernard van Zuylen
    @jbvanzuylen_gitlab
    @TomEros Any way we can disable weak ciphers?
    TomEros
    @TomEros
    Ah, I will have a look.
    Ok, it's in the Octavia config, I'm going to change that.
    TomEros
    @TomEros
    You can define the TLS ciphers you want on the listener:
    openstack loadbalancer listener set --tls-ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 <listener_id>
    Meanwhile, I am putting those in prod as the default.
    Jean-Bernard van Zuylen
    @jbvanzuylen_gitlab
    @dbartz:matrix.org Would you be able to run this on our LB?
    dbartz
    @dbartz:matrix.org
    [m]
    @jbvanzuylen_gitlab: done
    Jean-Bernard van Zuylen
    @jbvanzuylen_gitlab
    @TomEros We are getting timeouts on our LB. All backends are up and running. Anything going on your side?
    TomEros
    @TomEros
    Hello @jbvanzuylen_gitlab, nothing on our side. Can you give me the LB ID, please?
    Maxime Bourdouxhe
    @mbourdouxhe:matrix.org
    [m]
    @TomEros: LB ID: e783188a-6a75-461a-beba-1e2455efee19
    TomEros
    @TomEros
    Thanks @mbourdouxhe:matrix.org, @jbvanzuylen_gitlab also gave it to me
    Jean-Bernard van Zuylen
    @jbvanzuylen_gitlab
    The problem is fixed now. Thanks @TomEros for the help.
    Jean-Bernard van Zuylen
    @jbvanzuylen_gitlab
    @TomEros 30 minutes ago our LB just stopped working and is now throwing "503 Service Unavailable" errors. Anything happening on your side?
    TomEros
    @TomEros
    Hello @jbvanzuylen_gitlab
    I'm checking
    Grounz
    @Grounz
    Hi, can we use the Octavia load balancer to expose a private Kubernetes cluster in a vRack without having to install an instance with a reverse proxy?