
why is octavia not using keystone public endpoint to validate tokens?

asked 2020-02-12 02:37:37 -0600

vedant31

I have deployed octavia in a container-based setup.

The network design is such that octavia can only reach openstack core services using public endpoints. I have configured keystone public endpoints under [keystone_auth]. On issuing the openstack loadbalancer list command, the octavia api logs show:

CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Unable to establish connection to http://192.168.62.195/v3/auth/tokens: HTTPConnectionPool(host='192.168.62.195', port=80): Max retries exceeded with url: /v3/auth/tokens (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7f5a795fd190>: Failed to establish a new connection: [Errno 110] Connection timed out',)): ConnectFailure: Unable to establish connection to http://192.168.62.195/v3/auth/tokens: HTTPConnectionPool(host='192.168.62.195', port=80): Max retries exceeded with url: /v3/auth/tokens (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7f5a795fd190>: Failed to establish a new connection: [Errno 110] Connection timed out',))

I am stuck at this point where I don't know which configuration would force octavia to use the public endpoint to validate tokens instead of the admin url. Thanks in advance.


1 answer


answered 2020-02-17 15:09:10 -0600

johnsom

updated 2020-02-18 23:55:17 -0600

zaneb

Hi there,

There are two settings in Octavia that you will need to set for Octavia when using an alternate keystone endpoint:

For the keystone client code, it is:

[keystone_authtoken]
auth_url = https://<ip address>/identity

(I just noticed this is not in the keystonemiddleware configuration documentation we import, how odd)

As well as:

interface = public

(however this is not as important for this section) - (https://docs.openstack.org/octavia/la...)

It is also a good practice to set www_authenticate_uri (https://docs.openstack.org/octavia/la...)

The [keystone_authtoken] section is how Octavia validates tenant tokens and comes directly from the keystone client.

You will also need to configure the [service_auth] section. This is how Octavia gets a token to use with other OpenStack services such as nova and neutron.

[service_auth]
auth_url = https://<ip address>/identity

(https://docs.openstack.org/octavia/la...)

As well as:

interface = public

Michael
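As an added example (not part of the original answer and not Octavia's own code), this Python check reads an octavia.conf and reports which of the settings named in the answer are missing or not set to public. The function name check_octavia_conf, the host keystone.example.test and the sample config are constructed for illustration.

```python
import configparser

# Options the answer above says to set, per section of octavia.conf.
REQUIRED = {
    "keystone_authtoken": ("auth_url", "interface"),
    "service_auth": ("auth_url", "interface"),
}
RECOMMENDED = {"keystone_authtoken": ("www_authenticate_uri",)}

# Constructed sample config (not from the page): one interface is unset,
# the other points at a non-public interface.
SAMPLE = """\
[keystone_authtoken]
auth_url = https://keystone.example.test/identity

[service_auth]
auth_url = https://keystone.example.test/identity
interface = internal
"""


def check_octavia_conf(text, want_interface="public"):
    """Return a list of findings for octavia.conf content given as a string."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    for section, options in REQUIRED.items():
        if not cfg.has_section(section):
            findings.append(f"[{section}] section missing")
            continue
        for opt in options:
            if not cfg.get(section, opt, fallback="").strip():
                findings.append(f"[{section}] {opt} not set")
        iface = cfg.get(section, "interface", fallback="").strip()
        if iface and iface != want_interface:
            findings.append(f"[{section}] interface = {iface}, expected {want_interface}")
        for opt in RECOMMENDED.get(section, ()):
            if not cfg.get(section, opt, fallback="").strip():
                findings.append(f"[{section}] {opt} not set (recommended)")
    return findings


if __name__ == "__main__":
    for finding in check_octavia_conf(SAMPLE):
        print(finding)
```

A config whose section name differs from the two the answer names is reported as a missing section, so a misspelled header is caught before the service is restarted.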
