Description of problem: glance_registry haproxy config doesn't have any bind directive with an ssl enabled overcloud: Version-Release number of selected component (if applicable): openstack-tripleo-heat-templates-0.8.6-117.el7ost.noarch How reproducible: 100% Steps to Reproduce: [root@overcloud-controller-0 ~]# grep -A 5 glance_registry /etc/haproxy/haproxy.cfg listen glance_registry server overcloud-controller-0 192.168.100.13:9191 check fall 5 inter 2000 rise 2 server overcloud-controller-1 192.168.100.12:9191 check fall 5 inter 2000 rise 2 server overcloud-controller-2 192.168.100.16:9191 check fall 5 inter 2000 rise 2
I think glance-registry doesn't need to have an SSL binding because it's not user-facing service. It is only glance-api calling it.
The issue is that there's no binding that uses the internal api vip. The config files are set up with the local ips thus the glance registry requests don't get balanced: [root@overcloud-controller-0 ~]# grep -A 5 glance_registry /etc/haproxy/haproxy.cfg listen glance_registry server overcloud-controller-0 192.168.100.13:9191 check fall 5 inter 2000 rise 2 server overcloud-controller-1 192.168.100.12:9191 check fall 5 inter 2000 rise 2 server overcloud-controller-2 192.168.100.16:9191 check fall 5 inter 2000 rise 2 [root@overcloud-controller-0 ~]# grep registry_host /etc/glance/* /etc/glance/glance-api.conf:#registry_host=0.0.0.0 /etc/glance/glance-api.conf:registry_host=192.168.100.13 /etc/glance/glance-cache.conf:#registry_host=0.0.0.0 /etc/glance/glance-cache.conf:registry_host=192.168.100.13 /etc/glance/glance-scrubber.conf:#registry_host=0.0.0.0
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.
I believe you are asking the wrong person.. (I'm Amit Aviram, aaviram)