OpenStack Glance Charm

Integration with Barbican requires extra auth_endpoint field and barbican section

Bug #1811067 reported by Nicolas Pochet on 2019-01-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Glance Charm	Fix Released	Medium	Unassigned	OpenStack Glance Charm 19.04

Bug Description

When trying the glance image signing feature (which requires Barbican), the default settings in /etc/glance/glance-api.conf make glance try to authenticate against http://localhost:5000/v3 with the following logs:

2019-01-09 08:46:17.030 14723 INFO eventlet.wsgi.server [req-7f96961a-13c3-48bc-869a-9ee2dc859e11 d06010a8e709443e9c8de03f41907aba e9aa552c6bec4047bc0428e19bb2b315 - 86bc519f2c18421aa13832e4442e5d5c 86bc519f2c18421aa13832e4442e5d5c] 10.0.8.135 - - [09/Jan/2019 08:46:17] "POST /v2/images HTTP/1.1" 201 1311 0.086067
2019-01-09 08:46:17.088 14723 WARNING keystoneauth.identity.generic.base [req-23ce6884-c5e9-4604-8038-e7d16474185e d06010a8e709443e9c8de03f41907aba e9aa552c6bec4047bc0428e19bb2b315 - 86bc519f2c18421aa13832e4442e5d5c 86bc519f2c18421aa13832e4442e5d5c] Failed to discover available identity versions when contacting http://localhost/identity/v3. Att$mpting to parse version from URL.: keystoneauth1.exceptions.http.NotFound: Not Found (HTTP 404)
2019-01-09 08:46:17.089 14723 ERROR castellan.key_manager.barbican_key_manager [req-23ce6884-c5e9-4604-8038-e7d16474185e d06010a8e709443e9c8de03f41907aba e9aa552c6bec4047bc0428e19bb2b315 - 86bc519f2c18421aa13832e4442e5d5c 86bc519f2c18421aa13832e4442e5d5c] Error creating Barbican client: Could not find versioned identity endpoints when attemptin$ to authenticate. Please check that your auth_url is correct. Not Found (HTTP 404): keystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. Not Found (HTTP 404)

To reproduce:
- Deploy the minimal bundle attached
- Try the example usage section from: https://docs.openstack.org/glance/rocky/user/signature.html#example-usage
- Try to upload an image with the signing options will fail

Workaround:
- Stop the jujud-unit-glance-0.service
- Modify /etc/glance/glance-api.conf to add a [barbican] section as described in https://docs.openstack.org/glance/rocky/user/signature.html#configuration
- Restart glance-api service

See original description

Revision history for this message

Nicolas Pochet (npochet) wrote on 2019-01-09:

minimal-glance-barbican-bundle Edit (1.3 KiB, text/plain)

Nicolas Pochet (npochet) on 2019-01-09

description:

updated

Nicolas Pochet (npochet) on 2019-01-17

no longer affects:

charm-barbican

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-01-17: Fix merged to charm-glance (master)

Reviewed: https://review.openstack.org/630278
Committed: https://git.openstack.org/cgit/openstack/charm-glance/commit/?id=10ce2f862b4f34aa0b26c485a716362829f97bf0
Submitter: Zuul
Branch: master

commit 10ce2f862b4f34aa0b26c485a716362829f97bf0
Author: Nicolas Pochet <email address hidden>
Date: Fri Jan 11 15:44:44 2019 +0100

Enable the image signature verification feature

    The rationale behind this change is to allow the use of the glance image
    signature verification feature.
    In order to do so, it is necessary to:
    * Add the [barbican] section to `/etc/glance/glance-api.conf` with
    keystone endpoint

Change-Id: I1ec0864b0a4ad6381532032830ac4948b74f7771
Closes-Bug: 1811067