When trying the glance image signing feature (which requires Barbican), the default settings in /etc/glance/glance-api.conf make glance try to authenticate against http://localhost:5000/v3 with the following logs:
2019-01-09 08:46:17.030 14723 INFO eventlet.wsgi.server [req-7f96961a-13c3-48bc-869a-9ee2dc859e11 d06010a8e709443e9c8de03f41907aba e9aa552c6bec4047bc0428e19bb2b315 - 86bc519f2c18421aa13832e4442e5d5c 86bc519f2c18421aa13832e4442e5d5c] 10.0.8.135 - - [09/Jan/2019 08:46:17] "POST /v2/images HTTP/1.1" 201 1311 0.086067
2019-01-09 08:46:17.088 14723 WARNING keystoneauth.identity.generic.base [req-23ce6884-c5e9-4604-8038-e7d16474185e d06010a8e709443e9c8de03f41907aba e9aa552c6bec4047bc0428e19bb2b315 - 86bc519f2c18421aa13832e4442e5d5c 86bc519f2c18421aa13832e4442e5d5c] Failed to discover available identity versions when contacting http://localhost/identity/v3. Attempting to parse version from URL.: keystoneauth1.exceptions.http.NotFound: Not Found (HTTP 404)
2019-01-09 08:46:17.089 14723 ERROR castellan.key_manager.barbican_key_manager [req-23ce6884-c5e9-4604-8038-e7d16474185e d06010a8e709443e9c8de03f41907aba e9aa552c6bec4047bc0428e19bb2b315 - 86bc519f2c18421aa13832e4442e5d5c 86bc519f2c18421aa13832e4442e5d5c] Error creating Barbican client: Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. Not Found (HTTP 404): keystoneauth1.exceptions.discovery.DiscoveryFailure: Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. Not Found (HTTP 404)
To reproduce:
- Deploy the minimal bundle attached
- Try the example usage section from: https://docs.openstack.org/glance/rocky/user/signature.html#example-usage
- Trying to upload an image with the signing options will fail
Workaround:
- Stop the jujud-unit-glance-0.service
- Modify /etc/glance/glance-api.conf to add a [barbican] section as described in https://docs.openstack.org/glance/rocky/user/signature.html#configuration
- Restart glance-api service
Reviewed: https://review.openstack.org/630278
Committed: https://git.openstack.org/cgit/openstack/charm-glance/commit/?id=10ce2f862b4f34aa0b26c485a716362829f97bf0
Submitter: Zuul
Branch: master
commit 10ce2f862b4f34aa0b26c485a716362829f97bf0
Author: Nicolas Pochet <email address hidden>
Date: Fri Jan 11 15:44:44 2019 +0100
Enable the image signature verification feature
The rationale behind this change is to allow the use of the glance image
signature verification feature.
In order to do so, it is necessary to:
* Add the [barbican] section to `/etc/glance/glance-api.conf` with
keystone endpoint
Change-Id: I1ec0864b0a4ad6381532032830ac4948b74f7771
Closes-Bug: 1811067
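A check for the condition behind both the workaround and the commit above, added here as an example (it is not code from the bug report or from charm-glance): it reads a glance-api.conf body and reports when the Barbican client would authenticate against a loopback keystone endpoint. Assumptions: the option is `auth_endpoint` in `[barbican]`, the deployment sets `auth_url` in `[keystone_authtoken]`, and the sample configs and the `keystone.example` host are constructed.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Endpoint shown in the WARNING log line when no [barbican] section was set.
FALLBACK_AUTH_ENDPOINT = "http://localhost/identity/v3"

# Constructed samples: glance-api.conf before and after the workaround.
SAMPLE_BEFORE = """\
[DEFAULT]
debug = false

[keystone_authtoken]
auth_url = http://keystone.example:35357
"""
SAMPLE_AFTER = SAMPLE_BEFORE + """
[barbican]
auth_endpoint = http://keystone.example:5000/v3
"""


def is_loopback(url):
    """True when the URL host is localhost or a loopback IP address."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name other than localhost


def check_barbican_auth(conf_text):
    """Return (effective_endpoint, findings) for a glance-api.conf body."""
    # strict=False: tolerate repeated options, as service config files may have
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    findings = []
    endpoint = cfg.get("barbican", "auth_endpoint", fallback=None)
    if endpoint is None:
        findings.append("[barbican] auth_endpoint unset, fallback applies")
        endpoint = FALLBACK_AUTH_ENDPOINT
    if is_loopback(endpoint):
        findings.append("Barbican auth endpoint is loopback: " + endpoint)
    keystone = cfg.get("keystone_authtoken", "auth_url", fallback=None)
    if keystone and urlsplit(keystone).hostname != urlsplit(endpoint).hostname:
        findings.append("host differs from [keystone_authtoken] auth_url")
    return endpoint, findings
```

Run against the real file by passing `open("/etc/glance/glance-api.conf").read()` to `check_barbican_auth`; an empty findings list means the Barbican client and Glance's own token validation point at the same keystone host.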