glance-simplestreams-sync does not support getting certificates from vault

Bug #1843482 reported by Dmitrii Shcherbakov
This bug affects 1 person
Affects: OpenStack Glance-Simplestreams-Sync Charm
Status: Fix Released
Importance: High
Assigned to: Joe Guo
Milestone: (none shown)

Bug Description

gss charm does not support getting certificates from Vault if it is used for OpenStack TLS termination.

root@juju-4348e8-0-lxd-4:~# /usr/share/glance-simplestreams-sync/glance-simplestreams-sync.py
Traceback (most recent call last):
  File "/usr/share/glance-simplestreams-sync/glance-simplestreams-sync.py", line 510, in <module>
    main()
  File "/usr/share/glance-simplestreams-sync/glance-simplestreams-sync.py", line 448, in main
    ksc = get_keystone_client(id_conf['api_version'])
  File "/usr/share/glance-simplestreams-sync/glance-simplestreams-sync.py", line 205, in get_keystone_client
    return ksc_class(**ksc_vars)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/v3/client.py", line 250, in __init__
    self.authenticate()
  File "/usr/lib/python2.7/dist-packages/keystoneclient/httpclient.py", line 578, in authenticate
    resp = self.get_raw_token_from_identity_service(**kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/v3/client.py", line 336, in get_raw_token_from_identity_service
    _('Authorization failed: %s') % e)
keystoneauth1.exceptions.auth.AuthorizationFailure: Authorization failed: SSL exception connecting to https://keystone.maas:5000/v3/auth/tokens: HTTPSConnectionPool(host='keystone.maas', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),))

juju status glance-simplestreams-sync
Model      Controller  Cloud/Region  Version  SLA          Timestamp
openstack  samaas      samaas        2.6.8    unsupported  18:59:55Z

App                         Version  Status   Scale  Charm                       Store       Rev  OS      Notes
glance-simplestreams-sync            blocked      1  glance-simplestreams-sync   jujucharms   23  ubuntu
octavia-diskimage-retrofit  0.9.5    active       1  octavia-diskimage-retrofit  jujucharms    2  ubuntu

Unit                             Workload  Agent  Machine  Public address  Ports  Message
glance-simplestreams-sync/0*     blocked   idle   0/lxd/4  10.232.24.12           Image sync failed, retrying soon.
  octavia-diskimage-retrofit/0*  active    idle            10.232.24.12           Unit is ready

Machine  State    DNS           Inst id              Series  AZ  Message
0        started  10.232.1.78   adze                 bionic  z1  Deployed
0/lxd/4  started  10.232.24.12  juju-4348e8-0-lxd-4  bionic  z1  Container started

Tags: cdo-qa
Dmitrii Shcherbakov (dmitriis) wrote :

cross-referencing the bug about ssl_ca & config-changed: https://bugs.launchpad.net/charm-glance-simplestreams-sync/+bug/1843484

tags: added: cdo-qa
Dmitrii Shcherbakov (dmitriis) wrote :

Subscribed field-medium as glance-simplestreams-sync usage is mentioned in the official guide for using octavia-diskimage-retrofit:

https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-octavia.html#amphora-image

Joe Guo (guoqiao)
Changed in charm-glance-simplestreams-sync:
assignee: nobody → Joe Guo (guoqiao)
David Ames (thedac)
Changed in charm-glance-simplestreams-sync:
status: New → In Progress
importance: Undecided → High
milestone: none → 19.10
Joe Guo (guoqiao) wrote :

This should have been fixed by my recent patch (merged):

https://review.opendev.org/#/c/680903/

Changed in charm-glance-simplestreams-sync:
status: In Progress → Fix Committed
David Ames (thedac)
Changed in charm-glance-simplestreams-sync:
status: Fix Committed → Fix Released