vault is not using vip to communicate with other services
Bug #1878035 reported by
Ashley Lai
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
vault-charm |
Fix Released
|
Medium
|
David Ames |
Bug Description
On the deployment, barbican-vault is communicating with vault using the internal IP instead of the vip.
2020-05-09 19:01:08 INFO juju-log secrets-storage:53: Retrieving secret-id from vault (https:/
artifacts can be found on the bottom of the link:
https:/
summary: |
- vault is not using vip to communicate with others services + vault is not using vip to communicate with other services |
Changed in vault-charm: | |
assignee: | nobody → David Ames (thedac) |
Changed in vault-charm: | |
status: | In Progress → Fix Committed |
Changed in vault-charm: | |
status: | Fix Committed → Fix Released |
To post a comment you must log in.
The log message is from barbican-vault which simply uses a URL from the interface code
https:/ /opendev. org/openstack/ charm-barbican- vault/src/ commit/ 5eb8923ec028d9f 480fa97f281c54c 38c8dc09ef/ src/reactive/ barbican_ vault_handlers. py#L41
The interface code simply passes it through as well: /github. com/openstack- charmers/ charm-interface -vault- kv/blob/ 5e71b61c1ddb6ec aade2b6675a5d8c f26655d7b0/ requires. py#L92- L98 /github. com/openstack- charmers/ charm-interface -vault- kv/blob/ 5e71b61c1ddb6ec aade2b6675a5d8c f26655d7b0/ provides. py#L41- L60
https:/
https:/
At the vault side, the content of a published URL depends on whether a relation to charm-hacluster is present or not:
https:/ /opendev. org/openstack/ charm-vault/ src/commit/ 324d5f638110876 993d6b584e9b222 0558049a10/ src/reactive/ vault_handlers. py#L504- L525
I think it is safe to say that if a VIP is configured and the ha.available flag is not set then we should not expose a URL and wait until ha.available is set.
Triaging based on the above.