placement not loading CA if vault is deployed in HA configuration
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Placement Charm | New | Undecided | Unassigned |
Bug Description
When deploying placement charm in a bundle with Vault in HA configuration (with hacluster), placement charm is getting stuck on running hooks with the following error:
Traceback (most recent call last):
File "/var/lib/
_render(
File "/var/lib/
charmhelper
File "/var/lib/
content = template.
File "/var/lib/
self.
File "/var/lib/
raise rewrite_
File "templates/
{% if options.endpoints -%}
File "/var/lib/
return getattr(obj, attribute)
File "/var/lib/
int_port = ch_cluster.
File "/var/lib/
if https():
File "/var/lib/
cert_
File "/var/lib/
'ca': data['ca'],
KeyError: 'ca'
This happens when the vault leader is not the first vault charm in the related_units(rid) list, because only the leader charm contains the CA and certificates information.
$ juju status placement --relations
Model Controller Cloud/Region Version SLA Timestamp
openstack maas-controller maas/default 2.9.43 unsupported 16:32:29+03:00
App Version Status Scale Charm Channel Rev Exposed Message
placement 9.0.0 error 1 placement 2023.1/stable 87 no hook failed: "shared-
placement-
Unit Workload Agent Machine Public address Ports Message
placement/9* error idle 3/lxd/20 172.30.193.62 8778/tcp hook failed: "shared-
placement-
Machine State Address Inst id Series AZ Message
3 started 172.30.191.11 cloud1 jammy default Deployed
3/lxd/20 started 172.30.193.62 juju-b1ca20-
Relation provider Requirer Interface Type Message
keystone:
mysql-innodb-
placement-
placement:cluster placement:cluster openstack-ha peer
placement:placement nova-cloud-
vault:certificates placement:
$ juju status vault --relations
Model Controller Cloud/Region Version SLA Timestamp
openstack maas-controller maas/default 2.9.43 unsupported 16:35:17+03:00
App Version Status Scale Charm Channel Rev Exposed Message
vault 1.7.9 active 3 vault 1.7/stable 107 no Unit is ready (active: true, mlock: disabled)
vault-hacluster active 3 hacluster 2.4/stable 120 no Unit is ready and clustered
vault-mysql-router 8.0.33 active 3 mysql-router 8.0/stable 90 no Unit is ready
Unit Workload Agent Machine Public address Ports Message
vault/0 active idle 3/lxd/14 172.30.193.40 8200/tcp Unit is ready (active: true, mlock: disabled)
vault-hacluster/1 active idle 172.30.193.40 Unit is ready and clustered
vault-
vault/1 active idle 4/lxd/13 172.30.193.48 8200/tcp Unit is ready (active: false, mlock: disabled)
vault-hacluster/2 active idle 172.30.193.48 Unit is ready and clustered
vault-
vault/2* active idle 5/lxd/13 172.30.193.2 8200/tcp Unit is ready (active: false, mlock: disabled)
vault-
vault-
Machine State Address Inst id Series AZ Message
3 started 172.30.191.11 cloud1 jammy default Deployed
3/lxd/14 started 172.30.193.40 juju-b1ca20-
4 started 172.30.191.12 cloud2 jammy default Deployed
4/lxd/13 started 172.30.193.48 juju-b1ca20-
5 started 172.30.191.13 cloud3 jammy default Deployed
5/lxd/13 started 172.30.193.2 juju-b1ca20-
Relation provider Requirer Interface Type Message
etcd:db vault:etcd etcd regular
mysql-innodb-
vault-hacluster:ha vault:ha hacluster subordinate
vault-hacluster
vault-mysql-
vault:certificates ceph-radosgw:
vault:certificates cinder:certificates tls-certificates regular
vault:certificates glance:certificates tls-certificates regular
vault:certificates keystone:
vault:certificates mysql-innodb-
vault:certificates neutron-
vault:certificates neutron-
vault:certificates nova-cloud-
vault:certificates openstack-
vault:certificates ovn-central:
vault:certificates placement:
vault:cluster vault:cluster vault-ha peer
$ juju run -u placement/9 -- relation-get -r 126 - vault/0
egress-subnets: 172.30.193.40/32
ingress-address: 172.30.193.40
private-address: 172.30.193.40
$ juju run -u placement/9 -- relation-get -r 126 - vault/1
egress-subnets: 172.30.193.48/32
ingress-address: 172.30.193.48
private-address: 172.30.193.48
(this is a test environment with vault generated certificates, so there is no sensitive information)
$ juju run -u placement/9 -- relation-get -r 126 - vault/2
ca: |-
client.cert: |-
client.key: |-
egress-subnets: 172.30.193.2/32
ingress-address: 172.30.193.2
placement_
placement_
private-address: 172.30.193.2
Checking the Python script which is generating the error, we can see that the failure happens because there is no data['ca'] available in the first vault unit.
I have made a small modification in my /var/lib/
' if 'ca' in data.keys(): '
Original function:
def get_requests_
    """Extract any certificates data targeted at this unit down relation_name.
    :param relation_name: str Name of relation to check for data.
    :returns: List of bundles of certificates.
    :rtype: List of dicts
    """
    local_name = local_unit(
    raw_certs_key = '{}.processed_
    relation_name = relation_name or 'certificates'
    bundles = []
    for rid in relation_
        sent = relation_
        legacy_keys = ['certificate_
        for unit in related_units(rid):
            data = relation_
            if data.get(
    return bundles
Modified function:
def get_requests_
    """Extract any certificates data targeted at this unit down relation_name.
    :param relation_name: str Name of relation to check for data.
    :returns: List of bundles of certificates.
    :rtype: List of dicts
    """
    local_name = local_unit(
    raw_certs_key = '{}.processed_
    relation_name = relation_name or 'certificates'
    bundles = []
    for rid in relation_
        sent = relation_
        legacy_keys = ['certificate_
        for unit in related_units(rid):
            data = relation_
            if 'ca' in data.keys():
                if data.get(
    return bundles
This "fix" would probably have been easier to do by modifying "ca: data['ca']" to "ca: data.get('ca')", but I wanted a line which I can easily comment.
Thank you for your support,
Alex
tags: added: ca ha juju placement vault
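The failure and the guard described in the report above, reduced to a stand-alone model. This is an added example, not charmhelpers code and not the reporter's patch; the relation data is constructed from the relation-get output shown above, and `CERTS_KEY`, `related_units()` and the bundle helpers are hypothetical stand-ins.

```python
import json

CERTS_KEY = "issued_certs"  # hypothetical key name, assumed for this example

# Constructed relation data modelled on the report: vault/0 and vault/1 publish
# only addresses; the leader (vault/2) also publishes the CA and the certificates.
RELATION_DATA = {
    "vault/0": {"ingress-address": "172.30.193.40"},
    "vault/1": {"ingress-address": "172.30.193.48"},
    "vault/2": {
        "ingress-address": "172.30.193.2",
        "ca": "<CA PEM placeholder>",
        CERTS_KEY: '{"placement.example": {"cert": "<PEM>", "key": "<PEM>"}}',
    },
}

def related_units():
    """Stand-in for the hook tool: units in relation order, leader last."""
    return list(RELATION_DATA)

def bundle_strict(data):
    # Indexing raises KeyError for any unit that has not published a CA.
    return {"ca": data["ca"], "certs": json.loads(data.get(CERTS_KEY, "{}"))}

def bundle_lenient(data):
    # .get() never raises, but yields a bundle whose CA is None.
    return {"ca": data.get("ca"), "certs": json.loads(data.get(CERTS_KEY, "{}"))}

def collect(make_bundle, require_ca=False):
    bundles = []
    for unit in related_units():
        data = RELATION_DATA[unit]
        if require_ca and "ca" not in data:
            continue  # nothing published by this unit: skip it
        bundles.append(make_bundle(data))
    return bundles

def demo():
    try:
        collect(bundle_strict)
        strict = "ok"
    except KeyError as exc:
        strict = "KeyError: {}".format(exc)
    return strict, collect(bundle_lenient), collect(bundle_strict, require_ca=True)

if __name__ == "__main__":
    strict, lenient, guarded = demo()
    print(strict)
    print("lenient bundles without a CA:", sum(b["ca"] is None for b in lenient))
    print("guarded bundles:", len(guarded))
```

With `data.get('ca')` the loop no longer raises but returns two bundles whose CA is None, which the caller then has to handle. The `'ca' in data` guard returns only the leader's complete bundle.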
Hi,
An update:
This is probably a Juju issue, as I have encountered the same problem with Magnum and Gnocchi charms as well.
Regards,
Alex