vault stops answering barbican-vault's token request
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Barbican-Vault Charm | New | Undecided | Unassigned | |
Bug Description
Vault can find its way into situations where barbican's CIDR/secrets_
This leaves the barbican unit unable to answer requests for secrets. The logs in barbican-api.log leave a lot to be desired [1]. Essentially, there's nothing catching bad responses for a token from vault. See this [2]
To debug the issue, we had to issue our own curl from the barbican unit:
```
cat /etc/barbican/
secret=<secret>
role=<role>
vault_url=
curl -vv -XPOST $vault_
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 10.191.5.28...
* TCP_NODELAY set
* Connected to 10.191.5.28 (10.191.5.28) port 8200 (#0)
> POST /v1/auth/
> Host: 10.191.5.28:8200
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 104
>
* upload completely sent off: 104 out of 104 bytes
< HTTP/1.1 400 Bad Request
< Cache-Control: no-store
< Content-Type: application/json
< Date: Wed, 07 Apr 2021 20:27:47 GMT
< Content-Length: 119
<
{"errors":["source address \"10.191.5.91\" unauthorized through CIDR restrictions on the secret ID: \u003cnil\u003e"]}
```
As you can see, vault is rejecting the barbican unit. The only workaround was to deploy a new barbican unit and remove the old one:
```
juju config hacluster-barbican cluster_count=4
juju add-unit barbican --to lxd:<bad-
# wait for stable
juju remove-unit barbican/<bad-unit>
juju config hacluster-barbican cluster_count=3
# wait for stable
```
[1] https:/
[2] https:/
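
The report's point that nothing catches a bad token response from vault, shown as an added Python example (not part of the bug report and not Barbican or charm code): it checks a Vault login response before using it and surfaces Vault's `errors` array. The function and class names are hypothetical, the rejected body is the one from the curl output above, and the success body is constructed.

```python
import json


class VaultLoginError(Exception):
    """Raised when Vault does not return a usable client token."""

    def __init__(self, status, errors):
        self.status = status
        self.errors = errors
        # True when Vault refused the caller's source address (the case in this report).
        self.cidr_rejected = any("CIDR restrictions" in e for e in errors)
        detail = "; ".join(errors) or "no error detail"
        super().__init__(f"vault login failed (HTTP {status}): {detail}")


def client_token_from_login(status, body):
    """Return auth.client_token from a Vault login response, or raise VaultLoginError."""
    try:
        doc = json.loads(body) if body else {}
    except ValueError:
        raise VaultLoginError(status, [f"non-JSON body: {body[:80]!r}"])
    if not isinstance(doc, dict):
        raise VaultLoginError(status, ["unexpected JSON type in response"])
    errors = [str(e) for e in (doc.get("errors") or [])]
    if status != 200 or errors:
        raise VaultLoginError(status, errors)
    token = (doc.get("auth") or {}).get("client_token")
    if not token:
        raise VaultLoginError(status, ["response has no auth.client_token"])
    return token


# Body copied from the curl output in the report above.
REJECTED_BODY = (
    r'{"errors":["source address \"10.191.5.91\" unauthorized through '
    r'CIDR restrictions on the secret ID: \u003cnil\u003e"]}'
)
# Constructed success response; the token value is a placeholder.
OK_BODY = '{"auth": {"client_token": "s.EXAMPLE-PLACEHOLDER", "lease_duration": 3600}}'

if __name__ == "__main__":
    print(client_token_from_login(200, OK_BODY))
    try:
        client_token_from_login(400, REJECTED_BODY)
    except VaultLoginError as exc:
        print(exc, "| cidr_rejected =", exc.cidr_rejected)
```

Logging the raised exception at the point where the token is requested would put the CIDR rejection message in the service log instead of requiring a manual curl from the unit.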