cannot import CA from vault

Bug #1818546 reported by Andrea Ieri on 2019-03-04
This bug affects 2 people
Affects: OpenStack ceilometer charm
Importance: High
Assigned to: Frode Nordahl

Bug Description

In deployments that use vault as a data store for certificates, charms are expected to be able to consume a 'tls-certificates' relation in order to receive CA certificates.

$ juju status --relations vault | grep cert
vault:certificates aodh:certificates tls-certificates regular
vault:certificates ceph-radosgw:certificates tls-certificates regular
vault:certificates cinder:certificates tls-certificates regular
vault:certificates designate:certificates tls-certificates regular
vault:certificates glance:certificates tls-certificates regular
vault:certificates gnocchi:certificates tls-certificates regular
vault:certificates heat:certificates tls-certificates regular
vault:certificates keystone:certificates tls-certificates regular
vault:certificates neutron-api:certificates tls-certificates regular
vault:certificates nova-cloud-controller:certificates tls-certificates regular
vault:certificates openstack-dashboard:certificates tls-certificates regular

The ceilometer charm does not implement such a relation, and is thus unable to validate the keystone certificate.

The workaround is to explicitly set ssl_ca in the ceilometer charm for now.
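
A way to check a model for other applications with the same gap, as an added example that is not part of the original report or the charm's code: it parses relation lines in the format shown above and prints each named application that has no tls-certificates relation to vault. The sample relation lines and the application list passed in are constructed for illustration.

```shell
#!/bin/sh
# Added example: find applications lacking a tls-certificates relation to
# vault, from `juju status --relations` relation lines.

# Constructed sample input, modelled on the relation lines in the report.
# The last line is a non-certificate relation and must be ignored.
SAMPLE_RELATIONS='vault:certificates aodh:certificates tls-certificates regular
vault:certificates glance:certificates tls-certificates regular
vault:certificates keystone:certificates tls-certificates regular
keystone:identity-credentials ceilometer:identity-credentials keystone-credentials regular'

# apps_with_vault_ca: read relation lines on stdin and print the requirer
# application of every vault:certificates / tls-certificates relation.
apps_with_vault_ca() {
    awk '$1 == "vault:certificates" && $3 == "tls-certificates" {
             split($2, req, ":"); print req[1]
         }' | sort -u
}

# missing_vault_ca RELATIONS_TEXT APP...: print each APP that does not
# appear as a requirer of vault:certificates in RELATIONS_TEXT.
missing_vault_ca() {
    relations=$1; shift
    covered=$(printf '%s\n' "$relations" | apps_with_vault_ca)
    for app in "$@"; do
        # -x: whole-line match, -F: fixed string, so "nova" != "nova-compute"
        printf '%s\n' "$covered" | grep -qxF -- "$app" || printf '%s\n' "$app"
    done
}

# Against a live model the application list is the operator's own, e.g.:
#   missing_vault_ca "$(juju status --relations vault)" keystone glance ceilometer
missing_vault_ca "$SAMPLE_RELATIONS" aodh glance keystone ceilometer
```

Any application printed has no CA from vault and needs either the relation (once its charm supports it) or an explicit ssl_ca setting, as in the workaround above.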

Andrea Ieri (aieri) wrote :

Subscribing field-high, this affects all new deployments using vault

tags: added: cpe-onsite
James Page (james-page) on 2019-03-05
Changed in charm-ceilometer:
status: New → Triaged
importance: Undecided → High
assignee: nobody → James Page (james-page)
Frode Nordahl (fnordahl) on 2019-03-18
Changed in charm-ceilometer:
assignee: James Page (james-page) → Frode Nordahl (fnordahl)

Fix proposed to branch: master
Review: https://review.openstack.org/643951

Changed in charm-ceilometer:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/643951
Committed: https://git.openstack.org/cgit/openstack/charm-ceilometer/commit/?id=7ca09a1793dd8806adf35986160cf7c7e658fa70
Submitter: Zuul
Branch: master

commit 7ca09a1793dd8806adf35986160cf7c7e658fa70
Author: Frode Nordahl <email address hidden>
Date: Mon Mar 18 14:04:43 2019 +0100

    Add support for tls-certificates relation

    Add support for the charm to request and receive certificates from
    the tls-certificates relation.

    Add missing direct ``amqp`` relation between ``ceilometer-agent``
    and ``rabbitmq-server``

    Change-Id: I931f5d3fcbf28e85b1a8e3e7cf24d13cf741e4bd
    Closes-Bug: #1818546

Changed in charm-ceilometer:
status: In Progress → Fix Committed
James Page (james-page) on 2019-04-17
Changed in charm-ceilometer:
milestone: none → 19.04
David Ames (thedac) on 2019-04-17
Changed in charm-ceilometer:
status: Fix Committed → Fix Released