OpenStack Keystone Charm

identity-credentials relation data not updated (except credentials_password)

Bug #1848456 reported by Alvaro Uria
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Keystone Charm
Expired
Undecided
Unassigned

Bug Description

We have a charm [0] that uses charm-interface-keystone-credentials [1] to request a user without endpoints ("nagios") and it then configures a novarc file with the retrieved data.

When the keystone admin password is changed, identity-credentials-changed will be triggered and the new password is seen on relation_get.

However, other information like auth_host, auth_protocol or credentials_host are not updated. The code involved is [2][3].

[*] Steps followed:
juju config openstack-service-checks trusted_ssl_ca=...
juju config keystone ssl_ca=... ssl_cert=... ssl_key=... os-public-hostname=... os-admin-hostname=... os-internal-hostname=...

[*] Workaround:
(1) juju remove-application openstack-service-checks
(2) Redeploy the removed app on (1)
Note: see pastebin [4]. Removing the unit and adding it again (without removing the app) didn't work.

0. https://git.launchpad.net/charm-openstack-service-checks/tree/reactive/openstack_service_checks.py#n52
1. https://github.com/openstack/charm-interface-keystone-credentials/blob/master/requires.py
2. https://github.com/openstack/charm-keystone/blob/stable/19.07/hooks/keystone_hooks.py#L483
3. https://github.com/openstack/charm-keystone/blob/stable/19.07/hooks/keystone_utils.py#L1594
4. https://pastebin.ubuntu.com/p/krjRTJKy72/

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

I suspect that the ordering of the calls to juju is significant. i.e. if the juju config keystone is done first and allowed to settle prior to the juju config openstack-service-checks then the keystone will "know" it is SSL prior to the hook from openstack-service-checks firing.

However, there would appear be a race hazard if the above is the case. Probably both code paths (config-changed and identity-credentials-changed) should be investigated so that both end up (on keystone) triggering/writing the correct information to the relation for openstack-service-checks charm to consume properly.

Please could you check to see if keystone is done first (and settles) whether the problem clears or a different issue arises?

Changed in charm-keystone:
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack keystone charm because there has been no activity for 60 days.]

Changed in charm-keystone:
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.