Octavia is blocked with "Certificates missing" status message

Bug #1934285 reported by Przemyslaw Hausman
Affects: OpenStack Octavia Charm
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Charm revision: 34

Octavia expects a relation with vault:certificates. If this relation is not present, octavia goes into blocked state with "Certificates missing" status message.

This makes it impossible to successfully deploy octavia in the following use cases:
- no TLS present at all (no vault:certificates relation, no ssl_* config options defined),
- TLS certificates provided with ssl_* config options.

I think this regression has been introduced by this commit: https://opendev.org/openstack/charm-octavia/commit/bc0f83fee6af481324f2f9c7e8f01a5c3bde991c

When I downgraded the octavia charm to revision 31 (which does not include the above commit), the problem went away.

Przemyslaw Hausman (phausman) wrote :

I can still see this issue on a different deployment. Again, the workaround is to downgrade to charm revision 31.

Felipe Reyes (freyes) wrote :

Hi, could you share the bundle you are using? I ask because the commit you reference in the description aimed to block octavia when OVN is part of the deployment, since OVN requires vault/easyrsa to work. A more detailed description can be found at https://bugs.launchpad.net/charm-octavia/+bug/1885936/comments/10 and https://bugs.launchpad.net/charm-octavia/+bug/1885936/comments/12

I'm going to set the bug as incomplete; feel free to set it back to NEW once the bundle is available ;-) .

Changed in charm-octavia:
status: New → Incomplete
Przemyslaw Hausman (phausman) wrote :

Hi Felipe, thanks for looking into that. Please see my bundle here:
https://drive.google.com/file/d/1aWlYCncDDVOLfK3WOYagb-2k7iShh3ri/view?usp=sharing

Changed in charm-octavia:
status: Incomplete → New
Felipe Reyes (freyes) wrote :

I had some discussion off band with Przemyslaw, and the issue is that this environment has configured TLS for octavia using ssl_* config options, since those certificates were generated by a different team/department, and Vault is only part of the environment to configure OVN services.

So this bug is effectively a duplicate of https://bugs.launchpad.net/charm-octavia/+bug/1918271 , the fix for that bug was to retrieve the certificates of the ovn chassis through the relation. This fix will be available in the 21.10 release.
