manage-security-groups=true breaks non-admin tenants
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Openstack Integrator Charm | Fix Released | High | Edward Hope-Morley |
Bug Description
I have deployed Kubernetes using a non-admin tenant in OpenStack (a fairly common use-case, I think) and I have enabled manage-security-groups to allow Kubernetes (via the openstack provider) to update security groups for services deployed, e.g. to open ports. The problem is that when this is enabled, the openstack-
This fails [1] because the security group is not owned by the (non-admin in my case) project in use by the openstack-
A recent commit [2] from bug 1868062 extended this to open the port the LB is created to listen on - something that Octavia should have done automatically.
If I understand correctly, both this and [2] were created for the use-case where the security group used with the loadbalancer has not been created by Octavia (and I'm not sure how that is even possible; perhaps this was with the older/deprecated neutron lbaasv2).
There is an easy way to fix this, i.e. only perform these operations if the loadbalancer security group was created by the charm. I still question why the charm even needs to support that use case though, because if using Octavia, all of this should have been set up by Octavia itself, so the fact that it hasn't perhaps highlights a more fundamental problem.
[1] https:/
[2] https:/
tags: | added: sts |
description: | updated |
summary: |
- Charm error when trying to update port |
+ manage-security-groups=true breaks non-admin tenants |
description: | updated |
Changed in charm-openstack-integrator: | |
assignee: | nobody → Edward Hope-Morley (hopem) |
status: | New → In Progress |
Changed in charm-openstack-integrator: | |
importance: | Undecided → High |
tags: | added: review-needed |
Changed in charm-openstack-integrator: | |
milestone: | none → 1.19 |
status: | In Progress → Fix Committed |
tags: | removed: review-needed |
Changed in charm-openstack-integrator: | |
status: | Fix Committed → Fix Released |
Patch submitted: https://github.com/juju-solutions/charm-openstack-integrator/pull/39