on leader-change, charms that require secrets-storage use token from old leader
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ceph OSD Charm |
Fix Released
|
High
|
Edward Hope-Morley | ||
Charm Helpers |
Fix Released
|
High
|
Edward Hope-Morley | ||
OpenStack Barbican-Vault Charm |
Fix Released
|
High
|
Unassigned | ||
OpenStack Nova Compute Charm |
Fix Released
|
High
|
Edward Hope-Morley | ||
OpenStack Swift Storage Charm |
Fix Released
|
High
|
Edward Hope-Morley |
Bug Description
on a deployment using vault, every time refresh-secrets is issued, the tokens are refreshed and the leader sends the new tokens through relation-data.
If the vault is deployed in HA, upon switching vault leaders (let's say new leader is vault/2 and old leader is vault/0), the old token will remain in the relation data between the units that require secrets-storage (barbican-vault, ceph-osd, ...) and the old leader (vault/0). The new leader (vault/2) will issue new tokens on refresh-secrets action and provide them through relation (vault/2 <=> barbican-vault, ceph-osd), but the requiring units will read the old tokens from the relation-data of the old leader (vault/0 <=> barbican-vault, ceph-osd). Then, it causes the exception below.
The tokens should be read from the new leader (vault/2) instead. As a workaround, if the leader is switched back to vault/0, the problem goes away until vault leader is changed again.
Steps to reproduce:
1) Force vault leadership to lowest numbered unit (Vault/0)
2) Issue new tokens
3) Units will grab tokens from Vault/0 and everything will work fine
4) Force change vault leadership to a higher numbered unit (Vault/2)
5) Issue new tokens
6) Units will grab tokens from lowest value units (Vault/0) and will fail to authenticate
This happens because on both reactive and classic charms, the related unit will loop through the vault units in ascending order and will grab the token from the first unit that has one.
reactive charms: https:/
classic charms: https:/
Sample stacktrace: https:/
Changed in charm-barbican-vault: | |
assignee: | nobody → Rodrigo Barbieri (rodrigo-barbieri2010) |
status: | New → In Progress |
Changed in charm-helpers: | |
assignee: | nobody → Tiago Pasqualini da Silva (tiago.pasqualini) |
tags: | added: sts |
description: | updated |
Changed in charm-helpers: | |
status: | In Progress → Fix Committed |
Changed in charm-ceph-osd: | |
milestone: | 20.01 → 20.02 |
Changed in charm-nova-compute: | |
milestone: | 20.01 → 20.02 |
Changed in charm-swift-storage: | |
milestone: | 20.01 → 20.02 |
Changed in charm-barbican-vault: | |
status: | Fix Committed → Fix Released |
Changed in charm-ceph-osd: | |
status: | Fix Committed → Fix Released |
Changed in charm-nova-compute: | |
status: | Fix Committed → Fix Released |
Changed in charm-swift-storage: | |
status: | Fix Committed → Fix Released |
Changed in charm-helpers: | |
status: | Fix Committed → Fix Released |
Changed in charm-barbican-vault: | |
status: | Fix Released → New |
assignee: | Edward Hope-Morley (hopem) → nobody |
This issue also happens on classic charms. Whenever the Vault leader changes to a higher number unit, the lower number one will have a higher priority, so the charm will get the token from the wrong unit.
In summary, the first unit to have a token will be chosen, but whenever we run the 'refresh-secrets', we need to get the information from the Vault leader.
https:/ /github. com/juju/ charm-helpers/ blob/master/ charmhelpers/ contrib/ openstack/ vaultlocker. py#L44