gss relies on service_host (public api) endpoints ignoring ingress-address for the identity endpoint

Bug #1786232 reported by Dmitrii Shcherbakov
This bug affects 1 person
Affects Status Importance Assigned to Milestone
glance-simplestreams-sync (Juju Charms Collection)

Bug Description

ingress address provided by keystone is (oam-space) while service_host is (public space)

The LXD container used by GSS will only have an oam interface causing a silent connection failure as gss doesn't report anything via its status:

juju deploy cs:bionic/glance-simplestreams-sync --to lxd:4 --bind oam-space

  File "./", line 495, in <module>
  File "./", line 433, in main
    ksc = get_keystone_client(id_conf['api_version'])
  File "./", line 188, in get_keystone_client
  File "/usr/lib/python2.7/dist-packages/keystoneclient/v3/", line 250, in __init__
  File "/usr/lib/python2.7/dist-packages/keystoneclient/", line 578, in authenticate
    resp = self.get_raw_token_from_identity_service(**kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/v3/", line 336, in get_raw_token_from_identity_service
    _('Authorization failed: %s') % e)
keystoneauth1.exceptions.auth.AuthorizationFailure: Authorization failed: Unable to establish connection to

juju run --unit glance-simplestreams-sync/1 'relation-get -r identity-service:65 - keystone/0'
admin_domain_id: 24eecdf281e544ba9d41bae91299ea5a
admin_token: Cg36p9Z2VVY8kXxpw4fqMj2mr9knGhjfBRW7gdXWGtF27Y86P6dhJYzX3RB9ffhy
api_version: "3"
auth_port: "35357"
auth_protocol: http
service_domain: service_domain
service_domain_id: 2510a9c3f8984216837e55dc3e25a344
service_password: sKXt8VJkTwG8sxLtxLNnVjLYV4CNqW6Hcz7KdbHLTFLyyNjGH7dVJHz34fqsPbys
service_port: "5000"
service_protocol: http
service_tenant: services
service_tenant_id: 451a055f18b84f1c9b9b48e13bce754b
service_username: image-stream

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers