diff -Nru octavia-7.1.2/debian/changelog octavia-7.1.2/debian/changelog
--- octavia-7.1.2/debian/changelog 2022-03-02 20:07:26.000000000 +0000
+++ octavia-7.1.2/debian/changelog 2023-10-11 10:49:21.000000000 +0000
@@ -1,3 +1,11 @@
+octavia (7.1.2-0ubuntu1~cloud0ubuntu1) focal-victoria; urgency=medium
+
+ * d/p/lp2035180-fix-barbican-client-with-application-credentials-trust.patch:
+ Fix barbican client when using application credentials. (LP: #2035180).
+
+
+ -- David Negreira Wed, 11 Oct 2023 10:49:21 +0000
+
 octavia (7.1.2-0ubuntu1~cloud0) focal-victoria; urgency=medium
 
 * New stable point release for OpenStack Victoria (LP: #1962772).
diff -Nru octavia-7.1.2/debian/patches/lp2035180-fix-barbican-client-with-application-credentials-trust.patch octavia-7.1.2/debian/patches/lp2035180-fix-barbican-client-with-application-credentials-trust.patch
--- octavia-7.1.2/debian/patches/lp2035180-fix-barbican-client-with-application-credentials-trust.patch 1970-01-01 00:00:00.000000000 +0000
+++ octavia-7.1.2/debian/patches/lp2035180-fix-barbican-client-with-application-credentials-trust.patch 2023-10-11 10:49:21.000000000 +0000
@@ -0,0 +1,95 @@
+From b45a1b655a07f286e415e2d84e56c8874568b3ae Mon Sep 17 00:00:00 2001
+From: Gregory Thiemonge
+Date: Thu, 25 Aug 2022 10:33:21 +0200
+Subject: [PATCH] Fix barbican client with application credentials/trusts
+
+It seems that keystoneauth1.identity.generic.token doesn't handle
+properly the application credential/trust tokens passed by the context
+of the requests. When using app credentials, Octavia failed to retrieve
+the certificates from barbican.
+Switching to keystoneauth1.token_endpoint fixes the issue, the
+auth tokens are correctly passed to the barbican client.
+
+Story: 2007619
+Task: 39737
+Origin: backport, https://review.opendev.org/c/openstack/octavia/+/894548
+Change-Id: Id77ce36f59b71d309f153e5c1d44059f162ee440
+(cherry picked from commit ce7f27e3b7ef6a94501ce975fb0e9dadcffb822b)
+(cherry picked from commit 851510f4c74658b128790da1aab410e245355a90)
+(cherry picked from commit b20bb2eb23d236421cca5a621b25ada0da3297f6)
+---
+ .../certificates/common/auth/barbican_acl.py | 27 ++++++++++---------
+ .../common/auth/test_barbican_acl.py | 3 +--
+ ...tokens-with-barbican-3b7d13283206c124.yaml | 5 ++++
+ 3 files changed, 20 insertions(+), 15 deletions(-)
+ create mode 100644 releasenotes/notes/fix-application-credential-tokens-with-barbican-3b7d13283206c124.yaml
+
+Index: octavia-7.1.2/octavia/certificates/common/auth/barbican_acl.py
+===================================================================
+--- octavia-7.1.2.orig/octavia/certificates/common/auth/barbican_acl.py
++++ octavia-7.1.2/octavia/certificates/common/auth/barbican_acl.py
+@@ -17,8 +17,8 @@
+ Barbican ACL auth class for Barbican certificate handling
+ """
+ from barbicanclient import client as barbican_client
+-from keystoneauth1.identity.generic import token
+ from keystoneauth1 import session
++from keystoneauth1 import token_endpoint
+
+ from oslo_config import cfg
+ from oslo_log import log as logging
+@@ -79,20 +79,21 @@ class BarbicanACLAuth(barbican_common.Ba
+
+ @classmethod
+ def get_barbican_client_user_auth(cls, context):
+- # get a normal session
+- ksession = keystone.KeystoneSession()
+- service_auth = ksession.get_auth()
++ barbican_endpoint = CONF.certificates.endpoint
++ if not barbican_endpoint:
++ ksession = keystone.KeystoneSession().get_session()
++ endpoint_data = ksession.get_endpoint_data(
++ service_type='key-manager',
++ region_name=CONF.certificates.region_name,
++ interface=CONF.certificates.endpoint_type)
++ barbican_endpoint = endpoint_data.catalog_url
++
++ auth_token = token_endpoint.Token(barbican_endpoint,
++ context.auth_token)
+
+- # make our own auth and swap it in
+- user_auth = token.Token(auth_url=service_auth.auth_url,
+- token=context.auth_token,
+- project_id=context.project_id)
+ user_session = session.Session(
+- auth=user_auth,
++ auth=auth_token,
+ verify=CONF.certificates.ca_certificates_file)
+-
+- # create a special barbican client with our user's session
+ return barbican_client.Client(
+ session=user_session,
+- region_name=CONF.certificates.region_name,
+- interface=CONF.certificates.endpoint_type)
++ endpoint=barbican_endpoint)
+Index: octavia-7.1.2/octavia/tests/unit/certificates/common/auth/test_barbican_acl.py
+===================================================================
+--- octavia-7.1.2.orig/octavia/tests/unit/certificates/common/auth/test_barbican_acl.py
++++ octavia-7.1.2/octavia/tests/unit/certificates/common/auth/test_barbican_acl.py
+@@ -91,5 +91,4 @@ class TestBarbicanACLAuth(base.TestCase)
+ bc = acl_auth_object.get_barbican_client_user_auth(mock.Mock())
+ self.assertTrue(hasattr(bc, 'containers') and
+ hasattr(bc.containers, 'register_consumer'))
+- self.assertEqual('publicURL', bc.client.interface)
+- self.assertEqual('RegionOne', bc.client.region_name)
++ self.assertEqual('public', bc.client.interface)
+Index: octavia-7.1.2/releasenotes/notes/fix-application-credential-tokens-with-barbican-3b7d13283206c124.yaml
+===================================================================
+--- /dev/null
++++ octavia-7.1.2/releasenotes/notes/fix-application-credential-tokens-with-barbican-3b7d13283206c124.yaml
+@@ -0,0 +1,5 @@
++---
++fixes:
++ - |
++ Fix an authentication error with Barbican when creating a TERMINATED_HTTPS
++ listener with application credential tokens or trust IDs.
diff -Nru octavia-7.1.2/debian/patches/series octavia-7.1.2/debian/patches/series
--- octavia-7.1.2/debian/patches/series 2022-03-02 20:07:26.000000000 +0000
+++ octavia-7.1.2/debian/patches/series 2023-10-11 10:47:38.000000000 +0000
@@ -1 +1,2 @@
 disable-sphinxcontrib.rsvgconverter.patch
+lp2035180-fix-barbican-client-with-application-credentials-trust.patch
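Review bot: In the new body of `get_barbican_client_user_auth` (inside the added quilt patch), `endpoint_data.catalog_url` is read without checking what `ksession.get_endpoint_data(...)` returned; as far as I know keystoneauth returns `None` there when the catalog has no matching `key-manager` endpoint for the configured region and interface, so a catalog or config mismatch would surface as an `AttributeError` instead of a clear certificate-manager error. A guard such as `if endpoint_data is None or not endpoint_data.catalog_url:` followed by a raise of the project's own exception type (placeholder: `<octavia exception for a missing Barbican endpoint>`) would make that failure explicit. The resolved URL also carries more weight than before, because `token_endpoint.Token(barbican_endpoint, context.auth_token)` attaches the caller's token to whatever URL was chosen, so a short comment stating that `CONF.certificates.endpoint` must be a trusted, TLS-protected Barbican URL would help operators. In the test section the `region_name` assertion is dropped without a replacement, so nothing in the lines shown checks that `CONF.certificates.region_name` still reaches the catalog lookup.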