Fetching by secret container doesn't raise 404 exception

Bug #1867676 reported by Jorge Niedbalski
This bug affects 3 people
Affects                        | Status       | Importance | Assigned to      | Milestone
Ubuntu Cloud Archive           | Invalid      | Undecided  | Unassigned       |
  Queens                       | Fix Released | High       | Unassigned       |
python-barbicanclient (Ubuntu) | Fix Released | Undecided  | Unassigned       |
  Bionic                       | Fix Released | High       | Jorge Niedbalski |
  Disco                        | Fix Released | Undecided  | Unassigned       |
  Eoan                         | Fix Released | Undecided  | Unassigned       |
  Focal                        | Fix Released | Undecided  | Unassigned       |

Bug Description

[Impact]

Users of Ubuntu bionic running OpenStack clouds >= rocky
can't create Octavia load balancer listeners anymore since the backport of the following patch:

https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df

This change was introduced as part of the following backports and
their subsequent syncs into the current Bionic version.

**** IMPACTED VERSIONS NOTE ****

This issue can be triggered in standalone use, without any cloud-archive dependency, and affects python-barbicanclient 4.6.0ubuntu1, which is the Bionic version. The issue was fixed in 4.8.1-0ubuntu1 (disco onwards).

However, this exception is easily manifested in OpenStack deployments
that use Octavia packages from UCA + python-barbicanclient 4.6.0ubuntu1, as Octavia interacts directly with the barbican client.

This means that any Ubuntu OpenStack cloud deployed from UCA on release >= rocky will manifest this issue when deployed on top of Bionic:

 octavia-api | 3.0.0-0ubuntu3~cloud0 | rocky | all
 octavia-api | 4.0.0-0ubuntu1.1~cloud0 | stein | all
 octavia-api | 4.0.0-0ubuntu1~cloud0 | train | all

This change added a new exception handler in the code
that manages the decoding of the given PKCS12 certificate bundle when the listener is created. This handler now catches the PKCS12 decoding error and re-raises it, preventing
the listener from being created (when it is invoked with, e.g., --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a"); this was originally hidden
under the legacy code handler, as can be seen here:

https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df

This exception is raised because the barbicanclient doesn't know how to distinguish between a given secret and a container; therefore, when the
user specifies a container UUID the client tries to fetch a secret with that UUID (including the /containers/UUID path) and an error 400 (not the expected 404 HTTP error) is returned.

The change proposed in the SRU makes the client aware of container and secret UUID(s) and able to split the path to distinguish a non-secret (such as a container); in that way, if a container is passed, it fails the parsing validation and the right return code (404) is returned by the client.

If an error 404 is returned, then the except Exception block is
executed and the legacy driver code for decoding the PKCS12 certificate in Octavia is invoked; this legacy
driver is able to decode the container payloads and the decoding of the PKCS12 certificate succeeds.

This differentiation was implemented here:

https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
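The distinction described above (a secret reference versus a container reference, a local 404 instead of a server-side 400, and the caller fallback that depends on it), as an added Python example. This is not python-barbicanclient's or Octavia's code: FakeBarbican, the exception classes, the helper names and the UUIDs are constructed for the example, and the "unpatched" resolver is a reconstruction of the behaviour the report describes, not the library's real code path.

```python
# Constructed example: not python-barbicanclient or Octavia code.
import uuid
from urllib.parse import urlparse

# Constructed identifiers (not taken from the bug report).
BASE_URL = "https://barbican.example:9312/v1/"
SECRET_ID = "11111111-2222-4333-8444-555555555555"
CONTAINER_ID = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"


class NotFound(Exception):
    """Stand-in for the client's HTTP 404 error (hypothetical name)."""
    status_code = 404


class BadRequest(Exception):
    """Stand-in for the HTTP 400 a server returns for a malformed id."""
    status_code = 400


def _is_uuid(value):
    try:
        uuid.UUID(value)
    except (ValueError, TypeError):
        return False
    return True


def parse_entity_ref(ref):
    """Split a bare UUID or a Barbican href into (collection, uuid).
    A bare UUID is treated as a secret id; an href must end in
    /<collection>/<uuid>, e.g. /v1/secrets/<uuid> or /v1/containers/<uuid>."""
    if _is_uuid(ref):
        return "secrets", ref
    parts = urlparse(ref).path.rstrip("/").split("/")
    if len(parts) < 3 or not _is_uuid(parts[-1]):
        raise ValueError("not a Barbican entity reference: %r" % ref)
    return parts[-2], parts[-1]


def unpatched_secret_id(ref):
    """Reconstruction of the behaviour the report describes: only a secrets
    prefix is stripped, so a container href is sent to the server with its
    /containers/<uuid> path still attached, as if it were a secret id."""
    if _is_uuid(ref):
        return ref
    path = urlparse(ref).path
    prefix = "/v1/secrets/"
    return path[len(prefix):] if path.startswith(prefix) else path


def patched_secret_id(ref):
    """Fixed behaviour: only a secret reference yields a UUID; a container
    (or any other collection) raises the 404-style error locally."""
    try:
        collection, entity_id = parse_entity_ref(ref)
    except ValueError:
        raise NotFound(ref)
    if collection != "secrets":
        raise NotFound("%s is a %s reference, not a secret" % (ref, collection))
    return entity_id


class FakeBarbican:
    """In-memory stand-in for the Barbican API (constructed)."""
    def __init__(self):
        self.secrets = {}
        self.containers = {}

    def get_secret(self, secret_id):
        # A malformed id (a whole path) is a client error: 400, not 404.
        if not _is_uuid(secret_id):
            raise BadRequest(secret_id)
        if secret_id not in self.secrets:
            raise NotFound(secret_id)
        return self.secrets[secret_id]

    def get_container(self, container_id):
        if container_id not in self.containers:
            raise NotFound(container_id)
        return self.containers[container_id]


def load_tls_bundle(ref, server, secret_id_from_ref):
    """Caller pattern the report describes: try the secret path first and fall
    back to the legacy container path only on a 404. A 400 propagates, which
    is the listener-creation failure seen with the unpatched client."""
    try:
        return "secret", server.get_secret(secret_id_from_ref(ref))
    except NotFound:
        _, container_id = parse_entity_ref(ref)
        return "container", server.get_container(container_id)


def run_demo():
    """Resolve one container href with both resolvers; return which path each
    took, or the status code of the error that escaped the fallback."""
    server = FakeBarbican()
    server.secrets[SECRET_ID] = b"<constructed PKCS12 bytes>"
    server.containers[CONTAINER_ID] = {"certificate": SECRET_ID}
    container_ref = BASE_URL + "containers/" + CONTAINER_ID
    results = {}
    for name, resolver in (("unpatched", unpatched_secret_id),
                           ("patched", patched_secret_id)):
        try:
            results[name] = load_tls_bundle(container_ref, server, resolver)[0]
        except (NotFound, BadRequest) as exc:
            results[name] = exc.status_code
    return results


if __name__ == "__main__":
    print(run_demo())  # {'unpatched': 400, 'patched': 'container'}
```

The point the example isolates is that the fallback is keyed on the error class, so a client that lets the server answer 400 for a container reference never reaches the legacy container path, while a client that classifies the reference itself raises the 404-style error before any request is made.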

As an example (this worked before the latest bionic version was pushed):

openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1

With the newest package upgrade this creation will fail with the following exception:

The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)

Further rationale on this can be found on https://storyboard.openstack.org/#!/story/2007371

[Test Case]

1) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)

2) Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)

3) Store the 3 certificates in Barbican

$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"

$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"

$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"

4) Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet

5) Create a secret container

$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"

6) Try to create the listener

openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1

With the newest package upgrade this creation will fail with the following exception:

The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)

[Regression Potential]

* Creating, listing and getting secrets by UUID and by references with different prefixes (such as container secrets), and how the change can affect these, is something to validate with the new SRU.

* Please remember that this breakage is only exposed with octavia-api from UCA >= rocky, and affects a very minor subset of users that make use of the default-tls-container option when creating the listener. The change considers both cases for compatibility, so no breakage is expected on this front.

* Also, the unit and functional tests have been included in the SRU changeset in order to ensure that no functionality is broken.

[Discussion]

The following changesets need to be backported into the bionic version 4.6.0-0ubuntu1.

All of them are part of 4.8.0 onward.

** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad

Corresponding reviews

https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/

Changed in python-barbicanclient (Ubuntu Focal):
status: New → Fix Released
Changed in python-barbicanclient (Ubuntu Eoan):
status: New → Fix Released
Changed in python-barbicanclient (Ubuntu Disco):
status: New → Fix Released
description: updated
description: updated
Changed in python-barbicanclient (Ubuntu Bionic):
status: New → Won't Fix
status: Won't Fix → Confirmed
Revision history for this message
Jorge Niedbalski (niedbalski) wrote :
Changed in cloud-archive:
status: New → Invalid
Revision history for this message
Corey Bryant (corey.bryant) wrote :
description: updated
description: updated
Changed in python-barbicanclient (Ubuntu Bionic):
status: Confirmed → Triaged
importance: Undecided → High
Revision history for this message
Robie Basak (racb) wrote :

SRU review:

Next time, please include dep3 headers such as Origin:. Given that you pinged in #ubuntu-devel to get this looked at, it would really help if you did the things that make SRU reviews easier. However this isn't a blocker. Apart from this the upload itself looks good.

> As per https://storyboard.openstack.org/#!/story/2007371 we identified that
> ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
> error when a secret container is passed.

> This causes the code to not fall back into the legacy mode

I don't understand how this justifies this bug for an SRU. Please could you explain the actual user impact, so I can measure that against SRU criteria? See https://wiki.ubuntu.com/StableReleaseUpdates#Procedure "An explanation of the bug on users and justification for backporting the fix to the stable release"

> [Regression Potential]

This is missing "a discussion of how regressions are most likely to manifest, or may manifest even if it is unlikely, as a result of this change". See https://wiki.ubuntu.com/StableReleaseUpdates#Procedure

Please update the bug description, fixing [Impact] and [Regression Potential] as above, and then we can reconsider your upload. Thanks!

description: updated
Revision history for this message
Robie Basak (racb) wrote :

Thank you for the update! The user impact is much more understandable now.

The Regression Potential section is still missing "a discussion of how regressions are most likely to manifest, or may manifest even if it is unlikely, as a result of this change". Please can you update that also?

> Users of Ubuntu bionic running openstack clouds >= rocky
> can't create octavia load balancers listeners anymore since the backport of the following patch...

Which package update in Ubuntu caused this regression? Or was the update in the cloud archive only, in which case shouldn't this backport also be going into the cloud archive and not into the main Ubuntu archive?

Revision history for this message
Jorge Niedbalski (niedbalski) wrote :

@racb, thank you very much for the review. I've updated the description, versions and the regression potential of the SRU template.

description: updated
Revision history for this message
Robie Basak (racb) wrote :

Thanks! I think this is a rather special case. Since the Ubuntu archive isn't itself affected by this bug, it's not obvious to me that an SRU to the Ubuntu archive is justified, instead of expecting this to be fixed in UCA only. I've made a note to discuss this with the SRU team.

Revision history for this message
Robie Basak (racb) wrote :

> I can't identify any regression potential for the fix...

I don't understand why this makes it impossible to identify the area of functionality being changed to assist with targeted testing.

description: updated
Revision history for this message
Jorge Niedbalski (niedbalski) wrote :

Hello @racb @coreycb,

I've updated the description, testing and others sections. Is there anything left to be done at my side to continue with the SRU?

Thank you.

Revision history for this message
Dan Streetman (ddstreet) wrote :

Since this is in the Bionic unapproved upload queue already, I'm removing ubuntu-sponsors. I'm leaving sts-sponsors subscribed to help nudge the upload through until it reaches bionic-updates.

Eric Desrochers (slashd)
Changed in python-barbicanclient (Ubuntu Bionic):
status: Triaged → In Progress
assignee: nobody → Jorge Niedbalski (niedbalski)
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Thank you for preparing this SRU! I think I'm fine with the SRU contents-wise, but I'd like to first have some clarification on the situation here. So if I understand it correctly, users running bionic only (without UCA enabled) also experience this issue now, yes?

Revision history for this message
Jorge Niedbalski (niedbalski) wrote :

@sil2100 hello lukasz

I've added an **** IMPACTED VERSIONS NOTE **** note in the description. Any user
running Bionic may hit this issue if running the library in standalone
and hitting the same endpoints. However, this is unlikely to be manifested
by any user, unless it is deployed with octavia (which is in the cloud-archive). This component (octavia-api) makes extensive use of the barbicanclient API and therefore any clouds >= rocky
deployed on top of Bionic will manifest the issue.

I hope this clarifies the situation further and if not, please let me know
to provide you any further details.

description: updated
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Jorge, or anyone else affected,

Accepted python-barbicanclient into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-barbicanclient/4.6.0-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in python-barbicanclient (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Jorge Niedbalski (niedbalski) wrote :

Hello,

I've verified that the current -proposed package fixes the issue for us, for the
given use case.

Using the following deployment bundle on a Bionic + Rocky cloud
http://paste.ubuntu.com/p/jnVdVvQg7k/

Without the patch, the problem is reproduced as expressed on the case description:

ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.11:9312/v1/secrets/7aa7727d-f39b-45f8-9310-f5c595ad4feb" --secret="private_key=https://10.5.0.11:9312/v1/secrets/189736d1-51d8-4cbe-9638-ceadcbb664ac" --secret="intermediates=https://10.5.0.11:9312/v1/secrets/70e2cf9c-8110-4d25-a1e3-f7b6f3950e64"

ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.11:9312/v1/containers/b548ab63-474d-4a94-b121-4eae8193fcc1" -- lb1
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-c79fbcb1-06d8-47e4-9754-8066596ba262)

With the patch applied in the following version:

root@juju-be44b9-barbican-10:/home/ubuntu# dpkg -l |grep barbican
ii python3-barbicanclient 4.6.0-0ubuntu1.1 all OpenStack Key Management API client - Python 3.x

| https://10.5.0.11:9312/v1/containers/bd67d6f4-3a82-4a86-9679-c97a66ceeb19 | None | 2020-05-12T21:37:32+00:00 | ACTIVE | certificate | certificate=https://10.5.0.11:9312/v1/secrets/26ed5706-5f0a-4f9f-b226-e8595031515e | None |
| | | | | | private_key=https://10.5.0.11:9312/v1/secrets/9a3bd926-6ba9-46be-8168-6b5e79e09b36 | |
+---------------------------------------------------------------------------+----------------+---------------------------+--------+-------------+--------------------------------------------------------------------------------------+-----------+

The issue is no longer reproducible and listeners can be created.

ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener-2" --default-tls-container="https://10.5.0.11:9312/v1/containers/bd67d6f4-3a82-4a86-9679-c97a66ceeb19" -- lb2
+-----------------------------+---------------------------------------------------------------------------+
| Field | Value |
+-----------------------------+---------------------------------------------------------------------------+
| admin_state_up | True |
| connection_limit | -1 |
| created_at ...


tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Corey Bryant (corey.bryant) wrote :

Hello Jorge, or anyone else affected,

Accepted python-barbicanclient into queens-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:queens-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-queens-needed to verification-queens-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-queens-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-queens-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-barbicanclient - 4.6.0-0ubuntu1.1

---------------
python-barbicanclient (4.6.0-0ubuntu1.1) bionic; urgency=medium

  [ Corey Bryant ]
  * d/gbp.conf: Create stable/queens branch.

  [ Jorge Niedbalski ]
  * d/p/0001-Allow-fetching-by-UUID-and-respect-interface.patch,
  * d/p/0002-Secret-payload-should-also-be-fetched-by-UUID.patch:
    Adds patches to properly support fetching by UUID (LP: #1867676).

 -- Jorge Niedbalski <email address hidden> Tue, 17 Mar 2020 11:13:24 -0300

Changed in python-barbicanclient (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for python-barbicanclient has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Jorge Niedbalski (niedbalski) wrote :

Hello Corey,

This package is available on B, E, F, G. I don't think it is strictly required to be backported into the queens cloud archive for other than having this package in the correct pocket (UCA).

As I expressed in the bug description, the combination that triggers this issue is octavia + barbican when creating listeners, but octavia only exists >= Rocky. So I doubt that this could be hit in any other situation other than a specific user using the standalone library of barbicanclient, which would be a VERY rare use case.

The particular issue reported here was reported on Bionic (LTS) >= Rocky clouds (where the UCA package was missed), and the bionic package in universe was missing the fix.

I think it's OK if you want to move this very same missing package version into the UCA, but I think it is safe to assume that the verification done for Bionic would apply for anyone brave enough to deploy a version of Queens barbican + Rocky Octavia.

I hope this clarifies the situation.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for python-barbicanclient has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package python-barbicanclient - 4.6.0-0ubuntu1.1~cloud0
---------------

 python-barbicanclient (4.6.0-0ubuntu1.1~cloud0) xenial-queens; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 python-barbicanclient (4.6.0-0ubuntu1.1) bionic; urgency=medium
 .
   [ Corey Bryant ]
   * d/gbp.conf: Create stable/queens branch.
 .
   [ Jorge Niedbalski ]
   * d/p/0001-Allow-fetching-by-UUID-and-respect-interface.patch,
   * d/p/0002-Secret-payload-should-also-be-fetched-by-UUID.patch:
     Adds patches to properly support fetching by UUID (LP: #1867676).
