The default AMQP handler does not handle TLS

Bug #1841912 reported by Frode Nordahl
Affects                  Status   Importance  Assigned to  Milestone
OpenStack API Layer      Triaged  High        Unassigned
OpenStack Base Layer     Triaged  High        Unassigned
OpenStack Octavia Charm  Triaged  High        Unassigned
charms.openstack         Triaged  High        Unassigned

Bug Description

When the rabbitmq-server charm is configured with TLS it will announce this fact along with the CA certificate used over the relation.

The layer does not contain a handler for this and it should have one.

charms.openstack does contain code to handle the RabbitMQ cert that piggybacks on the handling of other TLS related events.

Without layer handling code it will not be called on changes to the relation and will then lead to situations where a charm using our stack will no longer be able to communicate with RabbitMQ when the certificate changes.

There is an example in the ``neutron-dynamic-routing`` [0] charm for layer handling code for this, and this also raises the need for completing the move of the default AMQP handlers down to the ``openstack`` layer from the ``openstack-api`` layer.

0: https://review.opendev.org/#/q/topic:bug/1807233+(status:open+OR+status:merged)

Frode Nordahl (fnordahl)
Changed in charm-octavia:
status: New → Triaged
importance: Undecided → High
Frode Nordahl (fnordahl) wrote :

While validating framework changes for bug 1840899 I caught this during a charm-octavia test run in a TLS-enabled deployment with ``ssl=only`` configured for ``rabbitmq-server``.

From ``/var/log/octavia/octavia-worker.log``:
2019-08-29 09:53:40.572 2483 ERROR oslo.messaging._drivers.impl_rabbit [-] Connection failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852) (retrying in 32.0 seconds): ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

And sure enough, the data represented in ``/var/lib/charm/octavia/rabbit-client-ca.pem`` differs from what is on the relation.

root@juju-77088e-zaza-fdbdfb4a2723-8:/var/lib/charm/octavia# cat /var/lib/charm/octavia/rabbit-client-ca.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
ubuntu@test:~$ juju run --unit octavia/0 'relation-ids amqp'
amqp:26
ubuntu@test:~$ juju run --unit octavia/0 'relation-get -r amqp:26 - rabbitmq-server/0'
egress-subnets: 10.5.0.52/32
hostname: 10.5.0.52
ingress-address: 10.5.0.52
password: sMPG4nw5KC4RGz3TZNTqgpjtH6kRWL5wRXG5ZVNHSrKSW6FcF5mYSqBHC7dWwHCr
private-address: 10.5.0.52
ssl_ca: 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...
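The handler the description asks for, and the manual check in the comment above (``cat`` of ``rabbit-client-ca.pem`` against ``relation-get``), both reduce to one comparison: take ``ssl_ca`` from the amqp relation, compare it with the CA file the charm keeps, rewrite the file when it differs, and report that the consuming service must be reconfigured. The Python below is an added example written for this page; it is not code from charms.openstack, layer-openstack, charm-octavia or the neutron-dynamic-routing charm. It models the relation data as a plain dict, assumes (as the rabbitmq-server charm does) that ``ssl_ca`` is base64-encoded PEM while also accepting bare PEM, and uses a constructed ``SAMPLE_CA_PEM`` placeholder that is not a real certificate. The function names are mine.

```python
"""Keep a charm's on-disk copy of the RabbitMQ CA in sync with the amqp relation."""
import base64
import binascii
import pathlib
import tempfile

# Constructed placeholder in PEM framing; NOT a real certificate.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleCAdataThisIsNotARealCertificate0000\n"
    "-----END CERTIFICATE-----\n"
)
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def encode_ssl_ca(pem_text):
    """Encode PEM text the way the broker side publishes it (base64, assumption)."""
    return base64.b64encode(pem_text.encode()).decode()


def decode_ssl_ca(value):
    """Turn the relation's ``ssl_ca`` setting into PEM bytes, or None if absent.

    Accepts base64-encoded PEM (the assumed wire form) and bare PEM text
    (what ``relation-get`` shows once decoded by hand). Anything else is rejected
    so a garbled value never gets written out as a trust anchor.
    """
    if value is None:
        return None
    data = value.strip().encode()
    if data.startswith(PEM_HEADER):
        return data if data.endswith(b"\n") else data + b"\n"
    try:
        decoded = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("ssl_ca is neither PEM nor valid base64") from exc
    if not decoded.startswith(PEM_HEADER):
        raise ValueError("decoded ssl_ca does not look like a PEM certificate")
    return decoded


def ca_is_stale(relation_settings, ca_path):
    """True when the file at ca_path no longer matches the relation's ssl_ca."""
    wanted = decode_ssl_ca(relation_settings.get("ssl_ca"))
    path = pathlib.Path(ca_path)
    if wanted is None:
        # Broker no longer announces TLS: a leftover file is itself stale state.
        return path.exists()
    if not path.exists():
        return True
    return path.read_bytes() != wanted


def reconcile_rabbit_ca(relation_settings, ca_path):
    """Write (or remove) the CA file to match the relation.

    Returns True when the file changed, i.e. when the service's messaging config
    must be re-rendered and the service restarted; False when nothing changed.
    """
    path = pathlib.Path(ca_path)
    if not ca_is_stale(relation_settings, ca_path):
        return False
    wanted = decode_ssl_ca(relation_settings.get("ssl_ca"))
    if wanted is None:
        path.unlink()
        return True
    path.parent.mkdir(parents=True, exist_ok=True)
    # Write atomically so a reader never sees a half-written trust anchor.
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_bytes(wanted)
    tmp.chmod(0o644)
    tmp.replace(path)
    return True


def run_demo():
    """Walk the lifecycle from the bug (first write, no-op, rotation, withdrawal)."""
    results = []
    with tempfile.TemporaryDirectory() as workdir:
        ca_file = pathlib.Path(workdir) / "rabbit-client-ca.pem"
        # Constructed relation data shaped like the relation-get output above.
        settings = {"hostname": "10.5.0.52", "ssl_ca": encode_ssl_ca(SAMPLE_CA_PEM)}
        results.append(reconcile_rabbit_ca(settings, ca_file))    # True: first write
        results.append(reconcile_rabbit_ca(settings, ca_file))    # False: unchanged
        rotated = SAMPLE_CA_PEM.replace("sample", "rotatd")       # broker rotates its CA
        settings["ssl_ca"] = encode_ssl_ca(rotated)
        results.append(ca_is_stale(settings, ca_file))            # True: file is stale
        results.append(reconcile_rabbit_ca(settings, ca_file))    # True: rewritten
        results.append(ca_file.read_bytes() == rotated.encode())  # True: matches relation
        results.append(reconcile_rabbit_ca({}, ca_file))          # True: TLS withdrawn
        results.append(ca_file.exists())                          # False: file removed
    return results


if __name__ == "__main__":
    print(run_demo())
```

In a reactive charm the handler would run on the amqp relation's changed state and feed the return value of ``reconcile_rabbit_ca`` into the existing render-and-restart path; the ``ca_is_stale`` check alone is the scripted form of the comparison done by hand in the comment, and is what a test run should assert before trusting the deployment's TLS path.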

Changed in charms.openstack:
status: New → Triaged
importance: Undecided → High
Changed in layer-openstack:
status: New → Triaged
importance: Undecided → High
Changed in layer-openstack-api:
status: New → Triaged
importance: Undecided → High