OpenStack-Ansible

Certificate creation for cluster in magnum failed maybe because of keystone/trust

Bug #1670355 reported by Kevin Lefevre on 2017-03-06

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack-Ansible	Fix Released	Undecided	Kevin Lefevre
	puppet-magnum	Fix Released	Undecided	yatin

Bug Description

Hi, on OSA master when deploying magnum cluster, instances sign certificates with the Magnum API.

It failed with OSA, here are the Keystone logs :

There is either no auth token in the request or the certificate is
suer is not trusted. No auth context will be set. fill_context /openstack/venvs/keystone-master/lib/python2.7/site-packages/keystone/middleware/auth.py:203
2017-03-06 13:11:40.966 1878 INFO keystone.common.wsgi [req-3f616981-32ba-47e0-ad81-3c4d726edaf9 - - - - -] POST http://172.29.236.100:5000/v3/auth/tokens
2017-03-06 13:11:40.966 1878 WARNING keystone.common.wsgi [req-3f616981-32ba-47e0-ad81-3c4d726edaf9 - - - - -] Invalid input for field 'identity/password/user/password': None is n
ot of type 'string'

After talking with magnum team, the issues is not on devstack, the policy.json for magnum role has been updated recently which is good. I stumble across this patch https://review.openstack.org/#/c/342887/3/templates/keystone.conf.j2 but it does not resolve the issues.

After talking with the magnum team. In devstack, there is a

[keystone_auth]
auth_url = http://192.168.200.12/identity/v3
user_domain_id = default
project_domain_id = default
project_name = service
password = password
username = magnum
auth_type = password

which is not in magnum role. When I add it in magnum.conf it works. I don't really know why, but on devstack it works without this section. It might be a mix of magnum and keystone conf I don't know :/

I'm willing to continue investigating this but need some help

Tags:

Kevin Lefevre (archifleks) on 2017-03-06

summary:	- Certificate for cluster in magnum failed maybe because of - keystone/truste + Certificate for cluster in magnum failed maybe because of keystone/trust
summary:	- Certificate for cluster in magnum failed maybe because of keystone/trust + Certificate creattion for cluster in magnum failed maybe because of + keystone/trust
summary:	- Certificate creattion for cluster in magnum failed maybe because of + Certificate creation for cluster in magnum failed maybe because of keystone/trust

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-07: Fix proposed to openstack-ansible-os_magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/442321

Changed in openstack-ansible:
assignee:	nobody → Kevin Lefevre (archifleks)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-10: Fix merged to openstack-ansible-os_magnum (master)

Reviewed: https://review.openstack.org/442321
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_magnum/commit/?id=8329c257dff25686827bd1cc904506d76ad1d12f
Submitter: Jenkins
Branch: master

commit 8329c257dff25686827bd1cc904506d76ad1d12f
Author: ArchiFleKs <email address hidden>
Date: Tue Mar 7 09:51:48 2017 +0100

Fix Magnum Cluster TLS assets generation

Change-Id: If18a447a38f0b8ac9f1bf076d4124ccceb018627
Fixes-Bug: #1670355

Changed in openstack-ansible:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-13: Fix proposed to openstack-ansible-os_magnum (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/445000

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-13: Fix proposed to openstack-ansible-os_magnum (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/445001

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-15: Fix merged to openstack-ansible-os_magnum (stable/newton)

Reviewed: https://review.openstack.org/445001
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_magnum/commit/?id=c13d29d169db52476267b8a56478ae752bb47dc2
Submitter: Jenkins
Branch: stable/newton

commit c13d29d169db52476267b8a56478ae752bb47dc2
Author: ArchiFleKs <email address hidden>
Date: Tue Mar 7 09:51:48 2017 +0100

Fix Magnum Cluster TLS assets generation

    Change-Id: If18a447a38f0b8ac9f1bf076d4124ccceb018627
    Fixes-Bug: #1670355
    (cherry picked from commit 8329c257dff25686827bd1cc904506d76ad1d12f)

tags:	added: in-stable-newton
tags:	added: in-stable-ocata

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-15: Fix merged to openstack-ansible-os_magnum (stable/ocata)

Reviewed: https://review.openstack.org/445000
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_magnum/commit/?id=464fd73b3e51cd8124e5eb44632030e300c49adf
Submitter: Jenkins
Branch: stable/ocata

commit 464fd73b3e51cd8124e5eb44632030e300c49adf
Author: ArchiFleKs <email address hidden>
Date: Tue Mar 7 09:51:48 2017 +0100

Fix Magnum Cluster TLS assets generation

    Change-Id: If18a447a38f0b8ac9f1bf076d4124ccceb018627
    Fixes-Bug: #1670355
    (cherry picked from commit 8329c257dff25686827bd1cc904506d76ad1d12f)

Kevin Lefevre (archifleks) on 2017-05-10

Changed in magnum:
status:	New → Fix Released
assignee:	nobody → Kevin Lefevre (archifleks)
no longer affects:	magnum

yatin (yatinkarel) on 2017-08-30

Changed in packstack:
assignee:	nobody → yatin (yatinkarel)
affects:	packstack → puppet-magnum

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-30: Fix proposed to puppet-magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/499041

Changed in puppet-magnum:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-09-06: Fix merged to puppet-magnum (master)

Reviewed: https://review.openstack.org/499041
Committed: https://git.openstack.org/cgit/openstack/puppet-magnum/commit/?id=b7071d406cb41fab612765a566a3bd791201afeb
Submitter: Jenkins
Branch: master

commit b7071d406cb41fab612765a566a3bd791201afeb
Author: yatin <email address hidden>
Date: Wed Aug 30 12:11:23 2017 +0530

Fix magnum cluster TLS cert generation

Magnum cluster's cert creation requires admin_user, admin_password
and admin_tenant_name to be set in [keystone_authtoken] section.

Change-Id: Ice8e6537ac6796df032c4c4cf2a194d2214430fd
Closes-Bug: #1670355

Changed in puppet-magnum:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-09-06: Fix proposed to puppet-magnum (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/501141

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-09-06: Fix proposed to puppet-magnum (stable/ocata)

#10

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/501142

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-09-06: Fix proposed to puppet-magnum (stable/newton)

#11

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/501143

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-09-07: Fix merged to puppet-magnum (stable/pike)

#12

Reviewed: https://review.openstack.org/501141
Committed: https://git.openstack.org/cgit/openstack/puppet-magnum/commit/?id=4e8d28249661bfb6fc6a5872bf586b70d8181d16
Submitter: Jenkins
Branch: stable/pike

commit 4e8d28249661bfb6fc6a5872bf586b70d8181d16
Author: yatin <email address hidden>
Date: Wed Aug 30 12:11:23 2017 +0530

Fix magnum cluster TLS cert generation

Magnum cluster's cert creation requires admin_user, admin_password
and admin_tenant_name to be set in [keystone_authtoken] section.

    Change-Id: Ice8e6537ac6796df032c4c4cf2a194d2214430fd
    Closes-Bug: #1670355
    (cherry picked from commit b7071d406cb41fab612765a566a3bd791201afeb)

tags:

added: in-stable-pike

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-09-07: Fix merged to puppet-magnum (stable/ocata)

#13

Reviewed: https://review.openstack.org/501142
Committed: https://git.openstack.org/cgit/openstack/puppet-magnum/commit/?id=7884e8e1700ddc95343d50e19a32bccf06e5c9b7
Submitter: Jenkins
Branch: stable/ocata

commit 7884e8e1700ddc95343d50e19a32bccf06e5c9b7
Author: yatin <email address hidden>
Date: Wed Aug 30 12:11:23 2017 +0530

Fix magnum cluster TLS cert generation

Magnum cluster's cert creation requires admin_user, admin_password
and admin_tenant_name to be set in [keystone_authtoken] section.

    Change-Id: Ice8e6537ac6796df032c4c4cf2a194d2214430fd
    Closes-Bug: #1670355
    (cherry picked from commit b7071d406cb41fab612765a566a3bd791201afeb)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-09-07: Fix merged to puppet-magnum (stable/newton)

#14

Reviewed: https://review.openstack.org/501143
Committed: https://git.openstack.org/cgit/openstack/puppet-magnum/commit/?id=815d7e6fd0ce02970418f2fa29c72cc7ba3b3517
Submitter: Jenkins
Branch: stable/newton

commit 815d7e6fd0ce02970418f2fa29c72cc7ba3b3517
Author: yatin <email address hidden>
Date: Wed Aug 30 12:11:23 2017 +0530

Fix magnum cluster TLS cert generation

Magnum cluster's cert creation requires admin_user, admin_password
and admin_tenant_name to be set in [keystone_authtoken] section.

    Change-Id: Ice8e6537ac6796df032c4c4cf2a194d2214430fd
    Closes-Bug: #1670355
    (cherry picked from commit b7071d406cb41fab612765a566a3bd791201afeb)