DC: subcloud platform-integ-apps reapply failed at retrieving central registry credential
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | High | Andy |
Bug Description
Brief Description
-----------------
On DC subclouds, platform-integ-apps fails on any reapply.
It fails at retrieving the barbican secret because the original keystone user that was used to create the barbican secret was created before DC sync and was then replaced by the new admin user synced down from central.
Severity
--------
Critical
Steps to Reproduce
------------------
- Install and configure DC
- Do something that triggers reapply of platform-
Expected Behavior
------------------
- platform-integ-apps reapplied successfully
Actual Behavior
----------------
- platform-integ-apps apply-failed with error: Unable to get the credentials to access registry registry.central:
Reproducibility
---------------
Reproducible
System Configuration
-------
Distributed Cloud system
Branch/Pull Time/Commit
-------
20191102
Last Pass
---------
None
This issue was uncovered when subcloud started to pull images from registry.central. However, this issue would have been seen with any private registry even without the registry.central change.
Timestamp/Logs
--------------
Analysis from Angie Wang:
Barbican secrets are created by the admin user under the admin project at subcloud bootstrap time. The subcloud admin user/project is created by the subcloud keystone during bootstrap. After the system is unlocked and dbdcsync is up, it syncs the keystone admin user/project between the system controller and the subcloud, so the subcloud admin user/project's IDs become the same as the IDs of the system controller. The original admin user/project of the subcloud gets deleted. When applying an application, it will fail to find the barbican secret as it's created by/under the original subcloud admin.
The user/project has not been synced during the initial platform-form-integ apply, so it passed the first time.
# System controller
[sysadmin@
+------
| ID | Name |
+------
| 08c71a9bc01d426
| a62f1b82df40453
| c143937dfee94f8
| 20c0b85e0fcf4d4
| 71a55e59fb6042a
| 5487a452d6764e0
| 39818c1597454c4
| 818dc89581ad40c
| d81cea56313f438
| 97364a317b64471
| 2c160aae50ef42b
+------
[sysadmin@
+------
| ID | Name |
+------
| 5f933f67321c428
| 805d22cd9c88499
+------
# Subcloud 6
Secrets were created by admin user with id “de0cab3b648e48
barbican=# select * from secrets where id='4cf054c3-
project_id
-------
-------
4cf054c3-
7a9-ad0e-
(1 row)
After dbdcsync, Ids changed on subcloud.
[sysadmin@
+------
| ID | Name |
+------
| f92e321bda7f495
| f0699ea2db96444
| 018621060fbb452
| c143937dfee94f8
| 08c71a9bc01d426
| 20c0b85e0fcf4d4
| 71a55e59fb6042a
| 5487a452d6764e0
| 39818c1597454c4
+------
[sysadmin@
+------
| ID | Name |
+------
| 5f933f67321c428
| 805d22cd9c88499
+------
Secret get will fail
[sysadmin@
4xx Client error: Forbidden: Secret payload retrieval attempt not allowed - please review your user/project privileges
Forbidden: Secret payload retrieval attempt not allowed - please review your user/project privileges
Test Activity
-------------
Regression Testing
summary:
- DC private registry: subcloud platform-integ-apps reapply failed at
- retrieving central registry credential
+ DC: subcloud platform-integ-apps reapply failed at retrieving central
+ registry credential
tags: added: stx.retestneeded
Marking as stx.3.0 / high priority - issue w/ Distributed Cloud
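The ownership mismatch described in the analysis above, as an added example that is not part of the original bug report or the StarlingX code: a small audit that takes the keystone IDs that exist after the sync and the owner IDs recorded on each secret, and lists the secrets whose creating user or project has been deleted. The record shape, the function names and every ID are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Secret:
    secret_id: str
    creator_id: str   # keystone user ID recorded when the secret was stored
    project_id: str   # keystone project ID the secret was stored under

def id_churn(before, after):
    """name -> (old_id, new_id) for identities whose ID changed across the sync."""
    return {n: (before[n], after[n])
            for n in before.keys() & after.keys() if before[n] != after[n]}

def orphaned_secrets(secrets, live_user_ids, live_project_ids):
    """secret_id -> reasons, for secrets whose recorded owner no longer exists."""
    findings = {}
    for s in secrets:
        reasons = []
        if s.project_id not in live_project_ids:
            reasons.append(f"project {s.project_id} deleted")
        if s.creator_id not in live_user_ids:
            reasons.append(f"creator {s.creator_id} deleted")
        if reasons:
            findings[s.secret_id] = reasons
    return findings

# Constructed sample data (placeholder IDs, not values from the bug report).
USERS_AT_BOOTSTRAP = {"admin": "user-local-0001", "other": "user-same-0002"}
USERS_AFTER_SYNC = {"admin": "user-central-0001", "other": "user-same-0002"}
PROJECTS_AT_BOOTSTRAP = {"admin": "proj-local-0001"}
PROJECTS_AFTER_SYNC = {"admin": "proj-central-0001"}
SECRETS = [
    # Stored during bootstrap, before the sync replaced the admin identity.
    Secret("secret-registry", "user-local-0001", "proj-local-0001"),
    # Stored after the sync, under the synced admin identity.
    Secret("secret-later", "user-central-0001", "proj-central-0001"),
]

def audit():
    """Run the orphan check against the identities that exist after the sync."""
    return orphaned_secrets(SECRETS, set(USERS_AFTER_SYNC.values()),
                            set(PROJECTS_AFTER_SYNC.values()))

if __name__ == "__main__":
    print("changed user IDs:", id_churn(USERS_AT_BOOTSTRAP, USERS_AFTER_SYNC))
    for secret_id, reasons in audit().items():
        print(secret_id, "->", "; ".join(reasons))
```

Only the secret stored at bootstrap is reported, which matches the report: the first apply ran before the sync and passed, and every reapply afterwards hit the Forbidden error.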