It is an issue. The issue is that the openstack admin password is changed in keystone, but the other openstack services still have the old password in their secrets, which causes the lock issue.
Here is the list of services which have the admin password:
[sysadmin@controller-0 ~(keystone_admin)]$ kubectl get secrets -n openstack | grep keystone-admin
cinder-keystone-admin Opaque 9 88m
fm-keystone-admin Opaque 9 73m
glance-keystone-admin Opaque 9 90m
heat-keystone-admin Opaque 9 74m
keystone-keystone-admin Opaque 9 92m
neutron-keystone-admin Opaque 9 86m
nova-keystone-admin Opaque 9 86m
placement-keystone-admin Opaque 9 86m
If we open a secret, we can get the password in "OS_PASSWORD:" and use base64 to decode it.
We may need to monitor the password change in keystone and update the secrets. Keystone is running in a container, so it is not easy to do.
The quick WA for it may be to disable the lock operation. Keystone would then just report the error in the log, but not force the lock operation. To do it, we need to remove the below settings in the keystone container's /etc/keystone/keystone.conf:
"
[security_compliance]
lockout_duration = 1800
lockout_failure_attempts = 5
"
I don't have a good solution for it yet. Any suggestions are welcome.
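Added example, not part of the original comment and not StarlingX or OpenStack project code: a shell check that reports which of the keystone-admin secrets listed above still hold a password different from the current one, without printing any password. It assumes the password sits base64-encoded under data.OS_PASSWORD as the comment describes and that the current admin password is available in $OS_PASSWORD; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: find *-keystone-admin secrets whose stored OS_PASSWORD no
# longer matches the current keystone admin password (the lockout trigger).
NAMESPACE=openstack

# Emit "<secret-name> <base64 OS_PASSWORD>" for each keystone-admin secret.
dump_admin_secrets() {
    kubectl get secrets -n "$NAMESPACE" -o name | grep 'keystone-admin$' |
    while read -r ref; do
        printf '%s %s\n' "${ref#secret/}" \
            "$(kubectl get "$ref" -n "$NAMESPACE" -o jsonpath='{.data.OS_PASSWORD}')"
    done
}

# Read "<name> <b64>" lines on stdin and print the names whose decoded
# password differs from $1. A value that cannot be decoded is reported as
# stale too. Passwords themselves are never written to the output.
find_stale_secrets() {
    current=$1
    while read -r name b64; do
        [ -n "$name" ] || continue
        # Note: $(...) strips trailing newlines from the decoded value.
        stored=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || stored=
        [ "$stored" = "$current" ] || printf '%s\n' "$name"
    done
}

# Constructed sample data (not real secrets) in the same "<name> <b64>" form,
# so the comparison can be tried without a cluster.
sample_secrets() {
    printf 'cinder-keystone-admin %s\n' "$(printf '%s' 'NewPass-2' | base64)"
    printf 'nova-keystone-admin %s\n' "$(printf '%s' 'OldPass-1' | base64)"
    printf 'heat-keystone-admin %s\n' '!!not-base64!!'
}

# On a controller with the admin credentials loaded:
#   dump_admin_secrets | find_stale_secrets "$OS_PASSWORD"
# Offline, with the constructed data:
#   sample_secrets | find_stale_secrets 'NewPass-2'
```

Any secret this prints is one whose service will keep authenticating with the old password and count toward lockout_failure_attempts.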