Barbican key manager settings not applied to DCN/Edge nodes

Bug #1886070 reported by Alan Bishop
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Alan Bishop

Bug Description

Consider a split stack deployment, with barbican deployed in the control plane. When cinder, glance or nova services are deployed in secondary stacks (e.g. at edge sites), their Key Manager settings are not being configured at all, and so those services are unable to reach the barbican service running in the control plane.

Here is an example of the consequence to cinder. When an encrypted volume is created, the original encryption key is created by the cinder-api service running in the control plane. But when the volume is created at an edge site, attempts to clone the volume will fail. That's because the cinder-volume service running at the edge site needs to be able to clone the volume's encryption key, but that fails because the barbican Key Manager settings are missing from the edge site's cinder.conf file.

The problem is due to how the barbican THT controls the Key Manager parameters in its service_config_settings (e.g. [1]). These service_config_settings only get applied to the control plane stack, but do *not* get applied to secondary edge site stacks.

[1] https://opendev.org/openstack/tripleo-heat-templates/src/branch/master/deployment/barbican/barbican-api-container-puppet.yaml#L290
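
A check for the symptom described in this report, as an added example (not code from the bug report or from tripleo-heat-templates): it parses a service config file such as cinder.conf and reports when the barbican Key Manager settings are absent. The required `[barbican]` option list, the sample file contents and the `example.test` endpoints are assumptions constructed for illustration.

```python
import configparser

# Values of [key_manager]/backend that select barbican: the castellan
# short name and the full class path.
BARBICAN_BACKENDS = {
    "barbican",
    "castellan.key_manager.barbican_key_manager.BarbicanKeyManager",
}
# Assumption: the [barbican] options this deployment expects to be set.
REQUIRED_BARBICAN_OPTS = ("auth_endpoint", "barbican_endpoint")

# Constructed sample: a control plane cinder.conf with Key Manager settings.
CONTROL_PLANE_CINDER = """\
[DEFAULT]
enabled_backends = tripleo_ceph
[key_manager]
backend = castellan.key_manager.barbican_key_manager.BarbicanKeyManager
[barbican]
auth_endpoint = https://keystone.example.test:5000/v3
barbican_endpoint = https://barbican.example.test:9311
"""

# Constructed sample: an edge site cinder.conf with no Key Manager settings.
EDGE_CINDER = """\
[DEFAULT]
enabled_backends = tripleo_ceph
storage_availability_zone = edge-site-1
"""

def audit_key_manager(conf_text):
    """Return a list of findings for the text of one service config file."""
    # default_section is renamed so [DEFAULT] values do not leak into the
    # [key_manager] and [barbican] lookups; strict=False tolerates the
    # repeated options that oslo.config files may contain.
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, default_section="__unused__")
    parser.read_string(conf_text)
    findings = []
    backend = parser.get("key_manager", "backend", fallback="").strip()
    if not backend:
        findings.append("[key_manager] backend is not set")
    elif backend not in BARBICAN_BACKENDS:
        findings.append("[key_manager] backend is %r, not barbican" % backend)
    for opt in REQUIRED_BARBICAN_OPTS:
        if not parser.get("barbican", opt, fallback="").strip():
            findings.append("[barbican] %s is not set" % opt)
    return findings

def audit_site(configs):
    """Map file name -> findings, keeping only files that have findings."""
    results = {name: audit_key_manager(text) for name, text in configs.items()}
    return {name: found for name, found in results.items() if found}
```

Running `audit_site` over the config files collected from each stack flags the edge site files that lack the settings while leaving a correctly configured control plane file out of the result.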

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/739098

Changed in tripleo:
status: Triaged → In Progress
tags: added: ussuri-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/739098
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=5080e45fd283c795f973c86719d1959948f642e3
Submitter: Zuul
Branch: master

commit 5080e45fd283c795f973c86719d1959948f642e3
Author: Alan Bishop <email address hidden>
Date: Fri Jul 10 06:35:11 2020 -0700

    Add BarbicanClient service for configuring edge sites

    A new BarbicanClient tripleo service provides a means of configuring
    the barbican Key Manager settings for cinder, glance and nova services
    running at an edge site. This is necessary because the BarbicanApi
    tripleo service is only capable of configuring the Key Manager settings
    for services running in the control plane.

    For cinder, the BarbicanClient ensures the KeyManager settings are
    available to the cinder-volume and cinder-backup services. This is
    necessary because the Key Manager settings are traditionally associated
    with the cinder-api service, but cinder-api is not deployed at the edge.

    Closes-Bug: #1886070
    Change-Id: I17d6c3a3af5b192b77d264ff3e94e64ef6064c77

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/742177

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/ussuri)

Reviewed: https://review.opendev.org/742177
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b5b2bb640b93001ffcfb2d09aaee7d586604aa62
Submitter: Zuul
Branch: stable/ussuri

commit b5b2bb640b93001ffcfb2d09aaee7d586604aa62
Author: Alan Bishop <email address hidden>
Date: Fri Jul 10 06:35:11 2020 -0700

    Add BarbicanClient service for configuring edge sites

    A new BarbicanClient tripleo service provides a means of configuring
    the barbican Key Manager settings for cinder, glance and nova services
    running at an edge site. This is necessary because the BarbicanApi
    tripleo service is only capable of configuring the Key Manager settings
    for services running in the control plane.

    For cinder, the BarbicanClient ensures the KeyManager settings are
    available to the cinder-volume and cinder-backup services. This is
    necessary because the Key Manager settings are traditionally associated
    with the cinder-api service, but cinder-api is not deployed at the edge.

    Closes-Bug: #1886070
    Change-Id: I17d6c3a3af5b192b77d264ff3e94e64ef6064c77
    (cherry picked from commit 5080e45fd283c795f973c86719d1959948f642e3)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/743213

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/743213
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=bbaded6cac3da0b7ceae6ff17aca7039ec6f3bcf
Submitter: Zuul
Branch: stable/train

commit bbaded6cac3da0b7ceae6ff17aca7039ec6f3bcf
Author: Alan Bishop <email address hidden>
Date: Fri Jul 10 06:35:11 2020 -0700

    Add BarbicanClient service for configuring edge sites

    A new BarbicanClient tripleo service provides a means of configuring
    the barbican Key Manager settings for cinder, glance and nova services
    running at an edge site. This is necessary because the BarbicanApi
    tripleo service is only capable of configuring the Key Manager settings
    for services running in the control plane.

    For cinder, the BarbicanClient ensures the KeyManager settings are
    available to the cinder-volume and cinder-backup services. This is
    necessary because the Key Manager settings are traditionally associated
    with the cinder-api service, but cinder-api is not deployed at the edge.

    Closes-Bug: #1886070
    Change-Id: I17d6c3a3af5b192b77d264ff3e94e64ef6064c77
    (cherry picked from commit 5080e45fd283c795f973c86719d1959948f642e3)
    (cherry picked from commit b5b2bb640b93001ffcfb2d09aaee7d586604aa62)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 11.4.0

This issue was fixed in the openstack/tripleo-heat-templates 11.4.0 release.
