Nova keypair for TripleO Octavia deployment

Bug #1907112 reported by Rohit Londhe
This bug affects 3 people
Affects: tripleo | Status: Triaged | Importance: Critical | Assigned to: Rohit Londhe

Bug Description

TripleO deployment for Octavia is failing because there is no valid Nova keypair.
Considering the removal of Nova from undercloud/director node, there is no one who can generate a keypair, and the current Octavia deployment still thinks that it should get a keypair from Nova to work.

Below is the error message which we are getting during deployment:

~~~
**kwargs)\n\n File \"/usr/lib/python3.6/site-packages/heat/engine/stack.py\", line 920, in validate\n result = res.validate()\n\n File \"/usr/lib/python3.6/site-packages/heat/engine/resources/template_resource.py\", line 267, in validate\n result = super(TemplateResource, self).validate()\n\n File \"/usr/lib/python3.6/site-packages/heat/engine/resources/stack_resource.py\", line 65, in validate\n self.validate_nested_stack()\n\n File \"/usr/lib/python3.6/site-packages/heat/engine/resources/stack_resource.py\", line 81, in validate_nested_stack\n ex, path=[self.stack.t.RESOURCES, path])\n\nheat.common.exception.StackValidationFailed: EndpointNotFound: resources.ControllerServiceChain<https://192.168.24.2:13808/v1/AUTH_81e8b5c8134447fc9adc3c1025cdfb32/overcloud/common/services/controller-role.yaml>.resources.ServiceChain<nested_stack>.resources.30<https://192.168.24.2:13808/v1/AUTH_81e8b5c8134447fc9adc3c1025cdfb32/overcloud/deployment/octavia/octavia-deployment-config.yaml>.resources.default_key_pair: publicURL endpoint for compute service in regionOne region not found\n", "success": false}
~~~

Deployment command:
~~~
[stack@standalone ~]$ sudo openstack tripleo deploy \
  --templates \
  --local-ip=<IP>/24 \
  -e /usr/share/openstack-tripleo-heat-templates/environments/standalone/standalone-tripleo.yaml \
  -r /usr/share/openstack-tripleo-heat-templates/roles/Standalone.yaml \
  -e /usr/share/openstack-tripleo-heat-templates/environments/services/octavia.yaml \
  -e $HOME/containers-prepare-parameters.yaml \
  -e $HOME/standalone_parameters.yaml \
  --output-dir $HOME \
  --standalone
~~~

The highlighted section at the following URLs is what gets called to generate the keypair:
https://opendev.org/openstack/tripleo-heat-templates/src/branch/master/deployment/octavia/octavia-deployment-config.j2.yaml#L207-L212
https://github.com/openstack/tripleo-heat-templates/blob/b01b1a7f7211e1f542bf39e63458934fa5c623b6/docker/services/octavia/octavia-deployment-config.yaml#L150-L153

There are a couple of workarounds, like manually providing a public key or commenting out the keypair generation part itself.

Looking for a solution where we can seamlessly deploy Octavia.

 Additional details:

 1. Provider driver - Amphora
 2. Facing problem for standalone/non-standalone deployments

Rohit Londhe (rohitl512)
Changed in tripleo:
assignee: nobody → Rohit Londhe (rohitl512)
tags: added: tripleo-heat-templates
Brendan Shephard (bshephar) wrote :

So the problem is that we don't have Nova on the Director node in TripleO. So we fail here:
https://opendev.org/openstack/tripleo-heat-templates/src/branch/master/deployment/octavia/octavia-deployment-config.j2.yaml#L208-L212

When we try to reach out to the non-existent API endpoint. Then we use that param here:
https://opendev.org/openstack/tripleo-heat-templates/src/branch/master/deployment/octavia/octavia-deployment-config.j2.yaml#L227-L229

So this whole mechanism needs to be removed and replaced with something. I guess we would ideally do it with Ansible and generate a new key, then use that key during the deployment?

Changed in tripleo:
importance: Undecided → Critical
status: New → Triaged
milestone: none → wallaby-2
Changed in tripleo:
milestone: wallaby-2 → wallaby-3
Rohit Londhe (rohitl512) wrote :
Changed in tripleo:
milestone: wallaby-3 → wallaby-rc1
Brent Eagles (beagles) wrote :

@Brendan I agree. There is a documentation burden for admins that want to access load balancer VMs via ssh, but having Octavia-specific ssh keys seems a better idea anyways.

Gregory Thiemonge (gthiemonge) wrote :

I started working on creating ssh keys for Octavia in tripleo-ansible:
https://review.opendev.org/c/openstack/tripleo-ansible/+/783824

Changed in tripleo:
milestone: wallaby-rc1 → xena-1
Changed in tripleo:
milestone: xena-1 → xena-2
Changed in tripleo:
milestone: xena-2 → xena-3
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/783823
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/f0010f606f8cede21194cebfdd468e3f0113034f
Submitter: "Zuul (22348)"
Branch: master

commit f0010f606f8cede21194cebfdd468e3f0113034f
Author: Gregory Thiemonge <email address hidden>
Date: Tue Mar 30 11:26:40 2021 +0200

    Add OctaviaAmphoraSshKeyDir for ssh key creation for Octavia

    The Octavia playbook now creates a ssh key unless the user explicitly
    sets the OctaviaAmphoraSshKeyFile parameter.
    The playbook creates it in the OctaviaAmphoraSshKeyDir directory
    (default: /etc/octavia/ssh).

    Related-bug: #1907112
    Change-Id: I4f31ddc3392e70cff1187ba8b9511af12df4b063

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/783824
Committed: https://opendev.org/openstack/tripleo-ansible/commit/9970698c424718cd387f791b085e3d194900ad53
Submitter: "Zuul (22348)"
Branch: master

commit 9970698c424718cd387f791b085e3d194900ad53
Author: Gregory Thiemonge <email address hidden>
Date: Tue Mar 30 11:35:09 2021 +0200

    Generate Octavia ssh key from the octavia playbook

    Unless it is explicitly set with the OctaviaAmphoraSshKeyFile parameter,
    the Octavia ssh key is now automatically generated in the directory
    pointed by the OctaviaAmphoraSshKeyDir parameter (default:
    /etc/octavia/ssh)

    Depends-On: I4f31ddc3392e70cff1187ba8b9511af12df4b063

    Related-bug: #1907112
    Change-Id: Idfc734022d40de82f510110ba7a5260a2118cb00
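
The behaviour the two commit messages above describe (use the key named by OctaviaAmphoraSshKeyFile when it is set, otherwise generate one under OctaviaAmphoraSshKeyDir), shown as an added shell example that is not the tripleo-ansible playbook code. The function name, key file name, key type and permission modes are assumptions, as is treating the supplied file as a public key.

```bash
# Added example, not code from tripleo-ansible. The two arguments stand in
# for OctaviaAmphoraSshKeyFile and OctaviaAmphoraSshKeyDir; the key file name,
# key type and permission modes are assumptions.

# Prints the path of the public key to use; non-zero return on any failure.
ensure_octavia_ssh_key() {
    local key_file="${1:-}" key_dir="${2:-/etc/octavia/ssh}"
    local priv="$key_dir/octavia_id" derived   # hypothetical file name

    # Operator supplied a key: validate it and never generate one.
    if [ -n "$key_file" ]; then
        ssh-keygen -l -f "$key_file" >/dev/null 2>&1 || {
            echo "not a readable ssh key: $key_file" >&2
            return 1
        }
        printf '%s\n' "$key_file"
        return 0
    fi

    # Otherwise generate once, inside a directory only the owner can enter.
    mkdir -p "$key_dir" || return 1
    chmod 700 "$key_dir" || return 1
    if [ ! -f "$priv" ]; then
        (umask 077; ssh-keygen -q -t ed25519 -N '' -C octavia-amphora -f "$priv") \
            || return 1
    fi
    chmod 600 "$priv" || return 1

    # On re-runs, do not trust an existing .pub: re-derive it from the private
    # key and rewrite the file if type or key material differ.
    derived="$(ssh-keygen -y -f "$priv")" || return 1
    if [ ! -f "$priv.pub" ] ||
       [ "$(cut -d' ' -f1,2 "$priv.pub")" != "$(printf '%s\n' "$derived" | cut -d' ' -f1,2)" ]; then
        printf '%s\n' "$derived" > "$priv.pub"
    fi
    chmod 644 "$priv.pub" || return 1
    printf '%s\n' "$priv.pub"
}
```

Re-running the function keeps the existing private key, so amphorae booted with the earlier public key stay reachable with it.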

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/806265

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/806266

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/806265
Committed: https://opendev.org/openstack/tripleo-ansible/commit/a7667f0f9405edc71eda945fcfe90c09a87cbf9c
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit a7667f0f9405edc71eda945fcfe90c09a87cbf9c
Author: Gregory Thiemonge <email address hidden>
Date: Tue Mar 30 11:35:09 2021 +0200

    Generate Octavia ssh key from the octavia playbook

    Unless it is explicitly set with the OctaviaAmphoraSshKeyFile parameter,
    the Octavia ssh key is now automatically generated in the directory
    pointed by the OctaviaAmphoraSshKeyDir parameter (default:
    /etc/octavia/ssh)

    NB: As mentioned in https://review.opendev.org/c/openstack/tripleo-heat-templates/+/783823
    the dep-on was wrong, so let's remove it from this review.

    Related-bug: #1907112
    Change-Id: Idfc734022d40de82f510110ba7a5260a2118cb00

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/806266
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/2123370fbc3fde0123fbffcb43ef55c4d63d5fae
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 2123370fbc3fde0123fbffcb43ef55c4d63d5fae
Author: Gregory Thiemonge <email address hidden>
Date: Tue Mar 30 11:26:40 2021 +0200

    Add OctaviaAmphoraSshKeyDir for ssh key creation for Octavia

    The Octavia playbook now creates a ssh key unless the user explicitly
    sets the OctaviaAmphoraSshKeyFile parameter.
    The playbook creates it in the OctaviaAmphoraSshKeyDir directory
    (default: /etc/octavia/ssh).

    NB: Not a clean cherry-pick some context differences in
        deployment/octavia/octavia-deployment-config.j2.yaml

    Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/806265

    Related-bug: #1907112
    Change-Id: I4f31ddc3392e70cff1187ba8b9511af12df4b063

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by "James Slagle <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/773616
Reason: Abandoning this patch per the TripleO Patch Abandonment guidelines
(https://specs.openstack.org/openstack/tripleo-specs/specs/policy/patch-abandonment.html).
If you wish to have this restored and cannot do so yourself, please reach out
via #tripleo on OFTC or the OpenStack Dev mailing list.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-ansible (master)

Change abandoned by "Kevin Carter <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/779488
Reason: abandoned due to age.
