Bug 1558058 – Barbican not working in OSP13 deployment

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1558058 - Barbican not working in OSP13 deployment

Summary:	Barbican not working in OSP13 deployment

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates (Show other bugs)
Sub Component:
Version:	13.0 (Queens)
Hardware:	Unspecified Unspecified

Priority	urgent Severity urgent
Target Milestone:	beta
Target Release:	13.0 (Queens)
Assigned To:	Ade Lee
QA Contact:	Prasanth Anbalagan
Docs Contact:

URL:
Whiteboard:
Keywords:	Triaged

Depends On:
Blocks:	1365571 1374375 1412823 1419556
	Show dependency tree / graph

Reported:	2018-03-19 10:23 EDT by Prasanth Anbalagan
Modified:	2018-09-20 06:51 EDT (History)
CC List:	9 users (show)

See Also:
Fixed In Version:	openstack-tripleo-heat-templates-8.0.0-0.20180304031150.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-06-27 09:47:45 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	549852	None	stable/queens: MERGED	tripleo-heat-templates: Add step to run secret_store_sync before instance startup (Ibe4e5023b8773ee70ee914118628acc5c149...	2018-03-29 12:15 EDT
Red Hat Product Errata	RHEA-2018:2086	None	None	None	2018-06-27 09:49 EDT

Groups: None (edit)

Description Prasanth Anbalagan 2018-03-19 10:23:48 EDT

Description of problem:
=======================

Barbican tempest tests ("barbican_tempest_plugin.tests.scenario.test_volume_encryption.VolumeEncryptionTest.test_encrypted_cinder_volumes_cryptsetup) fails since barbican is not up on OSP13 deployment.

[heat-admin@controller-0 ~]$ source overcloudrc 
(overcloud) [heat-admin@controller-0 ~]$ openstack secret list
Failed to contact the endpoint at http://10.0.0.105:9311 for discovery. Fallback to using that endpoint as the base url.
Unable to establish connection to http://10.0.0.105:9311/secrets: ('Connection aborted.', BadStatusLine("''",))
(overcloud) [heat-admin@controller-0 ~]$ 


Version-Release number of selected component (if applicable):
==============================================================

(overcloud) [heat-admin@controller-0 ~]$ yum list installed | grep barbican
openstack-barbican-api.noarch       6.0.0-0.20180216020456.5b525f6.el7ost
openstack-barbican-common.noarch    6.0.0-0.20180216020456.5b525f6.el7ost
puppet-barbican.noarch              12.3.1-0.20180221115057.7067770.el7ost
python-barbican.noarch              6.0.0-0.20180216020456.5b525f6.el7ost
python2-barbicanclient.noarch       4.6.0-0.20180211180442.262025b.el7ost

How reproducible:
=================
Always

Steps to Reproduce:
====================
1. Deploy OSP13 w/Barbican enabled (by including the following .yaml)
  --service-environment-file=/usr/share/openstack-tripleo-heat-templates/environments/services-docker/barbican.yaml \
  --service-environment-file=/usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml \
2. On the controller, execute 'openstack secret list'
3.

Actual results:
===============

Failed to contact the endpoint at http://10.0.0.105:9311 for discovery. Fallback to using that endpoint as the base url.
Unable to establish connection to http://10.0.0.105:9311/secrets: ('Connection aborted.', BadStatusLine("''",))

Comment 1 Prasanth Anbalagan 2018-03-20 10:24:19 EDT

Updating the status - jaosorior observed that the parameter 'BarbicanSimpleCryptoGlobalDefault' in /usr/share/openstack-tripleo-heat-templates/puppet/services/barbican-backend-simple-crypto.yaml was set to 'false'. After changing it to 'true' and redeploying overcloud, the command 'openstack secret list' returns empty output (as expected). But logs still showed "No preferred secret store found for project". jaosorior/alee found that this was due to the https://review.openstack.org/#/c/549852/ missing in downstream puddles.

Comment 2 Prasanth Anbalagan 2018-03-26 05:48:56 EDT

Updating workaround for the bug (until fix is available downstream)

-----------------------------------------------------------------------------
sudo docker exec barbican_api /usr/bin/barbican-manage db sync_secret_stores verbose
-----------------------------------------------------------------------------

Comment 3 Jon Schlueter 2018-03-28 09:07:54 EDT

What are we waiting for moving this from PENDING to MODIFIED?

Comment 7 Tzach Shefi 2018-04-03 03:24:47 EDT

Verified on:
openstack-tripleo-heat-templates-8.0.2-0.20180327213843.f25e2d8.el7ost.noarch

After adding both yamls on overcloud_deploy.sh
-e /usr/share/openstack-tripleo-heat-templates/environments/services-docker/barbican.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml \

And fetching/uploading Barbican's docker image, needed due to infrared not pulling all images by default. 

(overcloud) [stack@undercloud-0 ~]$ openstack secret list
+------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+---------------------------+
| Secret href                                                            | Name | Created                   | Status | Content types                             | Algorithm | Bit length | Secret type | Mode | Expiration                |
+------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+---------------------------+
| http://10.0.0.101:9311/v1/secrets/c0503c63-c097-483d-afa4-7e11090217cf | test | 2018-04-03T06:34:51+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | RSA       |        256 | certificate | cbc  | 2019-01-31T00:00:00+00:00 |
| http://10.0.0.101:9311/v1/secrets/b76330a9-ced4-40d3-81e8-9b5f351c3e8d | None | 2018-04-03T06:00:08+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes       |        256 | symmetric   | None | None                      |
+------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+---------------------------+

This looks OK to verify,
Just approve with Prasanth before I actually verify on his behalf.

Comment 8 Tzach Shefi 2018-04-07 17:10:41 EDT

Prasanth said it looks good to verify.

Comment 10 errata-xmlrpc 2018-06-27 09:47:45 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

Note You need to log in before you can comment on or make changes to this bug.