Description of problem:
TLS-terminated HTTPS load balancers require a TLS container to be passed in at listener creation. Octavia needs to have permission to access the container, which it does not unless the user adds the Octavia service user to the ACL list beforehand with "openstack acl user add -u $OCTAVIA_SERVICE_USER <secret>". To do so, end-users need to know the right user to add ("octavia" in OSP).

How reproducible:
100%

Steps to Reproduce:
1. openstack secret store --name='tls_secret1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < server.p12)"
2. openstack loadbalancer create --name lb1 --vip-subnet-id private-subnet
3. openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb1

Actual results:
Listener provisioning will fail with ERROR. Check the octavia-worker logs and you'll see Barbican denied Octavia access to the secret.

Expected results:
Octavia would be able to retrieve the secret and the listener would be provisioned (ACTIVE).

Additional info:
Today, in order to create TERMINATED_HTTPS listeners, users have to:
1. openstack secret store --name='tls_secret1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < server.p12)"
2. openstack acl user add -u octavia $(openstack secret list | awk '/ tls_secret1 / {print $2}')
3. openstack loadbalancer create --name lb1 --vip-subnet-id private-subnet
4. openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb1
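Added helper functions for scripting the workflow above (these are not part of the bug report or of Octavia): instead of the loose `awk '/ tls_secret1 /'` match over the whole row, they look the secret up by its exact Name column, and they read provisioning_status/operating_status out of `openstack loadbalancer listener show` so a script can wait for ACTIVE or stop on ERROR (the state in which the Barbican denial shows up). The table layout assumed is the one printed by the openstack CLI on this page; wait_for_listener is the only function that needs the CLI and credentials.

```shell
#!/bin/sh
# Parses the "| col | col |" tables printed by the openstack CLI (layout as
# seen in this bug report). Pure text processing, so it can be tested offline.
set -eu

# table_cell KEY < table: value column of the row whose Field column equals KEY
# ("| Field | Value |" layout of the *show* commands).
table_cell() {
  awk -F'|' -v key="$1" '
    NF >= 3 {
      f = $2; v = $3
      gsub(/^ +| +$/, "", f); gsub(/^ +| +$/, "", v)
      if (f == key) { print v; exit }
    }'
}

# secret_href_by_name NAME < table: exact match on the Name column of
# `openstack secret list`; prints nothing when no secret has that name.
secret_href_by_name() {
  awk -F'|' -v want="$1" '
    NF >= 3 {
      href = $2; name = $3
      gsub(/^ +| +$/, "", href); gsub(/^ +| +$/, "", name)
      if (name == want && href ~ /^https?:\/\//) { print href; exit }
    }'
}

# listener_state < table: prints "<provisioning_status> <operating_status>"
# from a `openstack loadbalancer listener show` table.
listener_state() {
  out=$(cat)
  printf '%s %s\n' "$(printf '%s\n' "$out" | table_cell provisioning_status)" \
                   "$(printf '%s\n' "$out" | table_cell operating_status)"
}

# wait_for_listener NAME: poll the listener until it leaves PENDING_CREATE.
# Needs the openstack CLI and an overcloudrc; not called in this file.
wait_for_listener() {
  while :; do
    state=$(openstack loadbalancer listener show "$1" | listener_state)
    case "${state%% *}" in
      ACTIVE) echo "listener $1 ACTIVE (operating_status ${state#* })"; return 0 ;;
      ERROR)  echo "listener $1 ERROR: check octavia-worker logs for a Barbican denial" >&2; return 1 ;;
    esac
    sleep 5
  done
}
```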
According to our records, this should be resolved by openstack-octavia-2.0.4-3.el7ost. This build is available now.
Verification steps:

(overcloud) [stack@undercloud-0 ~]$ cat /etc/yum.repos.d/latest-installed
13 -p 2019-06-25.1
(overcloud) [stack@undercloud-0 ~]$ rpm -qa | grep octavia
python2-octaviaclient-1.4.0-1.1.el7ost.noarch
octavia-amphora-image-x86_64-13.0-20190621.2.el7ost.noarch
octavia-amphora-image-13.0-20190621.2.el7ost.noarch
puppet-octavia-12.4.0-9.el7ost.noarch
(overcloud) [stack@undercloud-0 ~]$ rpm -qa | grep barbican
python2-barbicanclient-4.6.1-1.el7ost.noarch
puppet-barbican-12.4.1-0.20180831193736.92c6c2f.el7ost.noarch
(overcloud) [stack@undercloud-0 ~]$ openstack secret list
+------------------------------------------------------------------------+-------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| Secret href                                                            | Name        | Created                   | Status | Content types                             | Algorithm | Bit length | Secret type | Mode | Expiration |
+------------------------------------------------------------------------+-------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| http://10.0.0.110:9311/v1/secrets/abb907f7-d24c-4caa-80c1-5b6cc9fb1acf | tls_secret1 | 2019-07-07T11:53:58+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes       | 256        | opaque      | cbc  | None       |
+------------------------------------------------------------------------+-------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
(overcloud) [stack@undercloud-0 ~]$
(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer list
+--------------------------------------+------+----------------------------------+-------------+---------------------+----------+
| id                                   | name | project_id                       | vip_address | provisioning_status | provider |
+--------------------------------------+------+----------------------------------+-------------+---------------------+----------+
| 5187e9dc-452b-44dd-aeda-597c1db0c4b5 | LB   | d9f3ad6396ff49038388543f73014f4b | 10.0.1.14   | ACTIVE              | octavia  |
+--------------------------------------+------+----------------------------------+-------------+---------------------+----------+
(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener5 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') LB
+---------------------------+------------------------------------------------------------------------+
| Field                     | Value                                                                  |
+---------------------------+------------------------------------------------------------------------+
| admin_state_up            | True                                                                   |
| connection_limit          | -1                                                                     |
| created_at                | 2019-07-10T10:48:03                                                    |
| default_pool_id           | None                                                                   |
| default_tls_container_ref | http://10.0.0.110:9311/v1/secrets/abb907f7-d24c-4caa-80c1-5b6cc9fb1acf |
| description               |                                                                        |
| id                        | 2c62fb94-5c3d-4cce-ad94-4d43b51057f2                                   |
| insert_headers            | None                                                                   |
| l7policies                |                                                                        |
| loadbalancers             | 5187e9dc-452b-44dd-aeda-597c1db0c4b5                                   |
| name                      | listener5                                                              |
| operating_status          | OFFLINE                                                                |
| project_id                | d9f3ad6396ff49038388543f73014f4b                                       |
| protocol                  | TERMINATED_HTTPS                                                       |
| protocol_port             | 443                                                                    |
| provisioning_status       | PENDING_CREATE                                                         |
| sni_container_refs        | []                                                                     |
| updated_at                | None                                                                   |
+---------------------------+------------------------------------------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer listener list
+--------------------------------------+-----------------+-----------+----------------------------------+------------------+---------------+----------------+
| id                                   | default_pool_id | name      | project_id                       | protocol         | protocol_port | admin_state_up |
+--------------------------------------+-----------------+-----------+----------------------------------+------------------+---------------+----------------+
| 2c62fb94-5c3d-4cce-ad94-4d43b51057f2 | None            | listener5 | d9f3ad6396ff49038388543f73014f4b | TERMINATED_HTTPS | 443           | True           |
+--------------------------------------+-----------------+-----------+----------------------------------+------------------+---------------+----------------+
(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer listener show listener5
+---------------------------+------------------------------------------------------------------------+
| Field                     | Value                                                                  |
+---------------------------+------------------------------------------------------------------------+
| admin_state_up            | True                                                                   |
| connection_limit          | -1                                                                     |
| created_at                | 2019-07-10T10:48:03                                                    |
| default_pool_id           | None                                                                   |
| default_tls_container_ref | http://10.0.0.110:9311/v1/secrets/abb907f7-d24c-4caa-80c1-5b6cc9fb1acf |
| description               |                                                                        |
| id                        | 2c62fb94-5c3d-4cce-ad94-4d43b51057f2                                   |
| insert_headers            | None                                                                   |
| l7policies                |                                                                        |
| loadbalancers             | 5187e9dc-452b-44dd-aeda-597c1db0c4b5                                   |
| name                      | listener5                                                              |
| operating_status          | ONLINE                                                                 |
| project_id                | d9f3ad6396ff49038388543f73014f4b                                       |
| protocol                  | TERMINATED_HTTPS                                                       |
| protocol_port             | 443                                                                    |
| provisioning_status       | ACTIVE                                                                 |
| sni_container_refs        | []                                                                     |
| updated_at                | 2019-07-10T10:48:14                                                    |
+---------------------------+------------------------------------------------------------------------+

The TERMINATED_HTTPS listener was created successfully without needing to add the octavia user to the TLS secret's ACL (no need to run "openstack acl user add -u octavia $(openstack secret list | awk '/ tls_secret1 / {print $2}')").
Moving the bug to VERIFIED.