Bug 1576436

Description of problem:
In order to configure TLS termination listener we need to use barbican secret flag . 

With non cotnainerized barbican a secret id was acceptable and listener was created ( see https://bugzilla.redhat.com/show_bug.cgi?id=1553520) 

I installed containerized barbican and the secret id nor secret container di is not acceptable. 

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Deploy openstack with Octavia and containerized Barbican. 
2. Create ssl keys and certs and create Barbican secret. 
3. Try to create a https termination listener
4. Create a secret container and try to create the same listener with the container parameters. 



Actual results:
# openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb-ter-tls
Could not retrieve certificate: ['http://10.0.0.108:9311/v1/secrets/d2fbbce2-62db-45b1-9578-e349865bd686'] (HTTP 400) (Request-ID: req-78a8fe3f-a34f-4a97-b1b4-fc68101d0d45)


Expected results:
Lestener should be created

Additional info:


Deployment info: 

Overcloud deploy command : 
openstack overcloud deploy \
--timeout 100 \
--templates /usr/share/openstack-tripleo-heat-templates \
--stack overcloud \
--libvirt-type kvm \
--ntp-server clock.redhat.com \
-e /home/stack/virt/config_lvm.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml \
-e /home/stack/virt/network/network-environment.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/services-docker/octavia.yaml \
-e /home/stack/virt/hostnames.yml \
-e /home/stack/virt/nodes_data.yaml \
--environment-file /usr/share/openstack-tripleo-heat-templates/environments/services-docker/barbican.yaml \
--environment-file /usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml \
-e /home/stack/virt/extra_templates.yaml \
-e /home/stack/virt/docker-images.yaml \
--log-file overcloud_deployment_2.log


(overcloud) [stack@undercloud-0 ~]$ 
(overcloud) [stack@undercloud-0 ~]$ cat /home/stack/virt/extra_templates.yaml
parameter_defaults:
    BarbicanSimpleCryptoGlobalDefault: true


SSL info: 


# openssl pkcs12 -export -inkey /tmp/octavia-ssl/client.key -in /tmp/octavia-ssl/client-.pem -certfile /tmp/octavia-ssl/ca_01.pem -passout pass:qwerty123 -out server.p12
# openstack secret store --name='tls_secret1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < server.p12)"
# openstack user list | grep octav
# openstack acl user add -u d60a19f3157541e3a4a534971bc42148 $(openstack secret list | awk '/ tls_secret1 / {print $2}')
# openstack loadbalancer create --name lb-ter-tls --vip-network-id 0d8ac6f6-c7cb-4f24-b9c8-e4c56a1a17ae


The "d60a19f3157541e3a4a534971bc42148" id is octavia user id. 



The Octavia logs: 
[root@controller-0 ~]# tailf /var/log/containers/octavia/api.log 
2018-05-08 11:16:59.051 1 INFO octavia.certificates.manager.barbican [req-5c91dc92-95bd-408d-8e7e-ffa4e874353f - 467d248e3ac5410a98b3d041caa7370c - default default] Loading certificate secret http://10.0.0.108:9311/v1/secrets/d2fbbce2-62db-45b1-9578-e349865bd686 from Barbican.
2018-05-08 11:16:59.122 1 INFO octavia.certificates.manager.barbican_legacy [req-5c91dc92-95bd-408d-8e7e-ffa4e874353f - 467d248e3ac5410a98b3d041caa7370c - default default] Loading certificate container http://10.0.0.108:9311/v1/secrets/d2fbbce2-62db-45b1-9578-e349865bd686 from Barbican.
2018-05-08 11:16:59.150 1 ERROR octavia.certificates.manager.barbican_legacy [req-5c91dc92-95bd-408d-8e7e-ffa4e874353f - 467d248e3ac5410a98b3d041caa7370c - default default] Error getting cert http://10.0.0.108:9311/v1/secrets/d2fbbce2-62db-45b1-9578-e349865bd686: Unknown container type "".



Saving a secret into container did not help. In the bug mentioned in the begging it worked with secret ID (reminder). Here I will try with continer id: 

I saved the secret in a container but the result is the same: 

(overcloud) [stack@undercloud-0 ~]$ openstack secret list 
+------------------------------------------------------------------------+-------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| Secret href                                                            | Name        | Created                   | Status | Content types                             | Algorithm | Bit length | Secret type | Mode | Expiration |
+------------------------------------------------------------------------+-------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| http://10.0.0.108:9311/v1/secrets/d2fbbce2-62db-45b1-9578-e349865bd686 | tls_secret1 | 2018-05-08T10:37:54+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes       |        256 | opaque      | cbc  | None       |
+------------------------------------------------------------------------+-------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
(overcloud) [stack@undercloud-0 ~]$ openstack  secret container create --name container1 --secret http://10.0.0.108:9311/v1/secrets/d2fbbce2-62db-45b1-9578-e349865bd686 
+----------------+---------------------------------------------------------------------------+
| Field          | Value                                                                     |
+----------------+---------------------------------------------------------------------------+
| Container href | http://10.0.0.108:9311/v1/containers/99033c41-5437-448d-80f6-de9d18ecc3d6 |
| Name           | container1                                                                |
| Created        | None                                                                      |
| Status         | ACTIVE                                                                    |
| Type           | generic                                                                   |
| Secrets        | None                                                                      |
| Consumers      | None                                                                      |
+----------------+---------------------------------------------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ 
(overcloud) [stack@undercloud-0 ~]$ 
(overcloud) [stack@undercloud-0 ~]$ 
(overcloud) [stack@undercloud-0 ~]$ 
(overcloud) [stack@undercloud-0 ~]$ 
(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=http://10.0.0.108:9311/v1/secrets/d2fbbce2-62db-45b1-9578-e349865bd686 lb-ter-tls
Could not retrieve certificate: ['http://10.0.0.108:9311/v1/secrets/d2fbbce2-62db-45b1-9578-e349865bd686'] (HTTP 400) (Request-ID: req-b91b62a3-e0b3-44bc-be48-94ffb732c202)
(overcloud) [stack@undercloud-0 ~]$ 




Same error and logs : 

2018-05-08 15:07:56.719 1 INFO octavia.certificates.manager.barbican [req-b91b62a3-e0b3-44bc-be48-94ffb732c202 - 467d248e3ac5410a98b3d041caa7370c - default default] Loading certificate secret http://10.0.0.108:9311/v1/secrets/d2fbbce2-62db-45b1-9578-e349865bd686 from Barbican.
2018-05-08 15:07:57.635 1 INFO octavia.certificates.manager.barbican_legacy [req-b91b62a3-e0b3-44bc-be48-94ffb732c202 - 467d248e3ac5410a98b3d041caa7370c - default default] Loading certificate container http://10.0.0.108:9311/v1/secrets/d2fbbce2-62db-45b1-9578-e349865bd686 from Barbican.
2018-05-08 15:07:57.657 1 ERROR octavia.certificates.manager.barbican_legacy [req-b91b62a3-e0b3-44bc-be48-94ffb732c202 - 467d248e3ac5410a98b3d041caa7370c - default default] Error getting cert http://10.0.0.108:9311/v1/secrets/d2fbbce2-62db-45b1-9578-e349865bd686: Unknown container type "".