+++ This bug was initially created as a clone of Bug #1569129 +++ Description of problem: TLS-terminated HTTPS load balancer require a TLS container to be passed in at listener creation. Octavia needs to have permission to access the container, which it does not unless the user adds beforehand the Octavia service user to the ACL list with "openstack acl user add -u $OCTAVIA_SERVICE_USER <secret>". To do so, end-users need to know the right user to add ("octavia" in OSP). How reproducible: 100% Steps to Reproduce: 1. openstack secret store --name='tls_secret1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < server.p12)" 2. openstack loadbalancer create --name lb1 --vip-subnet-id private-subnet 3. openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb1 Actual results: Listener provisioning will fail with ERROR. Check octavia-worker logs and you'll see Barbican denied Octavia access to the secret. Expected results: Octavia would be able to retrieve the secret and listener would be provisioned (ACTIVE). Additional info: Today, in order to create TERMINATED_HTTPS listeners users have to: 1. openstack secret store --name='tls_secret1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < server.p12)" 2. openstack acl user add -u octavia $(openstack secret list | awk '/ tls_secret1 / {print $2}') 3. openstack loadbalancer create --name lb1 --vip-subnet-id private-subnet 4. openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:0045