1899761 – Barbican at edge: Director does not configure barbican parameters in glance-api.conf for Edge site

Bug 1899761 - Barbican at edge: Director does not configure barbican parameters in glance-api.conf for Edge site

Summary: Barbican at edge: Director does not configure barbican parameters in glance-a...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	16.1 (Train)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	high
Target Milestone:	z4
Target Release:	16.1 (Train on RHEL 8.2)
Assignee:	Alan Bishop
QA Contact:	Marian Krcmarik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-11-19 23:07 UTC by Marian Krcmarik
Modified:	2021-03-17 15:36 UTC (History)
CC List:	7 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-11.3.2-1.20201114031847.el8ost
Doc Type:	Bug Fix
Doc Text:	Before this update, when deployed at an edge site the Image (glance) service was not configured to access the Key Manager (barbican) service running on the central site's control plane. This resulted in the Image services running on edge sites being unable to access encryption keys stored in the Key Manager service. With this update, Image services running on edge sites are now configured to access the encryption keys stored in the Key Manager service.
Clone Of:
Environment:
Last Closed:	2021-03-17 15:35:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1905439	None	None	None	2020-11-24 17:20:39 UTC
OpenStack gerrit	766231	None	MERGED	Fix barbican settings missing from glance Edge nodes	2021-02-02 13:56:02 UTC
Red Hat Product Errata	RHBA-2021:0817	None	None	None	2021-03-17 15:36:05 UTC

Description Marian Krcmarik 2020-11-19 23:07:12 UTC

Description of problem:
The glance-api.conf is not configured correctly with all needed barbican parameters at an Edge site. The tht which is included in overcloud deloy command:
/usr/share/openstack-tripleo-heat-templates/environments/services/barbican-edge.yaml
The glance-api.conf misses some items such as:
[key_manager]
backend=barbican
[barbican]
barbican_endpoint=https://overcloud.internalapi.redhat.local:9311
auth_endpoint=https://overcloud.internalapi.redhat.local:5000

The solution seems to be in fixing barbican-client-puppet.yaml as following:
5c55
<         glance_api: &glance_barbican_config
---
>         glance_api:
61d60
<         glance_api_edge: *glance_barbican_config

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-11.3.2-1.20200914170172.el8ost.noarch

How reproducible:
always

Steps to Reproduce:
1. Deploy barbican at an edge site (especially by including barbican-edge.yaml)
at an edge site with ceph storage and glance multistore (with enabled glance image signature verification)
2. Check glance-api.conf at edge site

Actual results:
barbican not configured

Expected results:
barbican configured (with its endpoints)

Additional info:

Comment 19 errata-xmlrpc 2021-03-17 15:35:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.4 director bug fix advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0817

Note You need to log in before you can comment on or make changes to this bug.