Closed evildevel closed 3 years ago
Hi, the only thing suspicious is:
2020-09-29 14:39:31.544141 2020-09-29 14:39:31.543 7862 WARNING keystone.server.flask.application [req-90f4de9b-d4d8-4d7e-a839-851f8c0384e7 d3ac14c5568142db9dd5158c85cc92af 6212190dc8724fe79455dcf37c6f310e - 9b424a4b11264d418ec77460de992d18 9b424a4b11264d418ec77460de992d18] You are not authorized to perform the requested action: Using trust-scoped token to create another token. Create a new trust-scoped token instead.: keystone.exception.ForbiddenAction: You are not authorized to perform the requested action: Using trust-scoped token to create another token. Create a new trust-scoped token instead.
Are you using trust identity in octavia-ingress-controller config?
[octavia-ingress-controller]
user-id: addc8b12915043da8d1ee9dbe5e8a830
trust-id: 91326f347a2d49e0bb3bc7cec87a12b7
$ openstack user show addc8b12915043da8d1ee9dbe5e8a830
+---------------------+-----------------------------------------------------------------------+
| Field               | Value                                                                 |
+---------------------+-----------------------------------------------------------------------+
| domain_id           | e71ccce17e014079a682fc6142fcbb52                                      |
| enabled             | True                                                                  |
| id                  | addc8b12915043da8d1ee9dbe5e8a830                                      |
| name                | 109310cf-8811-405e-a970-7d9bc8fb46cd_6212190dc8724fe79455dcf37c6f310e |
| options             | {}                                                                    |
| password_expires_at | None                                                                  |
+---------------------+-----------------------------------------------------------------------+
$ openstack domain show e71ccce17e014079a682fc6142fcbb52
+-------------+-------------------------------------------+
| Field       | Value                                     |
+-------------+-------------------------------------------+
| description | Owns users and projects created by magnum |
| enabled     | True                                      |
| id          | e71ccce17e014079a682fc6142fcbb52          |
| name        | magnum                                    |
| options     | {}                                        |
| tags        | []                                        |
+-------------+-------------------------------------------+
$ openstack trust show 91326f347a2d49e0bb3bc7cec87a12b7
+----------------------+-----------------------------------------------------------------------+
| Field                | Value                                                                 |
+----------------------+-----------------------------------------------------------------------+
| delegation_depth     | 0                                                                     |
| deleted_at           | None                                                                  |
| expires_at           | None                                                                  |
| id                   | 91326f347a2d49e0bb3bc7cec87a12b7                                      |
| impersonation        | True                                                                  |
| project_id           | 6212190dc8724fe79455dcf37c6f310e                                      |
| redelegated_trust_id | None                                                                  |
| redelegation_count   | 0                                                                     |
| remaining_uses       | None                                                                  |
| roles                | reader load-balancer_member member k8s_admin creator heat_stack_owner |
| trustee_user_id      | addc8b12915043da8d1ee9dbe5e8a830                                      |
| trustor_user_id      | d3ac14c5568142db9dd5158c85cc92af                                      |
+----------------------+-----------------------------------------------------------------------+
user "d3ac14c5568142db9dd5158c85cc92af" is the creator of the k8s cluster.
Why is "trust" (91326f347a2d49e0bb3bc7cec87a12b7) not taken into account when executing a request to create a listener via Octavia?
data:
  config: |
    cluster-name: 109310cf-8811-405e-a970-7d9bc8fb46cd
    openstack:
      auth-url: http://ct1.xxx.net:5000/v3
      user-id: addc8b12915043da8d1ee9dbe5e8a830
      password: PYt6jZ5ZxYZYxHb4Se
      trust-id: 91326f347a2d49e0bb3bc7cec87a12b7
      region: ru-msk-1
      ca-file: /etc/kubernetes/ca-bundle.crt
    octavia:
      subnet-id: 484758da-37c2-4f5d-b50e-42e68ff3ab3e
      floating-network-id: a4c97db3-6080-484f-82b5-70963dc1c5c3
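The keystone.log entry quoted above can be tied back to the trust shown in the `openstack trust show` output: keystone writes the oslo.log context as `[request_id user_id project_id domain_id user_domain_id project_domain_id]`, and because the trust has `impersonation True`, a token scoped to it carries the trustor's user id (d3ac14c5...), which is exactly the user id that appears in the denied request. The script below is an added example for checking this, not code from the issue or from the octavia-ingress-controller or Octavia projects. All names in it (`KeystoneEvent`, `TRUST_91326`, `find_trust_rescope_denials`, `correlate_with_trust`) are the example's own; the first sample line is the log line quoted in the issue (including its leading journald timestamp, which is treated as an optional prefix) and the second INFO line is constructed to show that unrelated entries are filtered out.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Keystone's default oslo.log context: [request_id user_id project_id domain_id
# user_domain_id project_domain_id]; an unset field is logged as "-".
# An optional leading timestamp covers lines captured through journald.
LINE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ )?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<pid>\d+) (?P<level>[A-Z]+) (?P<logger>\S+) "
    r"\[(?P<req>req-[0-9a-f-]+) (?P<user>\S+) (?P<project>\S+) (?P<domain>\S+) "
    r"(?P<user_domain>\S+) (?P<project_domain>\S+)\] (?P<msg>.*)$"
)

TRUST_RESCOPE_MARKER = "Using trust-scoped token to create another token"

# Sample input: line 1 is the entry quoted in the issue, line 2 is constructed.
SAMPLE_LOG = [
    "2020-09-29 14:39:31.544141 2020-09-29 14:39:31.543 7862 WARNING "
    "keystone.server.flask.application [req-90f4de9b-d4d8-4d7e-a839-851f8c0384e7 "
    "d3ac14c5568142db9dd5158c85cc92af 6212190dc8724fe79455dcf37c6f310e - "
    "9b424a4b11264d418ec77460de992d18 9b424a4b11264d418ec77460de992d18] "
    "You are not authorized to perform the requested action: Using trust-scoped "
    "token to create another token. Create a new trust-scoped token instead.: "
    "keystone.exception.ForbiddenAction: You are not authorized to perform the "
    "requested action: Using trust-scoped token to create another token. "
    "Create a new trust-scoped token instead.",
    "2020-09-29 14:40:02.101 7862 INFO keystone.common.wsgi "
    "[req-00000000-0000-0000-0000-000000000001 - - - - -] GET http://ct1.xxx.net:5000/v3/",
]

# Fields copied from the `openstack trust show` output in the issue.
TRUST_91326: Dict[str, object] = {
    "id": "91326f347a2d49e0bb3bc7cec87a12b7",
    "impersonation": True,
    "project_id": "6212190dc8724fe79455dcf37c6f310e",
    "trustee_user_id": "addc8b12915043da8d1ee9dbe5e8a830",
    "trustor_user_id": "d3ac14c5568142db9dd5158c85cc92af",
}


@dataclass
class KeystoneEvent:
    timestamp: str
    level: str
    logger: str
    request_id: str
    user_id: Optional[str]
    project_id: Optional[str]
    message: str

    @property
    def is_trust_rescope_denial(self) -> bool:
        # Keystone raises ForbiddenAction when a trust-scoped token is presented
        # to POST /v3/auth/tokens to obtain another token.
        return (TRUST_RESCOPE_MARKER in self.message
                and "keystone.exception.ForbiddenAction" in self.message)


def _field(value: str) -> Optional[str]:
    return None if value == "-" else value


def parse_keystone_line(line: str) -> Optional[KeystoneEvent]:
    """Parse one keystone.log line; return None for lines without a context block."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return KeystoneEvent(
        timestamp=m["ts"], level=m["level"], logger=m["logger"],
        request_id=m["req"], user_id=_field(m["user"]),
        project_id=_field(m["project"]), message=m["msg"],
    )


def find_trust_rescope_denials(lines) -> List[KeystoneEvent]:
    events = (parse_keystone_line(line) for line in lines)
    return [e for e in events if e is not None and e.is_trust_rescope_denial]


def correlate_with_trust(event: KeystoneEvent, trust: Dict[str, object]) -> Dict[str, object]:
    """Match a denial against a trust. With impersonation=True the token's user
    is the trustor, so the log context shows the trustor, not the trustee that
    actually authenticated with user-id/password/trust-id."""
    same_project = event.project_id == trust["project_id"]
    acting_as_trustor = event.user_id == trust["trustor_user_id"]
    return {
        "request_id": event.request_id,
        "trust_id": trust["id"],
        "matches_trust": same_project and acting_as_trustor,
        "token_user_is_trustor": acting_as_trustor,
        "token_user_is_trustee": event.user_id == trust["trustee_user_id"],
    }


def analyse(lines, trust: Dict[str, object]) -> List[Dict[str, object]]:
    return [correlate_with_trust(e, trust) for e in find_trust_rescope_denials(lines)]


if __name__ == "__main__":
    for result in analyse(SAMPLE_LOG, TRUST_91326):
        print(result)
```

Run against the quoted line, the result reports `matches_trust: True` with `token_user_is_trustor: True`, which confirms the request that keystone rejected was made with a token already scoped to trust 91326f34...: the client was re-authenticating with that token instead of authenticating afresh with the trustee's credentials plus the trust id, as the keystone message asks.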
I've fixed the same issue for the neutron client in Octavia before, but not for the barbican client, ref: https://storyboard.openstack.org/#!/story/2007619. So for now, we either need to wait for someone to fix the bug or not use trust in the octavia-ingress-controller config.
@lingxiankong Thanks! Can you fix this problem? I would be very grateful to you.
Unfortunately, I have no extra bandwidth for fixing that, you can either add your comment in that issue or ask someone in the Octavia team for help.
Anyway, I will close this issue as it's actually an Octavia bug.
I have the same problem. Is it possible to fix?
@guibrazlima Yes, it's possible to fix, please read the comment above.
@lingxiankong Thanks for the update. Do you know if someone in octavia team is looking to this issue?
I don't think there is someone working on this ATM.
Seems to be a good place to ask this question. I am having issues with this at the moment. I have found that even after removing trust, the octavia service user still cannot access the certificate secret because the project scope does not match the creator's scope. Is there something missing? I know that in barbican, to access secrets, the user accessing the secret either needs to be in the ACLs/project access true and be scoped and have access to the creator's project.
Has this really ever worked? All Octavia seems to do is set ACLs for the secret, but even after that it still cannot access it with the octavia user in the secret's ACLs, because Octavia is authenticated with "service" project scope. Maybe I'm missing something: does the kubernetes cluster need to also be in the service project? My users are on a separate OpenStack domain, so that is impossible in my case.
@lebonez Since Rocky, Octavia is able to set Barbican ACLs on behalf of the user automatically, to enable users to create TLS-terminated listeners without having to add the Octavia keystone user id to the ACL list themselves. Please check your Octavia version and Octavia service logs (if you have the permission).
Is this a BUG REPORT or FEATURE REQUEST?: /kind bug
What happened: I create an Ingress resource (TLS encryption) and get an error (see logs from "octavia-ingress-controller")
Logs from "octavia-ingress-controller" in "octavia-ingress-controller-0"
Logs from "/var/log/octavia/octavia-api.log"
Logs from "/var/log/apache2/keystone.log"
Environment: