Configure barbican access #609

Merged
merged 1 commit into from
Dec 6, 2023

@gibizer gibizer commented Nov 28, 2023

This adds the barbican section to the nova.conf template so nova can access the barbican.

Depends-On: openstack-k8s-operators/openstack-operator#562 (merged)

openshift-ci bot commented Nov 28, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

gibizer commented Nov 28, 2023

/hold I need a way to test this end to end with barbican

@gibizer gibizer marked this pull request as ready for review November 28, 2023 17:10

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/758e3dc89c5b4259b7ed7373b3a2c98b

✔️ nova-operator-content-provider SUCCESS in 2h 31m 04s
✔️ nova-operator-kuttl SUCCESS in 36m 37s
nova-operator-tempest-multinode FAILURE in 2h 04m 02s

gibizer commented Nov 29, 2023

Something is not complete on the networking part of barbican as connection fails

❯  openstack flavor set m1.small \
    --property hw:tpm_version=2.0 \
    --property hw:tpm_model=tpm-crb
❯ openstack --os-compute-api-version 2.80 server create --flavor m1.small --image cirros --nic none vm-tmp --wait
Error creating server: vm-tmp
Error creating server
2023-11-29 16:48:30.881 2 ERROR nova.compute.manager [None req-fbe8e6a7-8201-485c-b1da-11721d804506 dc780c0be5b64a31b9c1d512dd8c2876 c367828f669f4f4fa52e08beb62ee303 - - default default] [instance: d25898c1-4173-421d-9ab4-3a63592e2dbb] Failed to build and run instance: castellan.common.exception.KeyManagerError: Key manager error: Unable to establish connection to https://barbican-public-openstack.apps-crc.testing: HTTPSConnectionPool(host='barbican-public-openstack.apps-crc.testing', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fdb307cc520>: Failed to establish a new connection: [Errno 111] ECONNREFUSED'))

gibizer commented Nov 30, 2023

With the internal endpoint I get the same connection error from EDPM

2023-11-30 10:08:55.715 2 ERROR nova.compute.manager [None req-a4667ed6-484d-4530-a10d-7783f2592512 913be46471ec4b54a179f6afbdbca02f 88c6d2438f0249338457b0e72ae6b25d - - default default] [instance: fac7b257-c900-4b88-9e12-c277953596d7] Failed to build and run instance: castellan.common.exception.KeyManagerError: Key manager error: Unable to establish connection to http://barbican-internal.openstack.svc:9311: HTTPConnectionPool(host='barbican-internal.openstack.svc', port=9311): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7ff3f0651bb0>: Failed to establish a new connection: [Errno -2] Name or service not known'))

I think the issue is that the load balancer is missing from the barbican-internal service.

❯ oc get service | grep barbican
barbican-internal              ClusterIP      10.217.4.224   <none>           9311/TCP                                         14m
barbican-public                ClusterIP      10.217.4.244   <none>           9311/TCP                                         14m
❯ oc get service | grep nova-
nova-internal                  LoadBalancer   10.217.4.116   172.17.0.80      8774:31027/TCP                                   13m
nova-metadata-internal         LoadBalancer   10.217.4.146   172.17.0.80      8775:30749/TCP                                   14m
nova-novncproxy-cell1-public   ClusterIP      10.217.4.194   <none>           6080/TCP                                         14m
nova-public                    ClusterIP      10.217.4.148   <none>           8774/TCP                                         13m
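
Added example, not part of the original thread or the project's code: a small Python triage of the two nova-compute failures quoted above. It separates a refused connection (Errno 111) from a host name that does not resolve on the compute node (Errno -2) and flags key manager endpoints reached over plain http. The sample log is constructed from the thread's two error lines (request ids elided); `triage` and its field names are illustrative assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two nova-compute errors from this thread, shortened
# (request ids and object addresses elided), plus one unrelated line.
SAMPLE_LOG = """\
2023-11-29 16:48:30.881 2 ERROR nova.compute.manager [None req-x - - default default] [instance: d25898c1-4173-421d-9ab4-3a63592e2dbb] Failed to build and run instance: castellan.common.exception.KeyManagerError: Key manager error: Unable to establish connection to https://barbican-public-openstack.apps-crc.testing: HTTPSConnectionPool(host='barbican-public-openstack.apps-crc.testing', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('Failed to establish a new connection: [Errno 111] ECONNREFUSED'))
2023-11-30 10:08:50.000 2 INFO nova.compute.manager [None req-x - - default default] unrelated constructed line
2023-11-30 10:08:55.715 2 ERROR nova.compute.manager [None req-x - - default default] [instance: fac7b257-c900-4b88-9e12-c277953596d7] Failed to build and run instance: castellan.common.exception.KeyManagerError: Key manager error: Unable to establish connection to http://barbican-internal.openstack.svc:9311: HTTPConnectionPool(host='barbican-internal.openstack.svc', port=9311): Max retries exceeded with url: / (Caused by NewConnectionError('Failed to establish a new connection: [Errno -2] Name or service not known'))
"""

KEYMGR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) .*?"
    r"\[instance: (?P<instance>[0-9a-f-]{36})\].*?"
    r"KeyManagerError: .*?Unable to establish connection to (?P<url>\S+?): "
    r".*?\[Errno (?P<errno>-?\d+)\]"
)

# errno values as they appear in the urllib3 message
CAUSES = {
    111: "refused",    # ECONNREFUSED: name resolved, nothing accepted the TCP connection
    -2: "unresolved",  # getaddrinfo EAI_NONAME: host name not resolvable from this node
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def triage(log_text):
    """Return one finding per KeyManagerError connection failure in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = KEYMGR_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        findings.append({
            "ts": m["ts"],
            "instance": m["instance"],
            "host": url.hostname,
            "port": url.port or DEFAULT_PORTS.get(url.scheme),
            "cause": CAUSES.get(int(m["errno"]), "other"),
            # Secrets fetched from the key manager over http:// cross the network unencrypted.
            "plaintext": url.scheme == "http",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```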


Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/1a1176f88cf44388be09740684d4e206

✔️ nova-operator-content-provider SUCCESS in 2h 08m 17s
✔️ nova-operator-kuttl SUCCESS in 41m 20s
nova-operator-tempest-multinode FAILURE in 1h 51m 30s

This adds the barbican section to the nova.conf template so nova can
access the barbican.

Depends-On: openstack-k8s-operators/openstack-operator#562

vakwetu commented Dec 5, 2023

I think the barbican networking issues should be fixed by openstack-k8s-operators/openstack-operator#588

gibizer commented Dec 6, 2023

> I think the barbican networking issues should be fixed by openstack-k8s-operators/openstack-operator#588

It works!

❯ openstack flavor set m1.small \
    --property hw:tpm_version=2.0 \
    --property hw:tpm_model=tpm-crb
❯ openstack --os-compute-api-version 2.80 server create --flavor m1.small --image cirros --nic none vm-tmp --wait


+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                               | Value                                                                                                                                                   |
+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                                                                                                                                  |
| OS-EXT-AZ:availability_zone         | nova                                                                                                                                                    |
| OS-EXT-SRV-ATTR:host                | edpm-compute-0                                                                                                                                          |
| OS-EXT-SRV-ATTR:hostname            | vm-tmp                                                                                                                                                  |
| OS-EXT-SRV-ATTR:hypervisor_hostname | edpm-compute-0.ctlplane.example.com                                                                                                                     |
| OS-EXT-SRV-ATTR:instance_name       | instance-00000002                                                                                                                                       |
| OS-EXT-SRV-ATTR:kernel_id           |                                                                                                                                                         |
| OS-EXT-SRV-ATTR:launch_index        | 0                                                                                                                                                       |
| OS-EXT-SRV-ATTR:ramdisk_id          |                                                                                                                                                         |
| OS-EXT-SRV-ATTR:reservation_id      | r-4aum3jpl                                                                                                                                              |
| OS-EXT-SRV-ATTR:root_device_name    | /dev/vda                                                                                                                                                |
| OS-EXT-SRV-ATTR:user_data           | None                                                                                                                                                    |
| OS-EXT-STS:power_state              | Running                                                                                                                                                 |
| OS-EXT-STS:task_state               | None                                                                                                                                                    |
| OS-EXT-STS:vm_state                 | active                                                                                                                                                  |
| OS-SRV-USG:launched_at              | 2023-12-06T15:05:58.000000                                                                                                                              |
| OS-SRV-USG:terminated_at            | None                                                                                                                                                    |
| accessIPv4                          |                                                                                                                                                         |
| accessIPv6                          |                                                                                                                                                         |
| addresses                           |                                                                                                                                                         |
| adminPass                           | Z5jnQyxbmVTT                                                                                                                                            |
| config_drive                        | True                                                                                                                                                    |
| created                             | 2023-12-06T15:05:54Z                                                                                                                                    |
| description                         | None                                                                                                                                                    |
| flavor                              | disk='1', ephemeral='1', extra_specs.hw:tpm_model='tpm-crb', extra_specs.hw:tpm_version='2.0', original_name='m1.small', ram='512', swap='0', vcpus='1' |
| hostId                              | e6f3b66e36958313edaa7d41f7014cfe289424ae41fe1aebea7b9a29                                                                                                |
| host_status                         | UP                                                                                                                                                      |
| id                                  | 0d4cfeb4-a690-4375-81b6-bfc500f662f5                                                                                                                    |
| image                               | cirros (c62f7514-947f-49f5-a7f5-50b6ce7664ad)                                                                                                           |
| key_name                            | None                                                                                                                                                    |
| locked                              | False                                                                                                                                                   |
| locked_reason                       | None                                                                                                                                                    |
| name                                | vm-tmp                                                                                                                                                  |
| progress                            | 0                                                                                                                                                       |
| project_id                          | bab668ec558746a79e7c0f21f2535d9c                                                                                                                        |
| properties                          |                                                                                                                                                         |
| security_groups                     | name='default'                                                                                                                                          |
| server_groups                       | []                                                                                                                                                      |
| status                              | ACTIVE                                                                                                                                                  |
| tags                                |                                                                                                                                                         |
| trusted_image_certificates          | None                                                                                                                                                    |
| updated                             | 2023-12-06T15:05:58Z                                                                                                                                    |
| user_id                             | 75bc12b3322a4165890b6e18072a1dc3                                                                                                                        |
| volumes_attached                    |                                                                                                                                                         |
+-------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+
❯ openstack secret list
+-------------------------------------------------------------------------------------+---------------------------------------------------------------+---------------------------+--------+-----------------------------------------+-----------+------------+-------------+------+------------+
| Secret href                                                                         | Name                                                          | Created                   | Status | Content types                           | Algorithm | Bit length | Secret type | Mode | Expiration |
+-------------------------------------------------------------------------------------+---------------------------------------------------------------+---------------------------+--------+-----------------------------------------+-----------+------------+-------------+------+------------+
| https://barbican.openstack.svc:9311/v1/secrets/23d2cbf9-ed7e-4550-b743-e234dab65b98 | vTPM secret for instance 0d4cfeb4-a690-4375-81b6-bfc500f662f5 | 2023-12-06T15:05:56+00:00 | ACTIVE | {'default': 'application/octet-stream'} | None      | None       | passphrase  | None | None       |
+-------------------------------------------------------------------------------------+---------------------------------------------------------------+---------------------------+--------+-----------------------------------------+-----------+------------+-------------+------+------------+

gibizer commented Dec 6, 2023

/unhold

ASBishop commented Dec 6, 2023

+1 from a storage guy

@SeanMooney SeanMooney left a comment

nice work
I'm glad we could get this included quickly for the next dev preview

openshift-ci bot commented Dec 6, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gibizer, SeanMooney

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit ed9b10e into openstack-k8s-operators:main Dec 6, 2023