<tl;dr> I think the issue is due to a discrepancy between the
check the charm uses to decide whether to configure the payload
to use https and the check used to decide whether the client
should use https when talking to the local endpoint</tl;dr>
The `https` method is used to check if an endpoint is expected to
be http or https. One of the checks it performs is to examine
the certificates relation. If the relation is present then it looks
for the existence of a CA. However, the OpenStack charms do not
switch to https until a certificate is provided via the certificates
relation. This means there can be a disconnect if the
certificate provider has provided a CA but has not yet provided
the unit-specific certificates. If this happens then the payload
will still be using http but the `https` method will return True.
Steps to reproduce:
Deploy a bundle with keystone, vault, glance, mysql and mysql router but omit
these relations:
keystone <-> vault
glance <-> keystone
glance <-> vault.
For vault also ensure the charm config options:
auto-generate-root-ca-cert: false
totally-unsecure-auto-unlock: false
Once hooks have finished (workload status will mention these missing relations
but ignore that).
1) Start debug hooks session on keystone
2) Start debug hooks session on vault
3) juju add-relation vault keystone
4) Issue command to unlock vault with
"functest-configure -m ccc -c zaza.openstack.charm_tests.vault.setup.auto_initialize_no_validation_no_wait"
5) Execute all outstanding hooks in vault debug hooks session
6) Execute all outstanding hooks in keystone debug-hooks session
7) Execute hooks in vault debug hooks session until "relation-get" shows the
certificate request from keystone. DO NOT EXECUTE AND EXIT THIS HOOK
8) At this point keystone has requested a cert (but not got it) and has
received a CA. Verify this in the keystone debug hooks session:
relation-get -r $(relation-ids certificates) - vault/0
9) juju add-relation glance keystone
10) Execute keystone hooks in debug-hooks session. The
identity-service-relation-changed hook will fail.
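
The window described above, modelled as an added example (not charm-helpers code and not part of the original report). It evaluates the two checks over constructed relation snapshots; the second pass assumes, as one possible remedy, that the client reuses the payload's predicate. The function names and the `ca`/`unit_cert` keys are hypothetical.

```python
# Added illustration: function names and relation keys are hypothetical,
# not charm-helpers code or the real certificates relation schema.

def client_expects_https(rel):
    """The `https` method's check as described: relation present and a CA set."""
    return rel is not None and bool(rel.get("ca"))

def payload_uses_https(rel):
    """The charm's switch as described: a unit certificate has been provided."""
    return rel is not None and bool(rel.get("unit_cert"))

def scheme(flag):
    return "https" if flag else "http"

def audit(states, client_check=client_expects_https):
    """Per state, compare the scheme the payload serves with the one the client uses."""
    rows = []
    for name, rel in states:
        served = scheme(payload_uses_https(rel))
        dialled = scheme(client_check(rel))
        rows.append((name, served, dialled, served == dialled))
    return rows

def mismatches(rows):
    """Names of the states in which client and payload disagree."""
    return [name for name, _, _, ok in rows if not ok]

# Constructed relation snapshots following the reproduction timeline.
STATES = [
    ("no certificates relation", None),
    ("relation joined, no data yet", {}),
    ("CA received, unit cert pending", {"ca": "<CA PEM>"}),
    ("CA and unit cert received", {"ca": "<CA PEM>", "unit_cert": "<cert PEM>"}),
]

if __name__ == "__main__":
    for label, check in (("as described", client_expects_https),
                         ("shared predicate", payload_uses_https)):
        print(label)
        for name, served, dialled, ok in audit(STATES, check):
            print(f"  {name:32} payload={served:5} client={dialled:5} "
                  f"{'ok' if ok else 'MISMATCH'}")
```

Only the "CA received, unit cert pending" snapshot disagrees, which is the state step 8 of the reproduction holds keystone in.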