Configuring the LB with different subnets for front and back ends and different port security configs is broken

Bug #1922652 reported by Nikolay Vinogradov
Affects | Status | Importance | Assigned to | Milestone
Openstack Integrator Charm | Triaged | Medium | Unassigned |

Bug Description

I'm deploying Charmed Kubernetes 1.20 on top of OpenStack Bionic/Ussuri; openstack-integrator revision 102 is present in the bundle:

applications:
  openstack-integrator:
    charm: cs:~containers/openstack-integrator
    channel: candidate
    num_units: 1
    options:
      lb-subnet: b94b1f43-5d32-4d50-8c92-daa2b8a722b7
    to:
      - 15

lb-subnet is set to 'ext-subnet' (10.254.8.0/24), which has port security on; the Kubernetes nodes are deployed to another subnet, 'k8s-subnet' (10.254.9.0/24), with port security disabled:

$ openstack subnet list | grep -e 'ext-subnet\|k8s-1-subnet'
| b94b1f43-5d32-4d50-8c92-daa2b8a722b7 | ext-subnet | e3efb161-53cc-4826-a77e-84a2fc5bfa9d | 10.254.8.0/24 |
| d29f503a-32ec-4440-8579-8676a45129ab | k8s-subnet | f41da271-7048-4695-8c17-64331db93c3e | 10.254.9.0/24 |

This configuration, while expected to work, actually does not, because the charm does not expect the member IPs and the VIP of the LB to be deployed to different networks.

1) While the LB itself seems to be configured properly (its members are deployed to the correct subnet, and so is the VIP), the charm tries to set port security on the member IPs, but port security is disabled on k8s-subnet (see also the attached port-security.txt):

2021-04-05 15:03:32 WARNING update-status BadRequestException: 400: Client Error for url: https://<neutron-api-url>:9696/v2.0/ports/b40f8336-3a5b-41e9-9c72-c3d73037fd7b,
 Port security must be enabled and port must have an IP address in order to use security groups.
2021-04-05 15:03:32 ERROR juju-log Error updating loadbalancer
Traceback (most recent call last):
  File "lib/charms/layer/openstack.py", line 593, in update_members
    self._add_member_sg(member)
  File "lib/charms/layer/openstack.py", line 622, in _add_member_sg
    self._impl.set_port_secgrp(port_id, self.member_sg_id)
  File "lib/charms/layer/openstack.py", line 712, in set_port_secgrp
    _run_with_creds('openstack', 'port',
  File "lib/charms/layer/openstack.py", line 297, in _run_with_creds
    result = subprocess.run(args,
  File "/usr/lib/python3.8/subprocess.py", line 512, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('openstack', 'port', 'set', '--security-group', 'dabd83e9-b8e4-45c2-b3f4-5414050e9be1', 'b40f8336-3a5b-41e9-9c72-c3d73037fd7b')' returned non-zero exit status 1.

It seems that after this error, the charm will repeatedly try to update_members() and fail:

2021-04-05 15:54:09 WARNING update-status Another member on this pool is already using ip 10.254.9.237 on protocol_port 6443 (HTTP 409) (Request-ID: req-d32068ce-a6b4-45c8-abaa-8ac43d238782)
2021-04-05 15:54:10 ERROR juju-log Error updating loadbalancer
Traceback (most recent call last):
  File "lib/charms/layer/openstack.py", line 591, in update_members
    self._impl.create_member(member)
  File "lib/charms/layer/openstack.py", line 829, in create_member
    _openstack('loadbalancer', 'member', 'create',
  File "lib/charms/layer/openstack.py", line 306, in _openstack
    output = _run_with_creds('openstack', *args, '--format=yaml')
  File "lib/charms/layer/openstack.py", line 297, in _run_with_creds
    result = subprocess.run(args,
  File "/usr/lib/python3.8/subprocess.py", line 512, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('openstack', 'loadbalancer', 'member', 'create', '--name', '10.254.9.237', '--address', '10.254.9.237', '--protocol-port', '6443', '--subnet-id', 'b94b1f43-5d32-4d50-8c92-daa2b8a722b7', 'openstack-integrator-7fb693929752-kubernetes-master', '--format=yaml')' returned non-zero exit status 1.

The reason is probably that the charm checks whether security groups are enabled ([1], [2], [3]) on the wrong subnet [4].

[1] https://github.com/juju-solutions/charm-openstack-integrator/blob/master/lib/charms/layer/openstack.py#L598
[2] https://github.com/juju-solutions/charm-openstack-integrator/blob/master/lib/charms/layer/openstack.py#L410
[3] https://github.com/juju-solutions/charm-openstack-integrator/blob/master/lib/charms/layer/openstack.py#L710
[4] https://github.com/juju-solutions/charm-openstack-integrator/blob/master/lib/charms/layer/openstack.py#L156
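To make the explanation above concrete, here is an added example (not code from the openstack-integrator charm) that models the two ways of deciding whether to attach the member security group: from the LB subnet's port-security flag, as the report says the charm does, versus from the member port's own flag. The records are constructed from the subnets and port quoted in the report, the function names are hypothetical, and port security is simplified here to a per-subnet flag (in Neutron it is a network and port attribute).

```python
from typing import Dict, Optional

# Constructed records mirroring the two subnets and the member port quoted in
# the report (UUIDs taken from the report; the second port is invented).
SUBNETS: Dict[str, dict] = {
    "b94b1f43-5d32-4d50-8c92-daa2b8a722b7": {
        "name": "ext-subnet", "cidr": "10.254.8.0/24", "port_security_enabled": True},
    "d29f503a-32ec-4440-8579-8676a45129ab": {
        "name": "k8s-subnet", "cidr": "10.254.9.0/24", "port_security_enabled": False},
}
PORTS: Dict[str, dict] = {
    "b40f8336-3a5b-41e9-9c72-c3d73037fd7b": {  # kubernetes-master member port
        "fixed_ips": [{"ip_address": "10.254.9.237",
                       "subnet_id": "d29f503a-32ec-4440-8579-8676a45129ab"}],
        "port_security_enabled": False,
    },
    "hypothetical-ext-port": {  # a member that lives on the LB subnet itself
        "fixed_ips": [{"ip_address": "10.254.8.50",
                       "subnet_id": "b94b1f43-5d32-4d50-8c92-daa2b8a722b7"}],
        "port_security_enabled": True,
    },
}


def find_port_by_ip(ip: str, ports: Dict[str, dict]) -> Optional[str]:
    """Return the id of the port holding `ip` as a fixed IP, or None."""
    for port_id, port in ports.items():
        if any(fip["ip_address"] == ip for fip in port["fixed_ips"]):
            return port_id
    return None


def member_plan(member_ip: str, lb_subnet_id: str,
                ports: Dict[str, dict] = PORTS,
                subnets: Dict[str, dict] = SUBNETS) -> dict:
    """Compare deciding on the LB subnet's flag with deciding on the member port's flag."""
    port_id = find_port_by_ip(member_ip, ports)
    if port_id is None:
        raise LookupError(f"no port with fixed IP {member_ip}")
    port = ports[port_id]
    member_subnet_id = port["fixed_ips"][0]["subnet_id"]
    lb_flag = subnets[lb_subnet_id]["port_security_enabled"]  # flag the report says is consulted
    port_flag = port["port_security_enabled"]                  # flag Neutron actually enforces
    return {
        "port_id": port_id,
        "member_subnet_id": member_subnet_id,
        "subnet_mismatch": member_subnet_id != lb_subnet_id,
        "attach_secgroup": port_flag,                 # only attach when the port allows it
        "predicted_400": lb_flag and not port_flag,   # the failure shown in the traceback
    }
```

Running `member_plan("10.254.9.237", "b94b1f43-5d32-4d50-8c92-daa2b8a722b7")` reports a subnet mismatch and predicts the 400, while a member on ext-subnet gets its security group attached without error.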

George Kraft (cynerva)
Changed in charm-openstack-integrator:
importance: Undecided → Medium
status: New → Triaged