openstack catalog list is not working because running source openrc does not get the credentials

Bug #1883591 reported by Elvis Espinal
This bug affects 3 people
Affects: OpenStack Bundles
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

The current charm version of openstack-base has a problem trying to get the credentials from keystone when issuing the command source openrc.

Line 9 of the file openrc is supposed to copy the ca.crt generated with vault to /tmp/root-ca.crt

# juju run $_juju_model_arg --unit vault/leader 'leader-get root-ca' > /tmp/root-ca.crt 2>/dev/null

Instead, /tmp/root-ca.crt is generated as empty, which tries to get the credentials out of keystone using http. This new charm uses vault, which seems to enable https by default while talking to keystone.

I also noticed that vault doesn't generate the ca.crt with this new charm and it needs to be generated manually with the following command after unsealing vault:
juju run-action --wait vault/leader generate-root-ca

To go around this, I commented line 9 on the openrc file, printed only the certificate authority or:
juju run --unit vault/leader 'leader-get root-ca'

And copied it to /tmp/root-ca.crt

Having line 9 commented (to make sure that it doesn't delete the content of root-ca.crt), source openrc works and users can continue going through the charm's readme by checking that the following command:

openstack catalog list

prints the list of services.

tags: added: focal ussuri
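
The redirect on line 9 of openrc truncates /tmp/root-ca.crt before the juju command runs, so a failed or empty leader-get leaves an empty CA file behind. The sketch below is an added example, not the bundle's openrc: it writes to a temporary file and replaces the destination only when the output looks like a PEM certificate. The function names fetch_root_ca and looks_like_pem_cert are hypothetical.

```shell
#!/bin/sh
# Added example (not the bundle's openrc). Function names are hypothetical.

# looks_like_pem_cert FILE
# True only if FILE is non-empty and contains PEM certificate markers.
# This is a shape check, not a cryptographic validation of the certificate.
looks_like_pem_cert() {
    [ -s "$1" ] &&
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q '^-----END CERTIFICATE-----' "$1"
}

# fetch_root_ca DEST CMD [ARGS...]
# Runs CMD, captures its stdout in a temp file next to DEST, and moves it
# into place only if it passes the PEM check. On any failure DEST is left
# exactly as it was and the function returns 1.
fetch_root_ca() {
    _ca_dest=$1
    shift
    _ca_tmp=$(mktemp "${_ca_dest}.XXXXXX") || return 1
    if "$@" > "$_ca_tmp" 2>/dev/null && looks_like_pem_cert "$_ca_tmp"; then
        mv "$_ca_tmp" "$_ca_dest"
        return 0
    fi
    rm -f "$_ca_tmp"
    echo "root CA not available from: $*; leaving $_ca_dest unchanged" >&2
    return 1
}

# Usage in an openrc-style file, with the command quoted in the report:
#   if fetch_root_ca /tmp/root-ca.crt \
#          juju run --unit vault/leader 'leader-get root-ca'; then
#       export OS_CACERT=/tmp/root-ca.crt
#   fi
```

With this shape, a vault unit that has no root CA yet produces a visible message instead of a silently empty /tmp/root-ca.crt, and a manually copied certificate survives a later source openrc.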
Alireza Nasri (sysnasri) wrote :

I have the exact problem but when I run juju run --unit vault/leader 'leader-get root-ca'
it does not show any output.

Changed in openstack-bundles:
status: New → Triaged
importance: Undecided → Medium
Siddhit Renake (siddhit) wrote :

I faced a similar issue wherein I was unable to retrieve the cert using juju run-action vault/leader --wait get-root-ca. It was returning output as none. Is it expected behavior?

To retrieve the cert as mentioned in the initial comment, I extracted the cert by ssh into the keystone container:
/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt. Copied the same in the OS_CACERT variable to make the openstack client CLI work.
