vault not sending CA in relation to units

Bug #1984118 reported by Graeme Moss
This bug affects 1 person
Affects: vault-charm
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hi

When doing a series upgrade from bionic to focal, vault has changed the data it's sending to the units.
Running juju 2.9.32.
All charms are up to date with stable.

juju status | grep error
https://pastebin.ubuntu.com/p/mpkbcKdcFd/

Upon doing debug-hooks on ovn-central/2 and running the hook, I get the following error:

===
unit-ovn-central-1: 15:13:13 ERROR unit.ovn-central/1.juju-log certificates:386: Hook error:
Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-ovn-central-1/.venv/lib/python3.6/site-packages/charms/reactive/__init__.py", line 74, in main
    bus.dispatch(restricted=restricted_mode)
  File "/var/lib/juju/agents/unit-ovn-central-1/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 390, in dispatch
    _invoke(other_handlers)
  File "/var/lib/juju/agents/unit-ovn-central-1/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 359, in _invoke
    handler.invoke()
  File "/var/lib/juju/agents/unit-ovn-central-1/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 181, in invoke
    self._action(*args)
  File "/var/lib/juju/agents/unit-ovn-central-1/charm/reactive/layer_openstack.py", line 152, in default_configure_certificates
    instance.configure_tls(tls)
  File "lib/charm/openstack/ovn_central.py", line 418, in configure_tls
    crt.write(tls_object['ca'])
TypeError: write() argument must be str, not None
===

If I add the following before the error line in ovn_central.py, I can see that the data being sent from vault is missing the ca object.

===
            for tls_object in tls_objects:
                from pprint import pprint
                pprint(tls_object)
===

juju run --unit ovn-central/1 -- hooks/certificates-relation-changed
active
active
active
{'ca': None,
 'cert': '-----BEGIN CERTIFICATE-----\n'
         'MIIEQTCCAymgAwIBAgIUFsRuKovBKhRRByA1x1neaW9k7kYwDQYJKoZIhvcNAQEL\n'
         'BQAwRTFDMEEGA1UEAxM6VmF1bHQgSW50ZXJtZWRpYXRlIENlcnRpZmljYXRlIEF1\n'
         'dGhvcml0eSAoY2hhcm0tcGtpLWxvY2FsKTAeFw0yMjA4MDkxNDQ4NDBaFw0yMzA4\n'

Graeme Moss (graememoss) wrote :

I have tried the following:

Removing the relation and adding it back does nothing.

Disabled PKI and uploaded a new CA; no change.

Reissued certificates to try to refresh them, but this does nothing.

Linda Guo (lihuiguo) wrote :

I hit a similar issue: vault was related to ceph-radosgw via a cross-model relation, and the CA was missing from one of the vault units (vault/1). When running the certificates-relation-changed hook, it tried to get the CA from vault/1 and got a 'NoneType' exception.

$ juju show-unit ceph-radosgw/5 |grep ca: -C3
      vault/0:
        in-scope: true
        data:
          ca: |-
            -----BEGIN CERTIFICATE-----

--
      vault/2:
        in-scope: true
        data:
          ca: |-
            -----BEGIN CERTIFICATE-----

>>>>>>>juju log

unit-cross-site-rgw-ceph-radosgw-3: 01:41:30 WARNING unit.cross-site-rgw-ceph-radosgw/3.certificates-relation-changed _manage_ca_certs(ca, relation_id)
unit-cross-site-rgw-ceph-radosgw-3: 01:41:30 WARNING unit.cross-site-rgw-ceph-radosgw/3.certificates-relation-changed File "/var/lib/juju/agents/unit-cross-site-rgw-ceph-radosgw-3/charm/hooks/charmhelpers/contrib/openstack/cert_utils.py", line 351, in _manage_ca_certs
unit-cross-site-rgw-ceph-radosgw-3: 01:41:30 WARNING unit.cross-site-rgw-ceph-radosgw/3.certificates-relation-changed ca.encode(),
unit-cross-site-rgw-ceph-radosgw-3: 01:41:30 WARNING unit.cross-site-rgw-ceph-radosgw/3.certificates-relation-changed AttributeError: 'NoneType' object has no attribute 'encode'
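
Both tracebacks in this report (`crt.write(tls_object['ca'])` and `ca.encode()`) come from using a `ca` value that is `None`. As an added example, not code from this thread or from either charm, the following checks the relation data before use, reports which remote unit has not published a CA, and defers the write instead of raising; all function names and the sample data are hypothetical.

```python
import os
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
# Constructed placeholder, not a real certificate.
FAKE_PEM = PEM_BEGIN + "\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"

# Constructed relation data shaped like the `juju show-unit` output above:
# vault/1 publishes no 'ca' key at all.
SAMPLE_RELATION = {
    "vault/0": {"ca": FAKE_PEM},
    "vault/1": {},
    "vault/2": {"ca": FAKE_PEM},
}


def is_pem(value):
    """True only for a string that carries a PEM certificate header."""
    return isinstance(value, str) and PEM_BEGIN in value


def missing_fields(tls_object, required=("ca", "cert")):
    """Names of required fields that are absent, None, or not PEM text."""
    return [k for k in required if not is_pem(tls_object.get(k))]


def units_without_ca(relation_data):
    """Remote units whose relation data lacks a usable CA."""
    return sorted(u for u, d in relation_data.items() if not is_pem(d.get("ca")))


def write_ca(tls_object, path):
    """Write the CA atomically; return False (defer) when it is not there yet."""
    if missing_fields(tls_object, required=("ca",)):
        return False  # caller logs and waits for the next relation-changed
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as crt:
        crt.write(tls_object["ca"])
    os.chmod(tmp, 0o644)   # a CA certificate is public; mkstemp defaults to 0600
    os.replace(tmp, path)  # never leaves a truncated CA file behind
    return True
```

With the sample data, `units_without_ca(SAMPLE_RELATION)` names `vault/1`, the same unit the `juju show-unit` output above shows without a `ca` entry.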

Alex Kavanagh (ajkavanagh) wrote :

Hi Graeme

> When doing a series upgrade from bionic to focal vault has changed the data it's sending to the units.
> running juju 2.9.32
> all charms are up to date with stable

When you say "all charms are up to date with stable", is that the latest/stable track or a different track? It would be very useful to post the "juju status" of the model and the logs for the vault unit(s) and a related charm that went into error.

Thanks.

Changed in vault-charm:
status: New → Incomplete