** Description changed: + [Impact] + + Users of Ubuntu bionic running openstack clouds >= rocky + can't create octavia load balancers listeners anymore since the backport of the following patch: + + https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df + + This change was introduced as part of the following backports and + their posterior syncs into the current Bionic version. + + This change added a new exception handler in the code + that manages the decoding of the given PCKS12 certicate bundle when the listener is created, this handler now captures the PCKS12 decoding error and then raises it preventing + the listener creation to happen (when its invoked with i.e.: --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a"; ) , this was originally being hidden + under the legacy code handler as can be seen here: + + https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df + + + This exception is raised because the barbicanclient doesn't know how to distinguish between a given secret and a container, therefore, when the + user specifies a container UUID the client tries to fetch a secret with that uuid (including the /containers/UUID path) and a error 400 (not the expected 404 http error) is returned. + + The change proposed on the SRU makes the client aware of container and + secret UUID(s) and is able to split the path to distinguish a non-secret + (such as a container), in that way if a container is passed, it fails to + pass the parsing validation and the right return code (404) is returned + by the client. + + If a error 404 gets returned, then the except Exception block gets + executed and the legacy driver code for decoding the pcks12 certicate in octavia is invoked, this legacy + driver is able to decode the container payloads and the decoding of the pcks12 certificate succeeds. + + This differentiation was implemented here: + + https://github.com/openstack/python- + barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468 + + As an example (this worked before the latest bionic version was pushed) + + openstack loadbalancer listener create --protocol-port 443 --protocol + "TERMINATED_HTTPS" --name "test-listener" --default-tls- + container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c- + 86eb3cc7fe1a" -- lb1 + + With the newest package upgrade this creation will fail with the + following exception: + + The PKCS12 bundle is unreadable. Please check the PKCS12 bundle + validity. In addition, make sure it does not require a pass phrase. + Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough + data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b- + 4d26-9920-72b03343596a) + + + Further rationale on this can be found on https://storyboard.openstack.org/#!/story/2007371 + + + --- [Impact] As per https://storyboard.openstack.org/#!/story/2007371 we identified that ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404 error when a secret container is passed. This causes the code to not fall back into the legacy mode [Test Case] - Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/) - Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/) - Create the 3 certs at barbican - $ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)" - $ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)" - $ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)" + 1) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/) - Create a loadbalancer + 2) Create self-signed certificate, key and ca + (http://paste.ubuntu.com/p/xyyxHZGDFR/) + + + 3) Create the 3 certs at barbican + + $ openstack secret store --name "test-pk-1" --secret-type "private" + --payload-content-type "text/plain" --payload="$(cat + ./keys/controller_key.pem)" + + $ openstack secret store --name "test-ca-1" --secret-type "certificate" + --payload-content-type "text/plain" --payload="$(cat + ./keys/controller_ca.pem)" + + $ openstack secret store --name "test-pub-1" --secret-type "certificate" + --payload-content-type "text/plain" --payload="$(cat + ./keys/controller_cert.pem)" + + 4) Create a loadbalancer $ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet - Create a secrets container + + 5) Create a secrets container $ openstack secret container create --type='certificate' --name "test- tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00"; --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5 -4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d- b5c6-4433-a0a9-a195e2d54c57" - Create the listener + 6) Try to create the listener + + openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a"; -- lb1 - This creation will fail with the following exception: + With the newest package upgrade this creation will fail with the + following exception: The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b- 4d26-9920-72b03343596a) [Regression Potential] * Patches are unchanged and come from upstream stable/queens branch. Upstream patches receive unit and functional testing to minimize regression potential. The patches are cherry-picked from stable/stein. This is fixed in all releases upstream from stable/queens on, therefore newer releases have been running with these changes for a while now without issues. * No regressions identified so far. [Discussion] The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1 All of those are part of 4.8.0 onward. ** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468 ** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad Corresponding reviews https://review.opendev.org/#/c/602810/ https://review.opendev.org/#/c/628046/
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1867676 Title: Fetching by secret container doesn't raises 404 exception To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1867676/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
