octavia not receiving OVN updated certificates after vault re-issues them
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Octavia Charm | In Progress | High | Felipe Reyes |
charm-layer-ovn | In Progress | High | Felipe Reyes |
charm-ovn-chassis | Triaged | High | Unassigned |
Bug Description
I did an OpenStack Xena deployment where vault is using an internal self-signed CA and issues certificates to all charms through the certificates relation interface. It worked well, ovn and octavia got certificates from vault (for the APIs).
After this, I swapped the CA in vault for an intermediate externally signed. Vault re-issued certificates for all charms (I confirmed APIs now use the new one).
But octavia is now broken, and the problem seems to be that it is still trying to use the old certs to talk to OVN, which were not updated over the relation after the new certs were issued.
Just to avoid confusion -- if I understand correctly, octavia uses 3 sets of certificates:
(a) - API certificates (this comes from vault "certificate" endpoint relation)
(b) - amphora CA + certs (this comes from a manual set of certs generated and passed to the charm (lb-mgmt-* options)).
(c) - Certs used to talk to OVN which are downloaded via relation
When I swapped the CA on vault, it re-issued (a) for both OVN and Octavia APIs. (b) is not relevant to this bug. (c) is the API certs from OVN which should have been updated in octavia via relation. I still see the old certs (ovn_ca_cert.pem ovn_certificate.pem ovn_private_
If this is the case, is there a workaround (manually copying the files -- and which files)?
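A way to confirm the condition described above on the octavia unit, as an added example that is not part of the bug report or of the charms: it verifies whether the on-disk ovn_certificate.pem chains to the CA vault now issues from, or only to the old ovn_ca_cert.pem. It assumes openssl is installed, that the directory holding octavia's copies is passed in, and that you have the new CA certificate as a file; the fixture at the end is constructed test data, not anything from a deployment.

```shell
#!/bin/sh
# Added example (not from the bug report or the charms).
# Tells whether octavia's OVN client cert still belongs to the old CA.

# ovn_cert_matches_ca CA_FILE CERT_FILE
# Returns 0 when CERT_FILE verifies against CA_FILE, non-zero otherwise.
ovn_cert_matches_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_octavia_ovn_certs DIR NEW_CA_FILE
# DIR holds octavia's copies (ovn_ca_cert.pem, ovn_certificate.pem, as named
# in the report); NEW_CA_FILE is the CA vault issues from after the swap.
# Returns 0 only when the on-disk cert already chains to the new CA.
check_octavia_ovn_certs() {
    dir=$1; new_ca=$2
    if ovn_cert_matches_ca "$new_ca" "$dir/ovn_certificate.pem"; then
        echo "OK: ovn_certificate.pem chains to the new CA"
        return 0
    fi
    if ovn_cert_matches_ca "$dir/ovn_ca_cert.pem" "$dir/ovn_certificate.pem"; then
        echo "STALE: ovn_certificate.pem only verifies against the old ovn_ca_cert.pem"
    else
        echo "BROKEN: ovn_certificate.pem verifies against neither CA"
    fi
    return 1
}

# make_fixture DIR: constructed data only. An "old" CA with a leaf signed by
# it (written under the file names octavia uses) plus a separate "new" CA
# standing in for the re-issued vault CA. Keys are throwaway.
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=old-vault-ca" \
        -keyout "$d/old-ca.key" -out "$d/ovn_ca_cert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=new-vault-ca" \
        -keyout "$d/new-ca.key" -out "$d/new-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=octavia" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ovn_ca_cert.pem" \
        -CAkey "$d/old-ca.key" -CAcreateserial -out "$d/ovn_certificate.pem" 2>/dev/null
}

# Usage on a unit: sh check.sh /path/to/octavia/ovn-certs /path/to/new-ca.pem
if [ "$#" -eq 2 ]; then
    check_octavia_ovn_certs "$1" "$2"
fi
```

A STALE verdict is the symptom from the report: the relation left the old OVN certs in place while the APIs already present certificates from the new CA.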
Changed in charm-octavia:
status: New → Triaged
Changed in charm-octavia:
status: Triaged → In Progress
Subscribing field-critical.