<div dir="ltr">Hi community,<div><br></div><div>I created a loadbalancer with a listener with protocol as "TERMINATED_HTTPS" and specified --default-tls-container-ref with a ref of a secret container from Barbican.</div><div>However, after I deleted the listener, the lbaas wasn't removed from the Barbican container consumer list.</div><div><div><br></div><div>$openstack secret container get <a href="http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4">http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4</a><br></div><div>+----------------+-----------------------------------------------------------------------------------------------------+</div><div>| Field          | Value                                                                                               |</div><div>+----------------+-----------------------------------------------------------------------------------------------------+</div><div>| Container href | <a href="http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4">http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4</a>                        |</div><div>| Name           | tls_container2                                                                                      |</div><div>| Created        | 2017-01-19 12:44:07+00:00                                                                           |</div><div>| Status         | ACTIVE                                                                                              |</div><div>| Type           | certificate                                                                                         |</div><div>| Certificate    | <a href="http://192.168.20.24:9311/v1/secrets/bfc2bf01-0f23-4105-bf09-c75839b6b4cb">http://192.168.20.24:9311/v1/secrets/bfc2bf01-0f23-4105-bf09-c75839b6b4cb</a>                           |</div><div>| Intermediates  | None                                                   
                                             |</div><div>| Private Key    | <a href="http://192.168.20.24:9311/v1/secrets/c85d150e-ec84-42e0-a65f-9c9ec19767e1">http://192.168.20.24:9311/v1/secrets/c85d150e-ec84-42e0-a65f-9c9ec19767e1</a>                           |</div><div>| PK Passphrase  | None                                                                                                |</div><div>| <b>Consumers      | {u'URL': u'lbaas://RegionOne/loadbalancer/5e7768b9-7aa9-4146-8a71-6291353b447e', u'name': u'lbaas'}</b></div></div><div><br></div><div><br></div><div>I went through the neutron-lbaas code base. We did register the consumer during the creation of the "TERMINATED_HTTPS" listener in [1]. But we somehow don't deregister it during the deletion in [1]: <a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L642">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L642</a></div><div>get_cert() registers lbaas as a consumer for barbican cert_manager.  (<a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L177">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L177</a>)</div><div>[2]: <a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L805">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L805</a></div><div>We probably need to call delete_cert from barbican cert_manager to remove the consumer. 
(<a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L187">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L187</a>)</div><div><br></div><div><br></div><div>My questions are:</div><div>1. Is that a bug?</div><div>2. Or is it an <span style="font-family:roboto,arial,sans-serif">intentional </span>design, letting the vendor driver handle it?</div><div><br></div><div>It looks more like a bug to me.</div><div><br></div><div>Any thoughts?</div><div><br></div><div><br></div><div>Best,</div><div>Jiahao</div><div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(34,34,34);font-family:verdana,arial,helvetica,sans-serif;margin:0px 0px 8px"><table border="0"><tbody><tr valign="top"><td style="font-family:arial,sans-serif;margin:0px"></td><td style="font-family:arial,sans-serif;margin:0px"><font size="2"><strong style="font-family:georgia,palatino;color:rgb(0,0,128);background-color:rgb(192,192,192)"><span style="background-color:rgb(255,255,255)">梁嘉豪/Jiahao LIANG</span><span style="background-color:rgb(255,255,255)"> (Frankie</span><span style="background-color:rgb(255,255,255)">)     <br></span></strong></font><span style="font-size:small"><br>Email: </span><a href="mailto:gzliangjiahao@gmail.com" style="font-size:small" target="_blank">gzliangjiahao@gmail.com</a></td></tr></tbody></table></div><br></div></div></div></div>
</div></div>
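An added example, not part of the original message and not neutron-lbaas code: an offline audit that flags lbaas consumers still registered on a Barbican container after no TERMINATED_HTTPS listener references it, which is the state described above. The listener dictionary shape (keys protocol, default_tls_container_ref, sni_container_refs, loadbalancer_id) is an assumption, and every value other than the container href and the consumer entry quoted in the message is constructed.

```python
from urllib.parse import urlparse

def parse_lbaas_consumer(consumer):
    """Return (region, loadbalancer_id) for an lbaas:// consumer, else None."""
    url = urlparse(consumer.get("URL", ""))
    parts = url.path.strip("/").split("/")
    if url.scheme != "lbaas" or len(parts) != 2 or parts[0] != "loadbalancer":
        return None
    return url.netloc, parts[1]

def stale_consumers(container_ref, consumers, listeners):
    """Consumers whose load balancer has no TLS listener using container_ref."""
    live = set()
    for lsn in listeners:  # assumed listener shape, see lead-in
        if lsn.get("protocol") != "TERMINATED_HTTPS":
            continue
        refs = [lsn.get("default_tls_container_ref")]
        refs += lsn.get("sni_container_refs", [])
        if container_ref in refs:
            live.add(lsn["loadbalancer_id"])
    stale = []
    for consumer in consumers:
        parsed = parse_lbaas_consumer(consumer)
        if parsed is None:
            continue  # registered by another service; out of scope here
        if parsed[1] not in live:
            stale.append(consumer)
    return stale

# Container href and first consumer are taken from the message above.
CONTAINER = ("http://192.168.20.24:9311/v1/containers/"
             "453e8905-d42b-43bd-9947-50e3acf499f4")
PAGE_CONSUMER = {"name": "lbaas", "URL": "lbaas://RegionOne/loadbalancer/"
                 "5e7768b9-7aa9-4146-8a71-6291353b447e"}
# Everything below is constructed sample data.
CONSUMERS = [
    PAGE_CONSUMER,
    {"name": "lbaas", "URL": "lbaas://RegionOne/loadbalancer/"
     "11111111-1111-1111-1111-111111111111"},
    {"name": "other-service", "URL": "https://example.invalid/resource/1"},
]
LISTENERS = [
    {"protocol": "TERMINATED_HTTPS", "default_tls_container_ref": CONTAINER,
     "loadbalancer_id": "11111111-1111-1111-1111-111111111111"},
    {"protocol": "HTTP",  # the HTTPS listener on this balancer was deleted
     "loadbalancer_id": "5e7768b9-7aa9-4146-8a71-6291353b447e"},
]

if __name__ == "__main__":
    for entry in stale_consumers(CONTAINER, CONSUMERS, LISTENERS):
        print("stale consumer:", entry["URL"])
```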