Re: [barbican][vault]
On Thu, 2024-10-24 at 18:06 -0700, melanie witt wrote:
On 10/24/24 16:43, Andy Speagle wrote:
Hey Folks,
I'm having some trouble getting barbican to generate and/or store keys in our HashiCorp Vault in our charmed OpenStack environment. I have issues with both TPM- and SSL-related keys.
I get extremely generic errors back that I can't seem to figure out how to troubleshoot:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/nova/conductor/manager.py", line 688, in build_instances
    scheduler_utils.populate_retry(
  File "/usr/lib/python3/dist-packages/nova/scheduler/utils.py", line 998, in populate_retry
    raise exception.MaxRetriesExceeded(reason=msg)
nova.exception.MaxRetriesExceeded: Exceeded maximum number of retries. Exceeded max scheduling attempts 3 for instance 0c50b2d7-8ac5-41a2-90ab-1e33f7aa1c22. Last exception: Key manager error: Internal Server Error: Secret creation failure seen - please contact site administrator.
Just FYI this is the generic MaxRetriesExceeded error which means that the server action failed on nova-compute(s). So you'll want to look in your nova-compute.log for the error that triggered the retries and eventual MaxRetriesExceeded.
I'm using barbican 14.0.2 in yoga/stable ... anyone have any ideas how to troubleshoot this?
I'm guessing in nova-compute.log you will see an error 403 forbidden for creating a barbican secret. If so, the most common reason I have seen for this is if you have in your barbican.conf [oslo.policy]enforce_new_defaults = False, then secret creates require the requester to have the 'creator' role assigned to them (you can do this by 'openstack role add <options> <role>' [1]).
When [oslo.policy]enforce_new_defaults = True, the 'creator' role is not required.
Yup... nailed it. I really appreciate the insight. :)
The tl;dr is 'enforce_new_defaults' means to use the newer secure RBAC policies and the secure RBAC changes are shown in the Wallaby release notes:
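As an added worked example (not code from this thread, from barbican, or from oslo.policy), here is a small Python model of how oslo.policy decides barbican's 'secrets:post' check under enforce_new_defaults = False versus True. The rule strings, the role names, and the 'True:%(enforce_new_defaults)s' gating atom are simplified, assumed approximations of barbican's legacy policy and its secure-RBAC defaults; they are only as detailed as needed to show why a project member without the 'creator' role gets a 403 in legacy mode and a 201 once the new defaults are enforced.

```python
"""Model of oslo.policy's decision for barbican's 'secrets:post' under
enforce_new_defaults = False vs True.

Added example for this thread; not barbican's or oslo.policy's code.
Rule strings below are assumed, simplified approximations.
"""

# Assumed legacy (pre secure-RBAC) barbican rules: creating a secret
# needs the 'creator' role (or admin).
LEGACY_RULES = {
    "admin": "role:admin",
    "creator": "role:creator",
    "admin_or_creator": "rule:admin or rule:creator",
    "secrets:post": "rule:admin_or_creator",
}

# Assumed secure-RBAC rules. 'True:%(enforce_new_defaults)s' is the
# oslo.policy generic-check idiom that keeps a new rule inert until the
# operator turns the new defaults on.
NEW_RULES = {
    "admin": "role:admin",
    "member": "role:member or role:admin",
    "secrets:post": "True:%(enforce_new_defaults)s and rule:member",
}


def evaluate(expr, rules, roles, target, depth=0):
    """Evaluate an expression of 'role:X', 'rule:Y' and generic
    'literal:%(key)s' atoms joined by 'and'/'or'. As in oslo.policy,
    'and' binds tighter than 'or'; parentheses are not supported here."""
    if depth > 32:
        raise RecursionError("policy rule recursion too deep: %r" % expr)
    expr = expr.strip()
    if " or " in expr:
        return any(evaluate(p, rules, roles, target, depth)
                   for p in expr.split(" or "))
    if " and " in expr:
        return all(evaluate(p, rules, roles, target, depth)
                   for p in expr.split(" and "))
    if expr in ("@", ""):      # oslo.policy: always allowed
        return True
    if expr == "!":            # oslo.policy: never allowed
        return False
    kind, _, match = expr.partition(":")
    if kind == "role":
        return match.lower() in {r.lower() for r in roles}
    if kind == "rule":
        if match not in rules:
            return False       # undefined rule: deny
        return evaluate(rules[match], rules, roles, target, depth + 1)
    # Generic check: the literal on the left must equal the string the
    # right side formats into from the target, e.g.
    # 'True:%(enforce_new_defaults)s' with target {'enforce_new_defaults': True}.
    try:
        return kind == (match % target)
    except KeyError:
        return False


def secret_create_allowed(roles, enforce_new_defaults):
    """Decide 'secrets:post' the way oslo.policy does: with the new
    defaults enforced only the new rule counts; with them off, the new
    rule OR the deprecated (legacy) rule is accepted."""
    roles = set(roles)
    target = {"enforce_new_defaults": enforce_new_defaults}
    new_ok = evaluate(NEW_RULES["secrets:post"], NEW_RULES, roles, target)
    if enforce_new_defaults:
        return new_ok
    legacy_ok = evaluate(LEGACY_RULES["secrets:post"], LEGACY_RULES,
                         roles, target)
    return new_ok or legacy_ok


def barbican_status(roles, enforce_new_defaults):
    """HTTP status nova-compute would get back from barbican for the
    secret create that precedes the MaxRetriesExceeded in the thread."""
    if secret_create_allowed(roles, enforce_new_defaults):
        return "201 Created"
    return "403 Forbidden"


if __name__ == "__main__":
    for flag in (False, True):
        for roles in ({"member"}, {"member", "creator"}, {"admin"}):
            print("enforce_new_defaults=%s roles=%s -> %s"
                  % (flag, sorted(roles), barbican_status(roles, flag)))
```

In a real deployment the knob is read from the [oslo_policy] section of barbican.conf (oslo.policy's config group), so the two fixes are either setting enforce_new_defaults = True there and restarting barbican-api, or keeping legacy policy and granting the role to the requesting identity, e.g. openstack role add --user <user> --project <project> creator. Either way, the 403 itself is only visible in nova-compute.log; the conductor's MaxRetriesExceeded is just the reschedule giving up.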