Adding QDR basic auth to smoke tests #492
Co-authored-by: Leif Madsen <lmadsen@redhat.com>
...and adheres to the rules for label text
(Failed) TESTING
Collectd is failing to do the auth, but ceilometer doesn't have any problem.
Collectd shows this
and the matching message from the QDR
The "mech=none" and "Client skipped authentication" suggest it's not even trying to plaintext auth, but it has at least engaged the sasl layer. Ceilometer used to show a similar message, but installing the cyrus-sasl-plain package fixed it.
Here is the collectd config
The password appears to match the secret AND the file in the QDR container
Here is the code responsible for enabling auth: https://github.com/collectd/collectd/blob/ef1e157de1a4f2cff10f6f902002066d0998232c/src/amqp1.c#L265
And here is what the API docs have to say about it: https://qpid.apache.org/releases/qpid-proton-0.39.0/proton/c/api/group__connection.html#gafb84dd2ef7551ad864be08cb31010d19
Likely cause
There is a hint in the docs associated with pn_sasl_set_allow_insecure_mechs(): "By default the SASL layer is configured not to allow mechanisms that disclose the clear text of the password over an unencrypted AMQP connection." https://qpid.apache.org/releases/qpid-proton-0.39.0/proton/c/api/group__sasl.html#gaf472325bc055bb18a5a6f5ca03eda315
If we look all the way back up at the QDR connection, we can see it says
Here is the QDR config for the port 5671 listener:
and the associated sslProfile
So AFAICT, despite the fact that the listener has an SSL profile, and that we use those certs in the OSP -> STF connection, both ceilometer and collectd are connecting without SSL enabled. My hunch is that the python proton library doesn't care and does the auth anyways, but the C proton library is more strict. It may be that a call to pn_transport_require_encryption() would be required in the amqp1 plugin in order to get this to work. I tried to enable SSL on the ceilometer link by using
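The diagnosis above turns on two router-side observations ("mech=none" and "Client skipped authentication") plus whether the client link was actually encrypted. As an added example that is not part of the PR or of any of the projects involved, the script below audits router log lines for exactly that: connections that never offered a SASL mechanism, anonymous connections, and PLAIN credentials sent over an unencrypted link. The log line layout (connection ids in brackets, `ssl=`/`sasl_mechanism=` key-value fields) is constructed for the example and is not the exact qdrouterd format; only the two quoted phrases come from the thread.

```python
"""Audit AMQP router log lines for unauthenticated or unencrypted client links.

Added example. The log format is constructed for illustration and modelled
loosely on the "mech=none" / "Client skipped authentication" phrases quoted
in the thread; adapt the regexes to the real router output.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (not captured from a real router).
SAMPLE_LOG = [
    "2023-01-01 10:00:01 SERVER (info) [C1] Accepted connection to 0.0.0.0:5671 from 10.0.0.5:43210",
    "2023-01-01 10:00:01 SERVER (info) [C1] Connection from 10.0.0.5:43210 (to 0.0.0.0:5671) failed: "
    "amqp:unauthorized-access Client skipped authentication mech=none",
    "2023-01-01 10:00:02 SERVER (info) [C2] Accepted connection to 0.0.0.0:5671 from 10.0.0.6:43211 "
    "ssl=TLSv1.3 sasl_mechanism=PLAIN user=stf",
    "2023-01-01 10:00:03 SERVER (info) [C3] Accepted connection to 0.0.0.0:5672 from 10.0.0.7:43212 "
    "sasl_mechanism=ANONYMOUS",
    "2023-01-01 10:00:04 SERVER (info) [C4] Accepted connection to 0.0.0.0:5672 from 10.0.0.8:43213 "
    "sasl_mechanism=PLAIN user=stf",
]

CONN_ID_RE = re.compile(r"\[(C\d+)\]")
KV_RE = re.compile(r"\b(ssl|mech|sasl_mechanism|user)=(\S+)")
REMOTE_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+:\d+)")
LISTENER_RE = re.compile(r"to \d+\.\d+\.\d+\.\d+:(\d+)")


@dataclass
class Conn:
    """What the router recorded about one client connection."""
    remote: str = "?"
    port: str = "?"
    tls: bool = False          # an ssl= field was logged for this connection
    mech: str = "NONE"         # SASL mechanism the client settled on
    skipped_auth: bool = False # router reported the client skipped authentication


def parse_router_log(lines):
    """Group log lines by connection id and extract the security-relevant fields."""
    conns = {}
    for line in lines:
        m = CONN_ID_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(m.group(1), Conn())
        if (r := REMOTE_RE.search(line)):
            c.remote = r.group(1)
        if (l := LISTENER_RE.search(line)):
            c.port = l.group(1)
        for key, val in KV_RE.findall(line):
            if key == "ssl":
                c.tls = True
            elif key in ("mech", "sasl_mechanism"):
                c.mech = val.upper()
        if "Client skipped authentication" in line:
            c.skipped_auth = True
    return conns


def classify(c):
    """Return (verdict, explanation) for one connection."""
    if c.skipped_auth or c.mech == "NONE":
        return ("unauthenticated",
                "client offered no SASL mechanism; on the client check that the "
                "PLAIN mechanism is installed (cyrus-sasl-plain) and that the link "
                "is encrypted, since proton refuses clear-text mechanisms over "
                "an unencrypted connection by default")
    if c.mech == "ANONYMOUS":
        return ("anonymous", "listener accepted an ANONYMOUS client")
    if c.mech == "PLAIN" and not c.tls:
        return ("cleartext-credentials",
                "PLAIN credentials were sent over a link with no TLS recorded")
    return ("ok", "authenticated over an encrypted link")


def audit(lines):
    """Map each connection id to its verdict."""
    return {cid: classify(c)[0] for cid, c in parse_router_log(lines).items()}


if __name__ == "__main__":
    for cid, c in parse_router_log(SAMPLE_LOG).items():
        verdict, why = classify(c)
        print(f"{cid} {c.remote} -> :{c.port} [{verdict}] {why}")
```

Run it as a script to see the per-connection verdicts; in a real deployment, feed it the router's log stream and alert on anything other than `ok` on the listener that carries collector traffic.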
oc delete is openstack-collectd:latest | ||
oc delete buildconfig openstack-ceilometer-notification | ||
oc delete is openstack-ceilometer-notification |
One of the `oc delete is` has a tag and the other does not. Missed tag, or superfluous tag?
The first one is probably superfluous/wrong
oc new-build -D $'FROM quay.io/tripleomaster/openstack-collectd:current-tripleo\nUSER 0\nRUN rpm -i http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/cyrus-sasl-plain-2.1.27-5.el8.x86_64.rpm' | ||
oc new-build -D $'FROM quay.io/tripleomaster/openstack-ceilometer-notification:current-tripleo\nUSER 0\nRUN rpm -i http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/cyrus-sasl-plain-2.1.27-5.el8.x86_64.rpm' |
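Review bot: both `oc new-build` lines install cyrus-sasl-plain with `rpm -i` straight from a plain-http mirror URL pinned to one exact build (2.1.27-5.el8), so the build has no signature or checksum step shown and will break as soon as the 8-stream mirror rotates that NVR. Consider `RUN dnf install -y cyrus-sasl-plain` against the repositories already configured in the base image (or at least an https URL plus `rpm --checksig`) so the package is signature-verified and the version tracks the image.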
Pretty sure this is fine in downstream testing as well... does CVP run this? Pretty sure the lack of pulling is simply a build system thing, so shouldn't be an issue. Just thinking out loud for possible gotchas.
* Initial changes for QDR basicAuth
* Update roles/servicetelemetry/tasks/pre.yml
Co-authored-by: Leif Madsen <lmadsen@redhat.com>
* correct API version on secret
* Touchups from fresh environment test
* swap ansible_date_time for a filter that doesn't require facts
...and adheres to the rules for label text
* Update CSV
* Disable qdr auth in smoketests
See: #492
---------
Co-authored-by: Leif Madsen <lmadsen@redhat.com>
This came up again today and I want to suggest a pretty easy solution - add a second QDR into the test so that it can be set up the same way the OSP QDR is (with tls+auth being used between the QDRs instead of from the collectors)
Can the branch associated with this closed issue be deleted?
NOTE: This doesn't work