How to unset value of "fernet-secret-id"?

ferruum · 29 February 2024 07:31

wrsadmin@pek-studio-1:~/openstack/keystone$ juju show-unit -m openstack keystone/0
keystone/0:
  opened-ports: []
  charm: ch:amd64/jammy/keystone-k8s-148
  leader: true
  life: alive
  relation-info:
  - relation-id: 60
    endpoint: peers
    related-endpoint: peers
    application-data:
      credential-keys-secret-id: secret://28a63850-0466-4758-8db3-359ccfe49820/cmosn9hralcnms6iig40
      credentials__charm-keystone-admin: secret://28a63850-0466-4758-8db3-359ccfe49820/cmosn8hralcnms6iig30
      credentials_admin: secret://28a63850-0466-4758-8db3-359ccfe49820/cmosnd9ralcnms6iig4g
      credentials_horizon: secret://28a63850-0466-4758-8db3-359ccfe49820/cmoso99ralcnms6iig7g
      credentials_openstack-hypervisor: secret://28a63850-0466-4758-8db3-359ccfe49820/cmotah1ralcnms6iig8g
      credentials_svc_cinder: secret://28a63850-0466-4758-8db3-359ccfe49820/cmosnjhralcnms6iig50
      credentials_svc_glance: secret://28a63850-0466-4758-8db3-359ccfe49820/cmosnq1ralcnms6iig5g
      credentials_svc_neutron: secret://28a63850-0466-4758-8db3-359ccfe49820/cmosnu1ralcnms6iig60
      credentials_svc_nova: secret://28a63850-0466-4758-8db3-359ccfe49820/cmoso69ralcnms6iig70
      credentials_svc_placement: secret://28a63850-0466-4758-8db3-359ccfe49820/cmoso29ralcnms6iig6g
      fernet-secret-id: secret://28a63850-0466-4758-8db3-359ccfe49820/cmosn9hralcnms6iig3g
      leader_ready: "true"
      old_service_users: '[]'
...

For the last secret “fernet-secret-id: secret://28a63850-0466-4758-8db3-359ccfe49820/cmosn9hralcnms6iig3g”, which is deleted accidentally by my colleague.

Is there a way to unset the “fernet-secret-id” to get keystone to recreate a new fernet secret?

For now, it reports an error:

[container-agent] 2024-02-29 00:17:17 INFO juju.worker.uniter.operation runhook.go:186 ran "start" hook (via hook dispatching script: dispatch)
[container-agent] 2024-02-29 00:17:18 INFO juju-log Entering guarded section: 'Bootstrapping'
[container-agent] 2024-02-29 00:17:19 WARNING juju-log Not running db-sync, it has run previously for this unit
[container-agent] 2024-02-29 00:17:19 ERROR juju-log Exception raised in section 'Bootstrapping': 
[container-agent] 2024-02-29 00:17:19 ERROR juju-log Traceback (most recent call last):
[container-agent]   File "/var/lib/juju/agents/unit-keystone-0/charm/venv/ops/model.py", line 2946, in _run
[container-agent]     result = subprocess.run(args, **kwargs)  # type: ignore
[container-agent]   File "/usr/lib/python3.10/subprocess.py", line 526, in run
[container-agent]     raise CalledProcessError(retcode, process.args,
[container-agent] subprocess.CalledProcessError: Command '('/var/lib/juju/tools/unit-keystone-0/secret-get', 'secret://28a63850-0466-4758-8db3-359ccfe49820/cmosn9hralcnms6iig3g', '--format=json')' returned non-zero exit status 1.
[container-agent] 
[container-agent] The above exception was the direct cause of the following exception:
[container-agent] 
[container-agent] Traceback (most recent call last):
[container-agent]   File "/var/lib/juju/agents/unit-keystone-0/charm/venv/ops/model.py", line 3302, in secret_get
[container-agent]     result = self._run('secret-get', *args, return_output=True, use_json=True)
[container-agent]   File "/var/lib/juju/agents/unit-keystone-0/charm/venv/ops/model.py", line 2948, in _run
[container-agent]     raise ModelError(e.stderr) from e
[container-agent] ops.model.ModelError: ERROR secret "secret://28a63850-0466-4758-8db3-359ccfe49820/cmosn9hralcnms6iig3g" not found
[container-agent] 
[container-agent] 
[container-agent] The above exception was the direct cause of the following exception:
[container-agent] 
[container-agent] Traceback (most recent call last):
[container-agent]   File "/var/lib/juju/agents/unit-keystone-0/charm/venv/ops_sunbeam/guard.py", line 91, in guard
[container-agent]     yield
[container-agent]   File "/var/lib/juju/agents/unit-keystone-0/charm/venv/ops_sunbeam/charm.py", line 291, in configure_charm
[container-agent]     self.configure_unit(event)
[container-agent]   File "/var/lib/juju/agents/unit-keystone-0/charm/./src/charm.py", line 1459, in configure_unit
[container-agent]     self.update_fernet_keys_from_peer()
[container-agent]   File "/var/lib/juju/agents/unit-keystone-0/charm/./src/charm.py", line 537, in update_fernet_keys_from_peer
[container-agent]     fernet_secret = self.model.get_secret(id=fernet_secret_id)
[container-agent]   File "/var/lib/juju/agents/unit-keystone-0/charm/venv/ops/model.py", line 276, in get_secret
[container-agent]     content = self._backend.secret_get(id=id, label=label)
[container-agent]   File "/var/lib/juju/agents/unit-keystone-0/charm/venv/ops/model.py", line 3305, in secret_get
[container-agent]     raise SecretNotFoundError() from e
[container-agent] ops.model.SecretNotFoundError
[container-agent] 
[container-agent] 2024-02-29 00:17:19 INFO juju.worker.uniter.operation runhook.go:186 ran "keystone-pebble-ready" hook (via hook dispatching script: dispatch)

hemanth-n · 6 March 2024 01:49

This can be resolved by clearing the corresponding key in peer relation data using relation-set. I have raised a bug [1] to better deal this scenario in the charm.

[1] Bug #2056242 “keystone in error with SecretNotFoundError” : Bugs : Sunbeam Charms