octavia

[SRU] Loadbalacer stuck in status PENDING_DELETE if TLS storage unavailable in cascade deletion

Bug #2077348 reported by Evgeniy Bykov on 2024-08-19

This bug affects 3 people

	Status	Importance	Assigned to
Ubuntu Cloud Archive	Status tracked in Epoxy
Antelope	In Progress	Undecided	Hua Zhang
Bobcat	In Progress	Undecided	Unassigned
Caracal	New	Undecided	Unassigned
Dalmatian	Fix Released	Undecided	Unassigned
Epoxy	Fix Released	Undecided	Unassigned
Yoga	New	Undecided	Unassigned
octavia	Fix Released	Undecided	Evgeniy Bykov
octavia (Ubuntu)	Status tracked in Plucky
Focal	Won't Fix	Undecided	Unassigned
Jammy	In Progress	Undecided	Hua Zhang
Noble	In Progress	Undecided	Hua Zhang
Oracular	Fix Released	Undecided	Unassigned
Plucky	Fix Released	Undecided	Unassigned

Bug Description

[Impact]

Loadbalacer stuck in status PENDING_DELETE if TLS cert unavailable

[Test Case]

Pls refer to [Test steps] section below.

[Regression Potential]

The fix is already in the upstream main, stable/2024.1, stable/2023.2, stable/2023.1 branches, so it is a clean backport and might be helpful for deployments using octavia.

I also test this fix, it works well - https://paste.ubuntu.com/p/s4MsMjV6mP/

[Others]

Original Bug Description Below
===========

Loadbalacer stuck in status PENDING_DELETE if TLS cert unavailable

1. Create load balancer with TERMINATED_HTTPS listener
2. Disable your TLS storage, or delete cert from storage
3. Try to delete loadbalancer with cascade flag

Error on logs:

```
Unable to retrieve certificate(s) due to Could not retrieve certificate: <some id>
Exception during message handling
```

```
Traceback (most recent call last):
File "/var/lib/openstack/lib/python3.10/site-packages/oslo_messaging/rpc/server.py", line 165, in _process_incoming, res = self.dispatcher.dispatch(message),
File "/var/lib/openstack/lib/python3.10/site-packages/oslo_messaging/rpc/dispatcher.py", line 309, in dispatch, return self._do_dispatch(endpoint, method, ctxt, args),
File "/var/lib/openstack/lib/python3.10/site-packages/oslo_messaging/rpc/dispatcher.py", line 229, in _do_dispatch, result = func(ctxt, **new_args),
File "/var/lib/openstack/lib/python3.10/site-packages/octavia/controller/queue/v2/endpoints.py", line 56, in delete_load_balancer, self.worker.delete_load_balancer(loadbalancer, cascade),
File "/var/lib/openstack/lib/python3.10/site-packages/octavia/controller/worker/v2/controller_worker.py", line 387, in delete_load_balancer, listeners = flow_utils.get_listeners_on_lb(db_lb),
File "/var/lib/openstack/lib/python3.10/site-packages/octavia/controller/worker/v2/flows/flow_utils.py", line 52, in get_listeners_on_lb, prov_listener = provider_utils.db_listener_to_provider_listener(),
File "/var/lib/openstack/lib/python3.10/site-packages/octavia/api/drivers/utils.py", line 182, in db_listener_to_provider_listener, new_listener_dict = listener_dict_to_provider_dict(),
File "/var/lib/openstack/lib/python3.10/site-packages/octavia/api/drivers/utils.py", line 261, in listener_dict_to_provider_dict, with excutils.save_and_reraise_exception() as ctxt:,
File "/var/lib/openstack/lib/python3.10/site-packages/oslo_utils/excutils.py", line 227, in __exit__, self.force_reraise(),
File "/var/lib/openstack/lib/python3.10/site-packages/oslo_utils/excutils.py", line 200, in force_reraise, raise self.value,
File "/var/lib/openstack/lib/python3.10/site-packages/octavia/api/drivers/utils.py", line 258, in listener_dict_to_provider_dict, cert_dict = cert_parser.load_certificates_data(cert_manager)
File "/var/lib/openstack/lib/python3.10/site-packages/octavia/common/tls_utils/cert_parser.py", line 381, in load_certificates_data, raise exceptions.CertificateRetrievalException(, octavia.common.exceptions.CertificateRetrievalException: Could not retrieve certificate: ]

```

[Test steps]

1. Create load balancer with TERMINATED_HTTPS listener, eg:

secret1_id=$(openstack secret store --name='lb_tls_secret_1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < www.server1.com.p12)" -f value -c "Secret href")
octavia_user_id=$(openstack user show octavia --domain service_domain -f value -c id); echo $octavia_user_id;
openstack acl user add -u $octavia_user_id $secret1_id
subnetid=$(openstack subnet show private_subnet -f value -c id); echo $subnetid
lb_id=$(openstack loadbalancer create --name lb1 --vip-subnet-id $subnetid -f value -c id); echo $lb_id
listener_id=$(openstack loadbalancer listener create $lb_id --name https_listener --protocol-port 80 --protocol TERMINATED_HTTPS --default-tls-container=$secret1_id --sni-container-refs $secret1_id $secret2_id -f value -c id); echo $listener_id

2. Disable your TLS storage, or delete cert from storage, eg:

openstack secret delete $secret1_id

3. Try to delete loadbalancer with cascade flag

openstack loadbalancer delete lb1 --cascade

Here are the detailed steps for me to reproduce the problem - https://paste.ubuntu.com/p/wh3dJpJR9B/

See original description

Tags:

Revision history for this message

{content}

OpenStack Infra (hudson-openstack) wrote on 2024-08-19: Fix proposed to octavia (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/octavia/+/926564

Changed in octavia:
status:	New → In Progress

Evgeniy Bykov (lydina-pavuh) on 2024-08-26

Changed in octavia:
assignee:	nobody → Evgeniy Bykov (lydina-pavuh)

Revision history for this message

{content}

OpenStack Infra (hudson-openstack) wrote on 2024-09-05: Fix merged to octavia (master)

Reviewed: https://review.opendev.org/c/openstack/octavia/+/926564
Committed: https://opendev.org/openstack/octavia/commit/ec9a50599012b99deaf8bb26683fedcd381db1a6
Submitter: "Zuul (22348)"
Branch: master

commit ec9a50599012b99deaf8bb26683fedcd381db1a6
Author: Evgeniy Bykov <email address hidden>
Date: Mon Aug 19 20:20:38 2024 +0300

Fix loadbalancer stuck in cascade delete

- Fix loadbalancer stuck in PENDING_DELETE in cascade delete
with TERMINATED_HTTPS listener if TLS storage not available

    Closes-Bug: #2077348
    Change-Id: Iae2b075de5412bb183db6a21f7f8376801853e00
    Signed-off-by: Evgeniy Bykov <email address hidden>

Changed in octavia:
status:	In Progress → Fix Released

Revision history for this message

{content}

OpenStack Infra (hudson-openstack) wrote on 2024-09-06: Fix proposed to octavia (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/octavia/+/928322

Revision history for this message

{content}

OpenStack Infra (hudson-openstack) wrote on 2024-09-06: Fix proposed to octavia (stable/2023.2)

Changed in octavia (Ubuntu Plucky):
status:	New → Fix Released
Changed in octavia (Ubuntu Oracular):
status:	New → Fix Released

description:	updated
summary:	- Loadbalacer stuck in status PENDING_DELETE if TLS storage unavailable in - cascade deletion + [SRU] Loadbalacer stuck in status PENDING_DELETE if TLS storage + unavailable in cascade deletion

octavia

[SRU] Loadbalacer stuck in status PENDING_DELETE if TLS storage unavailable in cascade deletion

Bug Description

Other bug subscribers

Patches

Remote bug watches

Changed in octavia (Ubuntu Focal):
status:	New → Won't Fix

Changed in octavia (Ubuntu Jammy):
assignee:	nobody → Hua Zhang (zhhuabj)
status:	New → In Progress
Changed in octavia (Ubuntu Noble):
assignee:	nobody → Hua Zhang (zhhuabj)
status:	New → In Progress