Page MenuHomePhabricator

Cannot create magnum cluster
Closed, ResolvedPublic


Cluster failing to build:

| status_reason        | Failed to create trustee or trust for Cluster: e850f43f-59eb-48de-a65d-022397d96baf                                       |

Perhaps related to

To recreate:

export OS_PROJECT_ID=paws
openstack coe cluster create test-remove --cluster-template paws-k8s22 --master-count 1 --node-count 3

Seeing the same with the 1.23 template

Event Timeline

This is related to the role refactor, but I'm not sure how. When it comes time to create the keystone trust, keystone says that it can't find the 'member' role. Of course it can find it in all other contexts.

I think the issue with 'not found' is that it was trying to delegate a role from novadmin to the service user which novaadmin didn't have in the first place. Now that novaadmin does have those roles it gets further, but not as far as I'd like.

If I remove the [trust] roles=reader,member setting from the config then all the roles of novaadmin get delegated (including 'admin') and that seems to complete the cluster. I don't love delegating adminship though...

Andrew claimed this task.

Works for me, now! I left the config as is but made sure that novaadmin has reader + member everywhere. I'm pretty sure that for a normal non-novadmin user this bug wouldn't have appeared in the first place since every other user has those roles.

I'm seeing the same problem in codfw1dev when I try to create a cluster with terraform. Probably I haven't set up the application credential correctly, though I would need help identifying how to set it up correctly. I can create a VM, so the cred has some access.

This seems like the appropriate ticket to reopen, though I can open another ticket if preferred.

I've mirrored the role changes I made on this task in codfw1dev so this can be retested. Is terraform creating the cluster as 'novaadmin' or as a human user?

This is resolved by using a credential with the "Unrestricted (dangerous)" checkbox selected. Thank you @taavi for the solution