The keystone midleware is the one responsible for adding the headers
HTTP_X_USER and HTTP_X_TENANT to the "environ" dict while handling
requests in the nova-api-proxy [1]. Currently, some log statements
inside the APIController class of the nova-api-proxy is accessing the
"environ" dict keys directly, without using environ.get(key, val).
Because of this, a KeyError exception is launched and nova requests fail
when the nova-api-proxy pipeline is configured without using the
keystone middleware.
Since Nova requests will be authenticated at the final nova endpoints,
the usage of keystone middleware in the request handling pipeline of
nova-api-proxy should not be mandatory. Actually, the user is already
allowed to setup the pipeline without keystone middleware by applying a
custom user override to the nova-api-proxy chart at
"conf.paste.pipeline:nova-api-proxy.pipeline". Although this scenario
wasn't being explored so far, it's now required by [2] to fix an issue
related to intermittent failures on Nova actions.
To enable the setup of nova-api-proxy paste pipeline without the
keystone middleware, the access to HTTP_X_USER and HTTP_X_TENANT keys
of the "environ" dict was changed to use environ.get(key, val) with
"val=UNDEFINED".
Since Nova requests will be authenticated at the final nova endpoints,
the usage of keystone middleware in the request handling pipeline of
nova-api-proxy should not be mandatory.
[1] https://docs.openstack.org/keystonemiddleware/latest/api/keystonemiddleware.auth_token.html
[2] https://review.opendev.org/c/starlingx/openstack-armada-app/+/932607
Test Plan:
nova-api-proxy setup using the keystone middleware:
- PASS: Build and upload nova-api-proxy image to a duplex system
- PASS: Override the openstack app to use the custom image and apply it
- PASS: Use openstack CLI to perform instance actions (suspend/resume)
nova-api-proxy setup without the keystone middleware:
- PASS: Override the nova-api-proxy chart to remove keystone middleware
- PASS: Re-apply the app and send instance actions (suspend/resume)
Related-Bug: #2083934
Related-Bug: #2083608
Change-Id: Iec3b92fc5fd85b594b6c3eac3fd97b045e7c8e0c
Signed-off-by: Alex Figueiredo <alex.fernandesfigueiredo@windriver.com>
Co-authored-by: José Pires <joseclaudio.paespires@windriver.com>
Co-authored-by: Romulo Leite <romulo.leite@windriver.com>
381ada9b07