Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSS-9572 Correct the usage of public address #1266

Merged
merged 2 commits into from
Jul 12, 2024
Merged

CSS-9572 Correct the usage of public address #1266

merged 2 commits into from
Jul 12, 2024

Conversation

kian99
Copy link
Contributor

@kian99 kian99 commented Jul 10, 2024

Description

This PR fixes a bug when using JIMM with cross-controller relations. When a client tries to perform a cross-model/cross-controller relation it:

  1. First requests information about the application offer
  2. Then makes a call to consume the application offer.

The first call for app-offer details is a controller level call handled by JIMM here. You can see in that snippet that if the controller where the app offer is hosted has a public address, we don't return the controller's CA cert, if it doesn't have a public address we do return the controller's CA cert.

Trying the following:

  1. Spin up JIMM.
  2. Add LXD controller to JIMM
  3. Add another LXD controller to JIMM
  4. Create 2 models, one on each controller
  5. Deploy an application like postgresql and create an offer.
  6. Try to consume the offer from the other model.
  7. Run juju debug-log to see the following error:

cmr error in remote application worker for postgresql: cannot connect to external controller: opening facade to remote model: unable to connect to API: tls: failed to verify certificate: x509: cannot validate certificate for 10.16.149.235 because it doesn't contain any IP SANs

The destination controller cannot connect to the source controller via TLS because JAAS never provided the controller's CA cert. This issue arises because of our jimmctl list-controller command, here we fill the public-address field even when it's not actually a public address. That has been fixed.

The second issue that comes up is our dialer only attempts to dial IPs that have "scope"="public". The scope is a concept, part of the struct used to store controller info, where the scope is determined by this function in Juju. For example, localhost has link-local scope. Scope "local-cloud" are all private IP ranges (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which may still be reachable from JIMM.

Engineering checklist

Check only items that apply

  • Documentation updated
  • Covered by unit tests
  • Covered by integration tests

Test instructions

Retried my steps above and was able to consume and relate two apps cross-controller.

Notes for code reviewers

Still working on tests.

@kian99 kian99 requested a review from a team as a code owner July 10, 2024 13:52
@kian99 kian99 changed the title Correct the usage of public address CSS-9572 Correct the usage of public address Jul 10, 2024
ale8k
ale8k approved these changes Jul 11, 2024
View reviewed changes
Copy link
Contributor

@ale8k ale8k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice spot

@kian99 kian99 merged commit 50693ac into canonical:v3 Jul 12, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ale8k ale8k ale8k approved these changes

@babakks babakks babakks approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kian99 @babakks @ale8k