Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Component/s: barbican-operator, keystone-operator
Labels:
None

Story Points:
0
Epic Link:
[BugEpic]: Keystone-operator rquries rabbit mq but keystone only uses it if you enable notificaions.
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Docs Approval:
?
AssignedTeam:
rhos-ops-platform-services-security
Regression:
None
Intelligence Requested:
Market:
PX Impact Score:

Severity:
Moderate

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

keystone is not a distribute service and dose not use RabbitMQ unless you enable
notification with the oslo messaging RabbitMQ driver

https://github.com/openstack/keystone/blob/master/keystone/notifications.py
https://docs.openstack.org/keystone/latest/configuration/config-options.html#oslo_messaging_notifications.transport_url

https://docs.openstack.org/keystone/latest/install/keystone-install-rdo.html
https://docs.openstack.org/keystone/latest/install/keystone-install-ubuntu.html

the keystone operator however require a rabbit instance

https://github.com/openstack-k8s-operators/keystone-operator/blob/main/api/v1beta1/keystoneapi_types.go#L185-L189

which st the uses for notification

https://github.com/openstack-k8s-operators/keystone-operator/blob/main/templates/keystoneapi/config/keystone.conf#L36-L47
however this is defaulting to the incorrect message bus and uses the wrong name

the notification message bus should be defied as`NotificationsBusInstance`

	// +kubebuilder:validation:Optional
	// NotificationsBusInstance is the name of the RabbitMqCluster CR to select
	// the Message Bus Service instance used by the Nova top level services and all cells to publish notifications.
	// If undefined, the value will be inherited from OpenStackControlPlane.
	// An empty value "" leaves the notification drivers unconfigured and emitting no notifications at all.
	// Avoid colocating it with RabbitMqClusterName, APIMessageBusInstance or CellMessageBusInstance used for RPC.
	// For particular Nova cells, notifications cannot be disabled, nor configured differently.
	NotificationsBusInstance *string `json:"notificationsBusInstance,omitempty"`

it should not have a default value as notification should be disabled by default

when its enabled we use a separate RabbitMQ instance for it called rabbit-notifications by convention

https://github.com/openstack-k8s-operators/openstack-operator/pull/1591

the rabbitMqClusterName field was added by
https://github.com/openstack-k8s-operators/keystone-operator/commit/52985536f4624d3a245d63210ab07d9553007cbd

which incorrectly reused the naem we default to for RPC traffic and make it required instead of optional which is problematic as if notification are not consumed they will pile up indefinitely in rabbit unless you configure expiration on the rabbit server for the messages.

this seams to have been introduce for Barbican integration

https://github.com/openstack-k8s-operators/barbican-operator/pull/34
however we should not assume that Barbican is deployed and it should be possible to deploy without enabling this functionality.

relates to

RHOSSTRAT-1163 Provide a shared-nothing architecture for RHOSO

Refinement

Assignee:: Unassigned

Reporter:: Sean Mooney

Team:: rhos-dfg-security

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/12/11 3:21 AM

Updated:: 2026/01/16 3:09 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty