Add default certificates relation handlers

These where moved up to this layer from ``layer-openstack-api``, removal counterpart: I007275c041ca5465664a6b5d441e56c0316c405d Guard the default handlers behind check for 'charms.openstack.do-default-certificates.available' flag. This flag is activated when the consumer charm makes a call to charm.use_defaults('certificates.available') from its reactive handler. Previously it was always activated for all consumers of the ``openstack-api`` layer, it should be up to the charm implementation to choose. We do not add back ``layer-tls-client``, the reason being that the reactive bits in ``layer-openstack`` in conjunction with helpers in ``charms.openstack`` is managing both the server and CA certificates and rely on the same flags to detect changes. If we one day offload those tasks to the ``layer-tls-client`` we should add it back in conjunction with removing our code for this. At the time of this writing it would not be possible as ``layer-tls-client`` is not spaces aware. With the above mentioned change we can stop relying on the now deprecated ``certificates.batch.cert.available`` flag. We also do not add back the Keystone certificates handling code as this has been removed from the Keystone charm reference: openstack/charm-keystone/commit/17b24e7fde8e4c8c276a4f392cbae0d1d0ed2615 Needed-By: I007275c041ca5465664a6b5d441e56c0316c405d Needed-By: I8a72acd451dd21e1b042b7f71f6d98e164737ac1 Closes-Bug: #1840899 Change-Id: I12f45236632b608e07fdd35d31b90b84ca92eb1f
2019-08-26 11:37:39 +02:00 · 2019-08-26 11:37:39 +02:00 · 1df85ff800
parent aa5bc57aea
commit 1df85ff800
4 changed files with 59 additions and 3 deletions
--- a/config.yaml
+++ b/config.yaml
@ -19,8 +19,27 @@ options:
      Openstack mostly defaults to using public endpoints for
      internal communication between services. If set to True this option
      will configure services to use internal endpoints where possible.
+  ssl_cert:
+    type: string
+    default:
+    description: |
+      TLS certificate to install and use for any listening services.
+      .
+      __NOTE__: This configuration option will take precedence over any
+                certificates received over the ``certificates`` relation.
+  ssl_key:
+    type: string
+    default:
+    description: |
+      TLS key to use with certificate specified as ``ssl_cert``.
+      .
+      __NOTE__: This configuration option will take precedence over any
+                certificates received over the ``certificates`` relation.
  ssl_ca:
    type: string
    default:
    description: |
-      SSL CA to use to communicate with other OpenStack cloud components.
+      TLS CA to use to communicate with other components in a deployment.
+      .
+      __NOTE__: This configuration option will take precedence over any
+                certificates received over the ``certificates`` relation.
--- a/layer.yaml
+++ b/layer.yaml
@ -1,2 +1,2 @@
-includes: ['layer:basic']
+includes: ['layer:basic', 'interface:tls-certificates']
 repo: 'https://github.com/openstack/charm-layer-openstack'
--- a/metadata.yaml
+++ b/metadata.yaml
@ -6,3 +6,6 @@ description: |
 tags:
  - openstack
 series: []
+requires:
+  certificates:
+    interface: tls-certificates
--- a/reactive/layer_openstack.py
+++ b/reactive/layer_openstack.py
@ -1,8 +1,9 @@
+import charms.reactive as reactive
+
 import charmhelpers.core.unitdata as unitdata

 import charms_openstack.charm as charm
 import charms_openstack.charm.defaults as defaults
-import charms.reactive as reactive


@reactive.when_not('charm.installed')
@ -89,3 +90,36 @@ def default_post_series_upgrade():
    """
    with charm.provide_charm_instance() as instance:
        instance.series_upgrade_complete()
+
+
+@reactive.when('certificates.available',
+               'charms.openstack.do-default-certificates.available')
+def default_request_certificates():
+    """When the certificates interface is available, this default handler
+    requests TLS certificates.
+    """
+    tls = reactive.endpoint_from_flag('certificates.available')
+    with charm.provide_charm_instance() as instance:
+        for cn, req in instance.get_certificate_requests().items():
+            tls.add_request_server_cert(cn, req['sans'])
+        tls.request_server_certs()
+        instance.assess_status()
+
+
+@reactive.when('charms.openstack.do-default-certificates.available')
+@reactive.when_any(
+    'certificates.ca.changed',
+    'certificates.certs.changed')
+def default_configure_certificates():
+    """When the certificates interface is available, this default handler
+    updates on-disk certificates and switches on the TLS support.
+    """
+    tls = reactive.endpoint_from_flag('certificates.available')
+    with charm.provide_charm_instance() as instance:
+        instance.configure_tls(tls)
+        # make charms.openstack required relation check happy
+        reactive.set_flag('certificates.connected')
+        for flag in 'certificates.ca.changed', 'certificates.certs.changed':
+            if reactive.is_flag_set(flag):
+                reactive.clear_flag(flag)
+        instance.assess_status()