Add default certificates relation handlers

These were moved up to this layer from ``layer-openstack-api``,
removal counterpart: I007275c041ca5465664a6b5d441e56c0316c405d

Guard the default handlers behind a check for the
'charms.openstack.do-default-certificates.available' flag. This
flag is activated when the consumer charm makes a call to
charm.use_defaults('certificates.available') from its reactive
handler. Previously it was always activated for all consumers of
the ``openstack-api`` layer; it should be up to the charm
implementation to choose.

We do not add back ``layer-tls-client``, the reason being that
the reactive bits in ``layer-openstack`` in conjunction with
helpers in ``charms.openstack`` are managing both the server and CA
certificates and rely on the same flags to detect changes.

If we one day offload those tasks to the ``layer-tls-client``,
we should add it back in conjunction with removing our code for
this. At the time of this writing it would not be possible as
``layer-tls-client`` is not spaces aware.

With the above-mentioned change we can stop relying on the now
deprecated ``certificates.batch.cert.available`` flag.

We also do not add back the Keystone certificates handling code
as this has been removed from the Keystone charm reference:
openstack/charm-keystone/commit/17b24e7fde8e4c8c276a4f392cbae0d1d0ed2615

Needed-By: I007275c041ca5465664a6b5d441e56c0316c405d
Needed-By: I8a72acd451dd21e1b042b7f71f6d98e164737ac1
Closes-Bug: #1840899
Change-Id: I12f45236632b608e07fdd35d31b90b84ca92eb1f
21
config.yaml
@@ -19,8 +19,27 @@ options:
Openstack mostly defaults to using public endpoints for
internal communication between services. If set to True this option
will configure services to use internal endpoints where possible.
ssl_cert:
type: string
default:
description: |
TLS certificate to install and use for any listening services.
.
__NOTE__: This configuration option will take precedence over any
certificates received over the ``certificates`` relation.
ssl_key:
type: string
default:
description: |
TLS key to use with certificate specified as ``ssl_cert``.
.
__NOTE__: This configuration option will take precedence over any
certificates received over the ``certificates`` relation.
ssl_ca:
type: string
default:
description: |
SSL CA to use to communicate with other OpenStack cloud components.
TLS CA to use to communicate with other components in a deployment.
.
__NOTE__: This configuration option will take precedence over any
certificates received over the ``certificates`` relation.

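Review bot: the ssl_cert and ssl_key descriptions each document the option on its own but nothing says what happens when only one of the pair is set; since both take precedence over anything received over the ``certificates`` relation, a half-configured pair silently overrides relation-supplied material. Suggest stating in both descriptions that ssl_cert and ssl_key must be set together, and, as the same __NOTE__ paragraph is now repeated three times, consider a single sentence saying that setting any of ssl_cert, ssl_key or ssl_ca overrides the corresponding material from the relation.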
@@ -1,2 +1,2 @@
includes: ['layer:basic']
includes: ['layer:basic', 'interface:tls-certificates']
repo: 'https://github.com/openstack/charm-layer-openstack'

@@ -6,3 +6,6 @@ description: |
tags:
- openstack
series: []
requires:
certificates:
interface: tls-certificates

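Review bot: declaring `requires: certificates` in this layer's metadata makes the relation part of every charm built on it, whether or not that charm opts into the default handlers via charm.use_defaults('certificates.available') as the commit message describes, so a consumer that never enables the defaults will advertise a relation it does nothing with. Suggest a short comment next to the `certificates:` entry (or a README note) saying the relation is only acted on when the charm enables the default handlers.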
@@ -1,8 +1,9 @@
import charms.reactive as reactive

import charmhelpers.core.unitdata as unitdata

import charms_openstack.charm as charm
import charms_openstack.charm.defaults as defaults
import charms.reactive as reactive


@reactive.when_not('charm.installed')
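Review bot: the only change in this hunk is moving `import charms.reactive as reactive` below the charms_openstack imports, which is unrelated to the new certificates handlers and makes the functional diff noisier than it needs to be; fine to keep, but it would read better as a separate cosmetic commit.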
@@ -89,3 +90,36 @@ def default_post_series_upgrade():
"""
with charm.provide_charm_instance() as instance:
instance.series_upgrade_complete()


@reactive.when('certificates.available',
'charms.openstack.do-default-certificates.available')
def default_request_certificates():
"""When the certificates interface is available, this default handler
requests TLS certificates.
"""
tls = reactive.endpoint_from_flag('certificates.available')
with charm.provide_charm_instance() as instance:
for cn, req in instance.get_certificate_requests().items():
tls.add_request_server_cert(cn, req['sans'])
tls.request_server_certs()
instance.assess_status()


@reactive.when('charms.openstack.do-default-certificates.available')
@reactive.when_any(
'certificates.ca.changed',
'certificates.certs.changed')
def default_configure_certificates():
"""When the certificates interface is available, this default handler
updates on-disk certificates and switches on the TLS support.
"""
tls = reactive.endpoint_from_flag('certificates.available')
with charm.provide_charm_instance() as instance:
instance.configure_tls(tls)
# make charms.openstack required relation check happy
reactive.set_flag('certificates.connected')
for flag in 'certificates.ca.changed', 'certificates.certs.changed':
if reactive.is_flag_set(flag):
reactive.clear_flag(flag)
instance.assess_status()

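Review bot: default_configure_certificates is triggered by certificates.ca.changed / certificates.certs.changed but, unlike default_request_certificates, is not gated on certificates.available, yet it calls reactive.endpoint_from_flag('certificates.available') and hands the result straight to instance.configure_tls(tls); if a changed flag is still set after the relation has gone away, endpoint_from_flag returns None and configure_tls receives it. Suggest adding 'certificates.available' to the @reactive.when decorator or returning early when tls is None. Two smaller points: req['sans'] in default_request_certificates raises KeyError for any request without that key (req.get('sans', []) would be more forgiving unless get_certificate_requests guarantees it), and the manually set 'certificates.connected' flag is never cleared, so the required-relation check it is meant to satisfy stays satisfied after the relation departs.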