From 1df85ff80049db52f4884babc346d5e89f7ed3e0 Mon Sep 17 00:00:00 2001
From: Frode Nordahl
Date: Mon, 26 Aug 2019 11:37:39 +0200
Subject: [PATCH] Add default certificates relation handlers

These where moved up to this layer from ``layer-openstack-api``, removal counterpart: I007275c041ca5465664a6b5d441e56c0316c405d Guard the default handlers behind check for 'charms.openstack.do-default-certificates.available' flag. This flag is activated when the consumer charm makes a call to charm.use_defaults('certificates.available') from its reactive handler. Previously it was always activated for all consumers of the ``openstack-api`` layer, it should be up to the charm implementation to choose. We do not add back ``layer-tls-client``, the reason being that the reactive bits in ``layer-openstack`` in conjunction with helpers in ``charms.openstack`` is managing both the server and CA certificates and rely on the same flags to detect changes. If we one day offload those tasks to the ``layer-tls-client`` we should add it back in conjunction with removing our code for this. At the time of this writing it would not be possible as ``layer-tls-client`` is not spaces aware. With the above mentioned change we can stop relying on the now deprecated ``certificates.batch.cert.available`` flag. We also do not add back the Keystone certificates handling code as this has been removed from the Keystone charm reference: openstack/charm-keystone/commit/17b24e7fde8e4c8c276a4f392cbae0d1d0ed2615

Needed-By: I007275c041ca5465664a6b5d441e56c0316c405d
Needed-By: I8a72acd451dd21e1b042b7f71f6d98e164737ac1
Closes-Bug: #1840899
Change-Id: I12f45236632b608e07fdd35d31b90b84ca92eb1f
---
 config.yaml | 21 ++++++++++++++++++++-
 layer.yaml | 2 +-
 metadata.yaml | 3 +++
 reactive/layer_openstack.py | 36 +++++++++++++++++++++++++++++++++++-
 4 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/config.yaml b/config.yaml
index b4201ae..3204d0a 100644
--- a/config.yaml
+++ b/config.yaml
@@ -19,8 +19,27 @@ options:
 Openstack mostly defaults to using public endpoints for internal communication between services. If set to True this option will configure services to use internal endpoints where possible.
+ ssl_cert:
+ type: string
+ default:
+ description: |
+ TLS certificate to install and use for any listening services.
+ .
+ __NOTE__: This configuration option will take precedence over any
+ certificates received over the ``certificates`` relation.
+ ssl_key:
+ type: string
+ default:
+ description: |
+ TLS key to use with certificate specified as ``ssl_cert``.
+ .
+ __NOTE__: This configuration option will take precedence over any
+ certificates received over the ``certificates`` relation.
 ssl_ca:
 type: string
 default:
 description: |
- SSL CA to use to communicate with other OpenStack cloud components.
+ TLS CA to use to communicate with other components in a deployment.
+ .
+ __NOTE__: This configuration option will take precedence over any
+ certificates received over the ``certificates`` relation.
diff --git a/layer.yaml b/layer.yaml
index e88eccb..f1a1722 100644
--- a/layer.yaml
+++ b/layer.yaml
@@ -1,2 +1,2 @@
-includes: ['layer:basic']
+includes: ['layer:basic', 'interface:tls-certificates']
 repo: 'https://github.com/openstack/charm-layer-openstack'
diff --git a/metadata.yaml b/metadata.yaml
index d478242..7e5ea87 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -6,3 +6,6 @@ description: |
 tags:
 - openstack
 series: []
+requires:
+ certificates:
+ interface: tls-certificates
diff --git a/reactive/layer_openstack.py b/reactive/layer_openstack.py
index 21f0220..627c900 100644
--- a/reactive/layer_openstack.py
+++ b/reactive/layer_openstack.py
@@ -1,8 +1,9 @@
+import charms.reactive as reactive
+
 import charmhelpers.core.unitdata as unitdata
 import charms_openstack.charm as charm
 import charms_openstack.charm.defaults as defaults
-import charms.reactive as reactive
 @reactive.when_not('charm.installed')
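Review bot: The new `ssl_key` option puts a private key into charm configuration, but its description only says which certificate it pairs with; charm config is generally readable by whoever can inspect the model's configuration (verify for the deployment model in use), so the description should say what the value is and steer operators towards the `certificates` relation where a certificate authority charm is available. Appending a sentence such as `This option holds private key material; where a certificate authority is deployed, prefer the ``certificates`` relation.` to the ssl_key description would cover it. The same `__NOTE__` paragraph about precedence over the relation is repeated for all three options, so the addition belongs next to that note.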
@@ -89,3 +90,36 @@ def default_post_series_upgrade():
 """
 with charm.provide_charm_instance() as instance:
 instance.series_upgrade_complete()
+
+
+@reactive.when('certificates.available',
+ 'charms.openstack.do-default-certificates.available')
+def default_request_certificates():
+ """When the certificates interface is available, this default handler
+ requests TLS certificates.
+ """
+ tls = reactive.endpoint_from_flag('certificates.available')
+ with charm.provide_charm_instance() as instance:
+ for cn, req in instance.get_certificate_requests().items():
+ tls.add_request_server_cert(cn, req['sans'])
+ tls.request_server_certs()
+ instance.assess_status()
+
+
+@reactive.when('charms.openstack.do-default-certificates.available')
+@reactive.when_any(
+ 'certificates.ca.changed',
+ 'certificates.certs.changed')
+def default_configure_certificates():
+ """When the certificates interface is available, this default handler
+ updates on-disk certificates and switches on the TLS support.
+ """
+ tls = reactive.endpoint_from_flag('certificates.available')
+ with charm.provide_charm_instance() as instance:
+ instance.configure_tls(tls)
+ # make charms.openstack required relation check happy
+ reactive.set_flag('certificates.connected')
+ for flag in 'certificates.ca.changed', 'certificates.certs.changed':
+ if reactive.is_flag_set(flag):
+ reactive.clear_flag(flag)
+ instance.assess_status()
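Review bot: `default_configure_certificates` calls `reactive.endpoint_from_flag('certificates.available')` but is guarded only by `charms.openstack.do-default-certificates.available` and one of the `certificates.*.changed` flags, so it can run while `certificates.available` is not set (for example if a changed flag outlives the relation), in which case the endpoint lookup yields None and `instance.configure_tls(None)` is reached; the docstring already says the handler runs when the interface is available, so the guard should match it: `@reactive.when('certificates.available', 'charms.openstack.do-default-certificates.available')`. Whether a changed flag can survive the relation going away depends on the tls-certificates interface layer, which is not part of this patch. Separately, `reactive.set_flag('certificates.connected')` is set here by the charm layer rather than by the interface and nothing in the hunk clears it, so the required-relation check it exists to satisfy would remain satisfied after the relation departs unless the interface layer owns and clears that flag; a comment such as `# 'certificates.connected' is normally owned by the interface layer -- confirm it is cleared on departure` would record that assumption. The leading context lines belong to `default_post_series_upgrade`, whose definition starts outside the hunk.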