Add default certificates relation handlers
These were moved up to this layer from ``layer-openstack-api``, removal counterpart: I007275c041ca5465664a6b5d441e56c0316c405d Guard the default handlers behind a check for 'charms.openstack.do-default-certificates.available' flag. This flag is activated when the consumer charm makes a call to charm.use_defaults('certificates.available') from its reactive handler. Previously it was always activated for all consumers of the ``openstack-api`` layer; it should be up to the charm implementation to choose. We do not add back ``layer-tls-client``, the reason being that the reactive bits in ``layer-openstack`` in conjunction with helpers in ``charms.openstack`` are managing both the server and CA certificates and rely on the same flags to detect changes. If we one day offload those tasks to the ``layer-tls-client`` we should add it back in conjunction with removing our code for this. At the time of this writing it would not be possible as ``layer-tls-client`` is not spaces aware. With the above mentioned change we can stop relying on the now deprecated ``certificates.batch.cert.available`` flag. We also do not add back the Keystone certificates handling code as this has been removed from the Keystone charm reference: openstack/charm-keystone/commit/17b24e7fde8e4c8c276a4f392cbae0d1d0ed2615 Needed-By: I007275c041ca5465664a6b5d441e56c0316c405d Needed-By: I8a72acd451dd21e1b042b7f71f6d98e164737ac1 Closes-Bug: #1840899 Change-Id: I12f45236632b608e07fdd35d31b90b84ca92eb1f
This commit is contained in:
parent
aa5bc57aea
commit
1df85ff800
21
config.yaml
21
config.yaml
@ -19,8 +19,27 @@ options:
Openstack mostly defaults to using public endpoints for
Openstack mostly defaults to using public endpoints for
internal communication between services. If set to True this option
internal communication between services. If set to True this option
will configure services to use internal endpoints where possible.
will configure services to use internal endpoints where possible.
ssl_cert:
type: string
default:
description: |
TLS certificate to install and use for any listening services.
.
__NOTE__: This configuration option will take precedence over any
certificates received over the ``certificates`` relation.
ssl_key:
type: string
default:
description: |
TLS key to use with certificate specified as ``ssl_cert``.
.
__NOTE__: This configuration option will take precedence over any
certificates received over the ``certificates`` relation.
ssl_ca:
ssl_ca:
type: string
type: string
default:
default:
description: |
description: |
SSL CA to use to communicate with other OpenStack cloud components.
TLS CA to use to communicate with other components in a deployment.
.
__NOTE__: This configuration option will take precedence over any
certificates received over the ``certificates`` relation.
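Review bot: The new `ssl_cert` and `ssl_key` descriptions (and the reworded `ssl_ca` one) do not say what form the value must take — raw PEM text or base64-encoded PEM — and a key supplied in the wrong form is only rejected later by the helper that consumes these options, which is outside this diff. I would add one sentence to each description stating the expected encoding, matching whatever the consuming code in `charms.openstack` actually decodes. Since `ssl_key` places a private key in application configuration, its description would also benefit from noting that the value is presumably readable by anyone who can read the application's config, which is one more reason the relation-delivered certificates are the preferred path and the config options the override.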
@ -1,2 +1,2 @@
includes: ['layer:basic']
includes: ['layer:basic', 'interface:tls-certificates']
repo: 'https://github.com/openstack/charm-layer-openstack'
repo: 'https://github.com/openstack/charm-layer-openstack'
@ -6,3 +6,6 @@ description: |
tags:
tags:
- openstack
- openstack
series: []
series: []
requires:
certificates:
interface: tls-certificates
@ -1,8 +1,9 @@
import charms.reactive as reactive
import charmhelpers.core.unitdata as unitdata
import charmhelpers.core.unitdata as unitdata
import charms_openstack.charm as charm
import charms_openstack.charm as charm
import charms_openstack.charm.defaults as defaults
import charms_openstack.charm.defaults as defaults
import charms.reactive as reactive
@reactive.when_not('charm.installed')
@reactive.when_not('charm.installed')
@ -89,3 +90,36 @@ def default_post_series_upgrade():
"""
"""
with charm.provide_charm_instance() as instance:
with charm.provide_charm_instance() as instance:
instance.series_upgrade_complete()
instance.series_upgrade_complete()
@reactive.when('certificates.available',
'charms.openstack.do-default-certificates.available')
def default_request_certificates():
"""When the certificates interface is available, this default handler
requests TLS certificates.
"""
tls = reactive.endpoint_from_flag('certificates.available')
with charm.provide_charm_instance() as instance:
for cn, req in instance.get_certificate_requests().items():
tls.add_request_server_cert(cn, req['sans'])
tls.request_server_certs()
instance.assess_status()
@reactive.when('charms.openstack.do-default-certificates.available')
@reactive.when_any(
'certificates.ca.changed',
'certificates.certs.changed')
def default_configure_certificates():
"""When the certificates interface is available, this default handler
updates on-disk certificates and switches on the TLS support.
"""
tls = reactive.endpoint_from_flag('certificates.available')
with charm.provide_charm_instance() as instance:
instance.configure_tls(tls)
# make charms.openstack required relation check happy
reactive.set_flag('certificates.connected')
for flag in 'certificates.ca.changed', 'certificates.certs.changed':
if reactive.is_flag_set(flag):
reactive.clear_flag(flag)
instance.assess_status()
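Review bot: `default_configure_certificates` obtains the endpoint with `reactive.endpoint_from_flag('certificates.available')` but, unlike `default_request_certificates`, is gated only on `charms.openstack.do-default-certificates.available` and the two `*.changed` flags, so if either `changed` flag is still set after the relation has gone, `endpoint_from_flag` returns `None` and `instance.configure_tls(tls)` is called with it. Adding `'certificates.available'` to the `@reactive.when(...)` decorator, or an early `if tls is None: return` before the `with` block, closes that window and keeps the two handlers consistent. The `reactive.set_flag('certificates.connected')` workaround is also set here and never cleared in this hunk, so the required-relation status check would presumably keep reporting the relation as connected after a departure; a comment saying where that flag is expected to be cleared, e.g. `# NOTE: cleared by <departure handler — confirm>; until then status reports the relation as present`, would make the limitation explicit.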