Add default certificates relation handlers

These were moved up to this layer from ``layer-openstack-api``,
removal counterpart: I007275c041ca5465664a6b5d441e56c0316c405d

Guard the default handlers behind a check for the
'charms.openstack.do-default-certificates.available' flag.  This
flag is activated when the consumer charm makes a call to
charm.use_defaults('certificates.available') from its reactive
handler.  Previously it was always activated for all consumers of
the ``openstack-api`` layer; it should be up to the charm
implementation to choose.

We do not add back ``layer-tls-client``, the reason being that
the reactive bits in ``layer-openstack`` in conjunction with
helpers in ``charms.openstack`` are managing both the server and CA
certificates and rely on the same flags to detect changes.

If we one day offload those tasks to the ``layer-tls-client``
we should add it back in conjunction with removing our code for
this.  At the time of this writing it would not be possible as
``layer-tls-client`` is not spaces aware.

With the above-mentioned change we can stop relying on the now
deprecated ``certificates.batch.cert.available`` flag.

We also do not add back the Keystone certificates handling code
as this has been removed from the Keystone charm reference:
openstack/charm-keystone/commit/17b24e7fde8e4c8c276a4f392cbae0d1d0ed2615

Needed-By: I007275c041ca5465664a6b5d441e56c0316c405d
Needed-By: I8a72acd451dd21e1b042b7f71f6d98e164737ac1
Closes-Bug: #1840899
Change-Id: I12f45236632b608e07fdd35d31b90b84ca92eb1f
Frode Nordahl 2019-08-26 11:37:39 +02:00
parent aa5bc57aea
commit 1df85ff800
GPG Key ID: 6A5D59A3BA48373F
4 changed files with 59 additions and 3 deletions


@ -19,8 +19,27 @@ options:
Openstack mostly defaults to using public endpoints for Openstack mostly defaults to using public endpoints for
internal communication between services. If set to True this option internal communication between services. If set to True this option
will configure services to use internal endpoints where possible. will configure services to use internal endpoints where possible.
ssl_cert:
type: string
default:
description: |
TLS certificate to install and use for any listening services.
.
__NOTE__: This configuration option will take precedence over any
certificates received over the ``certificates`` relation.
ssl_key:
type: string
default:
description: |
TLS key to use with certificate specified as ``ssl_cert``.
.
__NOTE__: This configuration option will take precedence over any
certificates received over the ``certificates`` relation.
ssl_ca: ssl_ca:
type: string type: string
default: default:
description: | description: |
SSL CA to use to communicate with other OpenStack cloud components. TLS CA to use to communicate with other components in a deployment.
.
__NOTE__: This configuration option will take precedence over any
certificates received over the ``certificates`` relation.
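Review bot: the new ssl_cert and ssl_key descriptions do not state what format the values are expected in, and ssl_key is private key material, so anyone who can read the charm's config (juju config) can recover it. Suggest the descriptions say which encoding is expected (the existing ssl_ca text omits this too), that ssl_cert and ssl_key must be supplied together, and that the key is treated as secret. The same __NOTE__ paragraph is now repeated verbatim under ssl_cert, ssl_key and ssl_ca; wording the ssl_key note as "used together with ssl_cert" would leave the precedence rule stated in one place.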


@ -1,2 +1,2 @@
includes: ['layer:basic'] includes: ['layer:basic', 'interface:tls-certificates']
repo: 'https://github.com/openstack/charm-layer-openstack' repo: 'https://github.com/openstack/charm-layer-openstack'


@ -6,3 +6,6 @@ description: |
tags: tags:
- openstack - openstack
series: [] series: []
requires:
certificates:
interface: tls-certificates
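Review bot: the `certificates` requires entry is unconditional, so every charm built on this layer now exposes a certificates relation endpoint even if it never calls charm.use_defaults('certificates.available'); the commit message only describes the handlers as opt-in. Worth stating in the message or the layer docs that the relation is always declared, and that without the opt-in a related certificate authority will be accepted but nothing in this layer will request or install certificates for it.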


@ -1,8 +1,9 @@
import charms.reactive as reactive
import charmhelpers.core.unitdata as unitdata import charmhelpers.core.unitdata as unitdata
import charms_openstack.charm as charm import charms_openstack.charm as charm
import charms_openstack.charm.defaults as defaults import charms_openstack.charm.defaults as defaults
import charms.reactive as reactive
@reactive.when_not('charm.installed') @reactive.when_not('charm.installed')
@ -89,3 +90,36 @@ def default_post_series_upgrade():
""" """
with charm.provide_charm_instance() as instance: with charm.provide_charm_instance() as instance:
instance.series_upgrade_complete() instance.series_upgrade_complete()
@reactive.when('certificates.available',
'charms.openstack.do-default-certificates.available')
def default_request_certificates():
"""When the certificates interface is available, this default handler
requests TLS certificates.
"""
tls = reactive.endpoint_from_flag('certificates.available')
with charm.provide_charm_instance() as instance:
for cn, req in instance.get_certificate_requests().items():
tls.add_request_server_cert(cn, req['sans'])
tls.request_server_certs()
instance.assess_status()
@reactive.when('charms.openstack.do-default-certificates.available')
@reactive.when_any(
'certificates.ca.changed',
'certificates.certs.changed')
def default_configure_certificates():
"""When the certificates interface is available, this default handler
updates on-disk certificates and switches on the TLS support.
"""
tls = reactive.endpoint_from_flag('certificates.available')
with charm.provide_charm_instance() as instance:
instance.configure_tls(tls)
# make charms.openstack required relation check happy
reactive.set_flag('certificates.connected')
for flag in 'certificates.ca.changed', 'certificates.certs.changed':
if reactive.is_flag_set(flag):
reactive.clear_flag(flag)
instance.assess_status()
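Review bot: default_configure_certificates is triggered by certificates.ca.changed / certificates.certs.changed but looks the endpoint up with reactive.endpoint_from_flag('certificates.available'), which returns None when that flag is not set (for example the relation departed after a change was flagged), so instance.configure_tls(tls) would be called with None. Suggest adding 'certificates.available' to the @reactive.when decorator next to the do-default flag, or returning early when tls is None. Related: `reactive.set_flag('certificates.connected')` is set by hand here ("make charms.openstack required relation check happy") and nothing in this hunk clears it, so once set the required-relation check will keep reporting the relation as connected after it has been removed; derive that state from the endpoint or clear the flag when certificates.available is cleared. The docstring also says "When the certificates interface is available" while the handler actually runs on the changed flags.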