Merge "Add default certificates relation handlers"

config.yaml

@@ -19,8 +19,27 @@ options:
       Openstack mostly defaults to using public endpoints for
       internal communication between services. If set to True this option
       will configure services to use internal endpoints where possible.
+  ssl_cert:
+    type: string
+    default:
+    description: |
+      TLS certificate to install and use for any listening services.
+      .
+      __NOTE__: This configuration option will take precedence over any
+                certificates received over the ``certificates`` relation.
+  ssl_key:
+    type: string
+    default:
+    description: |
+      TLS key to use with certificate specified as ``ssl_cert``.
+      .
+      __NOTE__: This configuration option will take precedence over any
+                certificates received over the ``certificates`` relation.
   ssl_ca:
     type: string
     default:
     description: |
-      SSL CA to use to communicate with other OpenStack cloud components.
+      TLS CA to use to communicate with other components in a deployment.
+      .
+      __NOTE__: This configuration option will take precedence over any
+                certificates received over the ``certificates`` relation.

layer.yaml

@@ -1,2 +1,2 @@
-includes: ['layer:basic']
+includes: ['layer:basic', 'interface:tls-certificates']
 repo: 'https://github.com/openstack/charm-layer-openstack'

metadata.yaml

@@ -6,3 +6,6 @@ description: |
 tags:
   - openstack
 series: []
+requires:
+  certificates:
+    interface: tls-certificates

reactive/layer_openstack.py

@@ -1,8 +1,9 @@
+import charms.reactive as reactive
+
 import charmhelpers.core.unitdata as unitdata
 
 import charms_openstack.charm as charm
 import charms_openstack.charm.defaults as defaults
-import charms.reactive as reactive
 
 
 @reactive.when_not('charm.installed')
@@ -89,3 +90,36 @@ def default_post_series_upgrade():
     """
     with charm.provide_charm_instance() as instance:
         instance.series_upgrade_complete()
+
+
+@reactive.when('certificates.available',
+               'charms.openstack.do-default-certificates.available')
+def default_request_certificates():
+    """When the certificates interface is available, this default handler
+    requests TLS certificates.
+    """
+    tls = reactive.endpoint_from_flag('certificates.available')
+    with charm.provide_charm_instance() as instance:
+        for cn, req in instance.get_certificate_requests().items():
+            tls.add_request_server_cert(cn, req['sans'])
+        tls.request_server_certs()
+        instance.assess_status()
+
+
+@reactive.when('charms.openstack.do-default-certificates.available')
+@reactive.when_any(
+    'certificates.ca.changed',
+    'certificates.certs.changed')
+def default_configure_certificates():
+    """When the certificates interface is available, this default handler
+    updates on-disk certificates and switches on the TLS support.
+    """
+    tls = reactive.endpoint_from_flag('certificates.available')
+    with charm.provide_charm_instance() as instance:
+        instance.configure_tls(tls)
+        # make charms.openstack required relation check happy
+        reactive.set_flag('certificates.connected')
+        for flag in 'certificates.ca.changed', 'certificates.certs.changed':
+            if reactive.is_flag_set(flag):
+                reactive.clear_flag(flag)
+        instance.assess_status()