From 822daf2794f44f61f5336a180752ba9e5482be81 Mon Sep 17 00:00:00 2001
From: Liam Young
Date: Fri, 10 May 2019 15:01:04 +0000
Subject: [PATCH] Check Apache ssl dir when determining restart map

If the certificates change then services needs to be restarted. This change adds the SSL directory to the restart map to ensure any certificate changes trigger a restart. Also, if the certificates change we need to pass those on to nova-compute.

Change-Id: I4cb2f760c26f0804d3cb7466c8aa741d5e0ec314
Closes-Bug: 1828530
---
 hooks/nova_cc_hooks.py | 2 ++
 hooks/nova_cc_utils.py | 10 ++++++++--
 unit_tests/test_nova_cc_hooks.py | 16 ++++++++++++++++
 unit_tests/test_nova_cc_utils.py | 15 ++++++++++++++-
 4 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/hooks/nova_cc_hooks.py b/hooks/nova_cc_hooks.py
index 318a7977..8f534c26 100755
--- a/hooks/nova_cc_hooks.py
+++ b/hooks/nova_cc_hooks.py
@@ -1009,6 +1009,8 @@ def certs_joined(relation_id=None):
 def certs_changed(relation_id=None, unit=None):
 cert_utils.process_certificates('nova', relation_id, unit, group='nova')
 configure_https()
+ for rid in hookenv.relation_ids('cloud-compute'):
+ compute_joined(rid=rid, remote_restart=False)


 @hooks.hook('amqp-cell-relation-joined')
diff --git a/hooks/nova_cc_utils.py b/hooks/nova_cc_utils.py
index b97cf4c5..0432f386 100644
--- a/hooks/nova_cc_utils.py
+++ b/hooks/nova_cc_utils.py
@@ -104,6 +104,7 @@ NOVA_API_PASTE = '%s/api-paste.ini' % NOVA_CONF_DIR
 HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'
 APACHE_CONF = '/etc/apache2/sites-available/openstack_https_frontend'
 APACHE_24_CONF = '/etc/apache2/sites-available/openstack_https_frontend.conf'
+APACHE_SSL_DIR = '/etc/apache2/ssl/nova'
 MEMCACHED_CONF = '/etc/memcached.conf'
 WSGI_NOVA_PLACEMENT_API_CONF = \
 '/etc/apache2/sites-enabled/wsgi-placement-api.conf'
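Review bot: The loop added to certs_changed re-runs compute_joined for every cloud-compute relation on each certificates change, and nothing in the hunk says why or what `remote_restart=False` is meant to guarantee. A short comment above the loop would help, for example `# Re-publish cloud-compute relation data so nova-compute receives the updated certificate material; no remote restart is requested here.` Whether nova-compute picks up rotated certificate material without a restart is not visible in this hunk and is worth confirming, since a compute node that keeps trusting the old chain could fail TLS verification against the controller. The decorators on certs_changed lie outside the hunk.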
@@ -348,10 +349,15 @@ def restart_map(actual_services=True):
 unit (ie. apache2) or the services defined in BASE_SERVICES (ie.nova-placement-api).
 '''
- return collections.OrderedDict(
+ services = resource_map(actual_services)
+ restart_map = collections.OrderedDict(
 [(cfg, v['services'])
- for cfg, v in resource_map(actual_services).items()
+ for cfg, v in services.items()
 if v['services']])
+ if os.path.isdir(APACHE_SSL_DIR):
+ _restart_svcs = services[NOVA_CONF]['services'] + ['apache2']
+ restart_map['{}/*'.format(APACHE_SSL_DIR)] = _restart_svcs
+ return restart_map


 def services():
diff --git a/unit_tests/test_nova_cc_hooks.py b/unit_tests/test_nova_cc_hooks.py
index 81fd0ea3..1e34bafa 100644
--- a/unit_tests/test_nova_cc_hooks.py
+++ b/unit_tests/test_nova_cc_hooks.py
@@ -982,3 +982,19 @@ class NovaCCHooksTests(CharmTestCase):
 relation_id=None, relation_settings={'private-address': 'foo'})
 hooks.memcached_joined()
+
+ @patch.object(utils, 'resource_map')
+ @patch.object(hooks, 'compute_joined')
+ @patch.object(hooks, 'configure_https')
+ @patch.object(hooks.cert_utils, 'process_certificates')
+ def test_certs_changed(self, process_certificates, configure_https,
+ compute_joined, resource_map):
+ resource_map.return_value = {}
+ self.os_release.return_value = 'rocky'
+ self.relation_ids.return_value = ['relid']
+ hooks.certs_changed()
+ process_certificates.assert_called_once_with('nova', None, None,
+ group='nova')
+ configure_https.assert_called_once_with()
+ compute_joined.assert_called_once_with(remote_restart=False,
+ rid='relid')
diff --git a/unit_tests/test_nova_cc_utils.py b/unit_tests/test_nova_cc_utils.py
index ab92ec4a..0efbd8a7 100644
--- a/unit_tests/test_nova_cc_utils.py
+++ b/unit_tests/test_nova_cc_utils.py
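Review bot: The `os.path.isdir(APACHE_SSL_DIR)` test in restart_map() is evaluated when the map is built, so if the map is built before the certificates hook first creates the directory, the `/etc/apache2/ssl/nova/*` key is absent and the initial certificate install would not trigger a restart through this entry; how and when callers build the map is outside this hunk, so this needs confirming. Adding the glob key unconditionally would remove that ordering dependency, provided the consumer tolerates a pattern with no matches (not visible here). Separately, the new locals `services` and `restart_map` shadow the module-level functions of the same names (`def services():` follows directly below); names such as `resources` and `_map` would read more clearly. `services[NOVA_CONF]['services'] + ['apache2']` can also list apache2 twice if the NOVA_CONF entry already includes it, and raises KeyError if resource_map() has no NOVA_CONF entry.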
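Review bot: test_certs_changed patches `resource_map` to return `{}` but leaves `os.path.isdir` unpatched, so its outcome can depend on the host's filesystem. If restart_map() is evaluated while `hooks.certs_changed()` runs (the patching of resource_map suggests it is, but the decorators are not visible here), a machine where /etc/apache2/ssl/nova exists would reach `services[NOVA_CONF]` on an empty dict and fail with KeyError. Adding `@patch('os.path.isdir')` with `return_value = False`, as test_restart_map_ssl does in unit_tests/test_nova_cc_utils.py, would keep the test host-independent.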
@@ -382,7 +382,7 @@ class NovaCCUtilsTests(CharmTestCase):
 @patch('charmhelpers.contrib.openstack.context.SubordinateConfigContext')
 @patch('os.path.exists')
 def test_restart_map_apache24(self, _exists, subcontext):
- _exists.return_Value = True
+ _exists.return_value = True
 self.os_release.return_value = 'diablo'
 _map = utils.restart_map()
 self.assertTrue('/etc/apache2/sites-available/'
@@ -390,6 +390,19 @@ class NovaCCUtilsTests(CharmTestCase):
 self.assertTrue('/etc/apache2/sites-available/'
 'openstack_https_frontend' not in _map)

+ @patch('charmhelpers.contrib.openstack.context.SubordinateConfigContext')
+ @patch('os.path.exists')
+ @patch('os.path.isdir')
+ def test_restart_map_ssl(self, _isdir, _exists, subcontext):
+ _exists.return_value = True
+ _isdir.return_value = True
+ self.os_release.return_value = 'diablo'
+ _map = utils.restart_map()
+ self.assertTrue('/etc/apache2/ssl/nova/*' in _map)
+ _isdir.return_value = False
+ _map = utils.restart_map()
+ self.assertTrue('/etc/apache2/ssl/nova/*' not in _map)
+
 def test_console_attributes_spice(self):
 _proto = utils.common.console_attributes('protocol', proto='spice')
 self.assertEqual(_proto, 'spice')
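Review bot: test_restart_map_ssl only checks that the `/etc/apache2/ssl/nova/*` key is present or absent and never inspects its value, so a regression that drops apache2 or the nova services from that entry would still pass. Adding `self.assertIn('apache2', _map['/etc/apache2/ssl/nova/*'])` after the first restart_map() call would pin the restart behaviour the commit message describes. `assertIn` and `assertNotIn` would also give clearer failure output than `assertTrue(... in _map)`.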