From f1a602ca41af1d0ed2f42f17e3ac7c9316fb2628 Mon Sep 17 00:00:00 2001
From: Frode Nordahl
Date: Wed, 12 May 2021 10:44:24 +0200
Subject: [PATCH] Retrieve chassis certificates from subordinate relation

When OVN provider driver is enabled, retrieve chassis certificates from subordinate. While a principal and subordinate charm executes in the same environment, the payload usually execute under different service accounts and as such it is impractical and may be less secure to attempt to provide direct on-disk file access. Also reverts commit bc0f83fee6af481324f2f9c7e8f01a5c3bde991c.
Closes-Bug: #1918271
Related-Bug: #1885936
Change-Id: I4bc65ea1fcf3c01b68ed92b31e91a64940afe10e
---
 src/lib/charm/openstack/octavia.py | 21 ++++++++++++++-------
 src/templates/victoria/octavia.conf | 6 +++---
 src/templates/victoria/ovn_ca_cert.pem | 3 +++
 src/templates/victoria/ovn_certificate.pem | 3 +++
 src/templates/victoria/ovn_private_key.pem | 3 +++
 5 files changed, 26 insertions(+), 10 deletions(-)
 create mode 100644 src/templates/victoria/ovn_ca_cert.pem
 create mode 100644 src/templates/victoria/ovn_certificate.pem
 create mode 100644 src/templates/victoria/ovn_private_key.pem
diff --git a/src/lib/charm/openstack/octavia.py b/src/lib/charm/openstack/octavia.py
index dff1d478..67dc6e0c 100644
--- a/src/lib/charm/openstack/octavia.py
+++ b/src/lib/charm/openstack/octavia.py
@@ -422,13 +422,6 @@ class BaseOctaviaCharm(ch_plugins.PolicydOverridePlugin,
 'examine documentation')]
 return states_to_check
 
- def custom_assess_status_check(self):
- """Check required configuration options are set"""
- if (reactive.is_flag_set('charm.octavia.enable-ovn-driver') and not
- reactive.is_flag_set('certificates.available')):
- return "blocked", "Certificates missing"
- return None, None
-
 def get_amqp_credentials(self):
 """Configure the AMQP credentials for Octavia."""
 return ('octavia', 'openstack')
@@ -508,3 +501,17 @@ class VictoriaOctaviaCharm(BaseOctaviaCharm):
 if reactive.is_flag_set('charm.octavia.enable-ovn-driver'):
 _services.extend(['octavia-driver-agent'])
 return _services
+
+ @property
+ def restart_map(self):
+ _restart_map = super().restart_map
+ if reactive.is_flag_set('charm.octavia.enable-ovn-driver'):
+ _restart_map.update({
+ os.path.join(OCTAVIA_DIR, 'ovn_ca_cert.pem'): [
+ 'octavia-driver-agent'],
+ os.path.join(OCTAVIA_DIR, 'ovn_certificate.pem'): [
+ 'octavia-driver-agent'],
+ os.path.join(OCTAVIA_DIR, 'ovn_private_key.pem'): [
+ 'octavia-driver-agent'],
+ })
+ return _restart_map
diff --git a/src/templates/victoria/octavia.conf b/src/templates/victoria/octavia.conf
index 08c61101..e878b34d 100644
--- a/src/templates/victoria/octavia.conf
+++ b/src/templates/victoria/octavia.conf
@@ -10,9 +10,9 @@ enabled_provider_drivers = amphora:The Octavia Amphora driver,ovn:Octavia OVN dr
 
 [ovn]
 ovn_nb_connection={{ ','.join(ovsdb_cms.db_nb_connection_strs) }}
-ovn_nb_private_key=/etc/apache2/ssl/{{ options.service_name }}/key_{{ ovsdb_subordinate.chassis_name }}
-ovn_nb_certificate=/etc/apache2/ssl/{{ options.service_name }}/cert_{{ ovsdb_subordinate.chassis_name }}
-ovn_nb_ca_cert=/etc/ssl/certs/ca-certificates.crt
+ovn_nb_private_key=/etc/octavia/ovn_private_key.pem
+ovn_nb_certificate=/etc/octavia/ovn_certificate.pem
+ovn_nb_ca_cert=/etc/octavia/ovn_ca_cert.pem
 
 [driver_agent]
 enabled_provider_agents = ovn
diff --git a/src/templates/victoria/ovn_ca_cert.pem b/src/templates/victoria/ovn_ca_cert.pem
new file mode 100644
index 00000000..2a7e74bc
--- /dev/null
+++ b/src/templates/victoria/ovn_ca_cert.pem
@@ -0,0 +1,3 @@
+{% if ovsdb_subordinate -%}
+{{ ovsdb_subordinate.chassis_certificates.get('ca_cert', '') }}
+{% endif -%}
diff --git a/src/templates/victoria/ovn_certificate.pem b/src/templates/victoria/ovn_certificate.pem
new file mode 100644
index 00000000..ff7a7eec
--- /dev/null
+++ b/src/templates/victoria/ovn_certificate.pem
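Review bot: `_restart_map.update(...)` in the new `restart_map` property mutates the mapping handed back by `super().restart_map`; that is only safe if the parent property builds a fresh dict on every access, which this hunk cannot show, so copying first with `_restart_map = dict(super().restart_map)` removes the dependency on the parent's implementation. The three entries differ only in the file name and all map to the same service list, so a loop over the names reads more clearly and keeps the list of rendered certificate files in one place. A one-line docstring stating that the certificate files are rendered and watched only when the OVN driver flag is set would also help, since the enclosing class starts above the hunk.
```python
    @property
    def restart_map(self):
        """Extend the parent restart map with the OVN chassis certificate files."""
        _restart_map = dict(super().restart_map)
        if reactive.is_flag_set('charm.octavia.enable-ovn-driver'):
            for cert_file in ('ovn_ca_cert.pem', 'ovn_certificate.pem',
                              'ovn_private_key.pem'):
                _restart_map[os.path.join(OCTAVIA_DIR, cert_file)] = [
                    'octavia-driver-agent']
        return _restart_map
```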
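Review bot: The three new `ovn_nb_*` values are literal `/etc/octavia/...` paths while the matching restart_map entries in the octavia.py hunk derive the same paths from `OCTAVIA_DIR`; if the two ever diverge, octavia-driver-agent is pointed at files the charm never renders and the failure surfaces only as a TLS error at run time. A Jinja comment above the block, `{# must match the certificate files listed in VictoriaOctaviaCharm.restart_map #}`, makes the coupling visible; passing the directory through the template context would remove it altogether. Note also that `ovn_nb_ca_cert` now trusts only the CA published by the subordinate instead of the system bundle, which is the stricter and intended behaviour but is not mentioned in the commit message.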
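Review bot: The `.get('ca_cert', '')` fallback renders an empty ovn_ca_cert.pem whenever the subordinate has not (yet) published that key, and the ovn_certificate.pem and ovn_private_key.pem templates in the following hunks behave the same way; an empty PEM is a perfectly good file as far as the renderer is concerned, so the gap only shows up when octavia-driver-agent fails its TLS handshake. With `custom_assess_status_check` removed in the first hunk there is no longer a unit status that reports missing certificate material, so I would have the charm's status assessment check `ovsdb_subordinate.chassis_certificates` for all three keys and report blocked until they are present. The template also does not guard against `chassis_certificates` being `None`, which `.get` would turn into a render-time AttributeError; presumably the interface always returns a mapping, but that is worth confirming.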
@@ -0,0 +1,3 @@
+{% if ovsdb_subordinate -%}
+{{ ovsdb_subordinate.chassis_certificates.get('certificate', '') }}
+{% endif -%}
diff --git a/src/templates/victoria/ovn_private_key.pem b/src/templates/victoria/ovn_private_key.pem
new file mode 100644
index 00000000..4f2c95c1
--- /dev/null
+++ b/src/templates/victoria/ovn_private_key.pem
@@ -0,0 +1,3 @@
+{% if ovsdb_subordinate -%}
+{{ ovsdb_subordinate.chassis_certificates.get('private_key', '') }}
+{% endif -%}
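Review bot: Nothing in this hunk or in the restart_map hunk sets the ownership or mode of the rendered /etc/octavia/ovn_private_key.pem, so the renderer's default permissions decide whether the chassis private key becomes readable by other local accounts, which is exactly the exposure the commit message gives as the reason for not sharing files on disk. If the charm's generic template rendering applies a permissive default, this file, unlike the two certificates, should be rendered owned by the account octavia-driver-agent runs under with a restrictive mode such as 0600, and a comment on the corresponding restart_map entry saying so would stop the next editor from treating it like any other config file. The `.get('private_key', '')` fallback additionally means a missing key silently yields an empty file instead of a render-time error.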