Retrieve chassis certificates from subordinate relation
When OVN provider driver is enabled, retrieve chassis
certificates from subordinate.
While a principal and a subordinate charm execute in the same
environment, their payloads usually execute under different service
accounts, and as such it is impractical and may be less secure to
attempt to provide direct on-disk file access.
Also reverts commit bc0f83fee6.
Closes-Bug: #1918271
Related-Bug: #1885936
Change-Id: I4bc65ea1fcf3c01b68ed92b31e91a64940afe10e
parent
062d9971f1
commit
f1a602ca41
@ -422,13 +422,6 @@ class BaseOctaviaCharm(ch_plugins.PolicydOverridePlugin,
|
||||
'examine documentation')]
|
||||
return states_to_check
|
||||
|
||||
def custom_assess_status_check(self):
|
||||
"""Check required configuration options are set"""
|
||||
if (reactive.is_flag_set('charm.octavia.enable-ovn-driver') and not
|
||||
reactive.is_flag_set('certificates.available')):
|
||||
return "blocked", "Certificates missing"
|
||||
return None, None
|
||||
|
||||
def get_amqp_credentials(self):
|
||||
"""Configure the AMQP credentials for Octavia."""
|
||||
return ('octavia', 'openstack')
|
||||
@ -508,3 +501,17 @@ class VictoriaOctaviaCharm(BaseOctaviaCharm):
|
||||
if reactive.is_flag_set('charm.octavia.enable-ovn-driver'):
|
||||
_services.extend(['octavia-driver-agent'])
|
||||
return _services
|
||||
|
||||
@property
|
||||
def restart_map(self):
|
||||
_restart_map = super().restart_map
|
||||
if reactive.is_flag_set('charm.octavia.enable-ovn-driver'):
|
||||
_restart_map.update({
|
||||
os.path.join(OCTAVIA_DIR, 'ovn_ca_cert.pem'): [
|
||||
'octavia-driver-agent'],
|
||||
os.path.join(OCTAVIA_DIR, 'ovn_certificate.pem'): [
|
||||
'octavia-driver-agent'],
|
||||
os.path.join(OCTAVIA_DIR, 'ovn_private_key.pem'): [
|
||||
'octavia-driver-agent'],
|
||||
})
|
||||
return _restart_map
|
||||
|
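Review bot: The new `restart_map` property calls `_restart_map.update({...})` on the object returned by `super().restart_map`, so if the parent exposes a class-level dict (not visible on this page) the three PEM entries are written into that shared dict in place. Copying first, `_restart_map = dict(super().restart_map)`, keeps the addition local to this call. The property also has no docstring; one line saying that the OVN certificate files are added only when `charm.octavia.enable-ovn-driver` is set, and that a change to any of them restarts `octavia-driver-agent`, would help the next reader. The class body continues outside this hunk.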
@ -10,9 +10,9 @@ enabled_provider_drivers = amphora:The Octavia Amphora driver,ovn:Octavia OVN dr
|
||||
|
||||
[ovn]
|
||||
ovn_nb_connection={{ ','.join(ovsdb_cms.db_nb_connection_strs) }}
|
||||
ovn_nb_private_key=/etc/apache2/ssl/{{ options.service_name }}/key_{{ ovsdb_subordinate.chassis_name }}
|
||||
ovn_nb_certificate=/etc/apache2/ssl/{{ options.service_name }}/cert_{{ ovsdb_subordinate.chassis_name }}
|
||||
ovn_nb_ca_cert=/etc/ssl/certs/ca-certificates.crt
|
||||
ovn_nb_private_key=/etc/octavia/ovn_private_key.pem
|
||||
ovn_nb_certificate=/etc/octavia/ovn_certificate.pem
|
||||
ovn_nb_ca_cert=/etc/octavia/ovn_ca_cert.pem
|
||||
|
||||
[driver_agent]
|
||||
enabled_provider_agents = ovn
|
||||
|
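--- a/src/templates/victoria/ovn_ca_cert.pem
+++ b/src/templates/victoria/ovn_ca_cert.pem
@@ -0,0 +1,3 @@
+{% if ovsdb_subordinate -%}
+{{ ovsdb_subordinate.chassis_certificates.get('ca_cert', '') }}
+{% endif -%}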
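Review bot: The `{% if ovsdb_subordinate -%}` guard together with the `.get('ca_cert', '')` fallback renders this file empty whenever the subordinate relation has not yet supplied the data; ovn_certificate.pem and ovn_private_key.pem use the same pattern. The same commit removes `custom_assess_status_check`, which returned `"blocked", "Certificates missing"`, so nothing visible on this page reports that state while octavia.conf already points `ovn_nb_ca_cert`, `ovn_nb_certificate` and `ovn_nb_private_key` at these paths. Consider keeping a status check keyed on `ovsdb_subordinate.chassis_certificates` being populated, so an operator sees a blocked or waiting unit rather than a driver agent started against empty PEM files.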
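--- a/src/templates/victoria/ovn_certificate.pem
+++ b/src/templates/victoria/ovn_certificate.pem
@@ -0,0 +1,3 @@
+{% if ovsdb_subordinate -%}
+{{ ovsdb_subordinate.chassis_certificates.get('certificate', '') }}
+{% endif -%}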
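--- a/src/templates/victoria/ovn_private_key.pem
+++ b/src/templates/victoria/ovn_private_key.pem
@@ -0,0 +1,3 @@
+{% if ovsdb_subordinate -%}
+{{ ovsdb_subordinate.chassis_certificates.get('private_key', '') }}
+{% endif -%}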
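Review bot: This template writes the chassis private key to `/etc/octavia/ovn_private_key.pem` through the ordinary config-rendering path, and nothing on this page sets the mode or ownership of the rendered file. Whether the renderer's defaults leave it readable only by the account that runs `octavia-driver-agent` cannot be told from here, so that should be confirmed and, if needed, restricted explicitly for this one file. A comment next to its `restart_map` entry, such as `# holds the OVN chassis private key; must not be world-readable`, would record the requirement where the file is registered.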