Ensure that certificates are correctly managed.

When the certificates relation is ready before the
HA relation is clustered, the VIP symlinks will not
be created pointing at the correct certificates. This
change updates the HA handlers to ensure that the
certificate relation is handled after clustering,
if there are any certificate relations.

There was no functional test coverage for HA and TLS
deployments so this change also adds a test for
those and CMR too. Having said that, the test
initialises vault once the deployments are
complete so is unlikely to trigger #1886077; the tests
are there to check that there is no regression of existing
functionality.

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/389

Change-Id: I7c9c81318dbbcea618ac3781b8f19e8159e56bcb
Closes-Bug: #1886077
Liam Young 2020-08-20 07:29:38 +00:00
parent d566af19a2
commit b9905a9d32
7 changed files with 102 additions and 0 deletions

1
.gitignore vendored

@ -9,3 +9,4 @@ tags
.settings
.stestr
func-results.json
tests/keystone_juju_ca_cert.crt


@ -267,6 +267,12 @@ def ha_relation_joined(relation_id=None):
relation_set(relation_id=relation_id, **settings)
@hooks.hook('ha-relation-changed')
def ha_changed():
for relid in relation_ids('certificates'):
certs_changed(relation_id=relid)
@hooks.hook('website-relation-joined')
def website_relation_joined():
relation_set(port=70,
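Review bot: `ha_changed` calls `certs_changed` on every `ha-relation-changed` event, and nothing in this hunk checks that hacluster has reported the cluster as formed, so the ordering described in the commit message holds only if `certs_changed` (not visible here) already declines to create the VIP certificate symlinks before clustering. If it does not, the loop should be gated on the clustered state; either way the new hook should say why it exists, e.g. a docstring `"""Re-run certificate handling after an HA relation change so the VIP certificate symlinks are created (LP: #1886077)."""`. It is also worth confirming that `certs_changed` accepts a call with only `relation_id` and no remote unit, since it is now invoked outside a certificates hook context. `ha_relation_joined` starts above the hunk and `website_relation_joined` continues below it.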


@ -0,0 +1,47 @@
series: bionic
comment:
- 'machines section to decide order of deployment. database sooner = faster'
- 'virt-type=kvm is workaround while awaiting new release of python-libjuju'
machines:
'0':
constraints: virt-type=kvm mem=3072M
'1':
constraints: virt-type=kvm
'2':
constraints: virt-type=kvm mem=3072M
'3':
constraints: virt-type=kvm mem=3072M
'4':
constraints: virt-type=kvm mem=3072M
relations:
- ["keystone:shared-db", "mysql:shared-db"]
- ["openstack-dashboard:shared-db", "mysql:shared-db"]
- ["openstack-dashboard:identity-service", "keystone:identity-service"]
- ["openstack-dashboard:ha", "hacluster:ha"]
applications:
mysql:
charm: cs:~openstack-charmers-next/percona-cluster
num_units: 1
to:
- '0'
keystone:
charm: cs:~openstack-charmers-next/keystone
num_units: 1
to:
- '1'
openstack-dashboard:
charm: ../../../openstack-dashboard
num_units: 3
to:
- '2'
- '3'
- '4'
hacluster:
charm: cs:~openstack-charmers-next/hacluster
options:
corosync_transport: unicast
cluster_count: 3
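Review bot: This bundle deploys three openstack-dashboard units behind hacluster but sets no `vip` and contains no vault application or `certificates` relation, so on its own it cannot exercise the HA and TLS path. Those pieces appear to come from the overlay and the cross-model vault offer added elsewhere in this commit. The existing `comment` list is the place to record that, for example `- 'vip, certificates relations and the vault offer are supplied by the overlay'`, so the next reader can see the bundle is incomplete by design.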


@ -0,0 +1,12 @@
series: bionic
services:
vault:
num_units: 1
series: bionic
charm: cs:~openstack-charmers-next/vault
mysql:
charm: cs:~openstack-charmers-next/percona-cluster
num_units: 1
relations:
- - vault:shared-db
- mysql:shared-db
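Review bot: The top-level key here is `services:`, while the other bundle and both overlays added in this commit use `applications:`. `services` is the legacy spelling, and the overlay that declares `applications: vault: offers:` (which appears to target this bundle) is easier to reason about against a base that uses the same key, so suggest `applications:` in place of `services:`. The per-application `series: bionic` under vault repeats the bundle-level `series: bionic` and can be dropped.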


@ -0,0 +1,12 @@
applications:
openstack-dashboard:
options:
vip: '{{ OS_VIP00 }}'
relations:
- - openstack-dashboard:certificates
- vault:certificates
- - keystone:certificates
- vault:certificates
saas:
vault:
url: admin/{{ vault }}.vault


@ -0,0 +1,7 @@
applications:
vault:
offers:
vault:
endpoints:
- secrets
- certificates
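Review bot: The offer exposes both `secrets` and `certificates`, but the only consumer visible in this commit relates to `vault:certificates`. A cross-model offer should list only the endpoints a consuming model needs, so unless another model consumes `secrets` (not visible here), drop `- secrets` from `endpoints`. If it is needed, a comment naming the consumer would keep the wider exposure from looking accidental.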


@ -6,6 +6,9 @@ comment:
smoke_bundles:
- bionic-stein
gate_bundles:
- bionic-train-gr:
- vault: bionic-vault
- dashboard: bionic-queens-cmr-vault
- trusty-mitaka
- xenial-mitaka
- xenial-ocata
@ -23,9 +26,19 @@ dev_bundles:
- groovy-victoria
configure:
- vault:
- zaza.openstack.charm_tests.vault.setup.auto_initialize_no_validation_no_wait
- dashboard:
- zaza.openstack.charm_tests.keystone.setup.wait_for_cacert
- zaza.openstack.charm_tests.keystone.setup.add_demo_user
- zaza.openstack.charm_tests.keystone.setup.add_demo_user
tests:
- vault:
- zaza.charm_tests.noop.tests.NoopTest
- dashboard:
- zaza.openstack.charm_tests.openstack_dashboard.tests.OpenStackDashboardTests
- zaza.openstack.charm_tests.openstack_dashboard.tests.OpenStackDashboardPolicydTests
- zaza.openstack.charm_tests.openstack_dashboard.tests.OpenStackDashboardTests
- zaza.openstack.charm_tests.openstack_dashboard.tests.OpenStackDashboardPolicydTests
tests_options:
@ -33,3 +46,7 @@ tests_options:
service: openstack-dashboard
force_deploy:
- groovy-victoria
target_deploy_status:
vault:
workload-status: blocked
workload-status-message: Vault needs to be initialized
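Review bot: The new gate entry is labelled `bionic-train-gr`, yet the bundles it maps are `bionic-vault` and `bionic-queens-cmr-vault`, so results would be reported under a name that does not describe what was deployed. A label that matches the bundle, such as `bionic-queens-cmr-vault`, would avoid that. Indentation is lost on this page, so the nesting of the entry under `gate_bundles` is inferred and worth checking in the real file.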