openstack/sunbeam-charms
Code Issues Proposed changes

initial push

Browse Source
This commit is contained in:
Guillaume Boutry 2023-09-06 11:21:56 +02:00
commit c02fa7bf33
23 changed files with 1493 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
charms/designate-bind-k8s/.gitignore vendored Normal file
View File

@ -0,0 +1,11 @@
venv/
build/
*.charm
.tox/
.coverage
__pycache__/
*.py[cod]
.idea
.vscode/
*.swp
.stestr/

3
charms/designate-bind-k8s/.stestr.conf Normal file
View File

@ -0,0 +1,3 @@
[DEFAULT]
test_path=./tests/unit
top_dir=./tests

51
charms/designate-bind-k8s/CONTRIBUTING.md Normal file
View File

@ -0,0 +1,51 @@
# bind9-k8s
## Developing
Create and activate a virtualenv with the development requirements:
virtualenv -p python3 venv
source venv/bin/activate
pip install -r requirements.txt
## Code overview
Get familiarise with [Charmed Operator Framework](https://juju.is/docs/sdk)
and [Sunbeam documentation](sunbeam-docs).
bind9-k8s charm uses the ops\_sunbeam library and extends
OSBaseOperatorAPICharm from the library.
## Intended use case
bind9-k8s charm deploys and configures OpenStack Identity service
on a kubernetes based environment.
## Roadmap
TODO
## Testing
The Python operator framework includes a very nice harness for testing
operator behaviour without full deployment. Run tests using command:
tox -e py3
## Deployment
This project uses tox for building and managing. To build the charm
run:
tox -e build
To deploy the local test instance:
juju deploy ./bind9-k8s_ubuntu-20.04-amd64.charm --trust --resource bind9-image=ghcr.io/openstack-snaps/bind9:2023.1
<!-- LINKS -->
[bind9-k8s-libs-docs]: https://charmhub.io/sunbeam-bind9-operator/libraries/identity_service
[sunbeam-docs]: https://opendev.org/openstack/charm-ops-sunbeam/src/branch/main/README.rst

202
charms/designate-bind-k8s/LICENSE Normal file
View File

@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2023 Canonical Ltd.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

26
charms/designate-bind-k8s/README.md Normal file
View File

@ -0,0 +1,26 @@
<!--
Avoid using this README file for information that is maintained or published elsewhere, e.g.:
* metadata.yaml > published on Charmhub
* documentation > published on (or linked to from) Charmhub
* detailed contribution guide > documentation or CONTRIBUTING.md
Use links instead.
-->
# charm-bind9
Charmhub package name: operator-template
More information: https://charmhub.io/charm-bind9
Describe your charm in one or two sentences.
## Other resources
<!-- If your charm is documented somewhere else other than Charmhub, provide a link separately. -->
- [Read more](https://example.com)
- [Contributing](CONTRIBUTING.md) <!-- or link to other contribution documentation -->
- See the [Juju SDK documentation](https://juju.is/docs/sdk) for more information about developing and improving charms.

2
charms/designate-bind-k8s/actions.yaml Normal file
View File

@ -0,0 +1,2 @@
# NOTE: no actions yet!
{ }

30
charms/designate-bind-k8s/charmcraft.yaml Normal file
View File

@ -0,0 +1,30 @@
type: charm
bases:
- build-on:
- name: ubuntu
channel: "22.04"
run-on:
- name: ubuntu
channel: "22.04"
parts:
update-certificates:
plugin: nil
override-build: |
apt update
apt install -y ca-certificates
update-ca-certificates
charm:
after: [update-certificates]
build-packages:
- git
- libffi-dev
- libssl-dev
- rustc
- cargo
- pkg-config
charm-binary-python-packages:
- cryptography
- jsonschema
- jinja2
- git+https://opendev.org/openstack/charm-ops-sunbeam#egg=ops_sunbeam

5
charms/designate-bind-k8s/config.yaml Normal file
View File

@ -0,0 +1,5 @@
options:
debug:
default: False
description: Enable debug logging.
type: boolean

3
charms/designate-bind-k8s/fetch-libs.sh Executable file
View File

@ -0,0 +1,3 @@
#!/bin/bash
echo "INFO: Fetching libs from charmhub."

307
charms/designate-bind-k8s/lib/charms/bind9_k8s/v0/bind_rndc.py Normal file
View File

@ -0,0 +1,307 @@
# Copyright 2023 Canonical Ltd.
# See LICENSE file for licensing details.
"""TODO: Add a proper docstring here.
This is a placeholder docstring for this charm library. Docstrings are
presented on Charmhub and updated whenever you push a new version of the
library.
Complete documentation about creating and documenting libraries can be found
in the SDK docs at https://juju.is/docs/sdk/libraries.
See `charmcraft publish-lib` and `charmcraft fetch-lib` for details of how to
share and consume charm libraries. They serve to enhance collaboration
between charmers. Use a charmer's libraries for classes that handle
integration with their charm.
Bear in mind that new revisions of the different major API versions (v0, v1,
v2 etc) are maintained independently. You can continue to update v0 and v1
after you have pushed v3.
Markdown is supported, following the CommonMark specification.
"""
import json
import logging
import secrets
from typing import (
Any,
)
import ops
logger = logging.getLogger(__name__)
# The unique Charmhub library identifier, never change it
LIBID = "0fb2f64f2a1344feb80044cee22ef3a8"
# Increment this major API version when introducing breaking changes
LIBAPI = 0
# Increment this PATCH version before using `charmcraft publish-lib` or reset
# to 0 if you are raising the major API version
LIBPATCH = 1
class BindRndcReadyEvent(ops.EventBase):
"""Bind rndc ready event."""
def __init__(
self,
handle: ops.Handle,
relation_id: int,
relation_name: str,
algorithm: str,
secret: str,
):
super().__init__(handle)
self.relation_id = relation_id
self.relation_name = relation_name
self.algorithm = algorithm
self.secret = secret
def snapshot(self) -> dict:
"""Return snapshot data that should be persisted."""
return {
"relation_id": self.relation_id,
"relation_name": self.relation_name,
"algorithm": self.algorithm,
"secret": self.secret,
}
def restore(self, snapshot: dict[str, Any]):
"""Restore the value state from a given snapshot."""
super().restore(snapshot)
self.relation_id = snapshot["relation_id"]
self.relation_name = snapshot["relation_name"]
self.algorithm = snapshot["algorithm"]
self.secret = snapshot["secret"]
class BindRndcRequirerEvents(ops.ObjectEvents):
"""List of events that the BindRndc requires charm can leverage."""
bind_rndc_ready = ops.EventSource(BindRndcReadyEvent)
class BindRndcRequires(ops.Object):
"""Class to be instantiated by the requiring side of the relation."""
on = BindRndcRequirerEvents()
_stored = ops.StoredState()
def __init__(self, charm: ops.CharmBase, relation_name: str):
super().__init__(charm, relation_name)
self.charm = charm
self.relation_name = relation_name
self._stored.set_default(nonce="")
self.framework.observe(
self.charm.on[relation_name].relation_joined,
self._on_relation_joined,
)
self.framework.observe(
self.charm.on[relation_name].relation_changed,
self._on_relation_changed,
)
def _on_relation_joined(self, event: ops.RelationJoinedEvent):
"""Handle relation joined event."""
self._request_rndc_key(event.relation)
def _on_relation_changed(self, event: ops.RelationJoinedEvent):
"""Handle relation changed event."""
host = self.host(event.relation)
rndc_key = self.get_rndc_key(event.relation)
if rndc_key is None:
self._request_rndc_key(event.relation)
return
if host is not None:
algorithm = rndc_key["algorithm"]
secret = rndc_key["secret"]
self.on.bind_rndc_ready.emit(
event.relation.id,
event.relation.name,
algorithm,
secret,
)
def host(self, relation: ops.Relation) -> str | None:
"""Return host from relation."""
if relation.app is None:
return None
return relation.data[relation.app].get("host")
def nonce(self) -> str:
"""Return nonce from stored state."""
return self._stored.nonce
def get_rndc_key(self, relation: ops.Relation) -> dict | None:
"""Get rndc keys."""
if relation.app is None:
return None
if self._stored.nonce == "":
logger.debug("No nonce set for unit yet")
return None
return json.loads(
relation.data[relation.app].get("rndc_keys", "{}")
).get(self._stored.nonce)
def _request_rndc_key(self, relation: ops.Relation):
"""Request rndc key over the relation."""
if self._stored.nonce == "":
self._stored.nonce = secrets.token_hex(16)
relation.data[self.charm.unit]["nonce"] = self._stored.nonce
def reconcile_rndc_key(self, relation: ops.Relation):
"""Reconcile rndc key over the relation."""
if self._stored.nonce != relation.data[self.charm.unit].get("nonce"):
self._stored.nonce = secrets.token_hex(16)
relation.data[self.charm.unit]["nonce"] = self._stored.nonce
class NewBindClientAttachedEvent(ops.EventBase):
"""New bind client attached event."""
def __init__(
self,
handle: ops.Handle,
relation_id: int,
relation_name: str,
):
super().__init__(handle)
self.relation_id = relation_id
self.relation_name = relation_name
def snapshot(self) -> dict:
"""Return snapshot data that should be persisted."""
return {
"relation_id": self.relation_id,
"relation_name": self.relation_name,
}
def restore(self, snapshot: dict[str, Any]):
"""Restore the value state from a given snapshot."""
super().restore(snapshot)
self.relation_id = snapshot["relation_id"]
self.relation_name = snapshot["relation_name"]
class BindClientUpdatedEvent(ops.EventBase):
"""Bind client updated event."""
def __init__(
self,
handle: ops.Handle,
relation_id: int,
relation_name: str,
):
super().__init__(handle)
self.relation_id = relation_id
self.relation_name = relation_name
def snapshot(self) -> dict:
"""Return snapshot data that should be persisted."""
return {
"relation_id": self.relation_id,
"relation_name": self.relation_name,
}
def restore(self, snapshot: dict[str, Any]):
"""Restore the value state from a given snapshot."""
super().restore(snapshot)
self.relation_id = snapshot["relation_id"]
self.relation_name = snapshot["relation_name"]
class BindRndcProviderEvents(ops.ObjectEvents):
"""List of events that the BindRndc provider charm can leverage."""
new_bind_client_attached = ops.EventSource(NewBindClientAttachedEvent)
bind_client_updated = ops.EventSource(BindClientUpdatedEvent)
class BindRndcProvides(ops.Object):
"""Class to be instantiated by the providing side of the relation."""
on = BindRndcProviderEvents()
def __init__(self, charm: ops.CharmBase, relation_name: str):
super().__init__(charm, relation_name)
self.charm = charm
self.relation_name = relation_name
self.framework.observe(
self.charm.on[relation_name].relation_joined,
self._on_relation_joined,
)
self.framework.observe(
self.charm.on[relation_name].relation_changed,
self._on_relation_changed,
)
def _on_relation_joined(self, event: ops.RelationJoinedEvent):
self.on.new_bind_client_attached.emit(
event.relation.id, event.relation.name
)
if not self.charm.unit.is_leader():
return
binding = self.model.get_binding(event.relation)
if binding is None:
raise Exception("No binding found")
address = binding.network.ingress_address
event.relation.data[self.charm.app]["host"] = str(address)
def _on_relation_changed(self, event: ops.RelationChangedEvent):
self.on.bind_client_updated.emit(
event.relation.id, event.relation.name
)
def get_rndc_keys(self, relation: ops.Relation) -> dict:
"""Get rndc keys."""
return json.loads(relation.data[self.charm.app].get("rndc_keys", "{}"))
def set_rndc_client_key(
self,
relation: ops.Relation,
client: str,
algorithm: str,
secret: ops.Secret,
):
"""Add rndc key to the relation.
`rndc_keys` is a dict of dicts, keyed by client name. Each client
has an algorithm and secret property. The secret is a Juju secret id,
containing the actual secret needed to communicate over rndc.
"""
if not self.charm.unit.is_leader():
logger.debug("Not leader, skipping set_rndc_client_key")
return
keys = self.get_rndc_keys(relation)
keys[client] = {
"algorithm": algorithm,
"secret": secret.id,
}
relation.data[self.charm.app]["rndc_keys"] = json.dumps(
keys, sort_keys=True
)
def remove_rndc_client_key(
self,
relation: ops.Relation,
client: str | list[str],
):
"""Remove rndc key from the relation."""
if not self.charm.unit.is_leader():
logger.debug("Not leader, skipping remove_rndc_client_key")
return
if isinstance(client, str):
client = [client]
keys = self.get_rndc_keys(relation)
for c in client:
keys.pop(c)
relation.data[self.charm.app]["rndc_keys"] = json.dumps(
keys, sort_keys=True
)

36
charms/designate-bind-k8s/metadata.yaml Normal file
View File

@ -0,0 +1,36 @@
name: bind9-k8s
summary: OpenStack bind9 service
maintainer: OpenStack Charmers <openstack-charmers@lists.ubuntu.com>
description: |
Domain Name Service (DNS) is an Internet service that maps IP addresses and fully qualified domain names (FQDN) to one another.
In this way, DNS alleviates the need to remember IP addresses. Computers that run DNS are called name servers.
Ubuntu ships with BIND (Berkley Internet Naming Daemon), the most common program used for maintaining a name server on Linux.
version: 3
bases:
- name: ubuntu
channel: 22.04/stable
assumes:
- k8s-api
- juju >= 3.1
tags:
- openstack
source: https://opendev.org/openstack/charm-bind9-k8s
issues: https://bugs.launchpad.net/charm-bind9-k8s
containers:
bind9:
resource: bind9-image
resources:
bind9-image:
type: oci-image
description: OCI image for bind9
upstream-source: ubuntu/bind9:9.18-22.04_beta
provides:
dns-backend:
interface: bind-rndc
peers:
peers:
interface: bind-peer

39
charms/designate-bind-k8s/pyproject.toml Normal file
View File

@ -0,0 +1,39 @@
# Copyright 2023 Canonical Ltd.
# See LICENSE file for licensing details.
# Testing tools configuration
[tool.coverage.run]
branch = true
[tool.coverage.report]
show_missing = true
[tool.pytest.ini_options]
minversion = "6.0"
log_cli_level = "INFO"
# Formatting tools configuration
[tool.black]
line-length = 79
[tool.isort]
profile = "black"
multi_line_output = 3
force_grid_wrap = true
# Linting tools configuration
[tool.flake8]
max-line-length = 79
max-doc-length = 99
max-complexity = 10
exclude = [".git", "__pycache__", ".tox", "build", "dist", "*.egg_info", "venv"]
select = ["E", "W", "F", "C", "N", "R", "D", "H"]
# Ignore W503, E501 because using black creates errors with this
# Ignore D107 Missing docstring in __init__
ignore = ["W503", "E501", "D107", "E402"]
per-file-ignores = []
docstring-convention = "google"
# Check for properly formatted copyright header in each file
copyright-check = "True"
copyright-author = "Canonical Ltd."
copyright-regexp = "Copyright\\s\\d{4}([-,]\\d{4})*\\s+%(author)s"

13
charms/designate-bind-k8s/rename.sh Executable file
View File

@ -0,0 +1,13 @@
#!/bin/bash
charm=$(grep "charm_build_name" osci.yaml | awk '{print $2}')
echo "renaming ${charm}_*.charm to ${charm}.charm"
echo -n "pwd: "
pwd
ls -al
echo "Removing bad downloaded charm maybe?"
if [[ -e "${charm}.charm" ]];
then
rm "${charm}.charm"
fi
echo "Renaming charm here."
mv ${charm}_*.charm ${charm}.charm

3
charms/designate-bind-k8s/requirements.txt Normal file
View File

@ -0,0 +1,3 @@
ops
jinja2
git+https://github.com/openstack/charm-ops-sunbeam#egg=ops_sunbeam

414
charms/designate-bind-k8s/src/charm.py Executable file
View File

@ -0,0 +1,414 @@
#!/usr/bin/env python3
# Copyright 2023 Canonical Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Bind9 Operator Charm.
This charm provide Bind9 services
"""
import base64
import hashlib
import hmac
import logging
import secrets
from typing import (
Callable,
List,
)
import charms.bind9_k8s.v0.bind_rndc as bind_rndc
import ops.charm
import ops_sunbeam.charm as sunbeam_charm
import ops_sunbeam.container_handlers as sunbeam_chandlers
import ops_sunbeam.core as sunbeam_core
import ops_sunbeam.relation_handlers as sunbeam_rhandlers
from ops.framework import (
StoredState,
)
from ops.main import (
main,
)
logger = logging.getLogger(__name__)
BIND_RNDC_RELATION = "dns-backend"
RNDC_SECRET_PREFIX = "rndc_"
RNDC_REVISION_KEY = "rndc_revision"
class BindPebbleHandler(sunbeam_chandlers.ServicePebbleHandler):
"""Pebble handler for bind9 service."""
def get_layer(self) -> dict:
"""Pebble layer for bind 9 service."""
return {
"summary": "bind9 layer",
"description": "pebble config layer for bind9",
"services": {
"bind9": {
"override": "replace",
"summary": "bind9",
"command": "/usr/sbin/named -g -u bind",
"startup": "enabled",
}
},
}
class BindRndcProvidesRelationHandler(sunbeam_rhandlers.RelationHandler):
"""Handler for managing rndc clients."""
interface: bind_rndc.BindRndcProvides
def __init__(
self,
charm: ops.charm.CharmBase,
relation_name: str,
callback_f: Callable,
mandatory: bool = True,
):
super().__init__(charm, relation_name, callback_f, mandatory)
def setup_event_handler(self) -> ops.Object:
"""Setup event handler for the relation."""
interface = bind_rndc.BindRndcProvides(self.charm, BIND_RNDC_RELATION)
self.framework.observe(
interface.on.bind_client_updated,
self._on_bind_client_updated,
)
return interface
def _on_bind_client_updated(self, event: bind_rndc.BindClientUpdatedEvent):
"""Handle bind client updated event."""
self.callback_f(event)
@property
def _relations(self) -> list[ops.Relation]:
"""Get relations."""
return self.model.relations[self.relation_name]
def keys(self, rndc_keys: dict[str, dict[str, str]]) -> str:
"""Get rndc keys formatted for named.conf allowed keys.
Format is "key1";"key2";"key3";
"""
return '"' + '";"'.join(rndc_keys.keys()) + '";'
@property
def rndc_keys(self) -> dict:
"""Get rndc keys from relations with secret rendered."""
rndc_keys = {}
for relation in self._relations:
if relation.app is None:
logger.debug(
"No remote app found for relation %r:%r,"
" skipping rendering rndc_keys",
relation.name,
str(relation.id),
)
continue
rndc_keys_secret = self.interface.get_rndc_keys(relation)
rndc_keys_current = {}
for name, value in rndc_keys_secret.items():
secret = self.charm.model.get_secret(id=value["secret"])
key_value = secret.get_content()["secret"]
name = relation.name + ":" + str(relation.id) + "_" + name
rndc_keys_current[name] = value
rndc_keys_current[name]["secret"] = key_value
rndc_keys.update(rndc_keys_current)
return rndc_keys
@property
def ready(self) -> bool:
"""Determine with the relation is ready for use."""
try:
return len(self._relations) > 0
except Exception:
return False
def context(self) -> dict:
"""Context containing the relation data to render."""
rndc_keys = self.rndc_keys
return {
"rndc_keys": rndc_keys,
"keys": self.keys(rndc_keys),
}
class BindOperatorCharm(sunbeam_charm.OSBaseOperatorCharmK8S):
"""Charm the service."""
_state = StoredState()
service_name = "bind9"
# mandatory_relations = {}
def __init__(self, *args):
super().__init__(*args)
self.framework.observe(self.on.secret_rotate, self._on_secret_rotate)
def _on_secret_rotate(self, event: ops.SecretRotateEvent):
"""Handle secret rotate event."""
if not self.unit.is_leader():
logger.debug("Not leader, skipping secret rotate")
return
if event.secret.label is None:
logger.debug("Secret %r has no label, skipping", event.secret.id)
return
if event.secret.label.startswith(RNDC_SECRET_PREFIX):
event.secret.set_content({"secret": self.generate_rndc_key()})
self.leader_set({RNDC_REVISION_KEY: self.new_rndc_revision()})
self.configure_charm(event)
@property
def container_configs(self) -> List[sunbeam_core.ContainerConfigFile]:
"""Container configuration files for the operator."""
return [
sunbeam_core.ContainerConfigFile(
"/etc/bind/named.conf",
"root",
"bind",
),
sunbeam_core.ContainerConfigFile(
"/etc/bind/named.conf.options",
"root",
"bind",
),
]
def get_pebble_handlers(self) -> List[sunbeam_chandlers.PebbleHandler]:
"""Pebble handlers for the operator."""
return [
BindPebbleHandler(
self,
self.service_name,
self.service_name,
self.container_configs,
self.template_dir,
self.configure_charm,
)
]
def get_relation_handlers(
self, handlers=None
) -> List[sunbeam_rhandlers.RelationHandler]:
"""Relation handlers for the service."""
handlers = handlers or []
if self.can_add_handler(BIND_RNDC_RELATION, handlers):
self.bind_rndc = BindRndcProvidesRelationHandler(
self,
BIND_RNDC_RELATION,
self.register_rndc_client_from_event,
BIND_RNDC_RELATION in self.mandatory_relations,
)
handlers.append(self.bind_rndc)
return super().get_relation_handlers(handlers)
@property
def service_conf(self) -> str:
"""Service default configuration file."""
return "/etc/bind/named.conf"
@property
def service_user(self) -> str:
"""Service user file and directory ownership."""
return "bind"
@property
def service_group(self) -> str:
"""Service group file and directory ownership."""
return "bind"
@property
def default_public_ingress_port(self):
"""Ingress Port for API service."""
return 53
@property
def rndc_algorithm(self) -> str:
"""Algorithm used to encode rndc secret.
:returns: str: Algorithm used to encode rndc secret
"""
return "hmac-sha256"
def open_ports(self):
"""Register ports in underlying cloud."""
self.unit.open_port("udp", self.default_public_ingress_port)
self.unit.open_port("tcp", 953) # rndc port
def can_service_requests(self) -> bool:
"""Check if unit can process client requests."""
if self.bootstrapped() and self.unit.is_leader():
logger.debug("Can service client requests")
return True
else:
logger.debug(
"Cannot service client requests. "
"Bootstrapped: {} Leader {}".format(
self.bootstrapped(), self.unit.is_leader()
)
)
return False
def generate_rndc_key(self) -> str:
"""Generate rndc key."""
key = secrets.token_bytes(10)
dig = hmac.new(
key, msg=b"RNDC Secret", digestmod=hashlib.sha256
).digest()
return base64.b64encode(dig).decode()
def register_rndc_client_from_event(
self,
event: bind_rndc.NewBindClientAttachedEvent,
):
"""Register rndc client from event."""
if self.can_service_requests():
any_change = self.register_rndc_client(
event.relation_name, event.relation_id
)
any_change |= self.cleanup_rndc_clients(
event.relation_name, event.relation_id
)
if any_change:
self.configure_charm(event)
if self.unit.is_leader():
self.leader_set(
{RNDC_REVISION_KEY: self.new_rndc_revision()}
)
def new_rndc_revision(self) -> str:
"""Compute new revision for rndc keys."""
revision = self.leader_get(RNDC_REVISION_KEY)
if revision is None:
revision = 0
else:
revision = int(revision)
return str(revision + 1)
def register_rndc_client(
self, relation_name: str, relation_id: int
) -> bool:
"""Register rndc client."""
if not self.unit.is_leader():
logger.debug("Not leader, skipping register_rndc_client")
return False
logger.debug(
"Registering rndc client on relation %s %d",
relation_name,
relation_id,
)
relation = self.framework.model.get_relation(
relation_name, relation_id
)
if relation is None:
raise
keys = self.bind_rndc.interface.get_rndc_keys(relation)
any_change = False
for unit in relation.units:
unit_name = unit.name.replace("/", "-")
nonce = relation.data[unit].get("nonce")
if nonce is None:
logger.debug("No nonce found for %s, skipping", unit.name)
continue
if nonce in keys:
logger.debug(
"Client %s already registered, skipping", unit.name
)
continue
any_change = True
secret = self._create_or_update_secret(
RNDC_SECRET_PREFIX + unit_name,
{"secret": self.generate_rndc_key()},
relation,
)
self.bind_rndc.interface.set_rndc_client_key(
relation, nonce, self.rndc_algorithm, secret
)
return any_change
def _create_or_update_secret(
self,
label: str,
content: dict[str, str],
relation: ops.Relation | None = None,
) -> ops.Secret:
"""Create or update a secret.
Registers the secret label and id in the peer relation.
"""
if not self.unit.is_leader():
raise Exception("Can only create the secret on the leader unit.")
id = self.leader_get(label)
if id is None:
secret = self.app.add_secret(
content,
label=label,
rotate=ops.SecretRotate.MONTHLY,
)
self.leader_set({label: secret.id})
else:
secret = self.model.get_secret(id=id)
secret.set_content(content)
if relation is not None:
secret.grant(relation)
return secret
def cleanup_rndc_clients(
self, relation_name: str, relation_id: int
) -> bool:
"""Cleanup rndc clients.
When a unit is upgraded the nonce will change.
Remove older rndc keys that are not used anymore.
This method compares rndc keys with unit's nonces.
"""
if not self.unit.is_leader():
logger.debug("Not leader, skipping cleanup_rndc_clients")
return False
logger.debug(
"Cleaning up rndc clients on relation %s %d",
relation_name,
relation_id,
)
relation = self.framework.model.get_relation(
relation_name, relation_id
)
if relation is None:
raise
rndc_keys = self.bind_rndc.interface.get_rndc_keys(relation)
nonces = []
for unit in relation.units:
nonce = relation.data[unit].get("nonce")
if nonce is not None:
nonces.append(nonce)
missing_nonces = list(set(rndc_keys.keys()) - set(nonces))
logger.debug("Missing nonces: %r", missing_nonces)
self.bind_rndc.interface.remove_rndc_client_key(
relation, missing_nonces
)
return bool(missing_nonces)
if __name__ == "__main__":
main(BindOperatorCharm)

28
charms/designate-bind-k8s/src/templates/named.conf.j2 Normal file
View File

@ -0,0 +1,28 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
{% if dns_backend is defined and dns_backend.rndc_keys | length > 0 -%}
{% for name, key in dns_backend.rndc_keys.items() -%}
key "{{ name }}" {
algorithm {{ key["algorithm"] }};
secret "{{ key["secret"] }}";
};
{% endfor %}
controls {
inet 127.0.0.1 allow {localhost;};
{# inet {{ option.control_listen_ip }} allow { {{ option.control_ips }}; }; #}
{% if dns_backend is defined and dns_backend.rndc_keys | length > 0 %}
inet * allow { any; } keys { {{ dns_backend.keys }} };
{% endif -%}
};
{% endif %}

37
charms/designate-bind-k8s/src/templates/named.conf.options.j2 Normal file
View File

@ -0,0 +1,37 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
allow-new-zones yes;
request-ixfr no;
statistics-file "/var/cache/bind/named.stats";
zone-statistics yes;
};
{%- if options.debug %}
logging {
channel charm_log {
syslog daemon;
severity debug;
};
category default {
charm_log;
};
};
{%- endif %}

9
charms/designate-bind-k8s/test-requirements.txt Normal file
View File

@ -0,0 +1,9 @@
# This file is managed centrally. If you find the need to modify this as a
# one-off, please don't. Intead, consult #openstack-charms and ask about
# requirements management in charms via bot-control. Thank you.
coverage
mock
flake8
stestr
ops

8
charms/designate-bind-k8s/tests/bundles/smoke.yaml Normal file
View File

@ -0,0 +1,8 @@
bundle: kubernetes
applications:
bind9:
charm: ../../bind9-k8s.charm
scale: 1
trust: false
resources:
bind9-image: ubuntu/bind9:9.18-22.04_beta

22
charms/designate-bind-k8s/tests/tests.yaml Normal file
View File

@ -0,0 +1,22 @@
gate_bundles:
- smoke
smoke_bundles:
- smoke
configure:
- zaza.charm_tests.noop.setup.basic_setup
tests:
- smoke
tests_options:
trust:
- smoke
ignore_hard_deploy_errors:
- smoke
tempest:
default:
smoke: True
target_deploy_status:
bind9:
workload-status: active
workload-status-message-regex: '^$'

15
charms/designate-bind-k8s/tests/unit/__init__.py Normal file
View File

@ -0,0 +1,15 @@
# Copyright 2023 Canonical Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Unit tests package."""

67
charms/designate-bind-k8s/tests/unit/test_bind_charm.py Normal file
View File

@ -0,0 +1,67 @@
# Copyright 2023 Canonical Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Unit tests."""
import ops_sunbeam.test_utils as test_utils
import charm
class _BindTestOperatorCharm(charm.BindOperatorCharm):
"""Test Operator Charm for Bind Operator."""
def __init__(self, framework):
self.seen_events = []
super().__init__(framework)
def _log_event(self, event):
self.seen_events.append(type(event).__name__)
def configure_charm(self, event):
"""Configure charm."""
super().configure_charm(event)
self._log_event(event)
@property
def public_ingress_address(self):
return "bind.juju"
class TestCharm(test_utils.CharmTestCase):
"""Test charm."""
PATCHES = []
def setUp(self):
"""Test setup."""
self.harness = test_utils.get_harness(
_BindTestOperatorCharm, container_calls=self.container_calls
)
self.addCleanup(self.harness.cleanup)
self.harness.begin()
def test_pebble_ready_handler(self):
"""Test pebble ready handler."""
self.assertEqual(self.harness.charm.seen_events, [])
test_utils.set_all_pebbles_ready(self.harness)
self.assertEqual(len(self.harness.charm.seen_events), 1)
def test_peer_relation(self):
"""Test peer integration for operator."""
self.harness.set_leader()
test_utils.set_all_pebbles_ready(self.harness)
# this adds all the default/common relations
test_utils.add_complete_peer_relation(self.harness)
self.assertEqual(len(self.harness.charm.seen_events), 3)

162
charms/designate-bind-k8s/tox.ini Normal file
View File

@ -0,0 +1,162 @@
# Operator charm (with zaza): tox.ini
[tox]
skipsdist = True
envlist = pep8,py3
sitepackages = False
skip_missing_interpreters = False
minversion = 3.18.0
[vars]
src_path = {toxinidir}/src/
tst_path = {toxinidir}/tests/
lib_path = {toxinidir}/lib/
project_lib_path = {toxinidir}/lib/charms/bind9_k8s
pyproject_toml = {toxinidir}/pyproject.toml
all_path = {[vars]src_path} {[vars]tst_path} {[vars]project_lib_path}
[testenv]
basepython = python3
setenv =
PYTHONPATH = {toxinidir}:{[vars]lib_path}:{[vars]src_path}
passenv =
HOME
PYTHONPATH
install_command =
pip install {opts} {packages}
commands = stestr run --slowest {posargs}
allowlist_externals =
git
charmcraft
{toxinidir}/fetch-libs.sh
{toxinidir}/rename.sh
deps =
-r{toxinidir}/test-requirements.txt
[testenv:fmt]
description = Apply coding style standards to code
deps =
black
isort
commands =
isort {[vars]all_path} --skip-glob {[vars]lib_path} --skip {toxinidir}/.tox
black --config {[vars]pyproject_toml} {[vars]all_path} --exclude {[vars]lib_path}
[testenv:build]
basepython = python3
deps =
commands =
charmcraft -v pack
{toxinidir}/rename.sh
[testenv:fetch]
basepython = python3
deps =
commands =
{toxinidir}/fetch-libs.sh
[testenv:py3]
basepython = python3
deps =
{[testenv]deps}
-r{toxinidir}/requirements.txt
[testenv:py38]
basepython = python3.8
deps = {[testenv:py3]deps}
[testenv:py39]
basepython = python3.9
deps = {[testenv:py3]deps}
[testenv:py310]
basepython = python3.10
deps = {[testenv:py3]deps}
[testenv:cover]
basepython = python3
deps = {[testenv:py3]deps}
setenv =
{[testenv]setenv}
PYTHON=coverage run
commands =
coverage erase
stestr run --slowest {posargs}
coverage combine
coverage html -d cover
coverage xml -o cover/coverage.xml
coverage report
[testenv:pep8]
description = Alias for lint
deps = {[testenv:lint]deps}
commands = {[testenv:lint]commands}
[testenv:lint]
description = Check code against coding style standards
deps =
black
flake8<6 # Pin version until https://github.com/savoirfairelinux/flake8-copyright/issues/19 is merged
flake8-docstrings
flake8-copyright
flake8-builtins
pyproject-flake8
pep8-naming
isort
codespell
commands =
codespell {[vars]all_path}
# pflake8 wrapper supports config from pyproject.toml
pflake8 --exclude {[vars]lib_path} --config {toxinidir}/pyproject.toml {[vars]all_path}
isort --check-only --diff {[vars]all_path} --skip-glob {[vars]lib_path}
black --config {[vars]pyproject_toml} --check --diff {[vars]all_path} --exclude {[vars]lib_path}
[testenv:func-noop]
basepython = python3
deps =
git+https://github.com/openstack-charmers/zaza.git@libjuju-3.1#egg=zaza
git+https://github.com/openstack-charmers/zaza-openstack-tests.git#egg=zaza.openstack
git+https://opendev.org/openstack/tempest.git#egg=tempest
commands =
functest-run-suite --help
[testenv:func]
basepython = python3
deps = {[testenv:func-noop]deps}
commands =
functest-run-suite --keep-model
[testenv:func-smoke]
basepython = python3
deps = {[testenv:func-noop]deps}
setenv =
TEST_MODEL_SETTINGS = automatically-retry-hooks=true
TEST_MAX_RESOLVE_COUNT = 5
commands =
functest-run-suite --keep-model --smoke
[testenv:func-dev]
basepython = python3
deps = {[testenv:func-noop]deps}
commands =
functest-run-suite --keep-model --dev
[testenv:func-target]
basepython = python3
deps = {[testenv:func-noop]deps}
commands =
functest-run-suite --keep-model --bundle {posargs}
[coverage:run]
branch = True
concurrency = multiprocessing
parallel = True
source =
.
omit =
.tox/*
tests/*
src/templates/*
[flake8]
ignore=E226,W504