From f12096877274a4b530069fda1ac970b04824d774 Mon Sep 17 00:00:00 2001 From: Hemanth Nakkina Date: Thu, 15 Feb 2024 15:57:55 +0530 Subject: [PATCH] Add receive-ca-cert relation to openstack-hypervisor Add receive-ca-cert relation. Update the CA bundle to snap config ca.bundle Update nova configuration. Change-Id: I7008d6525f38d1b6f2f74782f8488b3a95b43efb --- .../src/templates/ceilometer.conf | 2 -- charms/nova-k8s/src/templates/nova.conf.j2 | 3 +++ charms/openstack-hypervisor/metadata.yaml | 3 +++ charms/openstack-hypervisor/src/charm.py | 15 ++++++++++++ .../tests/unit/test_charm.py | 2 ++ common.sh | 2 +- ops-sunbeam/ops_sunbeam/charm.py | 23 +++++++------------ templates/parts/section-service-user | 3 +++ ...ion-service-user-from-identity-credentials | 15 ------------ 9 files changed, 35 insertions(+), 33 deletions(-) delete mode 100644 templates/parts/section-service-user-from-identity-credentials diff --git a/charms/ceilometer-k8s/src/templates/ceilometer.conf b/charms/ceilometer-k8s/src/templates/ceilometer.conf index 1a1b265e..f5b81cef 100644 --- a/charms/ceilometer-k8s/src/templates/ceilometer.conf +++ b/charms/ceilometer-k8s/src/templates/ceilometer.conf @@ -20,8 +20,6 @@ archive_policy = low [keystone_authtoken] {% include "parts/identity-data-id-creds" %} -{% include "parts/section-service-user-from-identity-credentials" %} - {% include "parts/section-service-credentials-from-identity-service" %} {% include "parts/section-oslo-messaging-rabbit" %} diff --git a/charms/nova-k8s/src/templates/nova.conf.j2 b/charms/nova-k8s/src/templates/nova.conf.j2 index a42983fa..ce45aa0a 100644 --- a/charms/nova-k8s/src/templates/nova.conf.j2 +++ b/charms/nova-k8s/src/templates/nova.conf.j2 
@@ -20,6 +20,9 @@ service_type = image service_name = glance valid_interfaces = admin region_name = {{ options.region }} +{% if receive_ca_cert and receive_ca_cert.ca_bundle -%} +cafile = /usr/local/share/ca-certificates/ca-bundle.pem +{% endif -%} {% include "parts/section-identity" %} region_name = {{ options.region }} diff --git a/charms/openstack-hypervisor/metadata.yaml b/charms/openstack-hypervisor/metadata.yaml index c36ca460..e2d503b1 100644 --- a/charms/openstack-hypervisor/metadata.yaml +++ b/charms/openstack-hypervisor/metadata.yaml @@ -23,6 +23,9 @@ requires: ceph-access: interface: cinder-ceph-key optional: true + receive-ca-cert: + interface: certificate_transfer + optional: true provides: cos-agent: diff --git a/charms/openstack-hypervisor/src/charm.py b/charms/openstack-hypervisor/src/charm.py index 188ee86e..164ca1ad 100755 --- a/charms/openstack-hypervisor/src/charm.py +++ b/charms/openstack-hypervisor/src/charm.py @@ -35,6 +35,7 @@ from typing import ( import charms.operator_libs_linux.v2.snap as snap import ops.framework import ops_sunbeam.charm as sunbeam_charm +import ops_sunbeam.core as sunbeam_core import ops_sunbeam.guard as sunbeam_guard import ops_sunbeam.ovn.relation_handlers as ovn_relation_handlers import ops_sunbeam.relation_handlers as sunbeam_rhandlers 
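Review bot: The added `cafile` line hard-codes `/usr/local/share/ca-certificates/ca-bundle.pem`, and nothing in this patch shows nova-k8s writing the bundle to that path. The ceilometer template list in common.sh names `ca-bundle.pem.j2`, but nova's list is not visible here. If the relation carries a bundle while the file is missing or stale, certificate verification for this client would fail, so confirm the file is rendered before nova.conf is. The same three lines are added to templates/parts/section-service-user; a shared part would keep the path and the condition in one place. A line such as `# CA bundle received over the receive-ca-cert relation` above `cafile` would tell operators where the trust anchor comes from.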
@@ -465,10 +466,24 @@ class HypervisorOperatorCharm(sunbeam_charm.OSBaseOperatorCharm): logger.debug("ceilometer_service relation not integrated") snap_data.update({"telemetry.enable": self.enable_telemetry}) + snap_data.update(self._handle_receive_ca_cert(contexts)) + self.set_snap_data(snap_data) self.ensure_services_running() self._state.unit_bootstrapped = True + def _handle_receive_ca_cert( + self, context: sunbeam_core.OPSCharmContexts + ) -> dict: + if hasattr(context.receive_ca_cert, "ca_bundle"): + return { + "ca.bundle": base64.b64encode( + context.receive_ca_cert.ca_bundle.encode() + ).decode() + } + + return {"ca.bundle": None} + def handle_ceilometer_events(self, event: ops.framework.EventBase) -> None: """Handle ceilometer events.""" if isinstance(event, CeilometerConfigChangedEvent): diff --git a/charms/openstack-hypervisor/tests/unit/test_charm.py b/charms/openstack-hypervisor/tests/unit/test_charm.py index 624b979a..5ac5d75e 100644 --- a/charms/openstack-hypervisor/tests/unit/test_charm.py +++ b/charms/openstack-hypervisor/tests/unit/test_charm.py @@ -165,6 +165,7 @@ class TestCharm(test_utils.CharmTestCase): "node.ip-address": "10.0.0.10", "rabbitmq.url": "rabbit://hypervisor:rabbit.pass@10.0.0.13:5672/openstack", "telemetry.enable": False, + "ca.bundle": None, } hypervisor_snap_mock.set.assert_any_call(expect_settings, typed=True) @@ -258,5 +259,6 @@ class TestCharm(test_utils.CharmTestCase): "rabbitmq.url": "rabbit://hypervisor:rabbit.pass@10.0.0.13:5672/openstack", "telemetry.enable": True, "telemetry.publisher-secret": "FAKE_SECRET", + "ca.bundle": None, } hypervisor_snap_mock.set.assert_any_call(expect_settings, typed=True) diff --git a/common.sh b/common.sh index 0d2060d3..44c52efe 100644 --- a/common.sh +++ b/common.sh @@ -140,6 +140,7 @@ EXTERNAL_OPENSTACK_HYPERVISOR_LIBS=( "rabbitmq_k8s" "traefik_k8s" "tls_certificates_interface" + "certificate_transfer_interface" ) EXTERNAL_SUNBEAM_CLUSTERD_LIBS=( 
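Review bot: `_handle_receive_ca_cert` gates on `hasattr(context.receive_ca_cert, "ca_bundle")`, while the templates in this patch gate on `receive_ca_cert and receive_ca_cert.ca_bundle`. An attribute that is present but empty or None would either push an empty `ca.bundle` into the snap or raise on `.encode()`. Reading it once with `bundle = getattr(context.receive_ca_cert, "ca_bundle", None)` and branching on `if bundle:` would keep the two checks consistent. The value becomes a trust anchor for the hypervisor snap, so the method should have a docstring saying that it comes unvalidated from the related certificate_transfer provider and that `None` is presumably meant to clear the setting. A basic PEM sanity check before encoding would also be reasonable. The parameter is named `context` although the caller passes `contexts`.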
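Review bot: Both updated expectations (this hunk and the one at line 258) only pin `"ca.bundle": None`, the path where no bundle has been received. No test in this patch integrates receive-ca-cert and asserts that the snap gets the base64-encoded bundle, which is the branch that actually changes the hypervisor's trust configuration. A case that adds the relation with a constructed PEM string and compares `expect_settings["ca.bundle"]` with `base64.b64encode(bundle.encode()).decode()` would cover it.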
@@ -184,7 +185,6 @@ CONFIG_TEMPLATES_CEILOMETER=(
 "parts/identity-data-id-creds"
 "parts/section-oslo-messaging-rabbit"
 "parts/section-service-credentials-from-identity-service"
- "parts/section-service-user-from-identity-credentials"
 "ca-bundle.pem.j2"
 )
 
diff --git a/ops-sunbeam/ops_sunbeam/charm.py b/ops-sunbeam/ops_sunbeam/charm.py
index 3ea089d2..444a0c72 100644
--- a/ops-sunbeam/ops_sunbeam/charm.py
+++ b/ops-sunbeam/ops_sunbeam/charm.py
@@ -188,6 +188,14 @@ class OSBaseOperatorCharm(ops.charm.CharmBase):
 "ceph-access" in self.mandatory_relations,
 )
 handlers.append(self.ceph_access)
+ if self.can_add_handler("receive-ca-cert", handlers):
+ self.receive_ca_cert = (
+ sunbeam_rhandlers.CertificateTransferRequiresHandler(
+ self, "receive-ca-cert", self.configure_charm
+ )
+ )
+ handlers.append(self.receive_ca_cert)
+
 return handlers
 
 def get_sans_ips(self) -> List[str]:
@@ -540,21 +548,6 @@ class OSBaseOperatorCharmK8S(OSBaseOperatorCharm):
 super().__init__(framework)
 self.pebble_handlers = self.get_pebble_handlers()
 
- def get_relation_handlers(
- self, handlers: List[sunbeam_rhandlers.RelationHandler] = None
- ) -> List[sunbeam_rhandlers.RelationHandler]:
- """Relation handlers for the service."""
- handlers = handlers or []
- if self.can_add_handler("receive-ca-cert", handlers):
- self.receive_ca_cert = (
- sunbeam_rhandlers.CertificateTransferRequiresHandler(
- self, "receive-ca-cert", self.configure_charm
- )
- )
- handlers.append(self.receive_ca_cert)
-
- return super().get_relation_handlers(handlers)
-
 def get_pebble_handlers(self) -> List[sunbeam_chandlers.PebbleHandler]:
 """Pebble handlers for the operator."""
 return [
diff --git a/templates/parts/section-service-user b/templates/parts/section-service-user
index 65103693..4f897fea 100644
--- a/templates/parts/section-service-user
+++ b/templates/parts/section-service-user
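Review bot: The receive-ca-cert handler added to `OSBaseOperatorCharm.get_relation_handlers` is built without a mandatory flag, whereas the ceph-access handler just above it passes `"ceph-access" in self.mandatory_relations`. If `CertificateTransferRequiresHandler` accepts that argument (its signature is not visible here), passing `"receive-ca-cert" in self.mandatory_relations` would let a charm that lists the relation as mandatory wait for a CA bundle instead of starting without one. Because the handler now lives in the base class, every charm that declares the relation gets it, which is worth a sentence in the method's docstring. The method starts above the hunk.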
@@ -14,4 +14,7 @@ user_domain_id = {{ identity_service.service_domain_id }}
 project_name = {{ identity_service.service_project_name }}
 username = {{ identity_service.service_user_name }}
 password = {{ identity_service.service_password }}
+{% if receive_ca_cert and receive_ca_cert.ca_bundle -%}
+cafile = /usr/local/share/ca-certificates/ca-bundle.pem
+{% endif -%}
 {% endif -%}
diff --git a/templates/parts/section-service-user-from-identity-credentials b/templates/parts/section-service-user-from-identity-credentials
deleted file mode 100644
index bd32c5e3..00000000
--- a/templates/parts/section-service-user-from-identity-credentials
+++ /dev/null
@@ -1,15 +0,0 @@
-{% if identity_credentials.project_domain_id -%}
-[service_user]
-{% if identity_credentials.internal_auth_url -%}
-auth_url = {{ identity_credentials.internal_auth_url }}
-{% elif identity_credentials.internal_host -%}
-auth_url = {{ identity_credentials.internal_protocol }}://{{ identity_credentials.internal_host }}:{{ identity_credentials.internal_port }}
-{% endif -%}
-send_service_user_token = true
-auth_type = password
-project_domain_id = {{ identity_credentials.project_domain_id }}
-user_domain_id = {{ identity_credentials.user_domain_id }}
-project_name = {{ identity_credentials.project_name }}
-username = {{ identity_credentials.username }}
-password = {{ identity_credentials.password }}
-{% endif -%}