Add receive-ca-cert relation to openstack-hypervisor
Add receive-ca-cert relation. Update the CA bundle to snap config ca.bundle. Update nova configuration. Change-Id: I7008d6525f38d1b6f2f74782f8488b3a95b43efb
parent
97bcf3dce6
commit
f120968772
@ -20,8 +20,6 @@ archive_policy = low
|
|||||||
[keystone_authtoken]
|
[keystone_authtoken]
|
||||||
{% include "parts/identity-data-id-creds" %}
|
{% include "parts/identity-data-id-creds" %}
|
||||||
|
|
||||||
{% include "parts/section-service-user-from-identity-credentials" %}
|
|
||||||
|
|
||||||
{% include "parts/section-service-credentials-from-identity-service" %}
|
{% include "parts/section-service-credentials-from-identity-service" %}
|
||||||
|
|
||||||
{% include "parts/section-oslo-messaging-rabbit" %}
|
{% include "parts/section-oslo-messaging-rabbit" %}
|
||||||
|
@ -20,6 +20,9 @@ service_type = image
|
|||||||
service_name = glance
|
service_name = glance
|
||||||
valid_interfaces = admin
|
valid_interfaces = admin
|
||||||
region_name = {{ options.region }}
|
region_name = {{ options.region }}
|
||||||
|
{% if receive_ca_cert and receive_ca_cert.ca_bundle -%}
|
||||||
|
cafile = /usr/local/share/ca-certificates/ca-bundle.pem
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
{% include "parts/section-identity" %}
|
{% include "parts/section-identity" %}
|
||||||
region_name = {{ options.region }}
|
region_name = {{ options.region }}
|
||||||
|
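Review bot: The `cafile` line added after `region_name`, and again in the identity-service credentials part later in this commit, hard-codes `/usr/local/share/ca-certificates/ca-bundle.pem`, and nothing visible in these hunks shows what writes that file or how it relates to the `ca.bundle` snap setting. For the OpenStack client libraries an explicit `cafile` is normally used in place of the default trust store, not in addition to it. If the transferred bundle holds only a private CA, endpoints signed by any other CA would presumably fail verification, which should be confirmed. I would add a Jinja comment above the conditional in both templates, for example `{# cafile is rendered only when receive-ca-cert supplies a bundle; that file must contain every CA these endpoints chain to #}`.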
@ -23,6 +23,9 @@ requires:
|
|||||||
ceph-access:
|
ceph-access:
|
||||||
interface: cinder-ceph-key
|
interface: cinder-ceph-key
|
||||||
optional: true
|
optional: true
|
||||||
|
receive-ca-cert:
|
||||||
|
interface: certificate_transfer
|
||||||
|
optional: true
|
||||||
|
|
||||||
provides:
|
provides:
|
||||||
cos-agent:
|
cos-agent:
|
||||||
|
@ -35,6 +35,7 @@ from typing import (
|
|||||||
import charms.operator_libs_linux.v2.snap as snap
|
import charms.operator_libs_linux.v2.snap as snap
|
||||||
import ops.framework
|
import ops.framework
|
||||||
import ops_sunbeam.charm as sunbeam_charm
|
import ops_sunbeam.charm as sunbeam_charm
|
||||||
|
import ops_sunbeam.core as sunbeam_core
|
||||||
import ops_sunbeam.guard as sunbeam_guard
|
import ops_sunbeam.guard as sunbeam_guard
|
||||||
import ops_sunbeam.ovn.relation_handlers as ovn_relation_handlers
|
import ops_sunbeam.ovn.relation_handlers as ovn_relation_handlers
|
||||||
import ops_sunbeam.relation_handlers as sunbeam_rhandlers
|
import ops_sunbeam.relation_handlers as sunbeam_rhandlers
|
||||||
@ -465,10 +466,24 @@ class HypervisorOperatorCharm(sunbeam_charm.OSBaseOperatorCharm):
|
|||||||
logger.debug("ceilometer_service relation not integrated")
|
logger.debug("ceilometer_service relation not integrated")
|
||||||
snap_data.update({"telemetry.enable": self.enable_telemetry})
|
snap_data.update({"telemetry.enable": self.enable_telemetry})
|
||||||
|
|
||||||
|
snap_data.update(self._handle_receive_ca_cert(contexts))
|
||||||
|
|
||||||
self.set_snap_data(snap_data)
|
self.set_snap_data(snap_data)
|
||||||
self.ensure_services_running()
|
self.ensure_services_running()
|
||||||
self._state.unit_bootstrapped = True
|
self._state.unit_bootstrapped = True
|
||||||
|
|
||||||
|
def _handle_receive_ca_cert(
|
||||||
|
self, context: sunbeam_core.OPSCharmContexts
|
||||||
|
) -> dict:
|
||||||
|
if hasattr(context.receive_ca_cert, "ca_bundle"):
|
||||||
|
return {
|
||||||
|
"ca.bundle": base64.b64encode(
|
||||||
|
context.receive_ca_cert.ca_bundle.encode()
|
||||||
|
).decode()
|
||||||
|
}
|
||||||
|
|
||||||
|
return {"ca.bundle": None}
|
||||||
|
|
||||||
def handle_ceilometer_events(self, event: ops.framework.EventBase) -> None:
|
def handle_ceilometer_events(self, event: ops.framework.EventBase) -> None:
|
||||||
"""Handle ceilometer events."""
|
"""Handle ceilometer events."""
|
||||||
if isinstance(event, CeilometerConfigChangedEvent):
|
if isinstance(event, CeilometerConfigChangedEvent):
|
||||||
|
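Review bot: `_handle_receive_ca_cert` tests `hasattr(context.receive_ca_cert, "ca_bundle")` while the templates in this commit test `receive_ca_cert and receive_ca_cert.ca_bundle`, so an empty `ca_bundle` would be base64-encoded and pushed to the snap as `ca.bundle` although the templates omit `cafile`. The lookup of `context.receive_ca_cert` also happens before `hasattr` can help, so it would raise if the contexts object can lack that attribute; the ceilometer lookup just above appears to guard against a relation that is not integrated. I would read the value once with `bundle = getattr(getattr(context, "receive_ca_cert", None), "ca_bundle", None)` and return the encoded form only `if bundle:`. The method has no docstring; it should say that it returns the `ca.bundle` snap setting base64-encoded, or `None` (presumably to unset it), and that the bundle arrives unvalidated from relation data and ends up as the CA file the services trust. The method that calls it starts outside the hunk.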
@ -165,6 +165,7 @@ class TestCharm(test_utils.CharmTestCase):
|
|||||||
"node.ip-address": "10.0.0.10",
|
"node.ip-address": "10.0.0.10",
|
||||||
"rabbitmq.url": "rabbit://hypervisor:rabbit.pass@10.0.0.13:5672/openstack",
|
"rabbitmq.url": "rabbit://hypervisor:rabbit.pass@10.0.0.13:5672/openstack",
|
||||||
"telemetry.enable": False,
|
"telemetry.enable": False,
|
||||||
|
"ca.bundle": None,
|
||||||
}
|
}
|
||||||
hypervisor_snap_mock.set.assert_any_call(expect_settings, typed=True)
|
hypervisor_snap_mock.set.assert_any_call(expect_settings, typed=True)
|
||||||
|
|
||||||
@ -258,5 +259,6 @@ class TestCharm(test_utils.CharmTestCase):
|
|||||||
"rabbitmq.url": "rabbit://hypervisor:rabbit.pass@10.0.0.13:5672/openstack",
|
"rabbitmq.url": "rabbit://hypervisor:rabbit.pass@10.0.0.13:5672/openstack",
|
||||||
"telemetry.enable": True,
|
"telemetry.enable": True,
|
||||||
"telemetry.publisher-secret": "FAKE_SECRET",
|
"telemetry.publisher-secret": "FAKE_SECRET",
|
||||||
|
"ca.bundle": None,
|
||||||
}
|
}
|
||||||
hypervisor_snap_mock.set.assert_any_call(expect_settings, typed=True)
|
hypervisor_snap_mock.set.assert_any_call(expect_settings, typed=True)
|
||||||
|
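Review bot: Both expectation dictionaries gain only `"ca.bundle": None`, so the branch of `_handle_receive_ca_cert` that base64-encodes a received bundle is not exercised by the tests visible here. A case that relates a `receive-ca-cert` provider with a constructed sample PEM string and asserts the encoded value in `expect_settings` would pin the encoding and catch a regression in the relation wiring. The test methods start outside both hunks.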
@ -140,6 +140,7 @@ EXTERNAL_OPENSTACK_HYPERVISOR_LIBS=(
|
|||||||
"rabbitmq_k8s"
|
"rabbitmq_k8s"
|
||||||
"traefik_k8s"
|
"traefik_k8s"
|
||||||
"tls_certificates_interface"
|
"tls_certificates_interface"
|
||||||
|
"certificate_transfer_interface"
|
||||||
)
|
)
|
||||||
|
|
||||||
EXTERNAL_SUNBEAM_CLUSTERD_LIBS=(
|
EXTERNAL_SUNBEAM_CLUSTERD_LIBS=(
|
||||||
@ -184,7 +185,6 @@ CONFIG_TEMPLATES_CEILOMETER=(
|
|||||||
"parts/identity-data-id-creds"
|
"parts/identity-data-id-creds"
|
||||||
"parts/section-oslo-messaging-rabbit"
|
"parts/section-oslo-messaging-rabbit"
|
||||||
"parts/section-service-credentials-from-identity-service"
|
"parts/section-service-credentials-from-identity-service"
|
||||||
"parts/section-service-user-from-identity-credentials"
|
|
||||||
"ca-bundle.pem.j2"
|
"ca-bundle.pem.j2"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -188,6 +188,14 @@ class OSBaseOperatorCharm(ops.charm.CharmBase):
|
|||||||
"ceph-access" in self.mandatory_relations,
|
"ceph-access" in self.mandatory_relations,
|
||||||
)
|
)
|
||||||
handlers.append(self.ceph_access)
|
handlers.append(self.ceph_access)
|
||||||
|
if self.can_add_handler("receive-ca-cert", handlers):
|
||||||
|
self.receive_ca_cert = (
|
||||||
|
sunbeam_rhandlers.CertificateTransferRequiresHandler(
|
||||||
|
self, "receive-ca-cert", self.configure_charm
|
||||||
|
)
|
||||||
|
)
|
||||||
|
handlers.append(self.receive_ca_cert)
|
||||||
|
|
||||||
return handlers
|
return handlers
|
||||||
|
|
||||||
def get_sans_ips(self) -> List[str]:
|
def get_sans_ips(self) -> List[str]:
|
||||||
@ -540,21 +548,6 @@ class OSBaseOperatorCharmK8S(OSBaseOperatorCharm):
|
|||||||
super().__init__(framework)
|
super().__init__(framework)
|
||||||
self.pebble_handlers = self.get_pebble_handlers()
|
self.pebble_handlers = self.get_pebble_handlers()
|
||||||
|
|
||||||
def get_relation_handlers(
|
|
||||||
self, handlers: List[sunbeam_rhandlers.RelationHandler] = None
|
|
||||||
) -> List[sunbeam_rhandlers.RelationHandler]:
|
|
||||||
"""Relation handlers for the service."""
|
|
||||||
handlers = handlers or []
|
|
||||||
if self.can_add_handler("receive-ca-cert", handlers):
|
|
||||||
self.receive_ca_cert = (
|
|
||||||
sunbeam_rhandlers.CertificateTransferRequiresHandler(
|
|
||||||
self, "receive-ca-cert", self.configure_charm
|
|
||||||
)
|
|
||||||
)
|
|
||||||
handlers.append(self.receive_ca_cert)
|
|
||||||
|
|
||||||
return super().get_relation_handlers(handlers)
|
|
||||||
|
|
||||||
def get_pebble_handlers(self) -> List[sunbeam_chandlers.PebbleHandler]:
|
def get_pebble_handlers(self) -> List[sunbeam_chandlers.PebbleHandler]:
|
||||||
"""Pebble handlers for the operator."""
|
"""Pebble handlers for the operator."""
|
||||||
return [
|
return [
|
||||||
|
@ -14,4 +14,7 @@ user_domain_id = {{ identity_service.service_domain_id }}
|
|||||||
project_name = {{ identity_service.service_project_name }}
|
project_name = {{ identity_service.service_project_name }}
|
||||||
username = {{ identity_service.service_user_name }}
|
username = {{ identity_service.service_user_name }}
|
||||||
password = {{ identity_service.service_password }}
|
password = {{ identity_service.service_password }}
|
||||||
|
{% if receive_ca_cert and receive_ca_cert.ca_bundle -%}
|
||||||
|
cafile = /usr/local/share/ca-certificates/ca-bundle.pem
|
||||||
|
{% endif -%}
|
||||||
{% endif -%}
|
{% endif -%}
|
||||||
|
@ -1,15 +0,0 @@
|
|||||||
{% if identity_credentials.project_domain_id -%}
|
|
||||||
[service_user]
|
|
||||||
{% if identity_credentials.internal_auth_url -%}
|
|
||||||
auth_url = {{ identity_credentials.internal_auth_url }}
|
|
||||||
{% elif identity_credentials.internal_host -%}
|
|
||||||
auth_url = {{ identity_credentials.internal_protocol }}://{{ identity_credentials.internal_host }}:{{ identity_credentials.internal_port }}
|
|
||||||
{% endif -%}
|
|
||||||
send_service_user_token = true
|
|
||||||
auth_type = password
|
|
||||||
project_domain_id = {{ identity_credentials.project_domain_id }}
|
|
||||||
user_domain_id = {{ identity_credentials.user_domain_id }}
|
|
||||||
project_name = {{ identity_credentials.project_name }}
|
|
||||||
username = {{ identity_credentials.username }}
|
|
||||||
password = {{ identity_credentials.password }}
|
|
||||||
{% endif -%}
|
|