Add receive-ca-cert relation to openstack-hypervisor

Add receive-ca-cert relation. Update the CA bundle to snap config ca.bundle Update nova configuration. Change-Id: I7008d6525f38d1b6f2f74782f8488b3a95b43efb
2024-02-15 15:57:55 +05:30 · 2024-02-15 15:57:55 +05:30 · f120968772
commit f120968772
parent 97bcf3dce6
9 changed files with 35 additions and 33 deletions
--- a/charms/ceilometer-k8s/src/templates/ceilometer.conf
+++ b/charms/ceilometer-k8s/src/templates/ceilometer.conf
@ -20,8 +20,6 @@ archive_policy = low
 [keystone_authtoken]
 {% include "parts/identity-data-id-creds" %}

-{% include "parts/section-service-user-from-identity-credentials" %}
-
 {% include "parts/section-service-credentials-from-identity-service" %}

 {% include "parts/section-oslo-messaging-rabbit" %}
--- a/charms/nova-k8s/src/templates/nova.conf.j2
+++ b/charms/nova-k8s/src/templates/nova.conf.j2
@ -20,6 +20,9 @@ service_type = image
 service_name = glance
 valid_interfaces = admin
 region_name = {{ options.region }}
+{% if receive_ca_cert and receive_ca_cert.ca_bundle -%}
+cafile = /usr/local/share/ca-certificates/ca-bundle.pem
+{% endif -%}

 {% include "parts/section-identity" %}
 region_name = {{ options.region }}
--- a/charms/openstack-hypervisor/metadata.yaml
+++ b/charms/openstack-hypervisor/metadata.yaml
@ -23,6 +23,9 @@ requires:
  ceph-access:
    interface: cinder-ceph-key
    optional: true
+  receive-ca-cert:
+    interface: certificate_transfer
+    optional: true

 provides:
  cos-agent:
--- a/charms/openstack-hypervisor/src/charm.py
+++ b/charms/openstack-hypervisor/src/charm.py
@ -35,6 +35,7 @@ from typing import (
 import charms.operator_libs_linux.v2.snap as snap
 import ops.framework
 import ops_sunbeam.charm as sunbeam_charm
+import ops_sunbeam.core as sunbeam_core
 import ops_sunbeam.guard as sunbeam_guard
 import ops_sunbeam.ovn.relation_handlers as ovn_relation_handlers
 import ops_sunbeam.relation_handlers as sunbeam_rhandlers
@ -465,10 +466,24 @@ class HypervisorOperatorCharm(sunbeam_charm.OSBaseOperatorCharm):
            logger.debug("ceilometer_service relation not integrated")
            snap_data.update({"telemetry.enable": self.enable_telemetry})

+        snap_data.update(self._handle_receive_ca_cert(contexts))
+
        self.set_snap_data(snap_data)
        self.ensure_services_running()
        self._state.unit_bootstrapped = True

+    def _handle_receive_ca_cert(
+        self, context: sunbeam_core.OPSCharmContexts
+    ) -> dict:
+        if hasattr(context.receive_ca_cert, "ca_bundle"):
+            return {
+                "ca.bundle": base64.b64encode(
+                    context.receive_ca_cert.ca_bundle.encode()
+                ).decode()
+            }
+
+        return {"ca.bundle": None}
+
    def handle_ceilometer_events(self, event: ops.framework.EventBase) -> None:
        """Handle ceilometer events."""
        if isinstance(event, CeilometerConfigChangedEvent):
--- a/charms/openstack-hypervisor/tests/unit/test_charm.py
+++ b/charms/openstack-hypervisor/tests/unit/test_charm.py
@ -165,6 +165,7 @@ class TestCharm(test_utils.CharmTestCase):
            "node.ip-address": "10.0.0.10",
            "rabbitmq.url": "rabbit://hypervisor:rabbit.pass@10.0.0.13:5672/openstack",
            "telemetry.enable": False,
+            "ca.bundle": None,
        }
        hypervisor_snap_mock.set.assert_any_call(expect_settings, typed=True)

@ -258,5 +259,6 @@ class TestCharm(test_utils.CharmTestCase):
            "rabbitmq.url": "rabbit://hypervisor:rabbit.pass@10.0.0.13:5672/openstack",
            "telemetry.enable": True,
            "telemetry.publisher-secret": "FAKE_SECRET",
+            "ca.bundle": None,
        }
        hypervisor_snap_mock.set.assert_any_call(expect_settings, typed=True)
--- a/common.sh
+++ b/common.sh
@ -140,6 +140,7 @@ EXTERNAL_OPENSTACK_HYPERVISOR_LIBS=(
 	"rabbitmq_k8s"
        "traefik_k8s"
        "tls_certificates_interface"
+	"certificate_transfer_interface"
 )

 EXTERNAL_SUNBEAM_CLUSTERD_LIBS=(
@ -184,7 +185,6 @@ CONFIG_TEMPLATES_CEILOMETER=(
 	"parts/identity-data-id-creds"
 	"parts/section-oslo-messaging-rabbit"
 	"parts/section-service-credentials-from-identity-service"
-	"parts/section-service-user-from-identity-credentials"
 	"ca-bundle.pem.j2"
 )

--- a/ops-sunbeam/ops_sunbeam/charm.py
+++ b/ops-sunbeam/ops_sunbeam/charm.py
@ -188,6 +188,14 @@ class OSBaseOperatorCharm(ops.charm.CharmBase):
                "ceph-access" in self.mandatory_relations,
            )
            handlers.append(self.ceph_access)
+        if self.can_add_handler("receive-ca-cert", handlers):
+            self.receive_ca_cert = (
+                sunbeam_rhandlers.CertificateTransferRequiresHandler(
+                    self, "receive-ca-cert", self.configure_charm
+                )
+            )
+            handlers.append(self.receive_ca_cert)
+
        return handlers

    def get_sans_ips(self) -> List[str]:
@ -540,21 +548,6 @@ class OSBaseOperatorCharmK8S(OSBaseOperatorCharm):
        super().__init__(framework)
        self.pebble_handlers = self.get_pebble_handlers()

-    def get_relation_handlers(
-        self, handlers: List[sunbeam_rhandlers.RelationHandler] = None
-    ) -> List[sunbeam_rhandlers.RelationHandler]:
-        """Relation handlers for the service."""
-        handlers = handlers or []
-        if self.can_add_handler("receive-ca-cert", handlers):
-            self.receive_ca_cert = (
-                sunbeam_rhandlers.CertificateTransferRequiresHandler(
-                    self, "receive-ca-cert", self.configure_charm
-                )
-            )
-            handlers.append(self.receive_ca_cert)
-
-        return super().get_relation_handlers(handlers)
-
    def get_pebble_handlers(self) -> List[sunbeam_chandlers.PebbleHandler]:
        """Pebble handlers for the operator."""
        return [
--- a/templates/parts/section-service-user
+++ b/templates/parts/section-service-user
@ -14,4 +14,7 @@ user_domain_id = {{ identity_service.service_domain_id }}
 project_name = {{ identity_service.service_project_name }}
 username = {{ identity_service.service_user_name }}
 password = {{ identity_service.service_password }}
+{% if receive_ca_cert and receive_ca_cert.ca_bundle -%}
+cafile = /usr/local/share/ca-certificates/ca-bundle.pem
+{% endif -%}
 {% endif -%}
--- a/templates/parts/section-service-user-from-identity-credentials
+++ b/templates/parts/section-service-user-from-identity-credentials
@ -1,15 +0,0 @@
-{% if identity_credentials.project_domain_id -%}
-[service_user]
-{% if identity_credentials.internal_auth_url -%}
-auth_url = {{ identity_credentials.internal_auth_url }}
-{% elif identity_credentials.internal_host -%}
-auth_url = {{ identity_credentials.internal_protocol }}://{{ identity_credentials.internal_host }}:{{ identity_credentials.internal_port }}
-{% endif -%}
-send_service_user_token = true
-auth_type = password
-project_domain_id = {{ identity_credentials.project_domain_id }}
-user_domain_id = {{ identity_credentials.user_domain_id }}
-project_name = {{ identity_credentials.project_name }}
-username = {{ identity_credentials.username }}
-password = {{ identity_credentials.password }}
-{% endif -%}