New configuration parameter updates URI for CRL Distribution points
inside Vault, to a publicly-accessible location. The purpose is not
to impact all users, so I did not add a global configuration
parameter. Instead, only the 'upload_signed_csr' action was updated
with a newly introduced optional parameter named 'crl-distribution-point'.
Closes-bug: #2048237
Change-Id: I8dbfc0deb9f547100bb63bd6b20737734e97667b
This commit removes the tls_insecure_skip_verify field in the vault
config template. This was added as a workaround for a bug in the vault's
etcd client before the 1.4.0 release. Since all channels now use 1.5 or
newer versions of vault, this line can be removed.
Change-Id: I64f1c2c9ced8ae4dff2bf232c6e673b596f84a14
Closes-Bug: #1979582
As lunar introduces python3.11, psycopg2 version needs to be at least
version 2.9.5 to support it.
Modify the tests to run on Lunar and remove the Kinetic ones.
Closes-Bug: #2025983
Change-Id: Iaf459368a092f09d3455b014289eca6e7bf4d047
Signed-off-by: David Negreira <david.negreira@canonical.com>
leader-get decodes using json, but leader-set just sets the keys. This
wasn't taken into consideration when fetching all the keys to filter for
cached keys when a relation is leaving. This is resolved in this patch.
Change-Id: I2d44ec0c43c1ecffd9ac77a1162ead4e4a01aabe
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.
This patch is mostly the same as
I18aa6c9193379ea454851b6f60a8f331ef88a980
but improved to avoid LP#1896542 by removing
the section where a certificate can be reused
from cache during create_certs.
Co-Authored-By: Rodrigo Barbieri <rodrigo.barbieri@canonical.com>
Co-Authored-By: Alex Kavanagh <alex.kavanagh@canonical.com>
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1084
Closes-Bug: #1940549
Closes-Bug: #1983269
Closes-Bug: #1845961
Related-Bug: #1896542
Change-Id: I0cca13d2042d61ffc6a7c13eccb0ec8c292020c9
Converting the charm to binary builds provides two benefits:
- build time issues are moved to testing rather than (failing) at the
install time, which can often happen after the charm is pushed to the
charmhub.
- the install time is much, much faster. This means upgrades take < 1m
rather than 3-4m.
Change-Id: Ib4f4a8acf807de0406b9588d32750e3a48ff2841
Add the 'docs' key and point it at a Discourse topic
previously populated with the charm's README contents.
When the new charm revision is released to the Charmhub,
this Discourse-based content will be displayed there. In
the absence of this new key, the Charmhub's default
behaviour is to display the value of the charm's
'description' key.
Change-Id: I51e3ce5347f2036165429145075e15c9801a26af
- stop vault.service before refreshing it
- added a warning note that changing the channel config option will
cause the vault to be sealed
Related-Bug: 2007587
Change-Id: I240ebb4bd14932a6bf95f41da3f2cd7776742266
This reverts commit 04a237660b.
Reason for revert:
The bug in [1] caused all the yoga tests to fail in integration testing. Testing with a version of the charm without this commit allowed tests to complete. Thus reverting this until a more complete solution can be found to the original bug(s) [2..4]
[1] https://bugs.launchpad.net/charm-keystone/+bug/2015103
[2] LP #1940549
[3] LP #1983269
[4] LP #1845961
Change-Id: I8a794fbb30e921e5322e9023b891d5e17e0e6e8b
Add 23.04 run-on base and add lunar to metadata.yaml.
Drop 22.10 run-on base and drop kinetic from metadata.yaml.
Change-Id: Ie6e5f106e8dfbd61402dc8376dde57e48ff4993b
Rebuild the charm to pick up charms.reactive-1.5.2 which includes a fix
for application is single unit.
Adding libpython3-dev to be able to build Cython
Related-Pr: https://github.com/juju-solutions/charms.reactive/pull/243
Change-Id: Ief281586efde5303c66bd7b0432589c9735c7f86
As bug/1947265 notes, running the get-csr actions can result in the
CA being wiped from the leader DB. This change attempts to make
it clearer to the user that this action can be destructive.
* Deprecate the `get-csr` action and replace it with
`regenerate-intermediate-ca`. They are functionally equivalent but
the new name makes it clearer that the CA may be destroyed.
* Adds a `force` option to the action. The force action must be used
if a CA already exists.
* The functional test of rerunning the `regenerate-intermediate-ca`
action is now included in the vault tests so no need to run the
tests twice now.
Func-Test-PR: https://github.com/openstack-charmers/zaza-openstack-tests/pull/974
Change-Id: Ie01dd7ec0e9134689518b37b5d70c8dd5a556241
Closes-Bug: #1947265
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.
This patch is mostly the same as
f55055b878
but improved to avoid LP#1983269 by breaking
down the cert cache into separate key-value pairs
for each remote unit and avoiding a race-condition
caused by get-csr action. Instead of using
leader-settings, this patch is now using
application data bag provided by a new vault-ha
relation implementation.
Co-Authored-By: Rodrigo Barbieri <rodrigo.barbieri@canonical.com>
Change-Id: I18aa6c9193379ea454851b6f60a8f331ef88a980
Closes-Bug: #1940549
Closes-Bug: #1983269
Closes-Bug: #1845961
Commit 0b7d041279 removed focal
tests and added jammy/kinetic tests in support of the Zed release.
The jammy/kinetic cluster tests weren't added to osci.yaml, so
they are added back in this change.
Remaining focal bundles are also dropped in this change.
Change-Id: Ic53d71bc7ddb25bc6735a2cfe36b78a5d8f30648
* sync charm-helpers to classic charms
* change openstack-origin/source default to zed
* align testing with zed
* add new zed bundles
* add zed bundles to tests.yaml
* add zed tests to osci.yaml and .zuul.yaml
* update build-on and run-on bases
* add bindep.txt for py310
* sync tox.ini and requirements.txt for ruamel
* use charmcraft_channel 2.0/stable
* drop reactive plugin overrides
* move interface/layer env vars to charmcraft.yaml
Change-Id: I577fff942606ded9885e9ba6f29040ba3fc7fb27
This reverts commit f55055b878.
Reason for revert:
This patch breaks when issuing many certificates in large models due to CLI leader-set being overwhelmed: https://bugs.launchpad.net/vault-charm/+bug/1983269
Change-Id: I4854839b5278d1b4db325e44b78b1815b2751728
A recent change[1] switched to the newer methods in
hvac 11.2, but unfortunately the semantics between
client.secrets.pki.read_certificate() and client.read() are different,
in that the latter returns None on InvalidPath, whereas the former
allows the exception to bubble up.
This means that for the call sites here, we need to catch InvalidPath,
instead of the TypeError.
The original reason for TypeError was that the function
would end up calling None['key'] if read_certificate failed.
[1]: https://review.opendev.org/c/openstack/charm-vault/+/848205
Change-Id: I46b93457c8a757189802ca2c2cdf31cc9c5a9516
A recent change [1] switched to the newer methods in
hvac 11.2, but unfortunately the semantics between
client.secrets.pki.read_role() and client.read() are different,
in that the latter returns None on InvalidPath, whereas the former
allows the exception to bubble up.
Also updates tests and fixes a mocking issue on service_reload.
[1] https://review.opendev.org/c/openstack/charm-vault/+/848205
Change-Id: Id3d112104b1aa45b242e402709fb855131d5203e
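The semantic difference the two messages above describe, as an added illustration that is not charm-vault's own code: the low-level client.read() returns None for a missing path, while the pki helpers raise InvalidPath, so the handler at the call site has to change with the API. No real hvac is imported; InvalidPath, _Pki and FakeClient are constructed stand-ins, the serial and PEM are constructed sample data, and read_role() follows the same pattern as read_certificate().

```python
import types

# Constructed stand-ins for hvac (no hvac import, so this runs offline):
# client.read(path) returns None for a missing path, whereas
# client.secrets.pki.read_certificate() / read_role() raise InvalidPath.
STORE = {  # constructed sample data, not real Vault output
    "pki/cert/12:34": {"certificate": "-----BEGIN CERTIFICATE-----\n(constructed)"},
}


class InvalidPath(Exception):
    """Stand-in for hvac.exceptions.InvalidPath."""


def _lookup(path):
    if path not in STORE:
        raise InvalidPath(path)
    return {"data": STORE[path]}


class _Pki:
    # Stand-in for client.secrets.pki: an unknown path raises, like hvac.
    def read_certificate(self, serial, mount_point="pki"):
        return _lookup(f"{mount_point}/cert/{serial}")


class FakeClient:
    # Stand-in for hvac.Client exposing both the low-level and pki APIs.
    secrets = types.SimpleNamespace(pki=_Pki())

    def read(self, path):
        # Low-level read(): None rather than an exception on a missing path.
        return {"data": STORE[path]} if path in STORE else None


def cert_pem_legacy(client, serial):
    # Pre-change call site: read() yields None, so indexing raises TypeError
    # (None['data']); that is the error the old code caught.
    try:
        return client.read(f"pki/cert/{serial}")["data"]["certificate"]
    except TypeError:
        return None


def cert_pem(client, serial):
    # Post-change call site: read_certificate() lets InvalidPath bubble up,
    # so a TypeError handler would never fire; catch InvalidPath instead.
    try:
        return client.secrets.pki.read_certificate(serial)["data"]["certificate"]
    except InvalidPath:
        return None
```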
Update deprecated method calls where possible,
and use new methods instead of lower level read/write calls.
Change-Id: I991435cdf8d36016e75c46823ec47f3290a42fe4
Always reload on configure.
This ensures any certificates changed on disk will be reloaded.
(Such as the tcp listener certificate files.)
Closes-Bug: #1912261
Change-Id: Ic254f38d86c0e8323ed10a2eaa22462797d48605
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.
This patch is the same as
1159e547dd
but improved to avoid LP#1970888
Change-Id: Ic4dd009cc18c52e1667391b00ebba9928acc5937
Closes-Bug: #1940549
Closes-Bug: #1970888
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.
Closes-Bug: #1940549
Change-Id: Iac989b30948fa43fe23851995a8ed00b08126587
Created action to utilize the existing
generate_certificate function for on demand
certificates against the existing vault PKI.
Closes-Bug: #1948837
Change-Id: Ia1a169623c81d6aede7dc52eabd2de94007fde80
Due to a build problem with the reactive plugin, this change falls back
on overriding the steps and doing a manual build, but it also ensures
the CI system builds the charm using charmcraft. Changes:
- add a build-requirements.txt
- modify charmcraft.yaml
- modify osci.yaml
-> indicate build with charmcraft
- modify tox.ini
-> tox -e build does charmcraft build/rename
-> tox -e build-reactive does the reactive build
- modify bundles to use the <charm>.charm artifact in tests.
and fix deprecation warning re: prefix
- tox inception to enable tox -e func-test in the CI
Change-Id: Icb73919f247c60a9e18cc2e563f0fda9c620cb14
Co-authored-by: Aurelien Lourot <aurelien.lourot@canonical.com>
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.
Note that https://github.com/openstack/charms.openstack is used during tests
and it needs `mock`; unfortunately it doesn't declare `mock` in its
requirements, so it retrieves mock from another charm project (cross dependency).
So we depend on charms.openstack first, and when
Ib1ed5b598a52375e29e247db9ab4786df5b6d142 is merged, CI
will pass without errors.
Depends-On: Ib1ed5b598a52375e29e247db9ab4786df5b6d142
Change-Id: I1d7de2bd4d704ffc331fdeacea725e903890f296
When the vip is changed, the ones that are no longer present need to be
registered for deletion from pacemaker's configuration. This change
relies on hookenv.config.changed() to determine what vip(s) are no
longer present in the configuration and asks hacluster to remove them.
Closes-Bug: #1952363
Change-Id: I7b77cd4f57e1770faf92860ee7846bf480efdb9e