Render SSL config when resolve_address changes
When supplying certs and keys directly to the charm, get_certs_and_keys is hardcoded to return a cn of None. However, when the certs are written to disk, configure_cert checks if the cn is None and, if it is, sets the cn to os_ip.resolve_address(endpoint_type=os_ip.INTERNAL). This causes an issue because generating the certs and keys is gated on a change to the return value of get_certs_and_keys, which always sets cn to None; however, when the charm is clustered, os_ip.resolve_address will return the VIP, which should change the cn. This means that if the charm transitions from un-clustered to clustered, SSL certs will not be reconfigured if they have already been configured, despite the cn having changed. This patch changes the default of cn in get_certs_and_keys to be os_ip.resolve_address(endpoint_type=os_ip.INTERNAL). Although this is a change in behaviour, I believe that no charms are calling get_certs_and_keys directly and the risk is very low. Change-Id: I598bc822afa535fc865a333033069cfe05d7259d Closes-Bug: #1744886
parent
536333a47d
commit
6cfcb8b798
@ -509,6 +509,13 @@ class HAOpenStackCharm(OpenStackAPICharm):
|
|||
if restart:
|
||||
ch_host.service_restart('apache2')
|
||||
|
||||
def get_default_cn(self):
|
||||
"""Return the default Canonical Name to be used for SSL setup
|
||||
|
||||
@returns 'canonical_name'
|
||||
"""
|
||||
return os_ip.resolve_address(endpoint_type=os_ip.INTERNAL)
|
||||
|
||||
def configure_cert(self, cert, key, cn=None):
|
||||
"""Configure service SSL cert and key
|
||||
|
||||
|
@ -525,7 +532,8 @@ class HAOpenStackCharm(OpenStackAPICharm):
|
|||
ssl_dir = os.path.join('/etc/apache2/ssl/', self.name)
|
||||
|
||||
if not cn:
|
||||
cn = os_ip.resolve_address(endpoint_type=os_ip.INTERNAL)
|
||||
cn = self.get_default_cn()
|
||||
|
||||
ch_host.mkdir(path=ssl_dir)
|
||||
if cn:
|
||||
cert_filename = 'cert_{}'.format(cn)
|
||||
|
@ -576,7 +584,7 @@ class HAOpenStackCharm(OpenStackAPICharm):
|
|||
'cert': self.config_defined_ssl_cert.decode('utf-8'),
|
||||
'ca': (self.config_defined_ssl_ca.decode('utf-8')
|
||||
if self.config_defined_ssl_ca else None),
|
||||
'cn': None}]
|
||||
'cn': self.get_default_cn()}]
|
||||
elif keystone_interface:
|
||||
keys_and_certs = []
|
||||
for addr in self.get_local_addresses():
|
||||
|
|
|
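Review bot: The docstring of the new `get_default_cn` in the first hunk is misleading: `cn` here is the X.509 Common Name, not a "Canonical Name", and the value is whatever `os_ip.resolve_address(endpoint_type=os_ip.INTERNAL)` returns (the VIP when clustered, according to the commit message), which also ends up in the on-disk filename via `cert_filename = 'cert_{}'.format(cn)` in the second hunk. I would replace the docstring with `"""Return the default X.509 Common Name (CN) for SSL setup.` / `The CN is the resolved INTERNAL endpoint address (the VIP when clustered), so it also keys the cert/key filenames written by configure_cert.` / `@returns address string from os_ip.resolve_address(endpoint_type=os_ip.INTERNAL)`. Because the CN now tracks the address, it looks like an address change (e.g. a VIP being added or removed) writes a new `cert_<new-cn>` but nothing in view removes the previous `cert_<old-cn>` and its key, so a stale private key may linger in ssl_dir; worth confirming in the part of configure_cert that follows the hunk and, if so, unlinking the old pair. Both configure_cert and get_certs_and_keys continue outside these hunks.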
@ -672,22 +672,24 @@ class TestHAOpenStackCharm(BaseOpenStackCharmTest):
|
|||
'ssl_cert': base64.b64encode(b'cert'),
|
||||
'ssl_ca': base64.b64encode(b'ca')}
|
||||
self.patch_target('config', new=config)
|
||||
self.patch_object(chm.os_ip, 'resolve_address', 'addr')
|
||||
self.patch_object(chm.os_utils, 'snap_install_requested',
|
||||
return_value=False)
|
||||
self.assertEqual(
|
||||
self.target.get_certs_and_keys(),
|
||||
[{'key': 'key', 'cert': 'cert', 'ca': 'ca', 'cn': None}])
|
||||
[{'key': 'key', 'cert': 'cert', 'ca': 'ca', 'cn': 'addr'}])
|
||||
|
||||
def test_get_certs_and_keys_noca(self):
|
||||
config = {
|
||||
'ssl_key': base64.b64encode(b'key'),
|
||||
'ssl_cert': base64.b64encode(b'cert')}
|
||||
self.patch_target('config', new=config)
|
||||
self.patch_object(chm.os_ip, 'resolve_address', 'addr')
|
||||
self.patch_object(chm.os_utils, 'snap_install_requested',
|
||||
return_value=False)
|
||||
self.assertEqual(
|
||||
self.target.get_certs_and_keys(),
|
||||
[{'key': 'key', 'cert': 'cert', 'ca': None, 'cn': None}])
|
||||
[{'key': 'key', 'cert': 'cert', 'ca': None, 'cn': 'addr'}])
|
||||
|
||||
def test_get_certs_and_keys_ks_interface(self):
|
||||
class KSInterface(object):
|
||||
|
|
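Review bot: The two updated tests only check that the mocked return value is propagated into `cn`; they never assert that `resolve_address` was called with `endpoint_type=chm.os_ip.INTERNAL`, which is the property the commit exists to guarantee (the CN must follow the INTERNAL endpoint, i.e. the VIP when clustered), so a regression that resolves the PUBLIC or ADMIN address would still pass. Assuming patch_object exposes the started mock as `self.resolve_address`, as the other tests in this module appear to rely on, add `self.resolve_address.assert_called_once_with(endpoint_type=chm.os_ip.INTERNAL)` after each `assertEqual`. As a point of style, `self.patch_object(chm.os_ip, 'resolve_address', 'addr')` passes the return value positionally while the adjacent `snap_install_requested` patch uses `return_value=False`; writing `return_value='addr'` in both tests makes the intent explicit. `test_get_certs_and_keys_ks_interface` continues past the end of the hunk.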