Retrieve chassis certificates from subordinate relation

When OVN provider driver is enabled, retrieve chassis certificates from subordinate. While a principal and subordinate charm executes in the same environment, the payload usually execute under different service accounts and as such it is impractical and may be less secure to attempt to provide direct on-disk file access. Also reverts commit bc0f83fee6. Closes-Bug: #1918271 Related-Bug: #1885936 Change-Id: I4bc65ea1fcf3c01b68ed92b31e91a64940afe10e
2021-05-12 10:44:24 +02:00 · 2021-05-12 10:44:24 +02:00 · f1a602ca41
parent 062d9971f1
commit f1a602ca41
5 changed files with 26 additions and 10 deletions
--- a/src/lib/charm/openstack/octavia.py
+++ b/src/lib/charm/openstack/octavia.py
@ -422,13 +422,6 @@ class BaseOctaviaCharm(ch_plugins.PolicydOverridePlugin,
                 'examine documentation')]
        return states_to_check

-    def custom_assess_status_check(self):
-        """Check required configuration options are set"""
-        if (reactive.is_flag_set('charm.octavia.enable-ovn-driver') and not
-                reactive.is_flag_set('certificates.available')):
-            return "blocked", "Certificates missing"
-        return None, None
-
    def get_amqp_credentials(self):
        """Configure the AMQP credentials for Octavia."""
        return ('octavia', 'openstack')
@ -508,3 +501,17 @@ class VictoriaOctaviaCharm(BaseOctaviaCharm):
        if reactive.is_flag_set('charm.octavia.enable-ovn-driver'):
            _services.extend(['octavia-driver-agent'])
        return _services
+
+    @property
+    def restart_map(self):
+        _restart_map = super().restart_map
+        if reactive.is_flag_set('charm.octavia.enable-ovn-driver'):
+            _restart_map.update({
+                os.path.join(OCTAVIA_DIR, 'ovn_ca_cert.pem'): [
+                    'octavia-driver-agent'],
+                os.path.join(OCTAVIA_DIR, 'ovn_certificate.pem'): [
+                    'octavia-driver-agent'],
+                os.path.join(OCTAVIA_DIR, 'ovn_private_key.pem'): [
+                    'octavia-driver-agent'],
+            })
+        return _restart_map
--- a/src/templates/victoria/octavia.conf
+++ b/src/templates/victoria/octavia.conf
@ -10,9 +10,9 @@ enabled_provider_drivers = amphora:The Octavia Amphora driver,ovn:Octavia OVN dr

 [ovn]
 ovn_nb_connection={{ ','.join(ovsdb_cms.db_nb_connection_strs) }}
-ovn_nb_private_key=/etc/apache2/ssl/{{ options.service_name }}/key_{{ ovsdb_subordinate.chassis_name }}
-ovn_nb_certificate=/etc/apache2/ssl/{{ options.service_name }}/cert_{{ ovsdb_subordinate.chassis_name }}
-ovn_nb_ca_cert=/etc/ssl/certs/ca-certificates.crt
+ovn_nb_private_key=/etc/octavia/ovn_private_key.pem
+ovn_nb_certificate=/etc/octavia/ovn_certificate.pem
+ovn_nb_ca_cert=/etc/octavia/ovn_ca_cert.pem

 [driver_agent]
 enabled_provider_agents = ovn
--- a/src/templates/victoria/ovn_ca_cert.pem
+++ b/src/templates/victoria/ovn_ca_cert.pem
@ -0,0 +1,3 @@
+{% if ovsdb_subordinate -%}
+{{ ovsdb_subordinate.chassis_certificates.get('ca_cert', '') }}
+{% endif -%}
--- a/src/templates/victoria/ovn_certificate.pem
+++ b/src/templates/victoria/ovn_certificate.pem
@ -0,0 +1,3 @@
+{% if ovsdb_subordinate -%}
+{{ ovsdb_subordinate.chassis_certificates.get('certificate', '') }}
+{% endif -%}
--- a/src/templates/victoria/ovn_private_key.pem
+++ b/src/templates/victoria/ovn_private_key.pem
@ -0,0 +1,3 @@
+{% if ovsdb_subordinate -%}
+{{ ovsdb_subordinate.chassis_certificates.get('private_key', '') }}
+{% endif -%}