Commit Graph

291 Commits

Author SHA1 Message Date
selcem 8413b3f9ee Add crl-distribution-point to upload-signed-csr action
New configuration parameter updates URI for CRL Distribution points
inside Vault, to a publicly-accessible location. The purpose is not
to impact all users, so I did not add a global configuration
parameter. Instead, only 'upload_signed_csr' action was updated
with an optional parameter introduced named 'crl-distribution-point'.

Closes-bug: #2048237
Change-Id: I8dbfc0deb9f547100bb63bd6b20737734e97667b
2024-01-18 16:11:32 +03:00
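The CRL Distribution Point that the action above pushes into Vault ends up in every certificate issued afterwards, so the URL has to be one that relying parties outside the model can reach. The following is an added example, not code from the vault charm: it validates such a URL and builds the body for Vault's documented PKI `config/urls` endpoint (the same request `vault write <mount>/config/urls ...` makes). The reachability rule (reject loopback, link-local and private IP literals) and the mount name used in the test are this example's own assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Example code added for illustration; not part of the vault charm. The
# endpoint and field names are Vault's PKI "config/urls" API; how the charm
# plumbs the action parameter through to it is not shown here.


def validate_public_url(url: str) -> str:
    """Return url unchanged if it is an absolute http(s) URL whose host is
    not a loopback, link-local or private-range IP literal; raise ValueError
    otherwise. A CRL distribution point only helps clients that can fetch
    it, so model-internal addresses are rejected (assumed policy). Hostnames
    are accepted as-is; DNS reachability is not checked offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"{url!r}: scheme must be http or https")
    if not parts.hostname:
        raise ValueError(f"{url!r}: missing host")
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return url  # a DNS name, not an IP literal
    if addr.is_loopback or addr.is_link_local or addr.is_private:
        raise ValueError(f"{url!r}: {addr} is not publicly routable")
    return url


def is_public_url(url: str) -> bool:
    try:
        validate_public_url(url)
    except ValueError:
        return False
    return True


def build_pki_urls_payload(crl_distribution_points, issuing_certificates=()):
    """Request body for POST /v1/<mount>/config/urls. Vault stores these
    URLs and stamps them into certificates issued from then on; already
    issued certificates are not rewritten."""
    payload = {
        "crl_distribution_points": [
            validate_public_url(u) for u in crl_distribution_points
        ],
    }
    if issuing_certificates:
        payload["issuing_certificates"] = [
            validate_public_url(u) for u in issuing_certificates
        ]
    return payload


def vault_write_argv(mount: str, payload: dict) -> list:
    """Equivalent CLI invocation; a list-valued field is passed by
    repeating the key, which the Vault CLI collects into a list."""
    argv = ["vault", "write", f"{mount}/config/urls"]
    for key, values in payload.items():
        argv.extend(f"{key}={v}" for v in values)
    return argv
```

Certificates issued before the URL was set keep whatever CRL DP they were minted with, so after changing the parameter the certificates already handed out over the `tls-certificates` relation still need to be reissued before clients see the new location.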
Trung Thanh Phan e00cb3f3f4 Remove 'tls_insecure_skip_verify' in vault config
This commit removes the tls_insecure_skip_verify field in the vault
config template. This was added as a workaround for a bug in the vault's
etcd client before 1.4.0 release. Since all channels now use 1.5 or
newer versions of vault, this line can be removed.

Change-Id: I64f1c2c9ced8ae4dff2bf232c6e673b596f84a14
Closes-Bug: #1979582
2023-10-04 11:34:05 +00:00
Felipe Reyes 8d72e64d84 Fix path to vault charm in testing bundles
Change-Id: I41437d989b38e8c5424dabd72eceb1704e95a28c
2023-08-10 21:26:01 +00:00
Zuul 44970e7038 Merge "Fix broken v4 caching due to leader-get asymmetry" 2023-08-09 16:34:45 +00:00
David Negreira 3c6194d536 Add support for lunar
As lunar introduces python3.11, psycopg2 version needs to be at least
version 2.9.5 to support it.
Modify the tests to run on Lunar and remove the Kinetic ones.

Closes-Bug: #2025983

Change-Id: Iaf459368a092f09d3455b014289eca6e7bf4d047
Signed-off-by: David Negreira <david.negreira@canonical.com>
2023-08-07 13:12:53 -04:00
Alex Kavanagh d925ac7566 Fix broken v4 caching due to leader-get asymmetry
leader-get decodes using json, but leader-set just sets the keys. This
wasn't taken into consideration when fetching all the keys to filter for
cached keys when a relation is leaving.  This is resolved in this patch.

Change-Id: I2d44ec0c43c1ecffd9ac77a1162ead4e4a01aabe
2023-08-07 11:37:52 +01:00
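The commit above is terse about which call sites broke, so the following added example (not the charm's code) only models the general invariant behind it: `leader-set` stores plain strings while `leader-get` output is decoded with `json.loads`, so a cache entry must be JSON-encoded on write and decoded again on read, and a prefix filter over the full settings map must work on the keys alone. The `LeaderSettings` class is a stand-in for the Juju CLI written for this example, and the `cert-cache-` key prefix is an assumed naming scheme, not the charm's.

```python
import json

CACHE_PREFIX = "cert-cache-"  # assumed key naming for this example only


class LeaderSettings:
    """Stand-in for the Juju leader-settings CLI (written for this example).
    'leader-set k=v' stores v as a plain string and an empty value removes
    the key; 'leader-get --format=json' emits JSON that the charm helper
    decodes with json.loads. A value that is itself JSON text therefore
    comes back as a str and needs a second decode."""

    def __init__(self):
        self._raw = {}

    def leader_set(self, settings):
        for key, value in settings.items():
            if not isinstance(value, str):
                raise TypeError(
                    f"leader-set only takes strings, got {type(value).__name__} for {key}"
                )
            if value == "":
                self._raw.pop(key, None)
            else:
                self._raw[key] = value

    def leader_get(self, attribute=None):
        # Emulate the CLI serialising to JSON and the helper decoding it.
        if attribute is None:
            return json.loads(json.dumps(self._raw))
        return json.loads(json.dumps(self._raw.get(attribute)))


def cache_put(store, unit_name, cert_bundle):
    """Encode on write: the whole bundle becomes one JSON string value."""
    store.leader_set({CACHE_PREFIX + unit_name: json.dumps(cert_bundle, sort_keys=True)})


def cache_get(store, unit_name):
    """Decode on read, mirroring cache_put; None when nothing is cached."""
    raw = store.leader_get(CACHE_PREFIX + unit_name)
    return None if raw is None else json.loads(raw)


def cached_units(store):
    """Filter the full settings map by key prefix. Only keys are inspected,
    so it does not matter that the values are still JSON strings here."""
    return sorted(
        k[len(CACHE_PREFIX):] for k in store.leader_get() if k.startswith(CACHE_PREFIX)
    )


def cache_evict(store, unit_name):
    """Unset the entry for a departing unit (an empty value removes the key)."""
    store.leader_set({CACHE_PREFIX + unit_name: ""})
```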
Zuul e40b8bdc56 Merge "Add mantic support" 2023-08-04 19:42:56 +00:00
Corey Bryant bb08c78cb1 Add mantic support
Change-Id: I1099f1a47a2f2f59732ba52699070bdba24eebc1
2023-08-03 13:58:24 -04:00
Martin Kalcok 1a1953b0ef Implement cert cache for vault units (v4)
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.

This patch is mostly the same as
I18aa6c9193379ea454851b6f60a8f331ef88a980
but improved to avoid LP#1896542 by removing
the section where a certificate can be reused
from cache during create_certs.

Co-Authored-By: Rodrigo Barbieri <rodrigo.barbieri@canonical.com>
Co-Authored-By: Alex Kavanagh <alex.kavanagh@canonical.com>

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1084

Closes-Bug: #1940549
Closes-Bug: #1983269
Closes-Bug: #1845961
Related-Bug: #1896542
Change-Id: I0cca13d2042d61ffc6a7c13eccb0ec8c292020c9
2023-07-26 08:54:22 +00:00
Alex Kavanagh c331210e22 Convert the charm to binary wheel builds
Converting the charm to binary builds provides two benefits:

 - build time issues are moved to testing rather than (failing) at the
   install time, which can often happen after the charm is pushed to the
   charmhub.
 - the install time is much, much faster. This means upgrades take < 1m
   rather than 3-4m.

Change-Id: Ib4f4a8acf807de0406b9588d32750e3a48ff2841
2023-07-20 16:44:47 +01:00
Jadon Naas ecd78eb53c Add docs key and point at Discourse
Add the 'docs' key and point it at a Discourse topic
previously populated with the charm's README contents.

When the new charm revision is released to the Charmhub,
this Discourse-based content will be displayed there. In
the absence of this new key, the Charmhub's default
behaviour is to display the value of the charm's
'description' key.

Change-Id: I51e3ce5347f2036165429145075e15c9801a26af
2023-07-11 16:56:36 -04:00
Robert Gildein 9e927889d0 Improve snap channel refresh mechanism
- stop vault.service before refreshing it
- added a warning note that changing the channel config option will
  cause the vault to be sealed

Related-Bug: 2007587
Change-Id: I240ebb4bd14932a6bf95f41da3f2cd7776742266
2023-06-22 17:13:30 +02:00
Zuul 3957514679 Merge "Add lunar and drop kinetic" 2023-04-20 15:20:50 +00:00
Zuul e86e6dd493 Merge "Revert "Implement cert cache for vault units (v3)"" 2023-04-18 02:04:15 +00:00
Alex Kavanagh 38e00f460d Revert "Implement cert cache for vault units (v3)"
This reverts commit 04a237660b.

Reason for revert:

The bug in [1] caused all the yoga tests to fail in integration testing.  Testing with a version of the charm without this commit allowed tests to complete.  Thus reverting this until a more complete solution can be found to the original bug(s) [2..4]

[1] https://bugs.launchpad.net/charm-keystone/+bug/2015103
[2] LP #1940549
[3] LP #1983269
[4] LP #1845961

Change-Id: I8a794fbb30e921e5322e9023b891d5e17e0e6e8b
2023-04-14 18:03:42 +00:00
Corey Bryant d4f2c7b199 Add lunar and drop kinetic
Add 23.04 run-on base and add lunar to metadata.yaml.
Drop 22.10 run-on base and drop kinetic from metadata.yaml.

Change-Id: Ie6e5f106e8dfbd61402dc8376dde57e48ff4993b
2023-04-12 15:29:40 -04:00
Felipe Reyes 2c10c15132 Rebuild the charm
Rebuild the charm to pick up charms.reactive-1.5.2 which includes a fix
for when an application is a single unit.

Adding libpython3-dev to be able to build Cython

Related-Pr: https://github.com/juju-solutions/charms.reactive/pull/243
Change-Id: Ief281586efde5303c66bd7b0432589c9735c7f86
2023-04-06 15:04:15 -04:00
Liam Young 457a51377d Add `force` flag to get-csr
As bug/1947265 notes, running the get-csr action can result in the
CA being wiped from the leader DB. This change attempts to make
it clearer to the user that this action can be destructive.

* Deprecate the `get-csr` action and replace it with
  `regenerate-intermediate-ca`. They are functionally equivalent but
  the new name makes it clearer that the CA may be destroyed.

* Adds `force` option to the action. The force action must be used
  if a CA already exists.

* The functional test of rerunning the `regenerate-intermediate-ca`
  action is now included in the vault tests so no need to run the
  tests twice now.

Func-Test-PR: https://github.com/openstack-charmers/zaza-openstack-tests/pull/974
Change-Id: Ie01dd7ec0e9134689518b37b5d70c8dd5a556241
Closes-Bug: #1947265
2023-02-23 12:43:12 +00:00
Zuul 5f689e8f76 Merge "Rebuild to pickup charms.reactive update" 2023-02-14 14:06:17 +00:00
Rodrigo Barbieri 0ee53b3337 Rebuild to pickup charms.reactive update
Charms.reactive 1.5.2 containing fix
1db5d0ae59

Change-Id: Iee498357720a23525d72345f406a34dad13daa45
2023-02-13 14:01:39 -03:00
Corey Bryant d8f084028e Add kinetic support
Add 22.10 run-on base and add kinetic to metadata.yaml.

Change-Id: Ifc8412cf43d8cd6ff6426f9911f8264e364576cf
2023-01-31 10:12:31 -05:00
Zuul 15ab73ea72 Merge "Implement cert cache for vault units (v3)" 2023-01-23 11:13:22 +00:00
Andreas Hamacher 1ea06f6819 ssl certificate expiry check added to nagios relation
see https://bugs.launchpad.net/vault-charm/+bug/1998174

Change-Id: Ie56cd9b49f13bd2cd323c440a0e1a7f6d7d499b2
2023-01-18 11:07:39 +11:00
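A certificate-expiry check of the kind the commit above adds to the nagios relation needs two pieces: the leaf certificate's `notAfter`, and warning and critical thresholds mapped onto the plugin exit codes. The following is an added example, not the charm's check: it uses only the standard library (`ssl.cert_time_to_seconds` parses the `notAfter` format that `ssl.getpeercert()` returns). The thresholds (30 and 7 days), the default port 8200 and the dates in the test are this example's own choices.

```python
import socket
import ssl
import time

# Nagios/NRPE plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def days_until_expiry(not_after: str, now: float) -> float:
    """not_after uses the format ssl.getpeercert()['notAfter'] returns,
    e.g. 'Jan 18 16:11:32 2030 GMT'. Result is in days, negative if expired."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def check_cert_expiry(not_after: str, now=None, warn_days=30, crit_days=7):
    """Return (exit_code, status_line) in the usual plugin convention.
    Thresholds are assumed defaults for this example."""
    now = time.time() if now is None else now
    try:
        remaining = days_until_expiry(not_after, now)
    except ValueError as exc:
        return UNKNOWN, f"UNKNOWN: cannot parse notAfter {not_after!r}: {exc}"
    if remaining < 0:
        return CRITICAL, f"CRITICAL: certificate expired {-remaining:.1f} days ago ({not_after})"
    if remaining < crit_days:
        return CRITICAL, f"CRITICAL: certificate expires in {remaining:.1f} days ({not_after})"
    if remaining < warn_days:
        return WARNING, f"WARNING: certificate expires in {remaining:.1f} days ({not_after})"
    return OK, f"OK: certificate valid for {remaining:.1f} more days ({not_after})"


def fetch_not_after(host: str, port: int = 8200, cafile=None, timeout=5.0) -> str:
    """Fetch the leaf certificate's notAfter from a live TLS listener. The
    chain is verified against cafile (or the system store); with
    verification disabled getpeercert() returns {} and there is no date
    to check, so the check deliberately keeps verification on."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys

    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8200
    code, line = check_cert_expiry(fetch_not_after(sys.argv[1], port))
    print(line)
    sys.exit(code)
```

Run as `python3 check_cert_expiry.py vault.example.test 8200` from the NRPE host; the status line goes to stdout and the exit code is what Nagios reads.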
Liam Young 5bae2979e5 Fix charm for tox4 compatibility
Related-Bug: 2002788
Change-Id: Ib3d4f7ab7f884b47ce196c16357bffa11796cecc
2023-01-16 19:10:28 +00:00
Martin Kalcok 04a237660b Implement cert cache for vault units (v3)
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.

This patch is mostly the same as
f55055b878
but improved to avoid LP#1983269 by breaking
down the cert cache into separate key-value pairs
for each remote unit and avoiding a race-condition
caused by get-csr action. Instead of using
leader-settings, this patch is now using
application data bag provided by a new vault-ha
relation implementation.

Co-Authored-By: Rodrigo Barbieri <rodrigo.barbieri@canonical.com>

Change-Id: I18aa6c9193379ea454851b6f60a8f331ef88a980
Closes-Bug: #1940549
Closes-Bug: #1983269
Closes-Bug: #1845961
2023-01-12 11:51:12 -03:00
Tom Haddon 0188275580 Fix multiline notes and update obsolete add-relation juju command in README
Change-Id: I0326abbfe972062c9807083ebc3e0e80194d60a8
2022-11-25 10:44:46 +01:00
Corey Bryant d6789e7afd Re-enable cluster tests to osci.yaml
Commit 0b7d041279 removed focal
tests and added jammy/kinetic tests in support of the Zed release.
The jammy/kinetic cluster tests weren't added to osci.yaml, so
they are added back in this change.

Remaining focal bundles are also dropped in this change.

Change-Id: Ic53d71bc7ddb25bc6735a2cfe36b78a5d8f30648
2022-09-16 11:01:41 -04:00
Corey Bryant 0b7d041279 Add Kinetic and Zed support
* sync charm-helpers to classic charms
* change openstack-origin/source default to zed
* align testing with zed
* add new zed bundles
* add zed bundles to tests.yaml
* add zed tests to osci.yaml and .zuul.yaml
* update build-on and run-on bases
* add bindep.txt for py310
* sync tox.ini and requirements.txt for ruamel
* use charmcraft_channel 2.0/stable
* drop reactive plugin overrides
* move interface/layer env vars to charmcraft.yaml

Change-Id: I577fff942606ded9885e9ba6f29040ba3fc7fb27
2022-08-26 18:40:45 +00:00
Samuel Walladge 61fdf9ca77 Add embedded raft cluster storage support
Add support for using the embedded raft storage and ha storage engine,
and related management actions and config.

Closes-Bug: #1883242

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/827

Change-Id: I66a9315844ddb67d43e3e1c002073ed315b3b851
2022-08-10 15:20:11 +09:30
Alex Kavanagh 9bf2a4cb3c Revert "Implement cert cache for vault units (v2)"
This reverts commit f55055b878.

Reason for revert:

This patch breaks when issuing many certificates in large models due to CLI leader-set being overwhelmed: https://bugs.launchpad.net/vault-charm/+bug/1983269

Change-Id: I4854839b5278d1b4db325e44b78b1815b2751728
2022-08-01 18:08:35 +01:00
Samuel Walladge 212d2a7dba Fix use of get_chain
A recent change[1] switched to the newer methods in
hvac 11.2, but unfortunately the semantics between
client.secrets.pki.read_certificate() and client.read() are different,
in that the latter returns None on InvalidPath, whereas the former
allows the exception to bubble up.

This means that for the call sites here, we need to catch InvalidPath,
instead of the TypeError.
The original reason for TypeError was that the function
would end up calling None['key'] if read_certificate failed.

[1]: https://review.opendev.org/c/openstack/charm-vault/+/848205

Change-Id: I46b93457c8a757189802ca2c2cdf31cc9c5a9516
2022-07-28 10:41:32 +09:30
Alex Kavanagh ee3271063d Fix to is_ca_ready() which used read_role() incorrectly
A recent change [1] switched to the newer methods in
hvac 11.2, but unfortunately the semantics between
client.secrets.pki.read_role() and client.read() are different,
in that the latter returns None on InvalidPath, whereas the former
allows the exception to bubble up.

Also updates tests and fixes a mocking issue on service_reload.

[1] https://review.opendev.org/c/openstack/charm-vault/+/848205

Change-Id: Id3d112104b1aa45b242e402709fb855131d5203e
2022-07-14 12:38:18 +01:00
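Both commits above (the get_chain and the is_ca_ready fixes) are the same contract change: `client.read()` returned None for a missing path, while the `secrets.pki.read_*` methods raise `InvalidPath`, so a caller that used to catch the `TypeError` from subscripting None now has to catch `InvalidPath`. The following added example, not the charm's code, shows one adapter that restores the old contract at the call sites. Stand-ins replace hvac so it runs offline: in real use `InvalidPath` is `hvac.exceptions.InvalidPath` and the API object is `hvac.Client(...).secrets.pki` (the `read_certificate(serial, mount_point=...)` and `read_role(name, mount_point=...)` signatures are hvac's; the fake's storage layout, and treating role existence as "CA ready", are this example's assumptions).

```python
# Example code added here; not from the charm. Stand-ins replace hvac so
# the block runs offline (see the lead-in for what is real and assumed).


class InvalidPath(Exception):
    """hvac raises this when Vault answers 404 for a read."""


class FakePkiApi:
    """Mimics hvac's secrets.pki read_* methods: raise InvalidPath, never
    return None, for a path that does not exist."""

    def __init__(self, store):
        # {"<mount>/cert/<serial>": {...}, "<mount>/roles/<name>": {...}} (invented layout)
        self._store = store

    def _read(self, path):
        if path not in self._store:
            raise InvalidPath(f"no handler for {path}")
        return {"data": self._store[path]}

    def read_certificate(self, serial, mount_point="pki"):
        return self._read(f"{mount_point}/cert/{serial}")

    def read_role(self, name, mount_point="pki"):
        return self._read(f"{mount_point}/roles/{name}")


def read_or_none(method, *args, **kwargs):
    """Adapter restoring the older client.read() contract (None for a
    missing path) on top of the newer raising methods. Only InvalidPath is
    swallowed; auth or connection errors still propagate."""
    try:
        return method(*args, **kwargs)
    except InvalidPath:
        return None


def get_chain(pki, mount_point="pki"):
    """CA chain PEM for the mount, or None if no CA has been set up yet.
    The pre-fix code caught TypeError from subscripting None; with the
    newer API that branch is never reached, which is why the exception
    has to be handled instead."""
    resp = read_or_none(pki.read_certificate, "ca_chain", mount_point=mount_point)
    if resp is None:
        return None
    return resp["data"].get("certificate")


def is_ca_ready(pki, role, mount_point="pki"):
    """True once the role exists on the mount (used here as the readiness
    signal; an assumption of this example)."""
    return read_or_none(pki.read_role, role, mount_point=mount_point) is not None
```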
Samuel Walladge 68fecd9ba8 Update hvac library to latest version
Update deprecated method calls where possible,
and use new methods instead of lower level read/write calls.

Change-Id: I991435cdf8d36016e75c46823ec47f3290a42fe4
2022-07-04 09:34:33 +09:30
Samuel Walladge 4fccd71076 Reload vault on configure
Always reload on configure.
This ensures any certificates changed on disk will be reloaded.
(Such as the tcp listener certificate files.)

Closes-Bug: #1912261
Change-Id: Ic254f38d86c0e8323ed10a2eaa22462797d48605
2022-06-17 14:37:26 +09:30
Zuul 0da8001c12 Merge "Implement cert cache for vault units (v2)" 2022-05-17 06:17:30 +00:00
Zuul dde7c9b288 Merge "Add *.charm to gitignore" 2022-05-09 15:58:38 +00:00
Martin Kalcok f55055b878 Implement cert cache for vault units (v2)
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.

This patch is the same as
1159e547dd
but improved to avoid LP#1970888

Change-Id: Ic4dd009cc18c52e1667391b00ebba9928acc5937
Closes-Bug: #1940549
Closes-Bug: #1970888
2022-05-09 17:35:44 +02:00
Zuul f0116ae12e Merge "Revert "Implement cert cache for vault units."" 2022-04-29 12:57:46 +00:00
gnuoy 1956b5e680 Revert "Implement cert cache for vault units."
This reverts commit 1159e547dd.

Reason for revert: https://bugs.launchpad.net/vault-charm/+bug/1970888

Change-Id: I1770ea46c39f7f20f5d88d5aa65109d8b48740d2
2022-04-29 08:19:02 +00:00
Zuul 6da7d6f873 Merge "Implement cert cache for vault units." 2022-04-25 15:55:46 +00:00
Alex Kavanagh 34722f9b7a Add *.charm to gitignore
This patch adds *.charm to the .gitignore to ensure that any built
artifacts are ignored.

Change-Id: Ic3fce4ad7d81201b0053cde75972fce274a9b4a6
2022-04-25 15:50:42 +01:00
Martin Kalcok 1159e547dd Implement cert cache for vault units.
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.

Closes-Bug: #1940549
Change-Id: Iac989b30948fa43fe23851995a8ed00b08126587
2022-04-08 15:05:21 +02:00
James Page 0012b14c46 Updates for jammy enablement
- charmcraft: build-on 20.04 -> run-on 20.04/22.04 [*archs]
- Refresh tox targets
- Drop impish bundles and OSCI testing
- Add jammy metadata
- Set default channel to 1.8/stable

Change-Id: Ia9f2af61428f23dcccb9ca9966c42608a4738408
2022-04-05 15:42:53 +01:00
Jeff Hillman d8bfff76e4 Add action to generate certificate against the PKI.
Created action to utilize the existing
generate_certificate function for on demand
certificates against the existing vault PKI.

Closes-Bug: #1948837
Change-Id: Ia1a169623c81d6aede7dc52eabd2de94007fde80
2022-02-23 11:10:42 -06:00
Alex Kavanagh b797fcfcbf Update to build using charmcraft
Due to a build problem with the reactive plugin, this change falls back
on overriding the steps and doing a manual build, but it also ensures
the CI system builds the charm using charmcraft.  Changes:

- add a build-requirements.txt
- modify charmcraft.yaml
- modify osci.yaml
    -> indicate build with charmcraft
- modify tox.ini
    -> tox -e build does charmcraft build/rename
    -> tox -e build-reactive does the reactive build
- modify bundles to use the <charm>.charm artifact in tests.
  and fix deprecation warning re: prefix
- tox inception to enable tox -e func-test in the CI

Change-Id: Icb73919f247c60a9e18cc2e563f0fda9c620cb14
Co-authored-by: Aurelien Lourot <aurelien.lourot@canonical.com>
2022-02-03 14:58:43 +01:00
Alex Kavanagh c9fad3c4f0 Migrate charm to charmhub latest/edge track
Change-Id: I3614053d865b50310eac3657c86a561b136ff7df
2022-01-27 22:16:29 +00:00
Zuul 485d41dd38 Merge "Use unittest.mock instead of mock" 2021-12-16 10:26:17 +00:00
Hervé Beraud 1de27bc18f Use unittest.mock instead of mock
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.

Note that https://github.com/openstack/charms.openstack is used during tests
and it needs `mock`; unfortunately it doesn't declare `mock` in its
requirements, so it retrieves mock from another charm project (cross dependency).
So we depend on charms.openstack first, and when
Ib1ed5b598a52375e29e247db9ab4786df5b6d142 is merged, CI
will pass without errors.

Depends-On: Ib1ed5b598a52375e29e247db9ab4786df5b6d142
Change-Id: I1d7de2bd4d704ffc331fdeacea725e903890f296
2021-12-15 11:38:28 +00:00
Felipe Reyes 2b115c8d48 Register previous vip set for deletion.
When the vip is changed, the ones that are no longer present need to be
registered for deletion from pacemaker's configuration. This change
relies on hookenv.config.changed() to determine what vip(s) are no
longer present in the configuration and asks hacluster to remove them.

Closes-Bug: #1952363
Change-Id: I7b77cd4f57e1770faf92860ee7846bf480efdb9e
2021-11-29 20:49:16 -03:00
Zuul 0a03b2b36d Merge "Surround IPv6 addresses with []" 2021-11-23 21:28:54 +00:00