Render SSL config when resolve_address changes

When certs and keys are supplied directly to the charm,
get_certs_and_keys is hardcoded to return a cn of None. However,
when the certs are written to disk configure_cert checks if the cn
is None and if it is sets the cn to
os_ip.resolve_address(endpoint_type=os_ip.INTERNAL). This causes an
issue because generating the certs and keys is gated on a change to
the return of get_certs_and_keys which always sets cn to None,
however when the charm is clustered os_ip.resolve_address will
return the vip which should change the cn. This means that if the
charm transitions from un-clustered to clustered ssl certs will not
be reconfigured if they have been configured already despite the cn
having changed.

This patch changes the default of cn in get_certs_and_keys to be
os_ip.resolve_address(endpoint_type=os_ip.INTERNAL). Although this
is a change in behaviour I believe that no charms are calling
get_certs_and_keys directly and the risk is very low.

Change-Id: I598bc822afa535fc865a333033069cfe05d7259d
Closes-Bug: #1744886
This commit is contained in:
Liam Young 2018-01-23 10:47:44 +00:00
parent 536333a47d
commit 6cfcb8b798
2 changed files with 14 additions and 4 deletions


@ -509,6 +509,13 @@ class HAOpenStackCharm(OpenStackAPICharm):
if restart:
ch_host.service_restart('apache2')
def get_default_cn(self):
"""Return the default Canonical Name to be used for SSL setup
@returns 'canonical_name'
"""
return os_ip.resolve_address(endpoint_type=os_ip.INTERNAL)
def configure_cert(self, cert, key, cn=None):
"""Configure service SSL cert and key
@ -525,7 +532,8 @@ class HAOpenStackCharm(OpenStackAPICharm):
ssl_dir = os.path.join('/etc/apache2/ssl/', self.name)
if not cn:
cn = os_ip.resolve_address(endpoint_type=os_ip.INTERNAL)
cn = self.get_default_cn()
ch_host.mkdir(path=ssl_dir)
if cn:
cert_filename = 'cert_{}'.format(cn)
@ -576,7 +584,7 @@ class HAOpenStackCharm(OpenStackAPICharm):
'cert': self.config_defined_ssl_cert.decode('utf-8'),
'ca': (self.config_defined_ssl_ca.decode('utf-8')
if self.config_defined_ssl_ca else None),
'cn': None}]
'cn': self.get_default_cn()}]
elif keystone_interface:
keys_and_certs = []
for addr in self.get_local_addresses():
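Review bot: The docstring on `get_default_cn` in the first hunk says "Canonical Name", but the value is used as the X.509 Common Name (the `cn` passed into `configure_cert` and the `'cn'` key returned by `get_certs_and_keys`), so the term is misleading and the `@returns 'canonical_name'` line quotes a literal the method never returns. Suggest `"""Return the default Common Name (CN) used for SSL setup.` followed by a line stating that it resolves the INTERNAL endpoint via `os_ip.resolve_address`, which in a clustered deployment is the VIP, so the value can change on a cluster transition, and `@returns the resolved INTERNAL endpoint address (IP or hostname)`. Since this CN also becomes the `cert_{}` filename suffix in the second hunk, documenting that the return value is a resolved address rather than a fixed name helps readers see why the SSL config is re-rendered when the address changes. `configure_cert` starts in the first hunk and continues past the second; `get_certs_and_keys` in the third hunk is also cut at both ends.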


@ -672,22 +672,24 @@ class TestHAOpenStackCharm(BaseOpenStackCharmTest):
'ssl_cert': base64.b64encode(b'cert'),
'ssl_ca': base64.b64encode(b'ca')}
self.patch_target('config', new=config)
self.patch_object(chm.os_ip, 'resolve_address', 'addr')
self.patch_object(chm.os_utils, 'snap_install_requested',
return_value=False)
self.assertEqual(
self.target.get_certs_and_keys(),
[{'key': 'key', 'cert': 'cert', 'ca': 'ca', 'cn': None}])
[{'key': 'key', 'cert': 'cert', 'ca': 'ca', 'cn': 'addr'}])
def test_get_certs_and_keys_noca(self):
config = {
'ssl_key': base64.b64encode(b'key'),
'ssl_cert': base64.b64encode(b'cert')}
self.patch_target('config', new=config)
self.patch_object(chm.os_ip, 'resolve_address', 'addr')
self.patch_object(chm.os_utils, 'snap_install_requested',
return_value=False)
self.assertEqual(
self.target.get_certs_and_keys(),
[{'key': 'key', 'cert': 'cert', 'ca': None, 'cn': None}])
[{'key': 'key', 'cert': 'cert', 'ca': None, 'cn': 'addr'}])
def test_get_certs_and_keys_ks_interface(self):
class KSInterface(object):