Ensure that certificates are correctly managed.

When the certificates relation is ready before the
HA relation is clustered, the VIP symlinks will not
be created pointing at the correct certificates. This
change updates the HA handlers to ensure that the
certificate relation is handled after clustering,
if there are any certificate relations.

Change-Id: Idfbdaf7919569983cdf159e44a6dad26eccfd195
Closes-Bug: #1886077
(cherry picked from commit 71b7eedfc5)

hooks/keystone_hooks.py

@@ -607,6 +607,10 @@ def ha_changed():
     if clustered:
         log('Cluster configured, notifying other services and updating '
             'keystone endpoint configuration')
+        for rid in relation_ids('certificates'):
+            if related_units(rid):
+                for unit in related_units(rid):
+                    certs_changed(rid, unit)
         if (is_db_initialised() and is_elected_leader(CLUSTER_RES) and not
                 is_unit_paused_set()):
             ensure_initial_admin(config)

unit_tests/test_keystone_hooks.py

@@ -529,6 +529,7 @@ class KeystoneRelationTests(CharmTestCase):
         hooks.ha_changed()
         self.assertTrue(configs.write_all.called)
 
+    @patch.object(hooks, 'relation_ids')
     @patch.object(hooks, 'update_all_fid_backends')
     @patch.object(hooks, 'update_all_domain_backends')
     @patch.object(hooks, 'update_all_identity_relation_units')
@@ -542,19 +543,56 @@ class KeystoneRelationTests(CharmTestCase):
                                                   mock_is_db_initialised,
                                                   update_ids,
                                                   update_domains,
-                                                  update_fids):
+                                                  update_fids,
+                                                  relation_ids):
         mock_is_db_initialised.return_value = True
         self.is_db_ready.return_value = True
         self.relation_get.return_value = True
         self.relation_ids.return_value = ['identity-service:0']
         self.related_units.return_value = ['unit/0']
-
+        relation_ids.return_value = []
         hooks.ha_changed()
         self.assertTrue(configs.write_all.called)
         update_ids.assert_called_once_with()
         update_domains.assert_called_once_with()
         update_fids.assert_called_once_with()
 
+    @patch.object(hooks, 'certs_changed')
+    @patch.object(hooks, 'related_units')
+    @patch.object(hooks, 'relation_ids')
+    @patch.object(hooks, 'update_all_fid_backends')
+    @patch.object(hooks, 'update_all_domain_backends')
+    @patch.object(hooks, 'update_all_identity_relation_units')
+    @patch.object(hooks, 'is_db_initialised')
+    @patch('keystone_utils.log')
+    @patch.object(hooks, 'identity_changed')
+    @patch.object(hooks, 'CONFIGS')
+    def test_ha_relation_changed_clustered_leader_with_certs(
+            self,
+            configs,
+            identity_changed,
+            mock_log,
+            mock_is_db_initialised,
+            update_ids,
+            update_domains,
+            update_fids,
+            relation_ids,
+            related_units,
+            certs_changed):
+        mock_is_db_initialised.return_value = True
+        self.is_db_ready.return_value = True
+        self.relation_get.return_value = True
+        self.relation_ids.return_value = ['identity-service:0']
+        self.related_units.return_value = ['unit/0']
+        relation_ids.return_value = ['1']
+        related_units.return_value = ['2']
+        hooks.ha_changed()
+        self.assertTrue(configs.write_all.called)
+        update_ids.assert_called_once_with()
+        update_domains.assert_called_once_with()
+        update_fids.assert_called_once_with()
+        certs_changed.assert_called_once_with('1', '2')
+
     @patch('keystone_utils.log')
     @patch.object(hooks, 'CONFIGS')
     def test_configure_https_enable(self, configs, mock_log):