Add default certificates relation handlers
These were moved up to this layer from ``layer-openstack-api``, removal counterpart: I007275c041ca5465664a6b5d441e56c0316c405d

Guard the default handlers behind check for 'charms.openstack.do-default-certificates.available' flag.

This flag is activated when the consumer charm makes a call to charm.use_defaults('certificates.available') from its reactive handler. Previously it was always activated for all consumers of the ``openstack-api`` layer, it should be up to the charm implementation to choose.

We do not add back ``layer-tls-client``, the reason being that the reactive bits in ``layer-openstack`` in conjunction with helpers in ``charms.openstack`` are managing both the server and CA certificates and rely on the same flags to detect changes.

If we one day offload those tasks to the ``layer-tls-client`` we should add it back in conjunction with removing our code for this. At the time of this writing it would not be possible as ``layer-tls-client`` is not spaces aware.

With the above mentioned change we can stop relying on the now deprecated ``certificates.batch.cert.available`` flag.

We also do not add back the Keystone certificates handling code as this has been removed from the Keystone charm reference: openstack/charm-keystone/commit/17b24e7fde8e4c8c276a4f392cbae0d1d0ed2615

Needed-By: I007275c041ca5465664a6b5d441e56c0316c405d
Needed-By: I8a72acd451dd21e1b042b7f71f6d98e164737ac1
Closes-Bug: #1840899
Change-Id: I12f45236632b608e07fdd35d31b90b84ca92eb1f
parent
aa5bc57aea
commit
1df85ff800
21
config.yaml
|
@ -19,8 +19,27 @@ options:
|
|||
Openstack mostly defaults to using public endpoints for
|
||||
internal communication between services. If set to True this option
|
||||
will configure services to use internal endpoints where possible.
|
||||
ssl_cert:
|
||||
type: string
|
||||
default:
|
||||
description: |
|
||||
TLS certificate to install and use for any listening services.
|
||||
.
|
||||
__NOTE__: This configuration option will take precedence over any
|
||||
certificates received over the ``certificates`` relation.
|
||||
ssl_key:
|
||||
type: string
|
||||
default:
|
||||
description: |
|
||||
TLS key to use with certificate specified as ``ssl_cert``.
|
||||
.
|
||||
__NOTE__: This configuration option will take precedence over any
|
||||
certificates received over the ``certificates`` relation.
|
||||
ssl_ca:
|
||||
type: string
|
||||
default:
|
||||
description: |
|
||||
SSL CA to use to communicate with other OpenStack cloud components.
|
||||
TLS CA to use to communicate with other components in a deployment.
|
||||
.
|
||||
__NOTE__: This configuration option will take precedence over any
|
||||
certificates received over the ``certificates`` relation.
|
||||
|
|
|
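Review bot: the description of ``ssl_key`` (and likewise ``ssl_cert`` and ``ssl_ca``) does not say what format or encoding the string is expected in, nor what happens when only one of ``ssl_cert`` and ``ssl_key`` is set. Since ``ssl_key`` carries private key material in a plain ``type: string`` option, state the expected format and that the two options must be supplied together. The ``__NOTE__`` under ``ssl_key`` is copied from ``ssl_cert`` and speaks of "certificates received over the ``certificates`` relation"; wording it in terms of the key would match what the option holds.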
@ -1,2 +1,2 @@
|
|||
includes: ['layer:basic']
|
||||
includes: ['layer:basic', 'interface:tls-certificates']
|
||||
repo: 'https://github.com/openstack/charm-layer-openstack'
|
||||
|
|
|
@ -6,3 +6,6 @@ description: |
|
|||
tags:
|
||||
- openstack
|
||||
series: []
|
||||
requires:
|
||||
certificates:
|
||||
interface: tls-certificates
|
||||
|
|
|
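Review bot: the ``requires: certificates`` endpoint is declared here for every charm built on this layer, while the handlers that act on it are guarded by 'charms.openstack.do-default-certificates.available'. A charm that does not opt in will accept the relation and then do nothing with it, so the layer documentation should say that joining ``certificates`` enables TLS only when the charm calls charm.use_defaults('certificates.available') or ships its own handlers.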
@ -1,8 +1,9 @@
|
|||
import charms.reactive as reactive
|
||||
|
||||
import charmhelpers.core.unitdata as unitdata
|
||||
|
||||
import charms_openstack.charm as charm
|
||||
import charms_openstack.charm.defaults as defaults
|
||||
import charms.reactive as reactive
|
||||
|
||||
|
||||
@reactive.when_not('charm.installed')
|
||||
|
@ -89,3 +90,36 @@ def default_post_series_upgrade():
|
|||
"""
|
||||
with charm.provide_charm_instance() as instance:
|
||||
instance.series_upgrade_complete()
|
||||
|
||||
|
||||
@reactive.when('certificates.available',
|
||||
'charms.openstack.do-default-certificates.available')
|
||||
def default_request_certificates():
|
||||
"""When the certificates interface is available, this default handler
|
||||
requests TLS certificates.
|
||||
"""
|
||||
tls = reactive.endpoint_from_flag('certificates.available')
|
||||
with charm.provide_charm_instance() as instance:
|
||||
for cn, req in instance.get_certificate_requests().items():
|
||||
tls.add_request_server_cert(cn, req['sans'])
|
||||
tls.request_server_certs()
|
||||
instance.assess_status()
|
||||
|
||||
|
||||
@reactive.when('charms.openstack.do-default-certificates.available')
|
||||
@reactive.when_any(
|
||||
'certificates.ca.changed',
|
||||
'certificates.certs.changed')
|
||||
def default_configure_certificates():
|
||||
"""When the certificates interface is available, this default handler
|
||||
updates on-disk certificates and switches on the TLS support.
|
||||
"""
|
||||
tls = reactive.endpoint_from_flag('certificates.available')
|
||||
with charm.provide_charm_instance() as instance:
|
||||
instance.configure_tls(tls)
|
||||
# make charms.openstack required relation check happy
|
||||
reactive.set_flag('certificates.connected')
|
||||
for flag in 'certificates.ca.changed', 'certificates.certs.changed':
|
||||
if reactive.is_flag_set(flag):
|
||||
reactive.clear_flag(flag)
|
||||
instance.assess_status()
|
||||
|
|
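Review bot: in default_configure_certificates, 'certificates.connected' is set to satisfy the required relation check, but nothing in the visible lines clears it again, so the check could keep passing after the certificates relation has been removed. Add a handler that clears it when 'certificates.available' is no longer set, or note where that is already handled. The same function looks the endpoint up through 'certificates.available' without being gated on that flag; adding it to the ``@reactive.when`` decorator would make the precondition for ``instance.configure_tls(tls)`` explicit.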