From c1770ca3294c9e29216eb47cfb93eac2e9474c3d Mon Sep 17 00:00:00 2001
From: Liam Young <liam.young@canonical.com>
Date: Thu, 20 Aug 2020 07:29:38 +0000
Subject: [PATCH] Ensure that certificates are correctly managed.

When the certificates relation is ready before the
HA relation is clustered, the VIP symlinks will not
be created pointing at the correct certificates. This
change updates the HA handlers to ensure that the
certificate relation is handled after clustering,
if there are any certificate relations.

There was no functional test coverage for HA and TLS
deployments so this change also add a test for
those and CMR too. Having said that, the test
initialises vault once the deployments are
complete so is unlikely to trigger #1886077 the tests
to check there is no regression of existing
functionality.

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/389

Change-Id: I7c9c81318dbbcea618ac3781b8f19e8159e56bcb
Closes-Bug: #1886077
(cherry picked from commit b9905a9d3239fa59c18b4eaa25c44d02918c5c8c)
---
 .gitignore                                    |  1 +
 hooks/horizon_hooks.py                        |  6 +++
 test-requirements.txt                         |  1 +
 tests/bundles/bionic-queens-cmr-vault.yaml    | 47 +++++++++++++++++++
 tests/bundles/bionic-vault.yaml               | 12 +++++
 .../overlays/bionic-queens-cmr-vault.yaml.j2  | 12 +++++
 tests/bundles/overlays/bionic-vault.yaml.j2   |  7 +++
 tests/tests.yaml                              | 17 +++++++
 8 files changed, 103 insertions(+)
 create mode 100644 tests/bundles/bionic-queens-cmr-vault.yaml
 create mode 100644 tests/bundles/bionic-vault.yaml
 create mode 100644 tests/bundles/overlays/bionic-queens-cmr-vault.yaml.j2
 create mode 100644 tests/bundles/overlays/bionic-vault.yaml.j2

diff --git a/.gitignore b/.gitignore
index 1997ae74..d0cd35ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ tags
 .settings
 .stestr
 func-results.json
+tests/keystone_juju_ca_cert.crt
diff --git a/hooks/horizon_hooks.py b/hooks/horizon_hooks.py
index daed2fd5..1bbfaa4b 100755
--- a/hooks/horizon_hooks.py
+++ b/hooks/horizon_hooks.py
@@ -267,6 +267,12 @@ def ha_relation_joined(relation_id=None):
     relation_set(relation_id=relation_id, **settings)
 
 
+@hooks.hook('ha-relation-changed')
+def ha_changed():
+    for relid in relation_ids('certificates'):
+        certs_changed(relation_id=relid)
+
+
 @hooks.hook('website-relation-joined')
 def website_relation_joined():
     relation_set(port=70,
diff --git a/test-requirements.txt b/test-requirements.txt
index 7d9c2587..3ca60cbc 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -7,6 +7,7 @@
 #       requirements.  They are intertwined.  Also, Zaza itself should specify
 #       all of its own requirements and if it doesn't, fix it there.
 #
+setuptools<50.0.0 
 charm-tools>=2.4.4
 requests>=2.18.4
 mock>=1.2
diff --git a/tests/bundles/bionic-queens-cmr-vault.yaml b/tests/bundles/bionic-queens-cmr-vault.yaml
new file mode 100644
index 00000000..7fceb21f
--- /dev/null
+++ b/tests/bundles/bionic-queens-cmr-vault.yaml
@@ -0,0 +1,47 @@
+series: bionic
+
+comment:
+  - 'machines section to decide order of deployment. database sooner = faster'
+  - 'virt-type=kvm is workaround while awaiting new release of python-libjuju'
+
+machines:
+  '0':
+    constraints: virt-type=kvm mem=3072M
+  '1':
+    constraints: virt-type=kvm
+  '2':
+    constraints: virt-type=kvm mem=3072M
+  '3':
+    constraints: virt-type=kvm mem=3072M
+  '4':
+    constraints: virt-type=kvm mem=3072M
+
+relations:
+  - ["keystone:shared-db", "mysql:shared-db"]
+  - ["openstack-dashboard:shared-db", "mysql:shared-db"]
+  - ["openstack-dashboard:identity-service", "keystone:identity-service"]
+  - ["openstack-dashboard:ha", "hacluster:ha"]
+
+applications:
+  mysql:
+    charm: cs:~openstack-charmers-next/percona-cluster
+    num_units: 1
+    to:
+      - '0'
+  keystone:
+    charm: cs:~openstack-charmers-next/keystone
+    num_units: 1
+    to:
+      - '1'
+  openstack-dashboard:
+    charm: ../../../openstack-dashboard
+    num_units: 3
+    to:
+      - '2'
+      - '3'
+      - '4'
+  hacluster:
+    charm: cs:~openstack-charmers-next/hacluster
+    options:
+      corosync_transport: unicast
+      cluster_count: 3
diff --git a/tests/bundles/bionic-vault.yaml b/tests/bundles/bionic-vault.yaml
new file mode 100644
index 00000000..1eaa3e54
--- /dev/null
+++ b/tests/bundles/bionic-vault.yaml
@@ -0,0 +1,12 @@
+series: bionic
+services:
+  vault:
+    num_units: 1
+    series: bionic
+    charm: cs:~openstack-charmers-next/vault
+  mysql:
+    charm: cs:~openstack-charmers-next/percona-cluster
+    num_units: 1
+relations:
+- - vault:shared-db
+  - mysql:shared-db
diff --git a/tests/bundles/overlays/bionic-queens-cmr-vault.yaml.j2 b/tests/bundles/overlays/bionic-queens-cmr-vault.yaml.j2
new file mode 100644
index 00000000..03f3cb0e
--- /dev/null
+++ b/tests/bundles/overlays/bionic-queens-cmr-vault.yaml.j2
@@ -0,0 +1,12 @@
+applications:
+  openstack-dashboard:
+    options:
+        vip: '{{ OS_VIP00 }}'
+relations:
+- - openstack-dashboard:certificates
+  - vault:certificates
+- - keystone:certificates
+  - vault:certificates
+saas:
+  vault:
+    url: admin/{{ vault }}.vault
diff --git a/tests/bundles/overlays/bionic-vault.yaml.j2 b/tests/bundles/overlays/bionic-vault.yaml.j2
new file mode 100644
index 00000000..4127e626
--- /dev/null
+++ b/tests/bundles/overlays/bionic-vault.yaml.j2
@@ -0,0 +1,7 @@
+applications:
+  vault:
+    offers:
+      vault:
+        endpoints:
+        - secrets
+        - certificates
diff --git a/tests/tests.yaml b/tests/tests.yaml
index d4cbf804..06b9299b 100644
--- a/tests/tests.yaml
+++ b/tests/tests.yaml
@@ -6,6 +6,9 @@ comment:
 smoke_bundles:
   - bionic-stein
 gate_bundles:
+  - bionic-train-gr:
+    - vault: bionic-vault
+    - dashboard: bionic-queens-cmr-vault
   - trusty-mitaka
   - xenial-mitaka
   - xenial-ocata
@@ -23,9 +26,19 @@ dev_bundles:
   - groovy-victoria
 
 configure:
+  - vault:
+    - zaza.openstack.charm_tests.vault.setup.auto_initialize_no_validation_no_wait
+  - dashboard:
+    - zaza.openstack.charm_tests.keystone.setup.wait_for_cacert
+    - zaza.openstack.charm_tests.keystone.setup.add_demo_user
   - zaza.openstack.charm_tests.keystone.setup.add_demo_user
 
 tests:
+  - vault:
+    - zaza.charm_tests.noop.tests.NoopTest
+  - dashboard:
+    - zaza.openstack.charm_tests.openstack_dashboard.tests.OpenStackDashboardTests
+    - zaza.openstack.charm_tests.openstack_dashboard.tests.OpenStackDashboardPolicydTests
   - zaza.openstack.charm_tests.openstack_dashboard.tests.OpenStackDashboardTests
   - zaza.openstack.charm_tests.openstack_dashboard.tests.OpenStackDashboardPolicydTests
 tests_options:
@@ -33,3 +46,7 @@ tests_options:
     service: openstack-dashboard
   force_deploy:
     - groovy-victoria
+target_deploy_status:
+  vault:
+    workload-status: blocked
+    workload-status-message: Vault needs to be initialized