def configure_tls(self, certificates_interface=None): if certificates_interface is None: certificates_interface = reactive.endpoint_from_flag( 'certificates.available') tls_objects = super( charms_openstack.charm.OpenStackAPICharm, self).configure_tls( certificates_interface=certificates_interface) with is_data_changed( 'configure_ssl.ssl_objects', tls_objects) as changed: if tls_objects: for tls_object in tls_objects: self.set_state('ssl.requested', True) path = NGINX_SSL_DIR self.configure_cert( path, tls_object['cert'], tls_object['key'], cn=tls_object['cn']) if 'chain' in tls_object: self.configure_wsgate_ca( tls_object["ca"], tls_object['chain']) else: self.configure_wsgate_ca(tls_object["ca"]) self.configure_nginx(path, tls_object['cn']) self.service_reload('nginx') self.remove_state('ssl.requested') self.set_state('ssl.enabled', True) else: self.set_state('ssl.enabled', False)
def configure_ssl(self, keystone_interface=None): """Configure SSL certificates and keys NOTE(AJK): This function tries to minimise the work it does, particularly with writing files and restarting apache. @param keystone_interface KeystoneRequires class """ keystone_interface = ( relations.endpoint_from_flag('identity-service.available.ssl') or relations.endpoint_from_flag( 'identity-service.available.ssl_legacy')) ssl_objects = self.get_certs_and_keys( keystone_interface=keystone_interface) with is_data_changed('configure_ssl.ssl_objects', ssl_objects) as changed: if ssl_objects: if changed: for ssl in ssl_objects: self.set_state('ssl.requested', True) self.configure_cert(ssl['cert'], ssl['key'], cn=ssl['cn']) self.configure_ca(ssl['ca']) if not os_utils.snap_install_requested(): self.configure_apache() self.remove_state('ssl.requested') self.set_state('ssl.enabled', True) else: self.set_state('ssl.enabled', False) amqp_ssl = relations.endpoint_from_flag('amqp.available.ssl') if amqp_ssl: self.configure_rabbit_cert(amqp_ssl)
def maybe_setup_endpoint(keystone): """When the keystone interface connects, register this unit in the keystone catalogue. """ with provide_charm_instance() as instance: args = [ instance.service_type, instance.region, instance.public_url, instance.internal_url, instance.admin_url ] # This function checkes that the data has changed before sending it with is_data_changed('charms.openstack.register-endpoints', args) as c: if c: keystone.register_endpoints(*args)
def register_endpoints(keystone): """Register the endpoints when the identity-service connects. Note that this charm doesn't use the default endpoint registration function as it needs to register multiple endpoints, and thus needs a custom function in the charm. """ with charms_openstack.charm.provide_charm_instance() as congress_charm: args = [congress_charm.service_type, congress_charm.region, congress_charm.public_url, congress_charm.internal_url, congress_charm.admin_url] # This function checkes that the data has changed before sending it with is_data_changed('charms.openstack.register-endpoints', args) as c: if c: keystone.register_endpoints(*args)
def register_endpoints(keystone): """Register the endpoints when the identity-service connects. Note that this charm doesn't use the default endpoint registration function as it needs to register multiple endpoints, and thus needs a custom function in the charm. """ with charms_openstack.charm.provide_charm_instance() as congress_charm: args = [ congress_charm.service_type, congress_charm.region, congress_charm.public_url, congress_charm.internal_url, congress_charm.admin_url ] # This function checkes that the data has changed before sending it with is_data_changed('charms.openstack.register-endpoints', args) as c: if c: keystone.register_endpoints(*args)
def test_is_data_changed(self): class FakeKV(object): def __init__(self): self.store = {} def get(self, key): return self.store.get(key, None) def set(self, key, value): self.store[key] = value store = FakeKV() self.patch_object(utils.core.unitdata, "kv", new=lambda: store) with utils.is_data_changed('foo', { 'foo': 'FOO', 'bar': u'\ua000BAR' }) as f: self.assertTrue(f) with utils.is_data_changed('foo', { 'foo': 'FOO', 'bar': u'\ua000BAR' }) as f: self.assertFalse(f) with utils.is_data_changed('bar', { 'foo': 'FOO', 'bar': u'\ua000BAR' }) as f: self.assertTrue(f) with utils.is_data_changed('bar', { 'foo': 'FOO', 'bar': u'\ua000BAR' }) as f: self.assertFalse(f) # check that raising an exception doesn't cause a data change hash = store.get('charms.openstack.data_changed.bar') try: with utils.is_data_changed('bar', "string") as f: self.assertTrue(f) raise Exception() except Exception: pass self.assertEqual(hash, store.get('charms.openstack.data_changed.bar')) # check that raising an exception AND having the flag set causes a # change try: with utils.is_data_changed('bar', "string", no_change_on_exception=False) as f: self.assertTrue(f) raise Exception() except Exception: pass self.assertNotEqual(hash, store.get('charms.openstack.data_changed.bar'))
def configure_ssl(self, keystone_interface=None): """Configure SSL certificates and keys NOTE(AJK): This function tries to minimise the work it does, particularly with writing files and restarting apache. @param keystone_interface KeystoneRequires class """ keystone_interface = ( relations.endpoint_from_flag('identity-service.available.ssl') or relations .endpoint_from_flag('identity-service.available.ssl_legacy')) certificates_interface = relations.endpoint_from_flag( 'certificates.batch.cert.available') ssl_objects = self.get_certs_and_keys( keystone_interface=keystone_interface, certificates_interface=certificates_interface) with is_data_changed('configure_ssl.ssl_objects', ssl_objects) as changed: if ssl_objects: # NOTE(fnordahl): regardless of changes to data we may # have other changes we want to apply to the files. # (e.g. ownership, permissions) # # Also note that c-h.host.write_file used in configure_cert() # has it's own logic to detect data changes. # # LP: #1821314 for ssl in ssl_objects: self.set_state('ssl.requested', True) self.configure_cert( ssl['cert'], ssl['key'], cn=ssl['cn']) self.configure_ca(ssl['ca']) cert_utils.create_ip_cert_links( os.path.join('/etc/apache2/ssl/', self.name)) if not os_utils.snap_install_requested() and changed: self.configure_apache() ch_host.service_reload('apache2') self.remove_state('ssl.requested') self.set_state('ssl.enabled', True) else: self.set_state('ssl.enabled', False) amqp_ssl = relations.endpoint_from_flag('amqp.available.ssl') if amqp_ssl: self.configure_rabbit_cert(amqp_ssl)
def configure_tls(self, certificates_interface=None): """Configure TLS certificates and keys NOTE(AJK): This function tries to minimise the work it does, particularly with writing files and restarting apache. :param certificates_interface: certificates relation endpoint :type certificates_interface: TlsRequires(Endpoint) object """ # this takes care of writing out the CA certificate tls_objects = super().configure_tls( certificates_interface=certificates_interface) with is_data_changed( 'configure_ssl.ssl_objects', tls_objects) as changed: if tls_objects: # NOTE(fnordahl): regardless of changes to data we may # have other changes we want to apply to the files. # (e.g. ownership, permissions) # # Also note that c-h.host.write_file used in configure_cert() # has it's own logic to detect data changes. # # LP: #1821314 for tls_object in tls_objects: self.set_state('ssl.requested', True) if os_utils.snap_install_requested(): path = ('/var/snap/{snap_name}/common/etc/nginx/ssl' .format(snap_name=self.primary_snap)) else: path = os.path.join('/etc/apache2/ssl/', self.name) self.configure_cert( path, tls_object['cert'], tls_object['key'], cn=tls_object['cn']) cert_utils.create_ip_cert_links( os.path.join('/etc/apache2/ssl/', self.name)) if not os_utils.snap_install_requested() and changed: self.configure_apache() ch_host.service_reload('apache2') self.remove_state('ssl.requested') self.set_state('ssl.enabled', True) else: self.set_state('ssl.enabled', False)
def configure_ssl(self, keystone_interface=None): """Configure SSL certificates and keys NOTE(AJK): This function tries to minimise the work it does, particularly with writing files and restarting apache. @param keystone_interface KeystoneRequires class """ keystone_interface = ( relations.endpoint_from_flag('identity-service.available.ssl') or relations.endpoint_from_flag( 'identity-service.available.ssl_legacy')) certificates_interface = relations.endpoint_from_flag( 'certificates.batch.cert.available') ssl_objects = self.get_certs_and_keys( keystone_interface=keystone_interface, certificates_interface=certificates_interface) with is_data_changed('configure_ssl.ssl_objects', ssl_objects) as changed: if ssl_objects: # NOTE(fnordahl): regardless of changes to data we may # have other changes we want to apply to the files. # (e.g. ownership, permissions) # # Also note that c-h.host.write_file used in configure_cert() # has it's own logic to detect data changes. # # LP: #1821314 for ssl in ssl_objects: self.set_state('ssl.requested', True) self.configure_cert(ssl['cert'], ssl['key'], cn=ssl['cn']) self.configure_ca(ssl['ca']) cert_utils.create_ip_cert_links( os.path.join('/etc/apache2/ssl/', self.name)) if not os_utils.snap_install_requested() and changed: self.configure_apache() ch_host.service_reload('apache2') self.remove_state('ssl.requested') self.set_state('ssl.enabled', True) else: self.set_state('ssl.enabled', False) amqp_ssl = relations.endpoint_from_flag('amqp.available.ssl') if amqp_ssl: self.configure_rabbit_cert(amqp_ssl)
def update_peers(self, cluster): """Update peers in the cluster about the addresses that this unit holds. NOTE(AJK): This uses the helper is_data_changed() to track whether this has already been done, and doesn't re-advertise the changes if nothing has changed. @param cluster: the interface object for the cluster relation """ laddrs = [] for addr_type in sorted(os_ip.ADDRESS_MAP.keys()): cidr = self.config.get(os_ip.ADDRESS_MAP[addr_type]['config']) laddr = ch_ip.get_relation_ip( os_ip.ADDRESS_MAP[addr_type]['binding'], cidr) laddrs.append((addr_type, laddr)) with is_data_changed('update_peers.laddrs', laddrs) as changed: if changed: for (addr_type, laddr) in laddrs: cluster.set_address( os_ip.ADDRESS_MAP[addr_type]['binding'], laddr)
def configure_ssl(self, keystone_interface=None): """Configure SSL certificates and keys NOTE(AJK): This function tries to minimise the work it does, particularly with writing files and restarting apache. @param keystone_interface KeystoneRequires class """ keystone_interface = ( relations.endpoint_from_flag('identity-service.available.ssl') or relations .endpoint_from_flag('identity-service.available.ssl_legacy')) certificates_interface = relations.endpoint_from_flag( 'certificates.batch.cert.available') ssl_objects = self.get_certs_and_keys( keystone_interface=keystone_interface, certificates_interface=certificates_interface) with is_data_changed('configure_ssl.ssl_objects', ssl_objects) as changed: if ssl_objects: if changed: for ssl in ssl_objects: self.set_state('ssl.requested', True) self.configure_cert( ssl['cert'], ssl['key'], cn=ssl['cn']) self.configure_ca(ssl['ca']) cert_utils.create_ip_cert_links( os.path.join('/etc/apache2/ssl/', self.name)) if not os_utils.snap_install_requested(): self.configure_apache() ch_host.service_reload('apache2') self.remove_state('ssl.requested') self.set_state('ssl.enabled', True) else: self.set_state('ssl.enabled', False) amqp_ssl = relations.endpoint_from_flag('amqp.available.ssl') if amqp_ssl: self.configure_rabbit_cert(amqp_ssl)