stsstack-bundles

Overview
Code
Bugs
Blueprints
Translations
Answers

Merge ~hopem/stsstack-bundles:ensure-local-ca-installed-per-model into stsstack-bundles:master

Git
lp:~hopem/stsstack-bundles
ensure-local-ca-installed-per-model
Merge into master

Proposed by Edward Hope-Morley on 2020-09-18

Status:	Merged
Merged at revision:	5c9f46f641f45ff557f531b537257d093b2c07b2
Proposed branch:	~hopem/stsstack-bundles:ensure-local-ca-installed-per-model
Merge into:	stsstack-bundles:master
Diff against target:	88 lines (+25/-15) 5 files modified ceph/tools/install_local_ca.sh (+1/-0) kubernetes/tools/install_local_ca.sh (+1/-0) openstack/novarc (+13/-5) openstack/tools/install_local_ca.sh (+9/-10) swift/tools/install_local_ca.sh (+1/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Jolly Bundlers		2020-09-18	Pending
Review via email: mp+390970@code.launchpad.net

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Download diff
Side-by-side diff

Subscribers

People subscribed via source and target branches

to all changes:

Edward Hope-Morley

Openstack Charm Testers

 diff --git a/ceph/tools/install_local_ca.sh b/ceph/tools/install_local_ca.sh
 new file mode 120000
 index 0000000..90d5dfd
 --- /dev/null
 +++ b/ceph/tools/install_local_ca.sh
@@ -0,0 +1 @@
++../../openstack/tools/install_local_ca.sh
 \ No newline at end of file
 diff --git a/kubernetes/tools/install_local_ca.sh b/kubernetes/tools/install_local_ca.sh
 new file mode 120000
 index 0000000..90d5dfd
 --- /dev/null
 +++ b/kubernetes/tools/install_local_ca.sh
@@ -0,0 +1 @@
++../../openstack/tools/install_local_ca.sh
 \ No newline at end of file
 diff --git a/openstack/novarc b/openstack/novarc
 index 96ebcf6..252cc22 100644
 --- a/openstack/novarc
 +++ b/openstack/novarc
@@ -20,14 +20,22 @@ fi
  ssl_cert=`juju config keystone ssl_cert`
  if [ -n "$ssl_cert" ]; then
    export OS_AUTH_PROTOCOL=https
++  # NOTE(hopem): we don't actually need OS_CACERT if the cert is installed and that should be fixed now
++  # so we could consider removing this.
    export OS_CACERT=$(dirname "$(realpath -s "${BASH_SOURCE[0]}")")/ssl/openstack-ssl/results/cacert.pem
--else
++elif ((`jq -r '.applications[]| select(."charm-name"=="vault")' $juju_status_json_cache| wc -l`)); then
      # Vault-based ssl
--    if ((`jq -r '.applications[]| select(."charm-name"=="vault")' $juju_status_json_cache| wc -l`)); then
--        if `jq -r .applications.vault.relations.certificates[] $juju_status_json_cache| grep -q keystone`; then
--            export OS_AUTH_PROTOCOL=https
--        fi
++    if `jq -r .applications.vault.relations.certificates[] $juju_status_json_cache| grep -q keystone`; then
++        export OS_AUTH_PROTOCOL=https
      fi
++else
++    unset OS_AUTH_PROTOCOL
++fi
++
++if [ "${OS_AUTH_PROTOCOL:-}" = "https" ]; then
++    echo -n "INFO: installing certificate authority for this deployment..."
++    ./tools/install_local_ca.sh &>/dev/null
++    echo done.
  fi
  unset _OS_PARAMS
 diff --git a/openstack/tools/install_local_ca.sh b/openstack/tools/install_local_ca.sh
 index e6770ff..a72d510 100755
 --- a/openstack/tools/install_local_ca.sh
 +++ b/openstack/tools/install_local_ca.sh
@@ -1,18 +1,17 @@
  #!/bin/bash -eux
--local_ca_crt_path=${1:-ssl/openstack/results/cacert.pem}
--
--ftmp=`mktemp`
--
--cleanup () { rm -f $ftmp; }
--trap cleanup EXIT INT
++model_ca_cert_path=${1:-ssl/openstack/results/cacert.pem}
  if ((`juju status --format=json| jq -r '.applications[]| select(."charm-name"=="vault")'| wc -l`)); then
--    echo "Fetching CA cert from vault"
--    juju run-action --format=json vault/leader get-root-ca --wait | jq -r .[].results.output > $ftmp
--    local_ca_crt_path=$ftmp
++    model_uuid=`juju show-model --format=json| jq -r '.[]."model-uuid"'`
++    model_ca_cert_path=`find /tmp -name \*.stsstack-bundles.ssl.$model_uuid 2>/dev/null` || true
++    if [ -z "$model_ca_cert_path" ]; then
++        model_ca_cert_path=`mktemp --suffix=.stsstack-bundles.ssl.$model_uuid`
++        echo "Fetching CA cert from vault"
++        juju run-action --format=json vault/leader get-root-ca --wait | jq -r .[].results.output > $model_ca_cert_path
++    fi
  fi
  echo "INFO: installing stsstack-bundles openstack CA at /usr/local/share/ca-certificates/cacert.crt"
--sudo cp ${local_ca_crt_path} /usr/local/share/ca-certificates/cacert.crt
++sudo cp ${model_ca_cert_path} /usr/local/share/ca-certificates/cacert.crt
  sudo chmod 644 /usr/local/share/ca-certificates/cacert.crt
  sudo update-ca-certificates --fresh
 diff --git a/swift/tools/install_local_ca.sh b/swift/tools/install_local_ca.sh
 new file mode 120000
 index 0000000..90d5dfd
 --- /dev/null
 +++ b/swift/tools/install_local_ca.sh
@@ -0,0 +1 @@
++../../openstack/tools/install_local_ca.sh
 \ No newline at end of file

stsstack-bundles

Merge ~hopem/stsstack-bundles:ensure-local-ca-installed-per-model into stsstack-bundles:master

Commit message

Description of the change

Preview Diff

Subscribers