Ensure that apache can handle certificates from Vault

Closes-Bug: #1846189
juju · Mar 3, 2020 · a6a7709 · a6a7709
1 parent 650d8a5
commit a6a7709
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 6 deletions.
diff --git a/charmhelpers/contrib/hahelpers/apache.py b/charmhelpers/contrib/hahelpers/apache.py
@@ -33,6 +33,7 @@
     log,
     INFO,
 )
+import charmhelpers.contrib.openstack.cert_utils as cert_utils
 
 
 def get_cert(cn=None):
@@ -57,6 +58,11 @@ def get_cert(cn=None):
                 if not key:
                     key = relation_get(ssl_key_attr,
                                        rid=r_id, unit=unit)
+    if not (cert and key):
+        entries = cert_utils.get_requests_for_local_unit()
+        for entry in entries:
+            for _cn, bundle in entry['certs'].items():
+                return (bundle['cert'], bundle['key'])
     return (cert, key)
 
 
@@ -71,6 +77,10 @@ def get_ca_cert():
                 if ca_cert is None:
                     ca_cert = relation_get('ca_cert',
                                            rid=r_id, unit=unit)
+    if ca_cert is None:
+        entries = cert_utils.get_requests_for_local_unit()
+        for entry in entries:
+            return entry['ca']
     return ca_cert
 
 

diff --git a/charmhelpers/contrib/openstack/cert_utils.py b/charmhelpers/contrib/openstack/cert_utils.py
@@ -42,14 +42,11 @@
     ADDRESS_MAP)
 
 from charmhelpers.core.host import (
+    install_ca_cert,
     mkdir,
     write_file,
 )
 
-from charmhelpers.contrib.hahelpers.apache import (
-    install_ca_cert
-)
-
 
 class CertRequest(object):
 
@@ -234,7 +231,7 @@ def process_certificates(service_name, relation_id, unit,
     ca = data.get('ca')
     if certs:
         certs = json.loads(certs)
-        install_ca_cert(ca.encode())
+        _install_ca_cert(ca.encode())
         install_certs(ssl_dir, certs, chain, user=user, group=group)
         create_ip_cert_links(
             ssl_dir,
@@ -243,6 +240,12 @@ def process_certificates(service_name, relation_id, unit,
     return False
 
 
+# This function is being copied in here to remove a circular
+# dependency between cert_utils and hahelpers.apache.
+def _install_ca_cert(ca_cert):
+    install_ca_cert(ca_cert, 'keystone_juju_ca_cert')
+
+
 def get_requests_for_local_unit(relation_name=None):
     """Extract any certificates data targeted at this unit down relation_name.
 

diff --git a/tests/contrib/hahelpers/test_apache_utils.py b/tests/contrib/hahelpers/test_apache_utils.py
@@ -47,6 +47,14 @@
     }
 }
 
+CERTIFICATES_RELATION_STYLE_CERTS = {
+    'certificates:0': {
+        'vault/0': {
+
+        }
+    }
+}
+
 
 class ApacheUtilsTests(TestCase):
     def setUp(self):
@@ -113,6 +121,44 @@ def test_get_ca_cert_from_relation(self):
         self.assertEquals('keystone_provided_ca',
                           result)
 
+    @patch.object(apache_utils.cert_utils, 'get_requests_for_local_unit')
+    def test_get_cert_from_certificates_relation(self, get_requests_for_local_unit):
+        self.config_get.return_value = None
+        self.relation_ids.return_value = []
+        get_requests_for_local_unit.return_value = [{
+            'ca': 'ROOTCA',
+            'certs': {
+                'juju-cd4bb3-5.lxd': {
+                    'cert': 'BASECERT',
+                    'key': 'BASEKEY'},
+                'juju-cd4bb3-5.internal': {
+                    'cert': 'INTERNALCERT',
+                    'key': 'INTERNALKEY'}},
+            'chain': 'MYCHAIN'}]
+        result = apache_utils.get_cert()
+        get_requests_for_local_unit.assert_called_once_with()
+        self.assertEquals(('BASECERT', 'BASEKEY'),
+                          result)
+
+    @patch.object(apache_utils.cert_utils, 'get_requests_for_local_unit')
+    def test_get_ca_from_certificates_relation(self, get_requests_for_local_unit):
+        self.config_get.return_value = None
+        self.relation_ids.return_value = []
+        get_requests_for_local_unit.return_value = [{
+            'ca': 'ROOTCA',
+            'certs': {
+                'juju-cd4bb3-5.lxd': {
+                    'cert': 'BASECERT',
+                    'key': 'BASEKEY'},
+                'juju-cd4bb3-5.internal': {
+                    'cert': 'INTERNALCERT',
+                    'key': 'INTERNALKEY'}},
+            'chain': 'MYCHAIN'}]
+        result = apache_utils.get_ca_cert()
+        get_requests_for_local_unit.assert_called_once_with()
+        self.assertEquals('ROOTCA',
+                          result)
+
     @patch.object(apache_utils.os.path, 'isfile')
     def test_retrieve_ca_cert(self, _isfile):
         _isfile.return_value = True

diff --git a/tests/contrib/openstack/test_cert_utils.py b/tests/contrib/openstack/test_cert_utils.py
@@ -213,7 +213,7 @@ def test_install_certs_ca(self, write_file):
     @mock.patch.object(cert_utils, 'local_unit')
     @mock.patch.object(cert_utils, 'create_ip_cert_links')
     @mock.patch.object(cert_utils, 'install_certs')
-    @mock.patch.object(cert_utils, 'install_ca_cert')
+    @mock.patch.object(cert_utils, '_install_ca_cert')
     @mock.patch.object(cert_utils, 'mkdir')
     @mock.patch.object(cert_utils, 'relation_get')
     def test_process_certificates(self, relation_get, mkdir, install_ca_cert,