Update method for checking endpoint protocol #769
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists.
coreycb
reviewed
Apr 19, 2023
coreycb
previously approved these changes
May 2, 2023
wolsen
previously approved these changes
May 2, 2023
ajkavanagh
requested changes
May 3, 2023
There was a problem hiding this comment.
Unfortunately, it looks like a few unit tests are breaking due to the change; it looks like the tests need some additional mocks as the method-under-test eventually calls out to juju primatives.
e.g.
======================================================================
ERROR: tests.contrib.hahelpers.test_cluster_utils.ClusterUtilsTests.test_https_cert_key_incomplete_identity_relation
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/home/ubuntu/git/github.com/juju/charm-helpers/charmhelpers/core/hookenv.py", line 1180, in inner_translate_exc2
return f(*args, **kwargs)
File "/home/ubuntu/git/github.com/juju/charm-helpers/charmhelpers/core/hookenv.py", line 1374, in network_get_primary_address
response = subprocess.check_output(
File "/usr/lib/python3.8/subprocess.py", line 415, in check_output
return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
File "/usr/lib/python3.8/subprocess.py", line 493, in run
with Popen(*popenargs, **kwargs) as process:
File "/usr/lib/python3.8/subprocess.py", line 858, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "/usr/lib/python3.8/subprocess.py", line 1704, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'network-get'
Unfortunately, the github actions are currently broken due to: #774 so you'll need to run them manually (on say focal), until we get this fixed.
ajkavanagh
requested changes
May 3, 2023
| 'key', # relation_get('ssl_key') | ||
| 'ca_cert', # relation_get('ca_cert') | ||
| ] | ||
| self.assertTrue(cluster_utils.https()) |
There was a problem hiding this comment.
I think this should be assertFalse as the request for local unit is {} and that it will return False from https().
|
I've manually verified that the tox pep8 and py3 targets run on focal and jammy (actually py310 due to nose2 requirement). This is in lieu of the fix to the CI runners. |
freyes
pushed a commit
to freyes/charm-helpers
that referenced
this pull request
May 6, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34)
ajkavanagh
pushed a commit
that referenced
this pull request
May 10, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com>
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
May 26, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
May 26, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
May 26, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
May 26, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
May 26, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
May 26, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
May 26, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
Jun 7, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
Jun 7, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
Jun 7, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
Jun 7, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
Jun 7, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
coreycb
pushed a commit
to coreycb/charm-helpers
that referenced
this pull request
Jun 7, 2023
Update method for checking endpoint protocol The `https` method is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but the `https` method will return True. This patch updates the `https` method to return False if an unfilled certificate request exists. (cherry picked from commit 6064a34) Co-authored-by: Liam Young <liam.young@canonical.com> (cherry picked from commit ed01437)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
httpsmethod is used to check if an endpoint is expected to be http or https. One of the checks it performs is to examine the the certificates relation. If the relation is present then it looks for the existance of a CA. However the OpenStack charms do not switch to https until a certificate is provided via the certificates relation. This means there can be a disconnect if the certificate provider has provided a CA but has not yet provided the unit specific certificates. If this happens then the payload will still be using http but thehttpsmethod will return True.This patch updates the
httpsmethod to return False if an unfilled certificate request exists.https://bugs.launchpad.net/charm-keystone/+bug/2015103