Add caas firewaller

[wallyworld]

Description of change

Add caas firewaller worker and facades.
Broken up into a few commits.

QA steps

deploy caas charm
juju expose
-> check ingress
juju unexpose
-> check ingress

[axw]

mostly looks good, just a couple of things

[axw]

s/GetExposed/IsExposed/? or ApplicationExposed? Get is non-idiomatic

[wallyworld]

I was using the same API call name as for the IAAS firewaller for consistency. I can change here.

[wallyworld]

fixed

[axw]

Thanks. The IAAS firewaller is kind of an abomination.

[axw]

So you're assuming that the initial state of the model reflects reality? That's not a sound assumption.

Rather than fetching the initial value here, I think a better approach would be:

var previouslyExposed bool
initial := true
for {
    select {
    ...
    case _, ok := <-appWatcher.Changes():
        ...
        exposed, err := aw.applicationGetter.IsExposed(aw.application)
        ...
        if !initial && exposed == previouslyExposed {
            continue
        }
        ...
        initial = false
        previouslyExposed = exposed
    }
}

This way, you will always call ExposeService or UnexposeService once when the firewaller starts up. That's necessary in case of partial handling of a change. This means those methods need to deal with being called twice in a row. Alternatively, you'll need to introduce a third method to check whether or not the service is already exposed.

[wallyworld]

Fair point. This was based on the mode of operation of the IAAS firewaller, so I think we need to consider fixing that one as well. Fixed here.

[axw]

The IAAS firewaller does the latter option: it calls an environ/instance method to get the currently-applied ingress rules, and then just applies the delta.

[wallyworld]

Replaced by #8202