Support multiple remote bindings

Also adds support for remote unit to provide
unit_name explicitly so that roles are
created correctly when using Juju cross-model
relations.

Closes-Bug: #1826892

provides.py

@@ -14,6 +14,14 @@
 from charms.reactive import Endpoint
 from charms.reactive import when_any, when_not, when
 
+from charmhelpers.contrib.network.ip import (
+    is_address_in_network,
+    resolve_network_cidr,
+)
+from charmhelpers.core.hookenv import (
+    network_get_primary_address,
+)
+
 
 class VaultKVProvides(Endpoint):
 
@@ -42,9 +50,25 @@ def broken(self):
     def joined(self):
         set_flag(self.expand_name('{endpoint_name}.connected'))
 
-    def publish_url(self, vault_url):
-        """ Publish URL for Vault to all Relations """
+    def publish_url(self, vault_url, remote_binding=None):
+        """ Publish URL for Vault to all Relations
+
+        :param vault_url: api url used by remote client to speak to vault.
+        :param remote_binding: if provided, remote units not using this
+                               binding will be ignored.
+        """
         for relation in self.relations:
+            if remote_binding:
+                units = relation.units
+                if units:
+                    addr = units[0].received['ingress-address'] or \
+                        units[0].received['access_address']
+                    bound_cidr = resolve_network_cidr(
+                        network_get_primary_address(remote_binding)
+                    )
+                    if not (addr and is_address_in_network(bound_cidr, addr)):
+                        continue
+
             relation.to_publish['vault_url'] = vault_url
 
     def publish_ca(self, vault_ca):
@@ -55,15 +79,19 @@ def publish_ca(self, vault_ca):
     def set_role_id(self, unit, role_id, token):
         """ Set the AppRole ID and token for out-of-band Secret ID retrieval
         for a specific remote unit """
-        unit.relation.to_publish['{}_role_id'.format(unit.unit_name)] = role_id
-        unit.relation.to_publish['{}_token'.format(unit.unit_name)] = token
+        # for cmr we will need to the other end to provide their unit name
+        # expicitly.
+        unit_name = unit.received.get('unit_name') or unit.unit_name
+        unit.relation.to_publish['{}_role_id'.format(unit_name)] = role_id
+        unit.relation.to_publish['{}_token'.format(unit_name)] = token
 
     def requests(self):
         """ Retrieve full set of setup requests from all remote units """
         requests = []
         for relation in self.relations:
             for unit in relation.units:
                 access_address = unit.received['access_address']
+                ingress_address = unit.received['ingress-address']
                 secret_backend = unit.received['secret_backend']
                 hostname = unit.received['hostname']
                 isolated = unit.received['isolated']
@@ -73,6 +101,7 @@ def requests(self):
                 requests.append({
                     'unit': unit,
                     'access_address': access_address,
+                    'ingress_address': ingress_address,
                     'secret_backend': secret_backend,
                     'hostname': hostname,
                     'isolated': isolated,

requires.py

@@ -60,6 +60,7 @@ def request_secret_backend(self, name, isolated=True):
             relation.to_publish['access_address'] = self.endpoint_address
             relation.to_publish['hostname'] = socket.gethostname()
             relation.to_publish['isolated'] = isolated
+            relation.to_publish['unit_name'] = hookenv.local_unit()
 
     @property
     def unit_role_id(self):