Add trusted-external-ca-cert option

To connect to an external S3 endpoint with encryption,
a root CA needs to be installed on the gnocchi units.

Func-test-PR: openstack-charmers/zaza-openstack-tests#393
Change-Id: I50fd881400d4c1bf4beaa70d75af34c28c98ea41

src/README.md

@@ -51,6 +51,9 @@ set accordingly:
 * `s3-access-key-id`
 * `s3-secret-access-key`
 
+For an encrypted S3 endpoint that is not managed by charmed Vault, the config
+option `trusted-ssl-ca-cert` needs to be configured.
+
 See file `config.yaml` for more details on the above options.
 
 ## Policy overrides

src/config.yaml

@@ -41,6 +41,12 @@ options:
     description: |
       The maximum number of connections to keep in a connection pool. (integer value).
       Minimum value: 1
+  trusted-external-ca-cert:
+    type: string
+    default:
+    description: |
+      Base 64 encoded SSL CA certificate to use for an encrypted S3 endpoint.
+      To be used when the S3 certificates are not managed by charmed Vault.
   use-policyd-override:
     type: boolean
     default: False

src/lib/charm/openstack/gnocchi.py

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import base64
 import os
 import collections
 import subprocess
@@ -56,6 +57,8 @@
 
 DB_INTERFACE = 'shared-db'
 
+EXTERNAL_CA_CERT_FILE = '/usr/local/share/ca-certificates/gnocchi-external.crt'
+
 charms_openstack.charm.use_defaults('charm.default-select-package-type')
 charms_openstack.charm.use_defaults('charm.default-select-release')
 
@@ -268,6 +271,29 @@ def states_to_check(self, required_relations=None):
         ]
         return states_to_check
 
+    def configure_external_tls(self):
+        """Installs an external root CA to the gnocchi units, if provided.
+        The purpose of this is to allow connection to an external S3 endpoint
+        with encryption.
+        :returns: None
+        """
+        if self.options.trusted_external_ca_cert:
+            ca_cert = self.options.trusted_external_ca_cert.strip()
+            hookenv.log("Writing tls ca cert {}".format(ca_cert), hookenv.INFO)
+            cert_content = base64.b64decode(ca_cert).decode()
+            try:
+                with open(EXTERNAL_CA_CERT_FILE, 'w') as fd:
+                    fd.write(cert_content)
+                subprocess.call(['/usr/sbin/update-ca-certificates'])
+            except (subprocess.CalledProcessError, PermissionError) as error:
+                hookenv.status_set(
+                    'blocked',
+                    'An error occured while uploading the external ca cert.'
+                )
+                hookenv.log('configure_external_ssl failed: {}'.format(error),
+                            hookenv.ERROR)
+                return
+
 
 class GnocchiCharm(GnocchiCharmBase):
 

src/reactive/gnocchi_handlers.py

@@ -117,6 +117,7 @@ def render_config(*args):
     with charm.provide_charm_instance() as charm_class:
         charm_class.upgrade_if_available(args)
         charm_class.configure_ssl()
+        charm_class.configure_external_tls()
         charm_class.render_with_interfaces(args)
         charm_class.enable_webserver_site()
     hookenv.log("Configuration rendered", hookenv.DEBUG)

src/tests/tests.yaml

@@ -32,9 +32,11 @@ configure:
     - zaza.openstack.charm_tests.ceilometer.setup.basic_setup
 tests:
   - zaza.openstack.charm_tests.gnocchi.tests.GnocchiTest
+  - zaza.openstack.charm_tests.gnocchi.tests.GnocchiExternalCATest
   - test-s3:
     - zaza.openstack.charm_tests.gnocchi.tests.GnocchiS3Test
     - zaza.openstack.charm_tests.gnocchi.tests.GnocchiTest
+    - zaza.openstack.charm_tests.gnocchi.tests.GnocchiExternalCATest
 target_deploy_status:
   vault:
     workload-status: blocked