From 6820332c8032a38350846822c9b3856ac6481a5e Mon Sep 17 00:00:00 2001 From: "camille.rodriguez" Date: Mon, 17 Aug 2020 11:32:32 -0500 Subject: [PATCH] Add trusted-external-ca-cert option To connect to an external S3 endpoint with encryption, a root CA needs to be installed on the gnocchi units. Func-test-PR: https://github.com/openstack-charmers/zaza-openstack-tests/pull/393 Change-Id: I50fd881400d4c1bf4beaa70d75af34c28c98ea41 --- src/README.md | 3 +++ src/config.yaml | 6 ++++++ src/lib/charm/openstack/gnocchi.py | 26 ++++++++++++++++++++++++++ src/reactive/gnocchi_handlers.py | 1 + src/tests/tests.yaml | 2 ++ 5 files changed, 38 insertions(+) diff --git a/src/README.md b/src/README.md index c6af97d..2f2bfd5 100644 --- a/src/README.md +++ b/src/README.md @@ -51,6 +51,9 @@ set accordingly: * `s3-access-key-id` * `s3-secret-access-key` +For an encrypted S3 endpoint that is not managed by charmed Vault, the config +option `trusted-ssl-ca-cert` needs to be configured. + See file `config.yaml` for more details on the above options. ## Policy overrides diff --git a/src/config.yaml b/src/config.yaml index a09ece1..c89ae89 100644 --- a/src/config.yaml +++ b/src/config.yaml @@ -41,6 +41,12 @@ options: description: | The maximum number of connections to keep in a connection pool. (integer value). Minimum value: 1 + trusted-external-ca-cert: + type: string + default: + description: | + Base 64 encoded SSL CA certificate to use for an encrypted S3 endpoint. + To be used when the S3 certificates are not managed by charmed Vault. use-policyd-override: type: boolean default: False diff --git a/src/lib/charm/openstack/gnocchi.py b/src/lib/charm/openstack/gnocchi.py index fcf98fc..c0b1889 100644 --- a/src/lib/charm/openstack/gnocchi.py +++ b/src/lib/charm/openstack/gnocchi.py @@ -12,6 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +import base64 import os import collections import subprocess 
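Review bot: The option is declared here as `trusted-external-ca-cert` and read by the code as `self.options.trusted_external_ca_cert`, but the README hunk in this same commit tells operators to set `trusted-ssl-ca-cert`, which does not exist; the README line should read `option `trusted-external-ca-cert` needs to be configured.` The description says "Base 64 encoded SSL CA certificate" without saying what encoding the decoded payload must be in; since the charm writes it as a `.crt` under /usr/local/share/ca-certificates and runs update-ca-certificates, which expects PEM, I would state it: `Base64-encoded PEM root CA certificate (e.g. the output of `base64 -w0 ca.pem`) used to verify an encrypted S3 endpoint.` It is also worth telling operators in the description that the certificate is installed into the unit's system trust store, so every TLS client on the unit will trust it, not only the S3 connection.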
@@ -56,6 +57,8 @@ DB_INTERFACE = 'shared-db' +EXTERNAL_CA_CERT_FILE = '/usr/local/share/ca-certificates/gnocchi-external.crt' + charms_openstack.charm.use_defaults('charm.default-select-package-type') charms_openstack.charm.use_defaults('charm.default-select-release') @@ -268,6 +271,29 @@ def states_to_check(self, required_relations=None): ] return states_to_check + def configure_external_tls(self): + """Installs an external root CA to the gnocchi units, if provided. + The purpose of this is to allow connection to an external S3 endpoint + with encryption. + :returns: None + """ + if self.options.trusted_external_ca_cert: + ca_cert = self.options.trusted_external_ca_cert.strip() + hookenv.log("Writing tls ca cert {}".format(ca_cert), hookenv.INFO) + cert_content = base64.b64decode(ca_cert).decode() + try: + with open(EXTERNAL_CA_CERT_FILE, 'w') as fd: + fd.write(cert_content) + subprocess.call(['/usr/sbin/update-ca-certificates']) + except (subprocess.CalledProcessError, PermissionError) as error: + hookenv.status_set( + 'blocked', + 'An error occured while uploading the external ca cert.' + ) + hookenv.log('configure_external_ssl failed: {}'.format(error), + hookenv.ERROR) + return + class GnocchiCharm(GnocchiCharmBase): diff --git a/src/reactive/gnocchi_handlers.py b/src/reactive/gnocchi_handlers.py index c469f3d..68a31e1 100644 --- a/src/reactive/gnocchi_handlers.py +++ b/src/reactive/gnocchi_handlers.py @@ -117,6 +117,7 @@ def render_config(*args): with charm.provide_charm_instance() as charm_class: charm_class.upgrade_if_available(args) charm_class.configure_ssl() + charm_class.configure_external_tls() charm_class.render_with_interfaces(args) charm_class.enable_webserver_site() hookenv.log("Configuration rendered", hookenv.DEBUG) diff --git a/src/tests/tests.yaml b/src/tests/tests.yaml index e03ed27..0928d47 100644 --- a/src/tests/tests.yaml +++ b/src/tests/tests.yaml 
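Review bot: In configure_external_tls the decode `cert_content = base64.b64decode(ca_cert).decode()` runs before the try, so a malformed base64 value or a non-UTF-8 payload raises out of the hook instead of setting the unit blocked, and `subprocess.call` never raises CalledProcessError, so a failing update-ca-certificates run is silently ignored and that except clause is dead; the decode belongs inside the try and the call should be `subprocess.check_call`. Clearing the option later leaves the previously written file in /usr/local/share/ca-certificates, so the trust anchor outlives its configuration; when the option is empty the file should be removed and update-ca-certificates re-run. The INFO log line prints the whole base64 blob, where the target path would be more useful. The rewrite below keeps the method's interface and relies only on `os`, `base64`, `subprocess` and `hookenv`, which this file already imports.
```python
    def configure_external_tls(self):
        """Install or remove the external root CA used to reach the S3 endpoint.

        Writes the decoded certificate to EXTERNAL_CA_CERT_FILE (or removes it
        when the option is cleared) and refreshes the system trust store. Sets
        the unit blocked on an undecodable value, a write failure or a failed
        update-ca-certificates run.
        :returns: None
        """
        ca_cert = (self.options.trusted_external_ca_cert or '').strip()
        try:
            if ca_cert:
                # binascii.Error from b64decode and UnicodeDecodeError are
                # both ValueError subclasses, caught below.
                cert_content = base64.b64decode(ca_cert).decode()
                hookenv.log("Writing external CA cert to {}".format(
                    EXTERNAL_CA_CERT_FILE), hookenv.INFO)
                with open(EXTERNAL_CA_CERT_FILE, 'w') as fd:
                    fd.write(cert_content)
            elif os.path.exists(EXTERNAL_CA_CERT_FILE):
                # Option cleared: drop the stale trust anchor as well.
                os.remove(EXTERNAL_CA_CERT_FILE)
            else:
                return
            # check_call so a non-zero exit from the trust store refresh
            # is reported rather than ignored.
            subprocess.check_call(['/usr/sbin/update-ca-certificates'])
        except (ValueError, OSError, subprocess.CalledProcessError) as error:
            hookenv.status_set(
                'blocked',
                'An error occurred while installing the external ca cert.'
            )
            hookenv.log('configure_external_tls failed: {}'.format(error),
                        hookenv.ERROR)
```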
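Review bot: `charm_class.configure_external_tls()` is called in render_config ahead of render_with_interfaces and nothing checks its outcome, so when it sets the unit blocked on a bad certificate the config is still rendered and the web site enabled, and presumably a later status assessment overwrites the blocked status as well, which is worth confirming. Consider having configure_external_tls return a bool and returning early from render_config when it fails, or at least a comment on the call such as `# best effort: a bad external CA blocks the unit but does not stop rendering`. render_config starts outside this hunk.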
@@ -32,9 +32,11 @@ configure: - zaza.openstack.charm_tests.ceilometer.setup.basic_setup tests: - zaza.openstack.charm_tests.gnocchi.tests.GnocchiTest + - zaza.openstack.charm_tests.gnocchi.tests.GnocchiExternalCATest - test-s3: - zaza.openstack.charm_tests.gnocchi.tests.GnocchiS3Test - zaza.openstack.charm_tests.gnocchi.tests.GnocchiTest + - zaza.openstack.charm_tests.gnocchi.tests.GnocchiExternalCATest target_deploy_status: vault: workload-status: blocked