From 52e0852daa8e00c5148b152d76eff8685b9b8e88 Mon Sep 17 00:00:00 2001
From: Frode Nordahl
Date: Tue, 5 Dec 2023 10:45:49 +0100
Subject: [PATCH 1/2] utilities/openstack: Fix handling of unit.run for CA check
The `async_block_until_ca_exists` function makes direct use of the libjuju APIs which changed in Juju 3.x. Use the action normalise helper from the Zaza model module to reconcile.
Signed-off-by: Frode Nordahl
---
 zaza/openstack/utilities/openstack.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/zaza/openstack/utilities/openstack.py b/zaza/openstack/utilities/openstack.py
index 540b9a3c1..99daefa5b 100644
--- a/zaza/openstack/utilities/openstack.py
+++ b/zaza/openstack/utilities/openstack.py
@@ -237,8 +237,15 @@ async def _check_ca_present(model, ca_files):
 for ca_file in ca_files:
 for unit in units:
 try:
- output = await unit.run('cat {}'.format(ca_file))
- contents = output.data.get('results').get('Stdout', '')
+ action = await unit.run('cat {}'.format(ca_file))
+ action = await action.wait()
+ # NOTE(fnordahl): yes, this is a call to a private
+ # function, and to be pragmatic we are already
+ # mocking about under the hood in this function, so let's
+ # just make it work.
+ results = zaza.model._normalise_action_results(
+ getattr(action, 'results', action.data.get('results')))
+ contents = results.get('stdout', '')
 if ca_cert not in contents:
 break
 # libjuju throws a generic error for connection failure. So we
From ff0c2e662d241f96567196c67f20785422f113bb Mon Sep 17 00:00:00 2001
From: Frode Nordahl
Date: Sun, 31 Dec 2023 07:13:21 +0100
Subject: [PATCH 2/2] vault: Allow consecutive invocations of auto_initialize
The vault charm will expect the ``force`` parameter to be set to 'true' on consecutive runs of the ``get-csr`` or ``regenerate-intermediate-ca`` actions.
---
 zaza/openstack/charm_tests/vault/setup.py | 4 ++++
 zaza/openstack/charm_tests/vault/utils.py | 9 +++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
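Review bot: In the openstack.py hunk, the added `getattr(action, 'results', action.data.get('results'))` evaluates its fallback before `getattr` runs, so `action.data` is read even when `action.results` exists. If either libjuju generation returns an object without a usable `data` mapping, that lookup raises inside the `try` and never reaches the CA comparison. Resolving the two cases explicitly avoids this: `raw = getattr(action, 'results', None)`, then `if raw is None: raw = action.data.get('results')`, and pass `raw` to the normalise helper. The action's completion status is also never inspected, so a failed `cat` and a file holding a different certificate both read as "CA not present yet"; a one-line comment saying that this is intended for the polling loop would help. The `try` block continues past the end of the hunk, so how its handler treats such errors is not visible here.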
diff --git a/zaza/openstack/charm_tests/vault/setup.py b/zaza/openstack/charm_tests/vault/setup.py
index 05e8cc547..74b14ec63 100644
--- a/zaza/openstack/charm_tests/vault/setup.py
+++ b/zaza/openstack/charm_tests/vault/setup.py
@@ -162,6 +162,10 @@ def auto_initialize(cacert=None, validation_application='keystone', wait=True,
 basic_setup(cacert=cacert, unseal_and_authorize=True)
 action = vault_utils.run_get_csr()
+ if 'output' not in action.data['results']:
+ logging.warning("Running 'get-csr' action with force, "
+ "vault already initialized?")
+ action = vault_utils.run_get_csr(force=True)
 intermediate_csr = action.data['results']['output']
 (cakey, cacertificate) = zaza.openstack.utilities.cert.generate_cert(
 'DivineAuthority',
diff --git a/zaza/openstack/charm_tests/vault/utils.py b/zaza/openstack/charm_tests/vault/utils.py
index 72cbac413..464095708 100644
--- a/zaza/openstack/charm_tests/vault/utils.py
+++ b/zaza/openstack/charm_tests/vault/utils.py
@@ -474,18 +474,23 @@ def run_charm_authorize(token):
 action_params={'token': token})
-def run_get_csr():
+def run_get_csr(force=None):
 """Retrieve CSR from vault.
 Run vault charm action to retrieve CSR from vault.
+ :param force: Force regeneration of intermediate ca.
+ :type force: Optional[bool]
 :returns: Action object
 :rtype: juju.action.Action
 """
+ action_params={}
+ if force is not None:
+ action_params.update({'force': force})
 return zaza.model.run_action_on_leader(
 'vault',
 'get-csr',
- action_params={})
+ action_params=action_params)
 def run_upload_signed_csr(pem, root_ca, allowed_domains):
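Review bot: The retry added to `auto_initialize` in setup.py treats every result without an `output` key as "vault already initialized" and re-runs `get-csr` with `force=True`, which the docstring added in utils.py describes as forcing regeneration of the intermediate CA. A `get-csr` that failed for an unrelated reason takes the same path, and if the forced run also returns no `output`, the following `action.data['results']['output']` fails with a bare `KeyError`. I would follow the retry with an explicit check such as `if 'output' not in action.data['results']: raise RuntimeError("get-csr returned no CSR, status={}".format(action.status))`, and log the first action's status in the warning so an operator can tell which case was hit. Patch 1/2 of this series had to read results through `action.results` and the normalise helper for Juju 3.x; whether `action.data['results']` is still populated on this path cannot be seen from the hunk and should be confirmed. The body of `auto_initialize` starts and ends outside the hunk.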
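Review bot: In the utils.py hunk, `action_params={}` in `run_get_csr` is written without spaces around the assignment, which pycodestyle reports as E225. The dict can be built in one step instead of create-then-update: `action_params = {} if force is None else {'force': force}`. The docstring types `force` as `Optional[bool]` while the commit message says the charm expects the value 'true'. If the action schema takes a string rather than a boolean, a conversion is needed, so the `:param force:` line should state which form the charm accepts.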