Use client cert for keystone-identity

When manila-ganesha is related to vault it needs a client cert to
configure the keystone-auth section of manila.conf to communicate with
keystone. This patch sets that up and removes the broken server cert
auto configuration which ended up masking the manila-share service.

func-test-pr: openstack-charmers/zaza-openstack-tests#1250
Change-Id: I55e9aa09b88684517d4052dc56eed0cab05a0262
Closes-Bug: #2064487
(cherry picked from commit ddba2d8)
(cherry picked from commit 47be19b260f2434debf57779e5f9110be4afcee1)

Author: ajkavanagh

osci.yaml

@@ -2,8 +2,17 @@
     templates:
       - charm-unit-jobs-py310
       - charm-functional-jobs
+    check:
+      jobs:
+        - jammy-antelope-vault_manila-ganesha
     vars:
       needs_charm_build: true
       charm_build_name: manila-ganesha
       build_type: charmcraft
       charmcraft_channel: 2.1/stable
+
+- job:
+    name: jammy-antelope-vault_manila-ganesha
+    parent: func-target
+    vars:
+      tox_extra_args: '-- vault:jammy-antelope-vault'

src/lib/charm/openstack/manila_ganesha.py

@@ -14,22 +14,30 @@
 
 import collections
 import errno
+import os
 import socket
 import subprocess
 
 import charms_openstack.charm
 import charms_openstack.adapters
 import charms_openstack.plugins
+import charms_openstack.charm.utils
 import charmhelpers.contrib.network.ip as ch_net_ip
+import charms.reactive.relations as relations
 from charmhelpers.core.host import (
     cmp_pkgrevno,
     service_pause,
+    mkdir,
+    path_hash,
+    write_file,
 )
 from charmhelpers.core.hookenv import (
+    ERROR,
     config,
     goal_state,
     local_unit,
     log,
+    network_get,
 )
 from charmhelpers.contrib.hahelpers.cluster import (
     is_clustered,
@@ -49,6 +57,10 @@
 
 MANILA_DIR = '/etc/manila/'
 MANILA_CONF = MANILA_DIR + "manila.conf"
+MANILA_SSL_DIR = MANILA_DIR + "ssl/"
+MANILA_CLIENT_CERT_FILE = MANILA_SSL_DIR + "cert.crt"
+MANILA_CLIENT_KEY_FILE = MANILA_SSL_DIR + "cert.key"
+MANILA_CLIENT_CA_FILE = MANILA_SSL_DIR + "ca.crt"
 MANILA_LOGGING_CONF = MANILA_DIR + "logging.conf"
 MANILA_API_PASTE_CONF = MANILA_DIR + "api-paste.ini"
 CEPH_CONF = '/etc/ceph/ceph.conf'
@@ -152,6 +164,28 @@ def service_username(self):
         return self.credentials_username
 
 
+class TlsCertificatesAdapter(
+        charms_openstack.adapters.OpenStackRelationAdapter):
+    """Modifies the keystone-credentials interface to act like keystone."""
+
+    def _resolve_file_name(self, path):
+        if os.path.exists(path):
+            return path
+        return None
+
+    @property
+    def certfile(self):
+        return self._resolve_file_name(MANILA_CLIENT_CERT_FILE)
+
+    @property
+    def keyfile(self):
+        return self._resolve_file_name(MANILA_CLIENT_KEY_FILE)
+
+    @property
+    def cafile(self):
+        return self._resolve_file_name(MANILA_CLIENT_CA_FILE)
+
+
 class GaneshaCharmRelationAdapters(
         charms_openstack.adapters.OpenStackRelationAdapters):
     relation_adapters = {
@@ -160,6 +194,7 @@ class GaneshaCharmRelationAdapters(
         'manila-ganesha': charms_openstack.adapters.OpenStackRelationAdapter,
         'identity-service': KeystoneCredentialAdapter,
         'shared_db': charms_openstack.adapters.DatabaseRelationAdapter,
+        'certificates': TlsCertificatesAdapter,
     }
 
 
@@ -222,6 +257,10 @@ class ManilaGaneshaCharm(charms_openstack.charm.HAOpenStackCharm,
             ('12', 'wallaby'),
             ('13', 'xena'),
             ('14', 'yoga'),
+            ('15', 'zed'),
+            ('16', 'antelope'),
+            ('17', 'bobcat'),
+            ('18', 'caracal'),
         ]),
     }
 
@@ -411,6 +450,78 @@ def request_ceph_permissions(self, ceph):
                    'client': ch_core.hookenv.application_name()})
         ceph.send_request_if_needed(rq)
 
+    def get_client_cert_cn_sans(self):
+        """Get the tuple (cn, [sans]) for a client certificiate.
+
+        This is for the keystone endpoint/interface, so generate the client
+        cert data for that.
+        """
+        try:
+            ingress = network_get('identity-service')['ingress-addresses']
+        except Exception as e:
+            # if it didn't work, log it as an error, and return (None, None)
+            log(f"Getting ingress for identity-service failed: {str(e)}",
+                level=ERROR)
+            return (None, None)
+        return (ingress[0], ingress[1:])
+
+    def handle_changed_client_cert_files(self, ca, cert, key):
+        """Handle changes to client cert, key or ca.
+
+        If the client certs have changed on disk, rerender and restart manila.
+
+        The cert and key need to be written to:
+
+        - /etc/manila/ssl/cert.crt - MANILA_CLIENT_CERT_FILE
+        - /etc/manila/ssl/cert.key - MANILA_CLIENT_KEY_FILE
+        - /etc/manila/ssl/ca.cert  - MANILA_CLIENT_CA_FILE
+        """
+        # lives ensrure that the cert dir exists
+        mkdir(MANILA_SSL_DIR)
+        paths = {
+            MANILA_CLIENT_CA_FILE: ca,
+            MANILA_CLIENT_CERT_FILE: cert,
+            MANILA_CLIENT_KEY_FILE: key,
+        }
+        checksums = {path: path_hash(path) for path in paths.keys()}
+        # write or remove the files.
+        for path, contents in paths.items():
+            if contents is None:
+                # delete the file
+                realpath = os.path.abspath(path)
+                path_exists = os.path.exists(realpath)
+                if path_exists:
+                    try:
+                        os.remove(path)
+                    except OSError as e:
+                        log("Path {} couldn't be deleted: {}"
+                            .format(path, str(e)), level=ERROR)
+            else:
+                write_file(path,
+                           contents.encode(),
+                           owner=self.user,
+                           group=self.group,
+                           perms=0o640)
+        new_checksums = {path: path_hash(path) for path in paths.keys()}
+        if new_checksums != checksums:
+            interfaces = (
+                'ceph.available',
+                'amqp.available',
+                'manila-plugin.available',
+                'shared-db.available',
+                'identity-service.available',
+                'certificates.available',
+            )
+            # check all the interfaces are available
+            endpoints = []
+            for interface in interfaces:
+                endpoint = relations.endpoint_from_flag(interface)
+                if not endpoint:
+                    # if not available don't attempt to render
+                    return
+                endpoints.append(endpoint)
+            self.render_with_interfaces(endpoints)
+
     def install_nrpe_checks(self, enable_cron=True):
         return install_nrpe_checks(enable_cron=enable_cron)
 

src/reactive/manila_ganesha.py

@@ -23,7 +23,10 @@
     'config.changed',
     'update-status',
     'upgrade-charm',
-    'certificates.available',
+    # TODO: remove follwoing commented out code.
+    # remove certificates.available as we want to wire in the call ourselves
+    # directly.
+    # 'certificates.available',
 )
 
 
@@ -78,7 +81,14 @@ def render_things(*args):
                             level=ch_core.hookenv.INFO)
         charm_instance.configure_ceph_keyring(ceph_relation.key)
 
-        charm_instance.render_with_interfaces(args)
+        # add in optional certificates.available relation for https to keystone
+        certificates = relations.endpoint_from_flag('certificates.available')
+        if certificates:
+            interfaces = list(args) + [certificates]
+        else:
+            interfaces = list(args)
+
+        charm_instance.render_with_interfaces(interfaces)
 
         reactive.set_flag('config.rendered')
         charm_instance.assess_status()
@@ -156,6 +166,68 @@ def disable_services():
     reactive.set_flag('services-disabled')
 
 
+@reactive.when('certificates.ca.available')
+def install_root_ca_cert():
+    print("running install_root_ca_cert")
+    cert_provider = relations.endpoint_from_flag('certificates.ca.available')
+    if cert_provider:
+        print("cert_provider lives")
+        update_client_certs_and_ca(cert_provider)
+
+
+@reactive.when('certificates.available')
+def set_client_cert_request():
+    """Set up the client certificate request.
+
+    If the charm is related to vault then it will send a client cert request
+    (set it on the relation) so that the keystone auth can be configured with a
+    client cert, key and CA to authenticate with keystone (HTTP).
+    """
+    print("running set_client_cert_request")
+    cert_provider = relations.endpoint_from_flag('certificates.available')
+    if cert_provider:
+        print("cert_provider lives")
+        with charm.provide_charm_instance() as the_charm:
+            client_cn, client_sans = the_charm.get_client_cert_cn_sans()
+            print(f"client_cn: {client_cn}, client_sans: {client_sans}")
+            if client_cn:
+                cert_provider.request_client_cert(client_cn, client_sans)
+
+
+@reactive.when('certificates.certs.available')
+def update_client_cert():
+    print("running update_client_cert")
+    cert_provider = relations.endpoint_from_flag('certificates.available')
+    if cert_provider:
+        print("cert_provider lives")
+        update_client_certs_and_ca(cert_provider)
+
+
+def update_client_certs_and_ca(cert_provider):
+    """Get the CA, and client cert, key and then update the config."""
+    ca = cert_provider.root_ca_cert
+    chain = cert_provider.root_ca_chain
+    if ca and chain:
+        if ca not in chain:
+            ca = chain + ca
+        else:
+            ca = chain
+    cert = key = None
+    try:
+        client_cert = cert_provider.client_certs[0]  # only requested one cert
+        cert = client_cert.cert
+        key = client_cert.key
+    except IndexError:
+        pass
+    with charm.provide_charm_instance() as the_charm:
+        print(f"updating: {ca}\n{cert}\n{key}")
+        if ca:
+            the_charm.configure_ca(ca)
+        if chain:
+            the_charm.configure_ca(chain, postfix="chain")
+        the_charm.handle_changed_client_cert_files(ca, cert, key)
+
+
 @reactive.when('nrpe-external-master.available')
 def configure_nrpe():
     """Config and install NRPE plugins."""

src/templates/rocky/manila.conf

@@ -29,6 +29,20 @@ lock_path = /var/lib/manila/tmp
 # parts/section-keystone-authtoken includes the [keystone_authtoken] section
 # identifier
 {% include "parts/section-keystone-authtoken" %}
+{% if certificates -%}
+# Certificates for https connections to keystone when tls-certificates is
+# available
+{# NOTE(ajkavanagh) 'certificates' is an optional relation and so we have to -#}
+{# check for its existence before access the .parts. -#}
+{% if certificates.certfile -%}
+certfile = {{ certificates.certfile }}
+keyfile = {{ certificates.keyfile }}
+{% endif -%}
+{% if certificates.cafile -%}
+cafile = {{ certificates.cafile }}
+insecure = false
+{% endif -%}
+{% endif %}
 
 [oslo_messaging_amqp]