Merge pull request #141 from gboutry/feat/maas-merge-main

Feat/maas merge main
canonical · Feb 22, 2024 · e4530e6 · e4530e6
2 parents 513dd4c + 082b841
commit e4530e6
Show file tree

Hide file tree

Showing 32 changed files with 973 additions and 267 deletions.
diff --git a/cloud/etc/deploy-openstack-hypervisor/main.tf b/cloud/etc/deploy-openstack-hypervisor/main.tf
@@ -76,6 +76,19 @@ resource "juju_integration" "hypervisor-identity" {
   }
 }
 
+resource "juju_integration" "hypervisor-cert-distributor" {
+  model = var.machine_model
+
+  application {
+    name     = juju_application.openstack-hypervisor.name
+    endpoint = "receive-ca-cert"
+  }
+
+  application {
+    offer_url = data.terraform_remote_state.openstack.outputs.cert-distributor-offer-url
+  }
+}
+
 resource "juju_integration" "hypervisor-certs" {
   model = var.machine_model
 

diff --git a/sunbeam-python/.stestr.conf b/sunbeam-python/.stestr.conf
diff --git a/sunbeam-python/sunbeam/commands/configure.py b/sunbeam-python/sunbeam/commands/configure.py
@@ -31,7 +31,12 @@
     TerraformInitStep,
 )
 from sunbeam.jobs.common import BaseStep, Result, ResultType, Status
-from sunbeam.jobs.juju import JujuHelper, run_sync
+from sunbeam.jobs.juju import (
+    ActionFailedException,
+    JujuHelper,
+    LeaderNotFoundException,
+    run_sync,
+)
 
 CLOUD_CONFIG_SECTION = "CloudConfig"
 LOG = logging.getLogger(__name__)
@@ -164,17 +169,21 @@ def retrieve_admin_credentials(jhelper: JujuHelper, model: str) -> dict:
     app = "keystone"
     action_cmd = "get-admin-account"
 
-    unit = run_sync(jhelper.get_leader_unit(app, model))
-    if not unit:
-        _message = f"Unable to get {app} leader"
-        raise click.ClickException(_message)
+    try:
+        unit = run_sync(jhelper.get_leader_unit(app, model))
+    except LeaderNotFoundException:
+        raise click.ClickException(f"Unable to get {app} leader")
+
+    try:
+        action_result = run_sync(jhelper.run_action(unit, model, action_cmd))
+    except ActionFailedException as e:
+        LOG.debug(f"Running action {action_cmd} on {unit} failed: {str(e)}")
+        raise click.ClickException("Unable to retrieve openrc from Keystone service")
 
-    action_result = run_sync(jhelper.run_action(unit, model, action_cmd))
     if action_result.get("return-code", 0) > 1:
-        _message = "Unable to retrieve openrc from Keystone service"
-        raise click.ClickException(_message)
+        raise click.ClickException("Unable to retrieve openrc from Keystone service")
 
-    return {
+    params = {
         "OS_USERNAME": action_result.get("username"),
         "OS_PASSWORD": action_result.get("password"),
         "OS_AUTH_URL": action_result.get("public-endpoint"),
@@ -185,6 +194,46 @@ def retrieve_admin_credentials(jhelper: JujuHelper, model: str) -> dict:
         "OS_IDENTITY_API_VERSION": action_result.get("api-version"),
     }
 
+    action_cmd = "list-ca-certs"
+    try:
+        action_result = run_sync(jhelper.run_action(unit, model, action_cmd))
+    except ActionFailedException as e:
+        LOG.debug(f"Running action {action_cmd} on {unit} failed: {str(e)}")
+        raise click.ClickException("Unable to retrieve CA certs from Keystone service")
+
+    if action_result.get("return-code", 0) > 1:
+        raise click.ClickException("Unable to retrieve CA certs from Keystone service")
+
+    action_result.pop("return-code")
+    ca_bundle = []
+    for name, certs in action_result.items():
+        # certs = json.loads(certs)
+        ca = certs.get("ca")
+        chain = certs.get("chain")
+        if ca and ca not in ca_bundle:
+            ca_bundle.append(ca)
+        if chain and chain not in ca_bundle:
+            ca_bundle.append(chain)
+
+    bundle = "\n".join(ca_bundle)
+
+    if bundle:
+        home = os.environ.get("SNAP_REAL_HOME")
+        cafile = Path(home) / ".config" / "openstack" / "ca_bundle.pem"
+        LOG.debug("Writing CA bundle to {str(cafile)}")
+
+        cafile.parent.mkdir(mode=0o775, parents=True, exist_ok=True)
+        if not cafile.exists():
+            cafile.touch()
+        cafile.chmod(0o660)
+
+        with cafile.open("w") as file:
+            file.write(bundle)
+
+        params["OS_CACERT"] = str(cafile)
+
+    return params
+
 
 class SetHypervisorCharmConfigStep(BaseStep):
     """Update openstack-hypervisor charm config"""
@@ -266,6 +315,7 @@ def __init__(
         tfhelper: TerraformHelper,
         auth_url: str,
         auth_version: str,
+        cacert: str | None = None,
         openrc: Path | None = None,
     ):
         super().__init__(
@@ -275,6 +325,7 @@ def __init__(
         self.tfhelper = tfhelper
         self.auth_url = auth_url
         self.auth_version = auth_version
+        self.cacert = cacert
         self.openrc = openrc
 
     def is_skip(self, status: Optional[Status] = None) -> Result:
@@ -315,6 +366,8 @@ def _print_openrc(self, tf_output: dict) -> None:
 export OS_PROJECT_NAME={tf_output["OS_PROJECT_NAME"]}
 export OS_AUTH_VERSION={self.auth_version}
 export OS_IDENTITY_API_VERSION={self.auth_version}"""
+        if self.cacert:
+            _openrc = f"{_openrc}\nexport OS_CACERT={self.cacert}"
         if self.openrc:
             message = f"Writing openrc to {self.openrc} ... "
             console.status(message)

diff --git a/sunbeam-python/sunbeam/commands/generate_cloud_config.py b/sunbeam-python/sunbeam/commands/generate_cloud_config.py
@@ -144,6 +144,9 @@ def _generate_cloud_config(self, is_admin: bool, tf_output: dict) -> dict:
                 },
             }
 
+        if self.admin_credentials.get("OS_CACERT"):
+            cloud_data[self.cloud]["cacert"] = self.admin_credentials["OS_CACERT"]
+
         return cloud_data
 
     def _get_cloud_config_from_file(self, clouds_yaml: Path) -> dict:

diff --git a/sunbeam-python/sunbeam/commands/generate_preseed.py b/sunbeam-python/sunbeam/commands/generate_preseed.py
diff --git a/sunbeam-python/sunbeam/commands/launch.py b/sunbeam-python/sunbeam/commands/launch.py
@@ -91,6 +91,7 @@ def launch(
             project_name=tf_output["OS_PROJECT_NAME"],
             user_domain_name=tf_output["OS_USER_DOMAIN_NAME"],
             project_domain_name=tf_output["OS_PROJECT_DOMAIN_NAME"],
+            cacert=admin_auth_info.get("OS_CACERT"),
         )
     except openstack.exceptions.SDKException:
         LOG.error("Could not authenticate to Keystone.")

diff --git a/sunbeam-python/sunbeam/commands/manifest.py b/sunbeam-python/sunbeam/commands/manifest.py
@@ -45,44 +45,14 @@
 from sunbeam.jobs.common import FORMAT_TABLE, FORMAT_YAML, run_preflight_checks
 from sunbeam.jobs.deployment import Deployment
 from sunbeam.jobs.manifest import Manifest
-from sunbeam.jobs.questions import QuestionBank, load_answers
+from sunbeam.jobs.plugin import PluginManager
+from sunbeam.jobs.questions import QuestionBank, load_answers, show_questions
 from sunbeam.utils import asdict_with_extra_fields
 
 LOG = logging.getLogger(__name__)
 console = Console()
 
 
-def show_questions(
-    question_bank,
-    section=None,
-    subsection=None,
-    section_description=None,
-    comment_out=False,
-) -> list:
-    lines = []
-    space = " "
-    indent = ""
-    outer_indent = space * 2
-    if comment_out:
-        comment = "# "
-    else:
-        comment = ""
-    if section:
-        if section_description:
-            lines.append(f"{outer_indent}{comment}{indent}# {section_description}")
-        lines.append(f"{outer_indent}{comment}{indent}{section}:")
-        indent = space * 2
-    if subsection:
-        lines.append(f"{outer_indent}{comment}{indent}{subsection}:")
-        indent = space * 4
-    for key, question in question_bank.questions.items():
-        default = question.calculate_default() or ""
-        lines.append(f"{outer_indent}{comment}{indent}# {question.question}")
-        lines.append(f"{outer_indent}{comment}{indent}{key}: {default}")
-
-    return lines
-
-
 def generate_deployment_preseed(client: Client) -> str:
     """Generate deployment preseed section."""
     name = utils.get_fqdn()
@@ -156,6 +126,8 @@ def generate_deployment_preseed(client: Client) -> str:
         )
     )
 
+    preseed_content.extend(PluginManager().get_preseed_questions_content(client))
+
     preseed_content_final = "\n".join(preseed_content)
     return preseed_content_final
 

diff --git a/sunbeam-python/sunbeam/commands/openrc.py b/sunbeam-python/sunbeam/commands/openrc.py
@@ -18,6 +18,7 @@
 import click
 from rich.console import Console
 
+from sunbeam.commands.configure import retrieve_admin_credentials
 from sunbeam.commands.openstack import OPENSTACK_MODEL
 from sunbeam.jobs import juju
 from sunbeam.jobs.checks import DaemonGroupCheck, VerifyBootstrappedCheck
@@ -42,19 +43,7 @@ def openrc(ctx: click.Context) -> None:
     jhelper = juju.JujuHelper(deployment.get_connected_controller())
 
     with console.status("Retrieving openrc from Keystone service ... "):
-        # Retrieve config from juju actions
-        model = OPENSTACK_MODEL
-        app = "keystone"
-        action_cmd = "get-admin-account"
-        unit = juju.run_sync(jhelper.get_leader_unit(app, model))
-        if not unit:
-            _message = f"Unable to get {app} leader"
-            raise click.ClickException(_message)
-
-        action_result = juju.run_sync(jhelper.run_action(unit, model, action_cmd))
-
-        if action_result.get("return-code", 0) > 1:
-            _message = "Unable to retrieve openrc from Keystone service"
-            raise click.ClickException(_message)
-        else:
-            console.print(action_result.get("openrc"))
+        creds = retrieve_admin_credentials(jhelper, OPENSTACK_MODEL)
+        console.print("# openrc for access to OpenStack")
+        for param, value in creds.items():
+            console.print(f"export {param}={value}")