diff --git a/requirements.txt b/requirements.txt index 533a702da..36df2abed 100644 --- a/requirements.txt +++ b/requirements.txt @@ -11,6 +11,7 @@ async_generator # https://github.com/pyca/pyopenssl/commit/a145fc3bc6d2e943434beb2f04bbf9b18930296f pyopenssl<22.1.0 +trustme boto3<1.25 PyYAML<=4.2,>=3.0; python_version < '3.9' PyYAML>=5.1; python_version >= '3.9' diff --git a/setup.py b/setup.py index 75742f170..fe4aceeb9 100644 --- a/setup.py +++ b/setup.py @@ -28,6 +28,7 @@ 'futurist<2.0.0', 'async_generator', 'boto3', + 'trustme' # pyopenssl depends on a newer version of cryptography since 22.1.0 # TypeError: deprecated() got an unexpected keyword argument 'name' diff --git a/zaza/openstack/charm_tests/ceilometer/tests.py b/zaza/openstack/charm_tests/ceilometer/tests.py index c93dcf756..a9b704b21 100644 --- a/zaza/openstack/charm_tests/ceilometer/tests.py +++ b/zaza/openstack/charm_tests/ceilometer/tests.py @@ -126,7 +126,7 @@ def test_900_restart_on_config_change(self): current_value = openstack_utils.get_application_config_option( self.application_name, config_name ) - assert type(current_value) == bool + assert type(current_value) is bool new_value = not current_value # Convert bool to str diff --git a/zaza/openstack/charm_tests/ceph/dashboard/tests.py b/zaza/openstack/charm_tests/ceph/dashboard/tests.py index d479e2640..9111f866f 100644 --- a/zaza/openstack/charm_tests/ceph/dashboard/tests.py +++ b/zaza/openstack/charm_tests/ceph/dashboard/tests.py @@ -20,6 +20,7 @@ import requests import tenacity import uuid +import trustme import zaza import zaza.openstack.charm_tests.test_utils as test_utils 
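Review bot: In the setup.py hunk the added `'trustme'` has no trailing comma, so Python will implicitly concatenate it with the next string literal in the list. The element that follows the two comment lines is outside the hunk, but those comments announce a pyopenssl pin; if that pin is the next entry, the list ends up with one merged requirement string and neither trustme nor the pin is applied as intended. A merged string is also a different package name as far as the installer is concerned, which is an avoidable risk in a dependency list. Write the line as `'trustme',`.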
@@ -309,3 +310,58 @@ def test_saml(self):
 verify=self.local_ca_cert,
 allow_redirects=False)
 self.assertEqual(resp.status_code, requests.codes.ok)
+
+ def test_charm_config_ssl(self):
+ """Config charm SSL certs to test the Ceph dashboard application."""
+ local_ca = trustme.CA()
+ server_cert = local_ca.issue_cert("ceph-dashboard")
+
+ # Configure local certs in charm config
+ zaza.model.model.set_application_config(
+ 'ceph-dashboard',
+ {
+ 'ssl_cert': str(server_cert.cert_chain_pems[0].bytes()
+ .decode('UTF-8')),
+ 'ssl_key': str(server_cert.private_key_pem.bytes()
+ .decode('UTF-8')),
+ 'ssl_ca': str(local_ca.cert_pem.bytes().decode('UTF-8'))
+ }
+ )
+
+ # Check application status message.
+ assert_state = {
+ 'ceph-dashboard': {
+ "workload-status": "blocked",
+ "workload-status-message-prefix":
+ "Charm-config certificates ignored"
+ }
+ }
+ zaza.model.wait_for_application_states(
+ states=assert_state, timeout=300
+ )
+
+ # Remove certificates relation to trigger configured certs.
+ zaza.model.remove_relation(
+ 'ceph-dashboard',
+ 'ceph-dashboard:certificates',
+ 'vault:certificates'
+ )
+
+ # Wait for status to clear
+ zaza.model.block_until_all_units_idle()
+
+ # Verify Certificates.
+ rcs = collections.defaultdict(list)
+ units = zaza.model.get_units('ceph-mon')
+ with local_ca.cert_pem.tempfile() as ca_temp_file:
+ for unit in units:
+ r = self._run_request_get(
+ 'https://{}:8443'.format(
+ zaza.model.get_unit_public_address(unit)),
+ verify=ca_temp_file,
+ allow_redirects=False)
+ rcs[r.status_code].append(
+ zaza.model.get_unit_public_address(unit)
+ )
+ self.assertEqual(len(rcs[requests.codes.ok]), 1)
+ self.assertEqual(len(rcs[requests.codes.see_other]), len(units) - 1)
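Review bot: The server certificate is issued only for the name `ceph-dashboard`, while the verification loop connects to `https://<unit public address>:8443` with `verify=ca_temp_file`, so hostname checking would be expected to reject the handshake unless `_run_request_get` (defined outside this hunk) relaxes it. trustme accepts several identities per certificate, so the unit addresses could be gathered first and passed in, e.g. `server_cert = local_ca.issue_cert("ceph-dashboard", *unit_addresses)` with `unit_addresses` built from `zaza.model.get_unit_public_address`. The test also removes the `vault:certificates` relation and leaves `ssl_cert`/`ssl_key`/`ssl_ca` set with no cleanup visible here, so any later test that verifies against `self.local_ca_cert`, as the `test_saml` context lines do, would meet the trustme chain instead; restoring both through `self.addCleanup` or a `finally` block would keep the tests independent. Separately, `zaza.model.model.set_application_config` carries one more `.model` than the other calls in this hunk, which looks like a typo worth confirming.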