Description
Problem:
On OpenStack deployments, SSL is set up in one of two ways:
- with certificates provided by the customer
- directly with Vault generating a root CA
For the case where a deployment uses Vault as the root CA, the expected experience is a certificates relation between Vault and the application, so that the unit can retrieve the root CA and apply it locally.
Currently, no such integration exists in the charm itself.
Environment:
- Ubuntu 22.04
- Charmed OpenStack Caracal with charms from 2024.1/stable
- openstack-exporter charm from latest/stable
Logs:
As a result, we are greeted with SSL errors when the application is deployed and related to an existing OpenStack.
Apr 21 07:22:39 juju-334cd8-2-lxd-24 charmed-openstack-exporter.service[49627]: ts=2025-04-21T07:22:39.389Z caller=utils.go:75 level=error err="enabling exporter for service failed" cloud=openstack service=identity error="Post "https://keystone-internal.production.solutionsqa:5000/v3/auth/token>
Apr 21 07:22:39 juju-334cd8-2-lxd-24 charmed-openstack-exporter.service[49627]: ts=2025-04-21T07:22:39.389Z caller=utils.go:71 level=info msg="Start collect cache data" cloud=openstack service=container-infra
Apr 21 07:22:39 juju-334cd8-2-lxd-24 charmed-openstack-exporter.service[49627]: ts=2025-04-21T07:22:39.389Z caller=exporter.go:218 level=error msg="Failed to include additional certificates to ca-trust" err="error parsing CA Cert from: /var/snap/charmed-openstack-exporter/common/cacert.pe>
Apr 21 07:22:39 juju-334cd8-2-lxd-24 charmed-openstack-exporter.service[49627]: ts=2025-04-21T07:22:39.392Z caller=utils.go:75 level=error err="enabling exporter for service failed" cloud=openstack service=container-infra error="Post "https://keystone-internal.production.solutionsqa:5000/v3/aut>
Apr 21 07:22:39 juju-334cd8-2-lxd-24 charmed-openstack-exporter.service[49627]: ts=2025-04-21T07:22:39.392Z caller=utils.go:71 level=info msg="Start collect cache data" cloud=openstack service=dns
Apr 21 07:22:39 juju-334cd8-2-lxd-24 charmed-openstack-exporter.service[49627]: ts=2025-04-21T07:22:39.392Z caller=exporter.go:218 level=error msg="Failed to include additional certificates to ca-trust" err="error parsing CA Cert from: /var/snap/charmed-openstack-exporter/common/cacert.pe>
Apr 21 07:22:39 juju-334cd8-2-lxd-24 charmed-openstack-exporter.service[49627]: ts=2025-04-21T07:22:39.395Z caller=utils.go:75 level=error err="enabling exporter for service failed" cloud=openstack service=dns error="Post "https://keystone-internal.production.solutionsqa:5000/v3/auth/tokens\": >
Apr 21 07:22:39 juju-334cd8-2-lxd-24 charmed-openstack-exporter.service[49627]: ts=2025-04-21T07:22:39.395Z caller=utils.go:71 level=info msg="Start collect cache data" cloud=openstack service=orchestration
Workaround:
Retrieve the CA certificate manually from Vault and apply it to openstack-exporter (the file written by tee and the file read by cat must be the same path):
```shell
juju run -m openstack vault/leader get-root-ca --format json | \
  jq -r .[].results.output | tee ./ca.crt
juju config -m openstack openstack-exporter ssl_ca="$(cat ./ca.crt)"
```
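As an added check for the workaround above (example code, not part of this issue or of the charm), the script below validates the root CA returned by `juju run ... get-root-ca --format json` before it is handed to `juju config ... ssl_ca=`: it extracts `results.output` the same way the jq path does, confirms PEM framing and a consistent outer DER length (an empty or truncated value is what the exporter logs as "error parsing CA Cert"), and prints a SHA-256 fingerprint to compare against Vault. The JSON shape follows the page's jq path; the `status` field and the sample DER bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import json

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def extract_root_ca(juju_json: str) -> str:
    """Return results.output from the juju run JSON (a map keyed by unit name,
    matching the page's jq path .[].results.output); exactly one unit expected."""
    units = json.loads(juju_json)
    outputs = [u["results"]["output"] for u in units.values() if "results" in u]
    if len(outputs) != 1:
        raise ValueError(f"expected exactly one unit result, got {len(outputs)}")
    return outputs[0].strip()


def validate_ca_pem(pem: str) -> bytes:
    """Check PEM framing and the outer DER SEQUENCE length; return the DER bytes.
    An empty or truncated value is what the exporter reports as 'error parsing CA Cert'."""
    if not pem.startswith(PEM_HEADER) or not pem.endswith(PEM_FOOTER):
        raise ValueError("not a single PEM CERTIFICATE block")
    body = pem[len(PEM_HEADER):-len(PEM_FOOTER)]
    der = base64.b64decode("".join(body.split()), validate=True)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE")
    # Decode the DER length (short or long form) and compare with the real size.
    if der[1] < 0x80:
        length, header = der[1], 2
    else:
        n = der[1] & 0x7F
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError("DER length mismatch: certificate truncated or padded")
    return der


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint to compare with what Vault itself reports for the root CA."""
    return hashlib.sha256(der).hexdigest()


def constructed_juju_output(der: bytes) -> str:
    """Wrap DER bytes as PEM inside a juju-run style JSON document (constructed sample)."""
    pem = f"{PEM_HEADER}\n{base64.b64encode(der).decode()}\n{PEM_FOOTER}"
    return json.dumps({"vault/0": {"results": {"output": pem}, "status": "completed"}})


if __name__ == "__main__":
    # Constructed DER SEQUENCE { INTEGER 1 } standing in for a real certificate.
    sample = constructed_juju_output(bytes.fromhex("3003020101"))
    print(fingerprint(validate_ca_pem(extract_root_ca(sample))))
```

In practice, feed the real `juju run` JSON to `extract_root_ca` and only run `juju config` when `validate_ca_pem` returns without raising.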
Wish:
Being able to have a certificates endpoint on the charm so that it can be related to Vault directly, avoiding a manual (and easily forgotten) step for the user on each (re)deployment:
```shell
juju relate vault:certificates openstack-exporter:certificates
```