From 46b40162b9d41948d906ec21fed848700dced815 Mon Sep 17 00:00:00 2001 From: saltiyazan Date: Thu, 21 Sep 2023 15:55:41 +0400 Subject: [PATCH 1/2] Creates sdcore management interface (#104) * Creates spec for sdcore_management relation interface * Improves experssions in the README * Addresses review comments Fixes PEP 8 issues Improves README --- README.md | 1 + .../sdcore_management/provider.json | 43 +++++++++++++++++ .../sdcore_management/requirer.json | 20 ++++++++ interfaces/sdcore_management/README.md | 47 +++++++++++++++++++ interfaces/sdcore_management/charms.yaml | 2 + interfaces/sdcore_management/schema.py | 36 ++++++++++++++ 6 files changed, 149 insertions(+) create mode 100644 docs/json_schemas/interfaces/sdcore_management/provider.json create mode 100644 docs/json_schemas/interfaces/sdcore_management/requirer.json create mode 100644 interfaces/sdcore_management/README.md create mode 100644 interfaces/sdcore_management/charms.yaml create mode 100644 interfaces/sdcore_management/schema.py diff --git a/README.md b/README.md index 55c4fbfb..74dc47b4 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,7 @@ To quickly get started, see the [template interface](https://github.com/canonica | | [`fiveg_n2`](interfaces/fiveg_n2/v0/README.md) | ![Status: Draft](https://img.shields.io/badge/Status-Draft-orange) | | | [`fiveg_n3`](interfaces/fiveg_n3/v0/README.md) | ![Status: Draft](https://img.shields.io/badge/Status-Draft-orange) | | | [`fiveg_n4`](interfaces/fiveg_n4/v0/README.md) | ![Status: Draft](https://img.shields.io/badge/Status-Draft-orange) | +| | [`sdcore_management`](interfaces/sdcore_management/v0/README.md) | ![Status: Draft](https://img.shields.io/badge/Status-Draft-orange) | For a more detailed explanation of statuses and how they should be used, see [the legend](https://github.com/canonical/charm-relation-interfaces/blob/main/LEGEND.md). 
diff --git a/docs/json_schemas/interfaces/sdcore_management/provider.json b/docs/json_schemas/interfaces/sdcore_management/provider.json new file mode 100644 index 00000000..bb133421 --- /dev/null +++ b/docs/json_schemas/interfaces/sdcore_management/provider.json @@ -0,0 +1,43 @@ +{ + "title": "ProviderSchema", + "description": "The schema for the provider side of the sdcore_management interface.", + "type": "object", + "properties": { + "unit": { + "$ref": "#/definitions/BaseModel" + }, + "app": { + "$ref": "#/definitions/SdcoreManagementProviderAppData" + } + }, + "required": [ + "app" + ], + "definitions": { + "BaseModel": { + "title": "BaseModel", + "type": "object", + "properties": {} + }, + "SdcoreManagementProviderAppData": { + "title": "SdcoreManagementProviderAppData", + "type": "object", + "properties": { + "management_url": { + "title": "Management Url", + "description": "The endpoint to use to manage SD-Core network.", + "examples": [ + "http://1.2.3.4:1234" + ], + "minLength": 1, + "maxLength": 2083, + "format": "uri", + "type": "string" + } + }, + "required": [ + "management_url" + ] + } + } +} \ No newline at end of file diff --git a/docs/json_schemas/interfaces/sdcore_management/requirer.json b/docs/json_schemas/interfaces/sdcore_management/requirer.json new file mode 100644 index 00000000..63d0ac00 --- /dev/null +++ b/docs/json_schemas/interfaces/sdcore_management/requirer.json @@ -0,0 +1,20 @@ +{ + "title": "RequirerSchema", + "description": "The schema for the requirer side of the sdcore_management interface.", + "type": "object", + "properties": { + "unit": { + "$ref": "#/definitions/BaseModel" + }, + "app": { + "$ref": "#/definitions/BaseModel" + } + }, + "definitions": { + "BaseModel": { + "title": "BaseModel", + "type": "object", + "properties": {} + } + } +} \ No newline at end of file diff --git a/interfaces/sdcore_management/README.md b/interfaces/sdcore_management/README.md new file mode 100644 index 00000000..b7b1b06d --- /dev/null 
+++ b/interfaces/sdcore_management/README.md @@ -0,0 +1,47 @@ +# `sdcore_management` + +## Usage + +Within Charmed-5G, the components that makes configuration changes to the network require access to the configuration and management service. + +The `sdcore_management` relation interface describes the expected behavior of any charm claiming to provide or consume the information to access the configuration service in SD-Core. + +SD-Core Webui Operator that is responsible for the configuration of the SD-Core network within Charmed-5G is a typical provider and SD-Core NMS (Network Management System) Operator that provides a user interface to manage and configure the network is a typical requirer of this relation. + +## Direction + +```mermaid +flowchart TD + Provider -- management_url --> Requirer +``` + +As with all Juju relations, the `sdcore_management` interface consists of two parties: a Provider and a Requirer. + +## Behavior + +Both the Requirer and the Provider need to adhere to criteria to be considered compatible with the interface. + +### Provider + +- Is expected to provide the address to access the SD-Core configuration service endpoint. + +### Requirer + +- Is expected to use the endpoint address provided to connect to the configuration service. + +## Relation Data + +[\[Pydantic Schema\]](./schema.py) + +#### Example + +```yaml +provider: + app: { + "management_url": "http://1.2.3.4:1234", + } + unit: {} +requirer: + app: {} + unit: {} +``` diff --git a/interfaces/sdcore_management/charms.yaml b/interfaces/sdcore_management/charms.yaml new file mode 100644 index 00000000..d6d06c41 --- /dev/null +++ b/interfaces/sdcore_management/charms.yaml @@ -0,0 +1,2 @@ +providers: [] +requirers: [] diff --git a/interfaces/sdcore_management/schema.py b/interfaces/sdcore_management/schema.py new file mode 100644 index 00000000..0650d6f4 --- /dev/null +++ b/interfaces/sdcore_management/schema.py 
@@ -0,0 +1,36 @@
+"""This file defines the schemas for the provider and requirer sides of the `sdcore_management` relation interface.
+
+It must expose two interfaces.schema_base.DataBagSchema subclasses called:
+- ProviderSchema
+- RequirerSchema
+
+Examples:
+ ProviderSchema:
+ unit:
+ app: {
+ "management_endpoint": "http://1.2.3.4:1234",
+ }
+ RequirerSchema:
+ unit:
+ app:
+"""
+
+from interface_tester.schema_base import DataBagSchema
+from pydantic import BaseModel, Field, HttpUrl
+
+
+class SdcoreManagementProviderAppData(BaseModel):
+ management_url: HttpUrl = Field(
+ description="The endpoint to use to manage SD-Core network.",
+ examples=["http://1.2.3.4:1234"],
+ )
+
+
+class ProviderSchema(DataBagSchema):
+ """The schema for the provider side of the sdcore_management interface."""
+
+ app: SdcoreManagementProviderAppData
+
+
+class RequirerSchema(DataBagSchema):
+ """The schema for the requirer side of the sdcore_management interface."""
From 40b2864d133a045b4f9b7c5b6612654002926c72 Mon Sep 17 00:00:00 2001 From: Guillaume Boutry Date: Thu, 21 Sep 2023 16:03:51 +0200 Subject: [PATCH 2/2] feat: add ca_certificate field in vault-kv relation (#105) Vault-k8s has been refactored to always have TLS enabled. The CA certificate is needed to validate the vault server's identity. Co-authored-by: Simon Aronsson
--- docs/json_schemas/vault_kv/v0/provider.json | 6 +++++ interfaces/vault_kv/v0/README.md | 30 ++++++++++++++++++--- interfaces/vault_kv/v0/schema.py | 3 +++ 3 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/docs/json_schemas/vault_kv/v0/provider.json b/docs/json_schemas/vault_kv/v0/provider.json
index 4b03a04b..b159b8e9 100644
--- a/docs/json_schemas/vault_kv/v0/provider.json
+++ b/docs/json_schemas/vault_kv/v0/provider.json
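Review bot: The module docstring's example databag uses the key `management_endpoint`, but the field declared on SdcoreManagementProviderAppData, the README and the generated provider.json all use `management_url`; the example line should read `"management_url": "http://1.2.3.4:1234",` so that copying it yields a databag that actually validates. Separately, `HttpUrl` accepts both `http` and `https`, and the only example shown is a plain-http address for a management service; if the endpoint is expected to be reachable over TLS, say so in the Field description (or constrain the scheme), and if plain http is acceptable, state that instead so requirers do not assume the transport is protected.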
@@ -33,6 +33,11 @@
 "description": "The KV mount available for the requirer application, respecting the pattern 'charm--'.",
 "type": "string"
 },
+ "ca_certificate": {
+ "title": "Ca Certificate",
+ "description": "The CA certificate to use when validating the Vault server's certificate.",
+ "type": "string"
+ },
 "credentials": {
 "title": "Credentials",
 "description": "Mapping of unit name and credentials for that unit. Credentials are a juju secret containing a 'role-id' and a 'role-secret-id'.",
@@ -45,6 +50,7 @@
 "required": [
 "vault_url",
 "mount",
+ "ca_certificate",
 "credentials"
 ]
 }
diff --git a/interfaces/vault_kv/v0/README.md b/interfaces/vault_kv/v0/README.md
index 65ad9d54..24b7dbe3 100644
--- a/interfaces/vault_kv/v0/README.md
+++ b/interfaces/vault_kv/v0/README.md
@@ -9,7 +9,7 @@ Some charms require a secure key value store. This relation interface describes
 ```mermaid
 flowchart TD
 Requirer -- mount_suffix, nonce, egress_subnet --> Provider
- Provider -- vault_url, mount, credentials --> Requirer
+ Provider -- vault_url, ca_certificate, mount, credentials --> Requirer
 ```
 
 ## Behavior
@@ -20,10 +20,11 @@ Both the Requirer and the Provider need to adhere to criteria to be considered c Provider expectations -- Is expected to provide the vault url +- Is expected to provide the vault url. +- Is expected to provide a ca certificate used to validate the vault server's certificate. - Is expected to provide a key value mount, the mount name shall respect the following pattern: `charm--` - Is expected to create an approle restricted to the requiring unit's egress subnet. -- Is expected to create a Juju secret containing a role-id and role-secret-id for each unit +- Is expected to create a Juju secret containing a role-id and role-secret-id for each unit. - Is expected to provide the Juju secret ID in the relation data, identified by the unit's nonce. - Is expected to have out of date credentials when requirer unit's identity change, for some unspecified amount of time until new credentials have been generated. For example, during an upgrade-charm event. @@ -32,7 +33,7 @@ Provider expectations Requirer expectations -- Is expected to provide a mount suffix +- Is expected to provide a mount suffix. - Is expected to provide an egress subnet for each unit requiring access to the vault key value store. The unit's egress_subnet shall be used to restrict access to the secret backend. - Is expected to provide a nonce, i.e. a string uniquely identifying the unit. 
@@ -48,6 +49,27 @@ provider:
 app:
 vault_url: http://10.152.183.104:8200
 mount: charm-barbican-secrets # in case of CMR, mount will look like `charm-remote-fd7bc6a8c2d54d748ec3822da5abf0bc-secrets`
+ ca_certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIDPzCCAiegAwIBAgIUSV4nLL94rCgtxIHB1kyCDh2SBnkwDQYJKoZIhvcNAQEL
+ BQAwLDELMAkGA1UEBhMCVVMxHTAbBgNVBAMMFFZhdWx0IHNlbGYgc2lnbmVkIENB
+ MCAXDTIzMDkxNTEzMzAzM1oYDzIwNzMwOTAyMTMzMDMzWjAsMQswCQYDVQQGEwJV
+ UzEdMBsGA1UEAwwUVmF1bHQgc2VsZiBzaWduZWQgQ0EwggEiMA0GCSqGSIb3DQEB
+ AQUAA4IBDwAwggEKAoIBAQC1Odkv2Yv6PoDTT4VPO8EGwlhmbkYib4VbxZVCxQe/
+ 1qp4IDDKwN4PXnmCbfg/Ri+A8C9CQZirVam0zIxqQJ2fe0EKBO7y7BM8HrhWPh2p
+ 3oWV3mi8qm1frQvjpWK859oQMFzDkaKGLHIADwi8pr7wLlyUAlGZ6s/aKAtAkRUZ
+ fLpUkMpSuoBT/3JgbvQOk9QQS+I0lLsaPxE4KV1kfuH/EdAgiMeqj0Y2Cj0t0ZBG
+ ZWt6jOFRffZbDmV/P2Vl0Oc7dJFfluWTy+3GA+AMlaNOVR1xdtmSot+W9dZR7rHp
+ dCGeulRjm79DgkCBZ8XNGUDSd5kBv4dkNVXtY24ZCP45AgMBAAGjVzBVMB8GA1Ud
+ DgQYBBYEFKbR1+Rgj49n7dHWsrsF+US8FI2GMCEGA1UdIwQaMBiAFgQUptHX5GCP
+ j2ft0dayuwX5RLwUjYYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+ AQEAjFZKJQ/Vo1TtPBfD3A+3NI0jbjEt7i2+ERHfrDSAVZEuV10X7Red/YRd+lup
+ rPwgZr1Fg5/dDwiILwOcQz39Qq3u6BFChjH47Oz4krcG5uv6VTrDwhSnmV5gzTia
+ hXR6SET/yOwwoM6AWRsvjZQ0jCdRcvd5e+rafM27jXRBO0/F9XQGc3Dn5WM0TalC
+ S293oLoL3epU0X36FFRVWMVOCPBVzUS0eRrL90gTWxBNEw4YPyxIZD1+0uhUdJum
+ q9IJGysn/ETTPHj83pM+Dgr3+3rP8NP3OF81eKi87nGyrY+HtzlKUTCYymyeCUqK
+ CnYvDG4IK/MIkjgiBBTS7diP/A==
+ -----END CERTIFICATE-----
 credentials: |
 {
 "3081279da89c48a32923473c2c587019": "secret://4f7cc474-a23d-49a2-8b6e-9835c1e08325/cjk5slcrl3uc767oebp0",
diff --git a/interfaces/vault_kv/v0/schema.py b/interfaces/vault_kv/v0/schema.py
index 45059926..5762bcb1 100644
--- a/interfaces/vault_kv/v0/schema.py
+++ b/interfaces/vault_kv/v0/schema.py
@@ -20,6 +20,9 @@ class VaultKvProviderSchema(BaseModel):
 "respecting the pattern 'charm--'."
 )
 )
+ ca_certificate: str = Field(
+ description="The CA certificate to use when validating the Vault server's certificate."
+ )
 credentials: Json[Mapping[str, str]] = Field(
 description=(
 "Mapping of unit name and credentials for that unit."
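Review bot: `ca_certificate` is declared as a bare `str` whose description does not say how the certificate is encoded, while the README example added in this same commit hands over a PEM block; the description should pin that down, e.g. `description="The PEM-encoded CA certificate to use when validating the Vault server's certificate."`, and the mirrored description in docs/json_schemas/vault_kv/v0/provider.json should be updated in step. The field is also added to `required` in that JSON schema, so a provider that has not yet been updated stops validating — presumably intended given the commit message, but worth stating explicitly under the README's Provider expectations. The enclosing class VaultKvProviderSchema begins before this hunk.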