[18.05] tls-certificates relation is not supported

Subscribed ~field-critical as currently the lack of this relation introduces a manual workflow in addition to the automatic one with other charms that support tls-certificates as of 18.05.

This feature is not quite ready for general consumption; triaging and we'll make sure this gets stable updated as well.

Unsubscribing field-critical per discussion in IRC as this is not an officially released feature as of 18.05.

Is this Field-Critical? At best this seems Field-High

On Thu, Jun 14, 2018 at 2:07 PM, James Page <email address hidden> wrote:

> This feature is not quite ready for general consumption; triaging and
> we'll make sure this gets stable updated as well.
>
> ** Changed in: charm-openstack-dashboard
> Status: New => Triaged
>
> ** Changed in: charm-openstack-dashboard
> Importance: Undecided => High
>
> --
> You received this bug notification because you are a member of Canonical
> Field Critical, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1776643
>
> Title:
> [18.05] tls-certificates relation is not supported
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/charm-openstack-dashboard/+
> bug/1776643/+subscriptions
>

John,

Unsubscribed already as it was pointed out that this functionality was not formally released yet, although was mentioned vaguely in release notes and all relevant charms except one support this.

As for reasoning, there are two completely separate workflows:

1) asking for an intermediate CA and using vault;
2) using charm options.

One could argue that mixing the two would be possible or just using 2 and treating option 1 as non-existent which would make it Field-High.

Normally it takes several deployment attempts to get a working cloud as occasional misconfigs (networking, charm options etc.) need to be sorted out but what we have to ask in advance from a customer is either a set of per-service certificates and keys or a signed intermediate CA certificate based on a CSR we generate. With very tight timelines choosing option 1 and then changing your mind to use option 2 shifts project timelines to an extent where it becomes a critical issue. Understanding that option 1 is not fully there yet allowed us to make a decision to go with option 2 and remove the "critical" status.

The same for ceph-radosgw charm.

$ juju add-relation ceph-radosgw:certificates vault:certificates
ERROR application "ceph-radosgw" has no "certificates" relation

Fix proposed to branch: master
Review: https://review.openstack.org/634407

Reviewed: https://review.openstack.org/634407
Committed: https://git.openstack.org/cgit/openstack/charm-ceph-radosgw/commit/?id=049993db1ba8c1555ea24bb91abf9617177e3765
Submitter: Zuul
Branch: master

commit 049993db1ba8c1555ea24bb91abf9617177e3765
Author: James Page <email address hidden>
Date: Fri Feb 1 13:24:55 2019 +0000

    Add support for tls-certificates relation

    Add support for the charm to request and receive certificates from
    the tls-certificates relation.

    Change-Id: I821ad15aa6af7eaf9d22a00e7d3fb79611d4b6b5
    Closes-Bug: 1776643

Fix proposed to branch: stable/18.11
Review: https://review.openstack.org/634699

Reviewed: https://review.openstack.org/634699
Committed: https://git.openstack.org/cgit/openstack/charm-ceph-radosgw/commit/?id=ae0a767f6766a0eb7f50f0928cf8db60232c7fe0
Submitter: Zuul
Branch: stable/18.11

commit ae0a767f6766a0eb7f50f0928cf8db60232c7fe0
Author: James Page <email address hidden>
Date: Fri Feb 1 13:24:55 2019 +0000

    Add support for tls-certificates relation

    Add support for the charm to request and receive certificates from
    the tls-certificates relation.

    Note that this cherry-pick also selectively picks some changes
    to support the restart_map/restart_on_change pattern implemented
    in a wider change on master branch.

    Change-Id: I821ad15aa6af7eaf9d22a00e7d3fb79611d4b6b5
    Closes-Bug: 1776643
    (cherry picked from commit 049993db1ba8c1555ea24bb91abf9617177e3765)