[DPE-3644] Landscape client (#388)

* Landscape client

* Pass the cert

* Juju 2 compatible

* Update libs

Author: dragomirp

lib/charms/tls_certificates_interface/v2/tls_certificates.py

@@ -277,7 +277,7 @@ def _on_all_certificates_invalidated(self, event: AllCertificatesInvalidatedEven
 import logging
 import uuid
 from contextlib import suppress
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
 from ipaddress import IPv4Address
 from typing import Any, Dict, List, Literal, Optional, Union
 
@@ -286,7 +286,7 @@ def _on_all_certificates_invalidated(self, event: AllCertificatesInvalidatedEven
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.serialization import pkcs12
-from jsonschema import exceptions, validate  # type: ignore[import-untyped]
+from jsonschema import exceptions, validate
 from ops.charm import (
     CharmBase,
     CharmEvents,
@@ -307,7 +307,7 @@ def _on_all_certificates_invalidated(self, event: AllCertificatesInvalidatedEven
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 27
+LIBPATCH = 28
 
 PYDEPS = ["cryptography", "jsonschema"]
 
@@ -635,7 +635,9 @@ def _get_closest_future_time(
         datetime: expiry_notification_time if not in the past, expiry_time otherwise
     """
     return (
-        expiry_notification_time if datetime.utcnow() < expiry_notification_time else expiry_time
+        expiry_notification_time
+        if datetime.now(timezone.utc) < expiry_notification_time
+        else expiry_time
     )
 
 
@@ -650,7 +652,7 @@ def _get_certificate_expiry_time(certificate: str) -> Optional[datetime]:
     """
     try:
         certificate_object = x509.load_pem_x509_certificate(data=certificate.encode())
-        return certificate_object.not_valid_after
+        return certificate_object.not_valid_after_utc
     except ValueError:
         logger.warning("Could not load certificate.")
         return None
@@ -705,8 +707,8 @@ def generate_ca(
         .issuer_name(subject_name)
         .public_key(private_key_object.public_key())  # type: ignore[arg-type]
         .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.utcnow())
-        .not_valid_after(datetime.utcnow() + timedelta(days=validity))
+        .not_valid_before(datetime.now(timezone.utc))
+        .not_valid_after(datetime.now(timezone.utc) + timedelta(days=validity))
         .add_extension(x509.SubjectKeyIdentifier(digest=subject_identifier), critical=False)
         .add_extension(
             x509.AuthorityKeyIdentifier(
@@ -860,8 +862,8 @@ def generate_certificate(
         .issuer_name(issuer)
         .public_key(csr_object.public_key())
         .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.utcnow())
-        .not_valid_after(datetime.utcnow() + timedelta(days=validity))
+        .not_valid_before(datetime.now(timezone.utc))
+        .not_valid_after(datetime.now(timezone.utc) + timedelta(days=validity))
     )
     extensions = get_certificate_extensions(
         authority_key_identifier=ca_pem.extensions.get_extension_for_class(
@@ -1070,7 +1072,7 @@ class CertificatesRequirerCharmEvents(CharmEvents):
 class TLSCertificatesProvidesV2(Object):
     """TLS certificates provider class to be instantiated by TLS certificates providers."""
 
-    on = CertificatesProviderCharmEvents()
+    on = CertificatesProviderCharmEvents()  # type: ignore[reportAssignmentType]
 
     def __init__(self, charm: CharmBase, relationship_name: str):
         super().__init__(charm, relationship_name)
@@ -1481,7 +1483,7 @@ def certificate_issued_for_csr(
 class TLSCertificatesRequiresV2(Object):
     """TLS certificates requirer class to be instantiated by TLS certificates requirers."""
 
-    on = CertificatesRequirerCharmEvents()
+    on = CertificatesRequirerCharmEvents()  # type: ignore[reportAssignmentType]
 
     def __init__(
         self,
@@ -1708,7 +1710,7 @@ def get_expiring_certificates(self) -> List[Dict[str, str]]:
                 expiry_notification_time = expiry_time - timedelta(
                     hours=self.expiry_notification_time
                 )
-                if datetime.utcnow() > expiry_notification_time:
+                if datetime.now(timezone.utc) > expiry_notification_time:
                     final_list.append(cert)
         return final_list
 
@@ -1891,7 +1893,7 @@ def _on_secret_expired(self, event: SecretExpiredEvent) -> None:
             event.secret.remove_all_revisions()
             return
 
-        if datetime.utcnow() < expiry_time:
+        if datetime.now(timezone.utc) < expiry_time:
             logger.warning("Certificate almost expired")
             self.on.certificate_expiring.emit(
                 certificate=certificate_dict["certificate"],
@@ -1937,7 +1939,7 @@ def _on_update_status(self, event: UpdateStatusEvent) -> None:
             expiry_time = _get_certificate_expiry_time(certificate_dict["certificate"])
             if not expiry_time:
                 continue
-            time_difference = expiry_time - datetime.utcnow()
+            time_difference = expiry_time - datetime.now(timezone.utc)
             if time_difference.total_seconds() < 0:
                 logger.warning("Certificate is expired")
                 self.on.certificate_invalidated.emit(

tests/integration/test_backups.py

@@ -90,12 +90,6 @@ async def cloud_configs(ops_test: OpsTest, github_secrets) -> None:
             bucket_object.delete()
 
 
-@pytest.mark.group(1)
-async def test_none() -> None:
-    """Empty test so that the suite will not fail if all tests are skippedi."""
-    pass
-
-
 @pytest.mark.group(1)
 @pytest.mark.abort_on_fail
 async def test_backup(ops_test: OpsTest, cloud_configs: Tuple[Dict, Dict]) -> None:

tests/integration/test_subordinates.py

@@ -0,0 +1,84 @@
+#!/usr/bin/env python3
+# Copyright 2021 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+import logging
+import subprocess
+from asyncio import gather
+from base64 import b64encode
+
+import pytest
+from pytest_operator.plugin import OpsTest
+
+from .helpers import (
+    CHARM_SERIES,
+    get_unit_address,
+    scale_application,
+)
+
+DATABASE_APP_NAME = "pg"
+LS_CLIENT = "landscape-client"
+
+logger = logging.getLogger(__name__)
+
+
+@pytest.mark.group(1)
+@pytest.mark.abort_on_fail
+async def test_deploy(ops_test: OpsTest, charm: str, github_secrets):
+    landscape_config = {
+        "admin_email": "[email protected]",
+        "admin_name": "Admin",
+        "admin_password": "qweqwepoipoi",
+    }
+    await gather(
+        ops_test.model.deploy(
+            charm,
+            application_name=DATABASE_APP_NAME,
+            num_units=3,
+            series=CHARM_SERIES,
+            config={"profile": "testing"},
+        ),
+        ops_test.model.deploy("landscape-scalable"),
+        ops_test.model.deploy(LS_CLIENT, num_units=0),
+    )
+    await ops_test.model.applications["landscape-server"].set_config(landscape_config)
+
+    await ops_test.model.wait_for_idle(
+        apps=["landscape-server", "haproxy", DATABASE_APP_NAME], status="active", timeout=3000
+    )
+    haproxy_unit = ops_test.model.applications["haproxy"].units[0]
+    haproxy_addr = get_unit_address(ops_test, haproxy_unit.name)
+    haproxy_host = haproxy_unit.machine.hostname
+    cert = subprocess.check_output(
+        ["lxc", "exec", haproxy_host, "cat", "/var/lib/haproxy/selfsigned_ca.crt"]
+    )
+    ssl_public_key = f"base64:{b64encode(cert).decode()}"
+
+    await ops_test.model.applications[LS_CLIENT].set_config(
+        {
+            "account-name": "standalone",
+            "ping-url": f"http://{haproxy_addr}/ping",
+            "url": f"https://{haproxy_addr}/message-system",
+            "ssl-public-key": ssl_public_key,
+        }
+    )
+    await ops_test.model.relate(f"{DATABASE_APP_NAME}:juju-info", f"{LS_CLIENT}:container")
+    await ops_test.model.wait_for_idle(apps=[LS_CLIENT, DATABASE_APP_NAME], status="active")
+
+
+@pytest.mark.group(1)
+async def test_scale_up(ops_test: OpsTest, github_secrets):
+    await scale_application(ops_test, DATABASE_APP_NAME, 4)
+
+    await ops_test.model.wait_for_idle(
+        apps=[LS_CLIENT, DATABASE_APP_NAME], status="active", timeout=1500
+    )
+
+
+@pytest.mark.group(1)
+async def test_scale_down(ops_test: OpsTest, github_secrets):
+    await scale_application(ops_test, DATABASE_APP_NAME, 3)
+
+    await ops_test.model.wait_for_idle(
+        apps=[LS_CLIENT, DATABASE_APP_NAME], status="active", timeout=1500
+    )