Use per-model tmp-dir to store local copy of CA cert (#493)

The current approach of storing the deployment CA certificate in
the 'test/' relative path does not allow for executing tests for
multiple targets from the same environment.

We have previously moved (7a90110) the local copy of the SSH
private key for similar reasons.

Remove the global constants as we cannot build them without making
function calls, and we'd rather avoid doing that at module import
time. Code using the location of the local CA certificate has
already been changed to use helper functions.

unit_tests/utilities/test_zaza_utilities_openstack.py

@@ -1333,25 +1333,34 @@ class TestOpenStackUtils(ut_utils.BaseTestCase):
                 'bridge-interface-mappings',
                 {'ovn-bridge-mappings': 'physnet1:br-ex'}))
 
+    def test_get_cacert_absolute_path(self):
+        self.patch_object(openstack_utils.deployment_env, 'get_tmpdir')
+        self.get_tmpdir.return_value = '/tmp/default'
+        self.assertEqual(
+            openstack_utils.get_cacert_absolute_path('filename'),
+            '/tmp/default/filename')
+
     def test_get_cacert(self):
+        self.patch_object(openstack_utils.deployment_env, 'get_tmpdir')
+        self.get_tmpdir.return_value = '/tmp/default'
         self.patch_object(openstack_utils.os.path, 'exists')
         results = {
-            'tests/vault_juju_ca_cert.crt': True}
+            '/tmp/default/vault_juju_ca_cert.crt': True}
         self.exists.side_effect = lambda x: results[x]
         self.assertEqual(
             openstack_utils.get_cacert(),
-            'tests/vault_juju_ca_cert.crt')
+            '/tmp/default/vault_juju_ca_cert.crt')
 
         results = {
-            'tests/vault_juju_ca_cert.crt': False,
-            'tests/keystone_juju_ca_cert.crt': True}
+            '/tmp/default/vault_juju_ca_cert.crt': False,
+            '/tmp/default/keystone_juju_ca_cert.crt': True}
         self.assertEqual(
             openstack_utils.get_cacert(),
-            'tests/keystone_juju_ca_cert.crt')
+            '/tmp/default/keystone_juju_ca_cert.crt')
 
         results = {
-            'tests/vault_juju_ca_cert.crt': False,
-            'tests/keystone_juju_ca_cert.crt': False}
+            '/tmp/default/vault_juju_ca_cert.crt': False,
+            '/tmp/default/keystone_juju_ca_cert.crt': False}
         self.assertIsNone(openstack_utils.get_cacert())
 
     def test_get_remote_ca_cert_file(self):
@@ -1364,6 +1373,8 @@ class TestOpenStackUtils(ut_utils.BaseTestCase):
         self.patch_object(openstack_utils.shutil, 'move')
         self.patch_object(openstack_utils.os, 'chmod')
         self.patch_object(openstack_utils.tempfile, 'NamedTemporaryFile')
+        self.patch_object(openstack_utils.deployment_env, 'get_tmpdir')
+        self.get_tmpdir.return_value = '/tmp/default'
         enter_mock = mock.MagicMock()
         enter_mock.__enter__.return_value.name = 'tempfilename'
         self.NamedTemporaryFile.return_value = enter_mock
@@ -1377,8 +1388,9 @@ class TestOpenStackUtils(ut_utils.BaseTestCase):
             'neutron-api/0',
             '/tmp/ca1.cert',
             'tempfilename')
-        self.chmod.assert_called_once_with('tests/ca1.cert', 0o644)
-        self.move.assert_called_once_with('tempfilename', 'tests/ca1.cert')
+        self.chmod.assert_called_once_with('/tmp/default/ca1.cert', 0o644)
+        self.move.assert_called_once_with(
+            'tempfilename', '/tmp/default/ca1.cert')
 
 
 class TestAsyncOpenstackUtils(ut_utils.AioTestCase):

zaza/openstack/utilities/openstack.py

@@ -185,12 +185,10 @@ WORKLOAD_STATUS_EXCEPTIONS = {
 # For vault TLS certificates
 CACERT_FILENAME_FORMAT = "{}_juju_ca_cert.crt"
 CERT_PROVIDERS = ['vault']
-LOCAL_CERT_DIR = "tests"
 REMOTE_CERT_DIR = "/usr/local/share/ca-certificates"
 KEYSTONE_CACERT = "keystone_juju_ca_cert.crt"
 KEYSTONE_REMOTE_CACERT = (
     "/usr/local/share/ca-certificates/{}".format(KEYSTONE_CACERT))
-KEYSTONE_LOCAL_CACERT = ("{}/{}".format(LOCAL_CERT_DIR, KEYSTONE_CACERT))
 
 
 async def async_block_until_ca_exists(application_name, ca_cert,
@@ -236,6 +234,18 @@ async def async_block_until_ca_exists(application_name, ca_cert,
 block_until_ca_exists = zaza.model.sync_wrapper(async_block_until_ca_exists)
 
 
+def get_cacert_absolute_path(filename):
+    """Build string containing location of the CA Certificate file.
+
+    :param filename: Expected filename for CA Certificate file.
+    :type filename: str
+    :returns: Absolute path to file containing CA Certificate
+    :rtype: str
+    """
+    return os.path.join(
+        deployment_env.get_tmpdir(), filename)
+
+
 def get_cacert():
     """Return path to CA Certificate bundle for verification during test.
 
@@ -243,12 +253,13 @@ def get_cacert():
     :rtype: Union[str, None]
     """
     for _provider in CERT_PROVIDERS:
-        _cert = LOCAL_CERT_DIR + '/' + CACERT_FILENAME_FORMAT.format(
-            _provider)
+        _cert = get_cacert_absolute_path(
+            CACERT_FILENAME_FORMAT.format(_provider))
         if os.path.exists(_cert):
             return _cert
-    if os.path.exists(KEYSTONE_LOCAL_CACERT):
-        return KEYSTONE_LOCAL_CACERT
+    _keystone_local_cacert = get_cacert_absolute_path(KEYSTONE_CACERT)
+    if os.path.exists(_keystone_local_cacert):
+        return _keystone_local_cacert
 
 
 # OpenStack Client helpers
@@ -2056,8 +2067,7 @@ def get_remote_ca_cert_file(application, model_name=None):
         application,
         model_name=model_name)
     for cert_file in cert_files:
-        _local_cert_file = "{}/{}".format(
-            LOCAL_CERT_DIR,
+        _local_cert_file = get_cacert_absolute_path(
             os.path.basename(cert_file))
         with tempfile.NamedTemporaryFile(mode="w", delete=False) as _tmp_ca:
             try: