The node-cert-exporter snap is being integrated into projects such as Charmed OpenStack for monitoring expiration of certificates with the COS Lite stack.
The snap is hosted in the snap-node-cert-exporter GitHub repository under the Canonical organization, and will be maintained by the Canonical OVN Engineering team.
A purpose-built snap for this is required because there are applications that use certificates in their operation while not exposing any externally observable endpoints. Examples of such applications are the ovn-controller and the OpenStack Neutron server.
The snap currently has these system-files plugs defined:
+1 from me for use of read access to /etc/neutron, but I wonder if the snap could limit the access to the cert files only, so we prevent allowing the snap to access the entire config dir? I am -1 for auto-connect though, since the snap is not the owner of such directories.
The snap has configurations such as "exclude-glob" and "exclude-path" to limit which cert files are to be excluded from the default directories, and only files with the extensions [".pem", ".crt", ".cert", ".cer", ".pfx"] will be read by the snap.
I am -1 for auto-connect though, since the snap is not the owner of such directories.
We have no issue with no auto-connect, we would expect the end user of the snap to make a conscious choice of granting this access.
For the immediate use case in the Charmed OpenStack project, the charm will be in a position to connect these interfaces on behalf of the user in an automated fashion.
+1 for granting node-cert-exporter the use of read access to /etc/neutron, with the caveat of no auto-connect.
The transfer is now complete
Will wait for the voting period for the plug changes
Great, thanks for this clarification.
+2 votes for, 0 against. Granting installation of etc-neutron without auto-connect. This is now live.