Add ssl-ca configuration option
Allow charm users to provide the SSL Root CA certificate, supporting the use of an internal Root CA for PKI signing. This CA certificate will be provided to charms directly consuming the Vault HTTPS API. Change-Id: I866e9835c0f47236c160e8ff122eb2cb4fc3f053
parent
d4e1b83d44
commit
aa4a55e31a
|
@ -37,3 +37,8 @@ options:
|
|||
default: ""
|
||||
description: >-
|
||||
The SSL key, base64-encoded.
|
||||
ssl-ca:
|
||||
type: string
|
||||
default: ""
|
||||
description: >-
|
||||
The SSL Root CA certificate, base64-encoded.
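Review bot: The `ssl-ca` description does not say what format is expected or what the charm does with the value. The handler added in this commit writes the decoded bytes under `/usr/local/share/ca-certificates/` and runs `update-ca-certificates`, so the CA becomes trusted by every TLS client on the unit, not only by Vault. I would spell that out, e.g. `The SSL Root CA certificate (PEM), base64-encoded. It is installed into the unit's system trust store.` The `options:` block starts above this hunk.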
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
import base64
|
||||
import psycopg2
|
||||
import subprocess
|
||||
|
||||
from charmhelpers.contrib.charmsupport.nrpe import (
|
||||
NRPE,
|
||||
|
@ -147,6 +148,13 @@ def configure_ssl():
|
|||
status_set('active', 'SSL key and cert installed')
|
||||
else:
|
||||
remove_state('vault.ssl.available')
|
||||
|
||||
if c['ssl-ca']:
|
||||
ssl_ca = base64.decodestring(c['ssl-ca'].encode())
|
||||
write_file('/usr/local/share/ca-certificates/vault-ca.crt',
|
||||
ssl_ca, perms=0o644)
|
||||
subprocess.check_call(['update-ca-certificates', '--fresh'])
|
||||
|
||||
set_state('vault.ssl.configured')
|
||||
remove_state('configured')
|
||||
|
||||
|
@ -166,6 +174,11 @@ def ssl_key_changed():
|
|||
remove_state('vault.ssl.configured')
|
||||
|
||||
|
||||
@when('config.changed.ssl-ca')
|
||||
def ssl_ca_changed():
|
||||
remove_state('vault.ssl.configured')
|
||||
|
||||
|
||||
@when('configured')
|
||||
@when('nrpe-external-master.available')
|
||||
@when_not('vault.nrpe.configured')
|
||||
|
|