Add ssl-ca configuration option

Allow charm users to provide the SSL Root CA certificate, supporting the use of an internal Root CA for PKI signing. This CA certificate will be provided to charms directly consuming the Vault HTTPS API. Change-Id: I866e9835c0f47236c160e8ff122eb2cb4fc3f053
2018-04-11 11:29:28 +01:00 · 2018-04-11 11:29:28 +01:00 · aa4a55e31a
parent d4e1b83d44
commit aa4a55e31a
2 changed files with 18 additions and 0 deletions
--- a/src/config.yaml
+++ b/src/config.yaml
@ -37,3 +37,8 @@ options:
    default: ""
    description: >-
      The SSL key, base64-encoded.
+  ssl-ca:
+    type: string
+    default: ""
+    description: >-
+      The SSL Root CA certificate, base64-encoded.
--- a/src/reactive/vault.py
+++ b/src/reactive/vault.py
@ -1,5 +1,6 @@
 import base64
 import psycopg2
+import subprocess

 from charmhelpers.contrib.charmsupport.nrpe import (
    NRPE,
@ -147,6 +148,13 @@ def configure_ssl():
        status_set('active', 'SSL key and cert installed')
    else:
        remove_state('vault.ssl.available')
+
+    if c['ssl-ca']:
+        ssl_ca = base64.decodestring(c['ssl-ca'].encode())
+        write_file('/usr/local/share/ca-certificates/vault-ca.crt',
+                   ssl_ca, perms=0o644)
+        subprocess.check_call(['update-ca-certificates', '--fresh'])
+
    set_state('vault.ssl.configured')
    remove_state('configured')

@ -166,6 +174,11 @@ def ssl_key_changed():
    remove_state('vault.ssl.configured')


+@when('config.changed.ssl-ca')
+def ssl_ca_changed():
+    remove_state('vault.ssl.configured')
+
+
@when('configured')
@when('nrpe-external-master.available')
@when_not('vault.nrpe.configured')