Only try to unseal vault when leader has set keys

Change-Id: I2574da2f7e6520d4c9bc8e5b9f03b5723840b5c8 Closes-Bug: #1792603
2018-09-24 08:27:02 +02:00 · 2018-09-24 08:27:02 +02:00 · e621b4dec0
parent 9459c01476
commit e621b4dec0
2 changed files with 12 additions and 4 deletions
--- a/src/lib/charm/vault.py
+++ b/src/lib/charm/vault.py
@ -239,7 +239,7 @@ def prepare_vault():
    vault_health = get_vault_health()
    if not vault_health['initialized'] and hookenv.is_leader():
        initialize_vault()
-    if vault_health['sealed']:
+    if vault_health['sealed'] and hookenv.leader_get('keys'):
        unseal_vault()
    if hookenv.is_leader():
        role_id = setup_charm_vault_access()
--- a/unit_tests/test_lib_charm_vault.py
+++ b/unit_tests/test_lib_charm_vault.py
@ -179,6 +179,7 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase):
            "http://127.0.0.1:8220/v1/sys/health")
        mock_response.json.assert_called_once()

+    @patch.object(vault.hookenv, 'leader_get')
    @patch.object(vault.hookenv, 'leader_set')
    @patch.object(vault, 'setup_charm_vault_access')
    @patch.object(vault.hookenv, 'is_leader')
@ -189,8 +190,10 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase):
    @patch.object(vault.host, 'service_running')
    def test_prepare_vault(self, service_running, log, get_vault_health,
                           initialize_vault, unseal_vault, is_leader,
-                           setup_charm_vault_access, leader_set):
+                           setup_charm_vault_access, leader_set,
+                           leader_get):
        is_leader.return_value = True
+        leader_get.return_value = "[]"
        service_running.return_value = True
        get_vault_health.return_value = {
            'initialized': False,
@ -204,6 +207,7 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase):
            {vault.CHARM_ACCESS_ROLE_ID: mock.ANY}
        )

+    @patch.object(vault.hookenv, 'leader_get')
    @patch.object(vault.hookenv, 'leader_set')
    @patch.object(vault.hookenv, 'is_leader')
    @patch.object(vault, 'unseal_vault')
@ -213,7 +217,9 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase):
    @patch.object(vault.host, 'service_running')
    def test_prepare_vault_non_leader(self, service_running, log,
                                      get_vault_health, initialize_vault,
-                                      unseal_vault, is_leader, leader_set):
+                                      unseal_vault, is_leader, leader_set,
+                                      leader_get):
+        leader_get.return_value = "[]"
        is_leader.return_value = False
        service_running.return_value = True
        get_vault_health.return_value = {
@ -234,6 +240,7 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase):
        self.assertFalse(initialize_vault.called)
        self.assertFalse(unseal_vault.called)

+    @patch.object(vault.hookenv, 'leader_get')
    @patch.object(vault.hookenv, 'leader_set')
    @patch.object(vault, 'setup_charm_vault_access')
    @patch.object(vault.hookenv, 'is_leader')
@ -246,7 +253,8 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase):
                                       get_vault_health, initialize_vault,
                                       unseal_vault, is_leader,
                                       setup_charm_vault_access,
-                                       leader_set):
+                                       leader_set, leader_get):
+        leader_get.return_value = "[]"
        is_leader.return_value = False
        service_running.return_value = True
        get_vault_health.return_value = {