Use system CA bundle when verifying Vault certificate

Change-Id: I39d761dfbe1500f06abd617dd97eced671971b7d Closes-Bug: #1859092
2020-01-13 21:15:06 +01:00 · 2020-01-13 21:15:06 +01:00 · e23f232a68
parent d7c8e6feb4
commit e23f232a68
2 changed files with 8 additions and 1 deletions
--- a/src/lib/charm/vault_utils.py
+++ b/src/lib/charm/vault_utils.py
@ -14,8 +14,11 @@
 import hvac


+SYSTEM_CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt'
+
+
 def retrieve_secret_id(url, token):
-    client = hvac.Client(url=url, token=token)
+    client = hvac.Client(url=url, verify=SYSTEM_CA_BUNDLE, token=token)
    # workaround for issue where callng `client.unwrap(token)` results in
    # "error decrementing wrapping token's use-count: invalid token entry
    #  provided for use count decrementing"
--- a/unit_tests/test_vault_utils.py
+++ b/unit_tests/test_vault_utils.py
@ -32,3 +32,7 @@ class TestVaultUtils(test_utils.PatchHelper):
        self.assertEqual(
            vault_utils.retrieve_secret_id('url', 'token'), 'FAKE_SECRET_ID')
        hvac_client._post.assert_called_with('/v1/sys/wrapping/unwrap')
+        self.hvac.Client.assert_called_once_with(
+            token='token',
+            url='url',
+            verify=vault_utils.SYSTEM_CA_BUNDLE)