Correct key name for PKI backend TTL

Switch max-lease-ttl -> max_lease_ttl in line with Vault API
docs to ensure that certs can be issued for more than 30 days.

Existing deployments with PKI enabled will be re-tuned to
set max_lease_ttl to 10 years, correcting any existing PKI
enablement.

Certificates must be re-issued to use the TTL as provided
during upload of the signed CSR for an Intermediate certificate.

For deploys using the internally signed Root CA, the root
CA must be re-generated using the 'disable-pki' and
'generate-root-ca' actions.

Change-Id: I6a771090e320404c605d2170c7915c3c22a3ea2c
Closes-Bug: 1788945
James Page 2019-01-16 14:09:13 +02:00
parent 379b99f17f
commit 6f043bb7ca
6 changed files with 56 additions and 4 deletions


@ -84,6 +84,7 @@ def upload_signed_csr(*args):
allow_any_name=action_config.get('allow-any-name'),
max_ttl=action_config.get('max-ttl'))
set_flag('charm.vault.ca.ready')
set_flag('pki.backend.tuned')
def generate_root_ca(*args):
@ -104,6 +105,7 @@ def generate_root_ca(*args):
hookenv.leader_set({'root-ca': root_ca})
hookenv.action_set({'output': root_ca})
set_flag('charm.vault.ca.ready')
set_flag('pki.backend.tuned')
def get_root_ca(*args):
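Review bot: The flag name `'pki.backend.tuned'` is now a literal in two action functions here, in the reactive handler and in the tests, so a typo in any one copy silently disables the gating; a module-level constant such as `PKI_BACKEND_TUNED_FLAG = 'pki.backend.tuned'` referenced from all call sites would remove that risk. Neither hunk shows the call that mounts the backend with the corrected `max_lease_ttl` key, so the reason these actions may mark the backend as tuned is not visible; a comment like `# backend was mounted with the corrected max_lease_ttl key, no re-tune needed` on each new line would make the dependency explicit. Both upload_signed_csr and generate_root_ca start outside the hunks.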


@ -25,8 +25,8 @@ def configure_pki_backend(client, name, ttl=None):
backend_type='pki',
description='Charm created PKI backend',
mount_point=name,
# Default ttl to 1 Year
config={'max-lease-ttl': ttl or '87600h'})
# Default ttl to 10 years
config={'max_lease_ttl': ttl or '87600h'})
def disable_pki_backend():
@ -37,6 +37,20 @@ def disable_pki_backend():
client.disable_secret_backend(CHARM_PKI_MP)
def tune_pki_backend(ttl=None):
"""Assert tuning options for Charm PKI backend
:param ttl: TTL
:type ttl: str
"""
client = vault.get_local_client()
if vault.is_backend_mounted(client, CHARM_PKI_MP):
client.tune_secret_backend(
backend_type='pki',
mount_point=CHARM_PKI_MP,
max_lease_ttl=ttl or '87600h')
def is_ca_ready(client, name, role):
"""Check if CA is ready for use


@ -743,3 +743,13 @@ def post_series_upgrade():
"""Handler for post-series-upgrade.
"""
unitdata.kv().set('charm.vault.series-upgrading', False)
@when('leadership.is_leader',
'charm.vault.ca.ready')
@when_not('pki.backend.tuned')
def tune_pki_backend():
"""Ensure Vault PKI backend is correctly tuned
"""
vault_pki.tune_pki_backend()
set_flag('pki.backend.tuned')
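Review bot: The handler calls `vault_pki.tune_pki_backend()` with no ttl, so an existing mount that was configured with a non-default ttl (configure_pki_backend accepts one) would be re-tuned to the 10-year default when this one-shot handler fires; if any caller passes a custom ttl, the handler should pass the same value rather than rely on the default. The docstring should say why the handler exists, otherwise it reads as a no-op: `Re-tune the PKI mount's max_lease_ttl on existing deployments: earlier releases passed the key as 'max-lease-ttl', which Vault ignored, leaving the default 30-day ceiling`. The flag is set unconditionally after the call, so a backend that is not yet mounted (tune_pki_backend returns silently in that case) is still marked tuned; that appears acceptable because `'charm.vault.ca.ready'` gates the handler, but a one-line comment saying so would save the next reader the same analysis.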


@ -23,5 +23,8 @@ target_deploy_status:
ceph-osd:
workload-status: waiting
workload-status-message: "Incomplete relation: vault"
ceph-mon:
workload-status: waiting
workload-status-message: "Monitor bootstrapped but waiting for number of OSDs to reach expected-osd-count (3)"
tests:
- zaza.charm_tests.vault.tests.VaultTest


@ -25,7 +25,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
ttl=42)
client_mock.enable_secret_backend.assert_called_once_with(
backend_type='pki',
config={'max-lease-ttl': 42},
config={'max_lease_ttl': 42},
description='Charm created PKI backend',
mount_point='my_backend')
@ -38,7 +38,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
'my_backend')
client_mock.enable_secret_backend.assert_called_once_with(
backend_type='pki',
config={'max-lease-ttl': '87600h'},
config={'max_lease_ttl': '87600h'},
description='Charm created PKI backend',
mount_point='my_backend')
@ -364,3 +364,20 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
'admin.local',
'public.local']),
(['10.0.0.10', '10.0.0.20'], ['admin.local', 'public.local']))
@patch.object(vault_pki.vault, 'get_local_client')
@patch.object(vault_pki.vault, 'is_backend_mounted')
def test_tune_secret_backend(self,
is_backend_mounted,
get_local_client):
is_backend_mounted.return_value = True
mock_client = mock.MagicMock()
get_local_client.return_value = mock_client
vault_pki.tune_pki_backend(ttl='3456h')
is_backend_mounted.assert_called_with(mock_client,
vault_pki.CHARM_PKI_MP)
mock_client.tune_secret_backend.assert_called_with(
backend_type='pki',
mount_point=vault_pki.CHARM_PKI_MP,
max_lease_ttl='3456h'
)
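Review bot: test_tune_secret_backend only covers the mounted path with an explicit ttl; the not-mounted branch (`is_backend_mounted.return_value = False` followed by `mock_client.tune_secret_backend.assert_not_called()`) and the default-ttl path (calling `vault_pki.tune_pki_backend()` and asserting `max_lease_ttl='87600h'`) are exactly the cases the commit message relies on for re-tuning existing deployments, and neither is exercised. The test name does not match the function under test; `test_tune_pki_backend` would be consistent with the handler test's naming. `mock_client.tune_secret_backend.assert_called_once_with(` would also be stricter than `assert_called_with` here, matching the style of the two enable_secret_backend assertions above.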


@ -730,3 +730,9 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
tls.new_requests[2].set_cert.assert_has_calls([
mock.call('crt2', 'key2'),
])
@mock.patch.object(handlers, 'vault_pki')
def test_tune_pki_backend(self, vault_pki):
handlers.tune_pki_backend()
vault_pki.tune_pki_backend.assert_called_once_with()
self.set_flag.assert_called_once_with('pki.backend.tuned')