Correct key name for PKI backend TTL
Switch max-lease-ttl -> max_lease_ttl in line with the Vault API docs, so that certificates can be issued for longer than 30 days. Existing deployments with PKI enabled will be re-tuned to set max_lease_ttl to 10 years, correcting any existing PKI enablement. Certificates must be re-issued to use the TTL provided during upload of the signed CSR for an Intermediate certificate. For deployments using the internally signed Root CA, the root CA must be re-generated using the 'disable-pki' and 'generate-root-ca' actions. Change-Id: I6a771090e320404c605d2170c7915c3c22a3ea2c Closes-Bug: 1788945
This commit is contained in:
parent
379b99f17f
commit
6f043bb7ca
|
@ -84,6 +84,7 @@ def upload_signed_csr(*args):
|
|||
allow_any_name=action_config.get('allow-any-name'),
|
||||
max_ttl=action_config.get('max-ttl'))
|
||||
set_flag('charm.vault.ca.ready')
|
||||
set_flag('pki.backend.tuned')
|
||||
|
||||
|
||||
def generate_root_ca(*args):
|
||||
|
@ -104,6 +105,7 @@ def generate_root_ca(*args):
|
|||
hookenv.leader_set({'root-ca': root_ca})
|
||||
hookenv.action_set({'output': root_ca})
|
||||
set_flag('charm.vault.ca.ready')
|
||||
set_flag('pki.backend.tuned')
|
||||
|
||||
|
||||
def get_root_ca(*args):
|
||||
|
|
|
@ -25,8 +25,8 @@ def configure_pki_backend(client, name, ttl=None):
|
|||
backend_type='pki',
|
||||
description='Charm created PKI backend',
|
||||
mount_point=name,
|
||||
# Default ttl to 1 Year
|
||||
config={'max-lease-ttl': ttl or '87600h'})
|
||||
# Default ttl to 10 years
|
||||
config={'max_lease_ttl': ttl or '87600h'})
|
||||
|
||||
|
||||
def disable_pki_backend():
|
||||
|
@ -37,6 +37,20 @@ def disable_pki_backend():
|
|||
client.disable_secret_backend(CHARM_PKI_MP)
|
||||
|
||||
|
||||
def tune_pki_backend(ttl=None):
|
||||
"""Assert tuning options for Charm PKI backend
|
||||
|
||||
:param ttl: TTL
|
||||
:type ttl: str
|
||||
"""
|
||||
client = vault.get_local_client()
|
||||
if vault.is_backend_mounted(client, CHARM_PKI_MP):
|
||||
client.tune_secret_backend(
|
||||
backend_type='pki',
|
||||
mount_point=CHARM_PKI_MP,
|
||||
max_lease_ttl=ttl or '87600h')
|
||||
|
||||
|
||||
def is_ca_ready(client, name, role):
|
||||
"""Check if CA is ready for use
|
||||
|
||||
|
|
|
@ -743,3 +743,13 @@ def post_series_upgrade():
|
|||
"""Handler for post-series-upgrade.
|
||||
"""
|
||||
unitdata.kv().set('charm.vault.series-upgrading', False)
|
||||
|
||||
|
||||
@when('leadership.is_leader',
|
||||
'charm.vault.ca.ready')
|
||||
@when_not('pki.backend.tuned')
|
||||
def tune_pki_backend():
|
||||
"""Ensure Vault PKI backend is correctly tuned
|
||||
"""
|
||||
vault_pki.tune_pki_backend()
|
||||
set_flag('pki.backend.tuned')
|
||||
|
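Review bot: The `tune_pki_backend` handler (L174–L186) sets `pki.backend.tuned` unconditionally, but `vault_pki.tune_pki_backend()` only tunes when the PKI mount exists; in the not-mounted case the flag sticks and the mount is never re-tuned, even though `charm.vault.ca.ready` suggests a mount should be there. If `vault_pki.tune_pki_backend()` reported whether it acted, the handler could gate the flag on it: `if vault_pki.tune_pki_backend():` before `set_flag('pki.backend.tuned')`. The re-tune also passes no ttl, so existing mounts get the 10-year default regardless of any `max-ttl` an operator supplied to the actions (L15); a comment stating that this is the mount ceiling rather than the role TTL would make the intent clear, e.g. `# Mount-level ceiling only; role max_ttl still bounds issued certs`.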
|
|
@ -23,5 +23,8 @@ target_deploy_status:
|
|||
ceph-osd:
|
||||
workload-status: waiting
|
||||
workload-status-message: "Incomplete relation: vault"
|
||||
ceph-mon:
|
||||
workload-status: waiting
|
||||
workload-status-message: "Monitor bootstrapped but waiting for number of OSDs to reach expected-osd-count (3)"
|
||||
tests:
|
||||
- zaza.charm_tests.vault.tests.VaultTest
|
||||
|
|
|
@ -25,7 +25,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
|
|||
ttl=42)
|
||||
client_mock.enable_secret_backend.assert_called_once_with(
|
||||
backend_type='pki',
|
||||
config={'max-lease-ttl': 42},
|
||||
config={'max_lease_ttl': 42},
|
||||
description='Charm created PKI backend',
|
||||
mount_point='my_backend')
|
||||
|
||||
|
@ -38,7 +38,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
|
|||
'my_backend')
|
||||
client_mock.enable_secret_backend.assert_called_once_with(
|
||||
backend_type='pki',
|
||||
config={'max-lease-ttl': '87600h'},
|
||||
config={'max_lease_ttl': '87600h'},
|
||||
description='Charm created PKI backend',
|
||||
mount_point='my_backend')
|
||||
|
||||
|
@ -364,3 +364,20 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
|
|||
'admin.local',
|
||||
'public.local']),
|
||||
(['10.0.0.10', '10.0.0.20'], ['admin.local', 'public.local']))
|
||||
|
||||
@patch.object(vault_pki.vault, 'get_local_client')
|
||||
@patch.object(vault_pki.vault, 'is_backend_mounted')
|
||||
def test_tune_secret_backend(self,
|
||||
is_backend_mounted,
|
||||
get_local_client):
|
||||
is_backend_mounted.return_value = True
|
||||
mock_client = mock.MagicMock()
|
||||
get_local_client.return_value = mock_client
|
||||
vault_pki.tune_pki_backend(ttl='3456h')
|
||||
is_backend_mounted.assert_called_with(mock_client,
|
||||
vault_pki.CHARM_PKI_MP)
|
||||
mock_client.tune_secret_backend.assert_called_with(
|
||||
backend_type='pki',
|
||||
mount_point=vault_pki.CHARM_PKI_MP,
|
||||
max_lease_ttl='3456h'
|
||||
)
|
||||
|
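Review bot: `test_tune_secret_backend` (L296–L335) only covers the mounted path; the `is_backend_mounted` False branch of `tune_pki_backend` — where `tune_secret_backend` must not be called — has no test, so a regression that drops the guard would still pass. `assert_called_with` also accepts any later call; `assert_called_once_with` pins that the tune happens exactly once. A companion test for the unmounted case:
```python
    @patch.object(vault_pki.vault, 'get_local_client')
    @patch.object(vault_pki.vault, 'is_backend_mounted')
    def test_tune_secret_backend_not_mounted(self,
                                             is_backend_mounted,
                                             get_local_client):
        is_backend_mounted.return_value = False
        mock_client = mock.MagicMock()
        get_local_client.return_value = mock_client
        vault_pki.tune_pki_backend(ttl='3456h')
        mock_client.tune_secret_backend.assert_not_called()
```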
|
|
@ -730,3 +730,9 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
|
|||
tls.new_requests[2].set_cert.assert_has_calls([
|
||||
mock.call('crt2', 'key2'),
|
||||
])
|
||||
|
||||
@mock.patch.object(handlers, 'vault_pki')
|
||||
def test_tune_pki_backend(self, vault_pki):
|
||||
handlers.tune_pki_backend()
|
||||
vault_pki.tune_pki_backend.assert_called_once_with()
|
||||
self.set_flag.assert_called_once_with('pki.backend.tuned')
|
||||
|
|