Merge "Enable MySQL DB TLS Communication"

2020-07-03 05:57:01 +00:00 · 2020-07-03 05:57:01 +00:00 · 56ad2e6c5e
parent ce8070a73f b989a4130a
commit 56ad2e6c5e
3 changed files with 31 additions and 0 deletions
--- a/src/reactive/vault_handlers.py
+++ b/src/reactive/vault_handlers.py
@ -225,6 +225,11 @@ def configure_vault_mysql(mysql):
        'storage_name': 'mysql',
        'mysql_db_relation': mysql,
    }
+    if mysql.ssl_ca():
+        _db_tls_ca_file = "/var/snap/vault/common/db-tls-ca.pem"
+        _db_tls_ca = base64.decodebytes(mysql.ssl_ca().encode())
+        write_file(_db_tls_ca_file, _db_tls_ca, perms=0o600)
+        context["tls_ca_file"] = _db_tls_ca_file
    configure_vault(context)


--- a/src/templates/vault.hcl.j2
+++ b/src/templates/vault.hcl.j2
@ -18,6 +18,9 @@ storage "mysql" {
  database = "{{ mysql_db_relation.database() }}"
  address = "{{ mysql_db_relation.db_host() }}:3306"
  max_connection_lifetime = "3600"
+  {%- if tls_ca_file %}
+  tls_ca_file = "{{ tls_ca_file }}"
+  {%- endif %}
 }
 {%- endif %}
 {%- if etcd_conn %}
--- a/unit_tests/test_reactive_vault_handlers.py
+++ b/unit_tests/test_reactive_vault_handlers.py
@ -180,6 +180,7 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
    @patch.object(handlers, 'configure_vault')
    def test_configure_vault_msql(self, configure_vault):
        mysql = mock.MagicMock()
+        mysql.ssl_ca.return_value = None
        mysql.allowed_units.return_value = ['vault/0']
        self.local_unit.return_value = 'vault/0'
        handlers.configure_vault_mysql(mysql)
@ -187,6 +188,28 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
            'storage_name': 'mysql',
            'mysql_db_relation': mysql})

+    @patch.object(handlers, 'base64')
+    @patch.object(handlers, 'write_file')
+    @patch.object(handlers, 'configure_vault')
+    def test_configure_vault_msql_tls(
+            self, configure_vault, write_file, base64):
+        _cert = "Certificate Authority"
+        mysql = mock.MagicMock()
+        mysql.ssl_ca.return_value = _cert
+        mysql.allowed_units.return_value = ['vault/0']
+        self.local_unit.return_value = 'vault/0'
+        _base64encoded = "Base64 Encoded"
+        base64.decodebytes.return_value = _base64encoded
+        handlers.configure_vault_mysql(mysql)
+        write_file.assert_called_once_with(
+            "/var/snap/vault/common/db-tls-ca.pem",
+            _base64encoded,
+            perms=0o600)
+        configure_vault.assert_called_once_with({
+            'storage_name': 'mysql',
+            'mysql_db_relation': mysql,
+            'tls_ca_file': '/var/snap/vault/common/db-tls-ca.pem'})
+
    @patch.object(handlers, 'configure_vault')
    def test_configure_vault_msql_noacl(self, configure_vault):
        mysql = mock.MagicMock()