From aa4a55e31a7d634cb5e9689cafd0b453798e07ae Mon Sep 17 00:00:00 2001
From: James Page
Date: Wed, 11 Apr 2018 11:29:28 +0100
Subject: [PATCH] Add ssl-ca configuration option

Allow charm users to provide the SSL Root CA certificate, supporting the use of an internal Root CA for PKI signing. This CA certificate will be provided to charms directly consuming the Vault HTTPS API.

Change-Id: I866e9835c0f47236c160e8ff122eb2cb4fc3f053
---
 src/config.yaml | 5 +++++
 src/reactive/vault.py | 13 +++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/src/config.yaml b/src/config.yaml
index 3d1b914..fbd8478 100644
--- a/src/config.yaml
+++ b/src/config.yaml
@@ -37,3 +37,8 @@ options:
     default: ""
     description: >-
       The SSL key, base64-encoded.
+  ssl-ca:
+    type: string
+    default: ""
+    description: >-
+      The SSL Root CA certificate, base64-encoded.
diff --git a/src/reactive/vault.py b/src/reactive/vault.py
index 1ae50a0..2a79fdf 100644
--- a/src/reactive/vault.py
+++ b/src/reactive/vault.py
@@ -1,5 +1,6 @@
 import base64
 import psycopg2
+import subprocess
 from charmhelpers.contrib.charmsupport.nrpe import (
     NRPE,
@@ -147,6 +148,13 @@ def configure_ssl():
         status_set('active', 'SSL key and cert installed')
     else:
         remove_state('vault.ssl.available')
+ if c['ssl-ca']: ssl_ca = base64.decodestring(c['ssl-ca'].encode()) write_file('/usr/local/share/ca-certificates/vault-ca.crt', ssl_ca, perms=0o644) subprocess.check_call(['update-ca-certificates', '--fresh'])
+
     set_state('vault.ssl.configured')
     remove_state('configured')
@@ -166,6 +174,11 @@ def ssl_key_changed():
     remove_state('vault.ssl.configured')
+@when('config.changed.ssl-ca')
+def ssl_ca_changed():
+    remove_state('vault.ssl.configured')
+
+
 @when('configured')
 @when('nrpe-external-master.available')
 @when_not('vault.nrpe.configured')
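Review bot: The new `ssl-ca` description does not tell the operator that the certificate is installed into the unit's system-wide CA trust store, which is what the accompanying change to src/reactive/vault.py does (it writes the decoded certificate under /usr/local/share/ca-certificates and runs update-ca-certificates). An operator should know that setting this option makes every TLS client on the unit trust that root, not only Vault. Suggested wording: `The SSL Root CA certificate, base64-encoded. When set, it is installed into the unit's system CA trust store.`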
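Review bot: Clearing `ssl-ca` after it has been set leaves `/usr/local/share/ca-certificates/vault-ca.crt` in place, so the previously configured root stays trusted by the whole unit; the new `if c['ssl-ca']:` block in configure_ssl has no path that removes the file and reruns `update-ca-certificates` when the option goes back to empty. The decode should also move off `base64.decodestring`, a deprecated alias that was removed in Python 3.9 and that silently discards characters outside the base64 alphabet; `base64.b64decode(c['ssl-ca'], validate=True)` raises `binascii.Error` on malformed input instead, and if the cert/key handling above the hunk uses the same deprecated call it should change with it. The sketch below assumes `os` is imported at the top of the file, which is outside this hunk. configure_ssl starts before the hunk.
```python
    ca_path = '/usr/local/share/ca-certificates/vault-ca.crt'
    if c['ssl-ca']:
        # validate=True rejects non-base64 input instead of silently skipping it
        ssl_ca = base64.b64decode(c['ssl-ca'], validate=True)
        write_file(ca_path, ssl_ca, perms=0o644)
        subprocess.check_call(['update-ca-certificates', '--fresh'])
    elif os.path.exists(ca_path):
        # option cleared: drop the stale trust anchor from the system store
        os.remove(ca_path)
        subprocess.check_call(['update-ca-certificates', '--fresh'])
    # … unchanged: set_state / remove_state …
```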