From 6f043bb7ca8710dd7c1746297b6f98f743c3499a Mon Sep 17 00:00:00 2001
From: James Page
Date: Wed, 16 Jan 2019 14:09:13 +0200
Subject: [PATCH] Correct key name for PKI backend TTL

Switch max-lease-ttl -> max_lease_ttl inline with Vault API docs to ensure that certs can be issued for more than 30 days. Existing deployments with PKI enabled will be re-tuned to set max_lease_ttl to 10 years, correcting any existing PKI enablement. Certificates must be re-issued to use the TTL as provided during upload of the signed CSR for an Intermediate certificate. For deploys using the internally signed Root CA, the root CA must be re-generated using the 'disable-pki' and 'generate-root-ca' actions.

Change-Id: I6a771090e320404c605d2170c7915c3c22a3ea2c
Closes-Bug: 1788945
---
 src/actions/actions.py | 2 ++
 src/lib/charm/vault_pki.py | 18 ++++++++++++++++--
 src/reactive/vault_handlers.py | 10 ++++++++++
 src/tests/tests.yaml | 3 +++
 unit_tests/test_lib_charm_vault_pki.py | 21 +++++++++++++++++++--
 unit_tests/test_reactive_vault_handlers.py | 6 ++++++
 6 files changed, 56 insertions(+), 4 deletions(-)

diff --git a/src/actions/actions.py b/src/actions/actions.py
index a9f55be..5213423 100755
--- a/src/actions/actions.py
+++ b/src/actions/actions.py
@@ -84,6 +84,7 @@ def upload_signed_csr(*args):
             allow_any_name=action_config.get('allow-any-name'),
             max_ttl=action_config.get('max-ttl'))
     set_flag('charm.vault.ca.ready')
+    set_flag('pki.backend.tuned')
 
 
 def generate_root_ca(*args):
@@ -104,6 +105,7 @@ def generate_root_ca(*args):
     hookenv.leader_set({'root-ca': root_ca})
     hookenv.action_set({'output': root_ca})
     set_flag('charm.vault.ca.ready')
+    set_flag('pki.backend.tuned')
 
 
 def get_root_ca(*args):
diff --git a/src/lib/charm/vault_pki.py b/src/lib/charm/vault_pki.py
index 04d8e9b..cdc68af 100644
--- a/src/lib/charm/vault_pki.py
+++ b/src/lib/charm/vault_pki.py
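Review bot: Both hunks set `pki.backend.tuned` immediately after `charm.vault.ca.ready` without calling the new tuning helper, which appears to be correct only because the backend created on these action paths is expected to be mounted with the corrected `max_lease_ttl` key; nothing in the hunk makes that dependency visible to a later reader. Add a comment above each new line, e.g. `# backend was just (re)created with max_lease_ttl set; no retune needed`, so the flag is not mistaken for a missing tuning call and removed. Both enclosing functions, upload_signed_csr and generate_root_ca, start outside the hunk.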
@@ -25,8 +25,8 @@ def configure_pki_backend(client, name, ttl=None):
         backend_type='pki',
         description='Charm created PKI backend',
         mount_point=name,
-        # Default ttl to 1 Year
-        config={'max-lease-ttl': ttl or '87600h'})
+        # Default ttl to 10 years
+        config={'max_lease_ttl': ttl or '87600h'})
 
 
 def disable_pki_backend():
@@ -37,6 +37,20 @@ def disable_pki_backend():
     client.disable_secret_backend(CHARM_PKI_MP)
 
 
+def tune_pki_backend(ttl=None):
+    """Assert tuning options for Charm PKI backend
+
+    :param ttl: TTL
+    :type ttl: str
+    """
+    client = vault.get_local_client()
+    if vault.is_backend_mounted(client, CHARM_PKI_MP):
+        client.tune_secret_backend(
+            backend_type='pki',
+            mount_point=CHARM_PKI_MP,
+            max_lease_ttl=ttl or '87600h')
+
+
 def is_ca_ready(client, name, role):
     """Check if CA is ready for use
 
diff --git a/src/reactive/vault_handlers.py b/src/reactive/vault_handlers.py
index 1c2239d..106f081 100644
--- a/src/reactive/vault_handlers.py
+++ b/src/reactive/vault_handlers.py
@@ -743,3 +743,13 @@ def post_series_upgrade():
     """Handler for post-series-upgrade.
     """
     unitdata.kv().set('charm.vault.series-upgrading', False)
+
+
+@when('leadership.is_leader',
+      'charm.vault.ca.ready')
+@when_not('pki.backend.tuned')
+def tune_pki_backend():
+    """Ensure Vault PKI backend is correctly tuned
+    """
+    vault_pki.tune_pki_backend()
+    set_flag('pki.backend.tuned')
diff --git a/src/tests/tests.yaml b/src/tests/tests.yaml
index aa22f23..ce9dc67 100644
--- a/src/tests/tests.yaml
+++ b/src/tests/tests.yaml
@@ -23,5 +23,8 @@ target_deploy_status:
   ceph-osd:
     workload-status: waiting
     workload-status-message: "Incomplete relation: vault"
+  ceph-mon:
+    workload-status: waiting
+    workload-status-message: "Monitor bootstrapped but waiting for number of OSDs to reach expected-osd-count (3)"
 tests:
   - zaza.charm_tests.vault.tests.VaultTest
diff --git a/unit_tests/test_lib_charm_vault_pki.py b/unit_tests/test_lib_charm_vault_pki.py
index b29bf94..660f3e5 100644
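Review bot: `tune_pki_backend` silently does nothing when `vault.is_backend_mounted` returns False, yet the reactive handler added in the vault_handlers.py hunk below sets `pki.backend.tuned` unconditionally after calling it, so a backend that was not mounted at that moment is never retuned. Have the helper report what it did — `return True` after the `tune_secret_backend(...)` call and `return False` otherwise — and guard the flag in the handler with `if vault_pki.tune_pki_backend(): set_flag('pki.backend.tuned')`. The docstring's `:param ttl: TTL` should state what is accepted: a Vault duration string such as `'87600h'`, defaulting to 10 years when omitted, and that this is the mount-level ceiling rather than the lifetime of each issued certificate, which (if the per-role `max-ttl` passed in upload_signed_csr is what bounds issuance) is still capped per role; a 10-year ceiling is long enough that this distinction is worth spelling out for operators.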
--- a/unit_tests/test_lib_charm_vault_pki.py
+++ b/unit_tests/test_lib_charm_vault_pki.py
@@ -25,7 +25,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
             ttl=42)
         client_mock.enable_secret_backend.assert_called_once_with(
             backend_type='pki',
-            config={'max-lease-ttl': 42},
+            config={'max_lease_ttl': 42},
             description='Charm created PKI backend',
             mount_point='my_backend')
 
@@ -38,7 +38,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
             'my_backend')
         client_mock.enable_secret_backend.assert_called_once_with(
             backend_type='pki',
-            config={'max-lease-ttl': '87600h'},
+            config={'max_lease_ttl': '87600h'},
             description='Charm created PKI backend',
             mount_point='my_backend')
 
@@ -364,3 +364,20 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
                 'admin.local', 'public.local']),
             (['10.0.0.10', '10.0.0.20'], ['admin.local', 'public.local']))
+
+    @patch.object(vault_pki.vault, 'get_local_client')
+    @patch.object(vault_pki.vault, 'is_backend_mounted')
+    def test_tune_secret_backend(self,
+                                 is_backend_mounted,
+                                 get_local_client):
+        is_backend_mounted.return_value = True
+        mock_client = mock.MagicMock()
+        get_local_client.return_value = mock_client
+        vault_pki.tune_pki_backend(ttl='3456h')
+        is_backend_mounted.assert_called_with(mock_client,
+                                              vault_pki.CHARM_PKI_MP)
+        mock_client.tune_secret_backend.assert_called_with(
+            backend_type='pki',
+            mount_point=vault_pki.CHARM_PKI_MP,
+            max_lease_ttl='3456h'
+        )
diff --git a/unit_tests/test_reactive_vault_handlers.py b/unit_tests/test_reactive_vault_handlers.py
index 959f375..c1f64c5 100644
--- a/unit_tests/test_reactive_vault_handlers.py
+++ b/unit_tests/test_reactive_vault_handlers.py
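Review bot: test_tune_secret_backend in the last hunk exercises only the mounted branch; the path where `is_backend_mounted` returns False — the one that decides whether the backend is left untuned — has no assertion, so a regression that tunes an unmounted backend or never tunes a mounted one after a refactor would go unnoticed. Add a sibling test with `is_backend_mounted.return_value = False` asserting `mock_client.tune_secret_backend.assert_not_called()`. The test name also refers to the hvac method rather than the function under test; `test_tune_pki_backend`, matching the handler test in the next file, would read better. The enclosing class starts outside the hunk.
```python
    @patch.object(vault_pki.vault, 'get_local_client')
    @patch.object(vault_pki.vault, 'is_backend_mounted')
    def test_tune_pki_backend_not_mounted(self,
                                          is_backend_mounted,
                                          get_local_client):
        is_backend_mounted.return_value = False
        mock_client = mock.MagicMock()
        get_local_client.return_value = mock_client
        vault_pki.tune_pki_backend(ttl='3456h')
        is_backend_mounted.assert_called_with(mock_client,
                                              vault_pki.CHARM_PKI_MP)
        mock_client.tune_secret_backend.assert_not_called()
```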
@@ -730,3 +730,9 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
         tls.new_requests[2].set_cert.assert_has_calls([
             mock.call('crt2', 'key2'),
         ])
+
+    @mock.patch.object(handlers, 'vault_pki')
+    def test_tune_pki_backend(self, vault_pki):
+        handlers.tune_pki_backend()
+        vault_pki.tune_pki_backend.assert_called_once_with()
+        self.set_flag.assert_called_once_with('pki.backend.tuned')