handler: correctly handle vault sealed exception

In situation where the vault service is restarted the service should be unsealed. It apears that some parts of the code do not handle the exception correctly which results the unit to be in an error state. In the code to handle that we check whether the service is well unsealed. If that not the case juju will report the service as blocked asking user to unseal it. Change-Id: I1b4d83eb4c944a98a06cc457f51d0fb9d0b9a6ce Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
2019-11-12 10:02:31 +00:00 · 2019-11-12 10:02:31 +00:00 · fb166e451e
parent 77033874d1
commit fb166e451e
2 changed files with 27 additions and 5 deletions
--- a/src/reactive/vault_handlers.py
+++ b/src/reactive/vault_handlers.py
@ -734,11 +734,15 @@ def takeover_cert_leadership():
      'charm.vault.ca.ready',
      'certificates.available')
 def publish_ca_info():
+    client = vault.get_client(url=vault.VAULT_LOCALHOST_URL)
    tls = endpoint_from_flag('certificates.available')
-    tls.set_ca(vault_pki.get_ca())
-    chain = vault_pki.get_chain()
-    if chain:
-        tls.set_chain(chain)
+    if client.is_sealed():
+        log("Unable to publish ca info, service sealed.")
+    else:
+        tls.set_ca(vault_pki.get_ca())
+        chain = vault_pki.get_chain()
+        if chain:
+            tls.set_chain(chain)


@when('leadership.is_leader',
--- a/unit_tests/test_reactive_vault_handlers.py
+++ b/unit_tests/test_reactive_vault_handlers.py
@ -723,8 +723,16 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
            vault_ca='test-ca'
        )

+    def _set_sealed(self, _vault, status):
+        hvac_client = mock.MagicMock()
+        _vault.get_client.return_value = hvac_client
+        hvac_client.is_sealed.return_value = status
+
+    @mock.patch.object(handlers, 'vault')
    @mock.patch.object(handlers, 'vault_pki')
-    def test_publish_ca_info(self, vault_pki):
+    def test_publish_ca_info(self, vault_pki, _vault):
+        self._set_sealed(_vault, False)
+
        tls = self.endpoint_from_flag.return_value
        vault_pki.get_ca.return_value = 'ca'
        vault_pki.get_chain.return_value = 'chain'
@ -732,6 +740,16 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
        tls.set_ca.assert_called_with('ca')
        tls.set_chain.assert_called_with('chain')

+    @mock.patch.object(handlers, 'vault')
+    @mock.patch.object(handlers, 'vault_pki')
+    def test_publish_ca_info_sealed(self, vault_pki, _vault):
+        self._set_sealed(_vault, True)
+
+        tls = self.endpoint_from_flag.return_value
+        handlers.publish_ca_info()
+        assert not tls.set_ca.called
+        assert not tls.set_chain.called
+
    @mock.patch.object(handlers, 'vault_pki')
    def test_publish_global_client_cert_already_gend(self, vault_pki):
        tls = self.endpoint_from_flag.return_value