
Modified where the vault access comes from
- Vault access address now comes from config as it would be difficult to determine programmatically
- Added test to ensure JIMM enters an error state
kian99 committed Jul 17, 2023
1 parent 0dfb8d5 commit 743af33
Showing 3 changed files with 24 additions and 6 deletions.
5 changes: 5 additions & 0 deletions charms/jimm-k8s/config.yaml
Expand Up @@ -63,3 +63,8 @@ options:
dns-name:
type: string
description: DNS hostname that JIMM is being served from.
vault-access-address:
type: string
description: |
The source address for the connection to Vault.
This should be a single IP with no CIDR.
7 changes: 5 additions & 2 deletions charms/jimm-k8s/src/charm.py
Expand Up @@ -507,9 +507,13 @@ def _get_network_address(self, event):
return str(self.model.get_binding(event.relation).network.egress_subnets[0].network_address)

def _on_vault_relation_joined(self, event):
if self.config.get("vault-access-address") is None:
logger.error("Missing config vault-access-address for vault relation")
raise ValueError("Missing config vault-access-address for vault relation")

event.relation.data[self.unit]["secret_backend"] = json.dumps(self._vault_path)
event.relation.data[self.unit]["hostname"] = json.dumps(socket.gethostname())
event.relation.data[self.unit]["access_address"] = json.dumps(self._get_network_address(event))
event.relation.data[self.unit]["access_address"] = self.config["vault-access-address"]
event.relation.data[self.unit]["isolated"] = json.dumps(False)

def _ensure_vault_file(self, event):
Expand Down Expand Up @@ -563,7 +567,6 @@ def _on_vault_relation_changed(self, event):
try:
logger.info(f"Received vault data: {event.relation.data[event.unit]}")
for key, value in event.relation.data[event.unit].items():
logger.info(f"Key: {key}, Value: {value}")
value = value.strip('"')
if "vault_url" in key:
addr = value
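Review bot: The new `access_address` line in `_on_vault_relation_joined` writes the raw config string while `secret_backend`, `hostname` and `isolated` on the neighbouring lines are `json.dumps`-encoded, so the unit's relation bucket now mixes encodings. If the Vault side JSON-decodes these values, which the `value.strip('"')` in `_on_vault_relation_changed` suggests is how this charm treats data coming back the other way, a bare `10.0.1.123` will not parse as JSON; `event.relation.data[self.unit]["access_address"] = json.dumps(self.config["vault-access-address"])` keeps the field consistent, with the matching assertion in `test_vault_relation_joined` becoming `'"10.0.1.123"'`. The config description promises "a single IP with no CIDR" but nothing checks the value before it is sent, and the `is None` guard lets an explicitly empty string through; a standard-library `ipaddress.ip_address(...)` check at the same point as the `None` check would enforce that contract. Separately, `_get_network_address` just above the hunk appears to lose its only caller here; if nothing else uses it, it is now dead code.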
18 changes: 14 additions & 4 deletions charms/jimm-k8s/tests/unit/test_charm.py
Expand Up @@ -22,6 +22,7 @@
"candid-url": "test-candid-url",
"public-key": "izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk=",
"private-key": "ly/dzsI9Nt/4JxUILQeAX79qZ4mygDiuYGqc2ZEiDEc=",
"vault-access-address": "10.0.1.123",
}


Expand Down Expand Up @@ -276,11 +277,9 @@ def test_dashboard_relation_joined(self):
self.assertEqual(data["identity_provider_url"], "https://candid.example.com")
self.assertEqual(data["is_juju"], "False")

@patch("src.charm.JimmOperatorCharm._get_network_address")
@patch("socket.gethostname")
@patch("hvac.Client.sys")
def test_vault_relation_joined(self, hvac_client_sys, gethostname, get_network_address):
get_network_address.return_value = "127.0.0.1:8080"
def test_vault_relation_joined(self, hvac_client_sys, gethostname):
gethostname.return_value = "test-hostname"
hvac_client_sys.unwrap.return_value = {
"key1": "value1",
Expand All @@ -304,6 +303,7 @@ def test_vault_relation_joined(self, hvac_client_sys, gethostname, get_network_a
"candid-url": "https://candid.example.com",
"controller-admins": "user1 user2 group1",
"uuid": "caaa4ba4-e2b5-40dd-9bf3-2bd26d6e17aa",
"vault-access-address": "10.0.1.123",
}
)
harness.set_leader(True)
Expand All @@ -323,7 +323,7 @@ def test_vault_relation_joined(self, hvac_client_sys, gethostname, get_network_a
'"charm-jimm-k8s-creds"',
)
self.assertEqual(data["hostname"], '"test-hostname"')
self.assertEqual(data["access_address"], '"127.0.0.1:8080"')
self.assertEqual(data["access_address"], "10.0.1.123")

harness.update_relation_data(
id,
Expand Down Expand Up @@ -359,3 +359,13 @@ def test_app_enters_blocked_state_if_vault_related_but_not_ready(self):
self.assertEqual(
self.harness.charm.unit.status.message, "Vault relation present but vault setup is not ready yet"
)

def test_app_raises_error_without_vault_config(self):
self.harness.enable_hooks()
minim_config_no_vault_config = MINIMAL_CONFIG.copy()
del minim_config_no_vault_config["vault-access-address"]
self.harness.update_config(minim_config_no_vault_config)
id = self.harness.add_relation("vault", "vault")
with self.assertRaises(ValueError) as e:
self.harness.add_relation_unit(id, "vault/0")
self.assertEqual(e, "Missing config vault-access-address for vault relation")
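Review bot: The final assertion in `test_app_raises_error_without_vault_config` compares the `assertRaises` context manager object `e` to a string, which can never be equal, so the test fails even when the charm raises the expected error. It should read `self.assertEqual(str(e.exception), "Missing config vault-access-address for vault relation")`. `id` shadows the builtin, though it follows the existing pattern in this file (the `harness.update_relation_data(id, …)` call above), and `minim_config_no_vault_config` would read better as `config_without_vault_address`.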
