Modified where the vault access comes from

- Vault access address now comes from config as it would be difficult to determine programatically - Added test to ensure JIMM enters an error state
canonical · Jul 17, 2023 · 743af33 · 743af33
1 parent 0dfb8d5
commit 743af33
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 6 deletions.
diff --git a/charms/jimm-k8s/config.yaml b/charms/jimm-k8s/config.yaml
@@ -63,3 +63,8 @@ options:
   dns-name:
     type: string
     description: DNS hostname that JIMM is being served from.
+  vault-access-address:
+    type: string
+    description: |
+      The source address for the connection to Vault. 
+      This should be a single IP with no CIDR.
diff --git a/charms/jimm-k8s/src/charm.py b/charms/jimm-k8s/src/charm.py
@@ -507,9 +507,13 @@ def _get_network_address(self, event):
         return str(self.model.get_binding(event.relation).network.egress_subnets[0].network_address)
 
     def _on_vault_relation_joined(self, event):
+        if self.config.get("vault-access-address") is None:
+            logger.error("Missing config vault-access-address for vault relation")
+            raise ValueError("Missing config vault-access-address for vault relation")
+
         event.relation.data[self.unit]["secret_backend"] = json.dumps(self._vault_path)
         event.relation.data[self.unit]["hostname"] = json.dumps(socket.gethostname())
-        event.relation.data[self.unit]["access_address"] = json.dumps(self._get_network_address(event))
+        event.relation.data[self.unit]["access_address"] = self.config["vault-access-address"]
         event.relation.data[self.unit]["isolated"] = json.dumps(False)
 
     def _ensure_vault_file(self, event):
@@ -563,7 +567,6 @@ def _on_vault_relation_changed(self, event):
         try:
             logger.info(f"Received vault data: {event.relation.data[event.unit]}")
             for key, value in event.relation.data[event.unit].items():
-                logger.info(f"Key: {key}, Value: {value}")
                 value = value.strip('"')
                 if "vault_url" in key:
                     addr = value

diff --git a/charms/jimm-k8s/tests/unit/test_charm.py b/charms/jimm-k8s/tests/unit/test_charm.py
@@ -22,6 +22,7 @@
     "candid-url": "test-candid-url",
     "public-key": "izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk=",
     "private-key": "ly/dzsI9Nt/4JxUILQeAX79qZ4mygDiuYGqc2ZEiDEc=",
+    "vault-access-address": "10.0.1.123",
 }
 
 
@@ -276,11 +277,9 @@ def test_dashboard_relation_joined(self):
         self.assertEqual(data["identity_provider_url"], "https://candid.example.com")
         self.assertEqual(data["is_juju"], "False")
 
-    @patch("src.charm.JimmOperatorCharm._get_network_address")
     @patch("socket.gethostname")
     @patch("hvac.Client.sys")
-    def test_vault_relation_joined(self, hvac_client_sys, gethostname, get_network_address):
-        get_network_address.return_value = "127.0.0.1:8080"
+    def test_vault_relation_joined(self, hvac_client_sys, gethostname):
         gethostname.return_value = "test-hostname"
         hvac_client_sys.unwrap.return_value = {
             "key1": "value1",
@@ -304,6 +303,7 @@ def test_vault_relation_joined(self, hvac_client_sys, gethostname, get_network_a
                 "candid-url": "https://candid.example.com",
                 "controller-admins": "user1 user2 group1",
                 "uuid": "caaa4ba4-e2b5-40dd-9bf3-2bd26d6e17aa",
+                "vault-access-address": "10.0.1.123",
             }
         )
         harness.set_leader(True)
@@ -323,7 +323,7 @@ def test_vault_relation_joined(self, hvac_client_sys, gethostname, get_network_a
             '"charm-jimm-k8s-creds"',
         )
         self.assertEqual(data["hostname"], '"test-hostname"')
-        self.assertEqual(data["access_address"], '"127.0.0.1:8080"')
+        self.assertEqual(data["access_address"], "10.0.1.123")
 
         harness.update_relation_data(
             id,
@@ -359,3 +359,13 @@ def test_app_enters_blocked_state_if_vault_related_but_not_ready(self):
         self.assertEqual(
             self.harness.charm.unit.status.message, "Vault relation present but vault setup is not ready yet"
         )
+
+    def test_app_raises_error_without_vault_config(self):
+        self.harness.enable_hooks()
+        minim_config_no_vault_config = MINIMAL_CONFIG.copy()
+        del minim_config_no_vault_config["vault-access-address"]
+        self.harness.update_config(minim_config_no_vault_config)
+        id = self.harness.add_relation("vault", "vault")
+        with self.assertRaises(ValueError) as e:
+            self.harness.add_relation_unit(id, "vault/0")
+            self.assertEqual(e, "Missing config vault-access-address for vault relation")