diff --git a/charms/jimm-k8s/config.yaml b/charms/jimm-k8s/config.yaml
index b718056a1..36934252a 100644
--- a/charms/jimm-k8s/config.yaml
+++ b/charms/jimm-k8s/config.yaml
@@ -63,3 +63,8 @@ options:
 dns-name:
 type: string
 description: DNS hostname that JIMM is being served from.
+ vault-access-address:
+ type: string
+ description: |
+ The source address for the connection to Vault.
+ This should be a single IP with no CIDR.
diff --git a/charms/jimm-k8s/src/charm.py b/charms/jimm-k8s/src/charm.py
index c8740de7d..c8613fd38 100755
--- a/charms/jimm-k8s/src/charm.py
+++ b/charms/jimm-k8s/src/charm.py
@@ -507,9 +507,13 @@ def _get_network_address(self, event):
 return str(self.model.get_binding(event.relation).network.egress_subnets[0].network_address)
 def _on_vault_relation_joined(self, event):
+ if self.config.get("vault-access-address") is None:
+ logger.error("Missing config vault-access-address for vault relation")
+ raise ValueError("Missing config vault-access-address for vault relation")
+
 event.relation.data[self.unit]["secret_backend"] = json.dumps(self._vault_path)
 event.relation.data[self.unit]["hostname"] = json.dumps(socket.gethostname())
- event.relation.data[self.unit]["access_address"] = json.dumps(self._get_network_address(event))
+ event.relation.data[self.unit]["access_address"] = self.config["vault-access-address"]
 event.relation.data[self.unit]["isolated"] = json.dumps(False)
 def _ensure_vault_file(self, event):
diff --git a/charms/jimm-k8s/tests/unit/test_charm.py b/charms/jimm-k8s/tests/unit/test_charm.py
index aa6bb6bbb..8482463b5 100644
--- a/charms/jimm-k8s/tests/unit/test_charm.py
+++ b/charms/jimm-k8s/tests/unit/test_charm.py
@@ -22,6 +22,7 @@
 "candid-url": "test-candid-url",
 "public-key": "izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk=",
 "private-key": "ly/dzsI9Nt/4JxUILQeAX79qZ4mygDiuYGqc2ZEiDEc=",
+ "vault-access-address": "10.0.1.123",
 }
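Review bot: The description of the new `vault-access-address` option in charms/jimm-k8s/config.yaml does not say that the option is mandatory once a vault relation exists, yet `_on_vault_relation_joined` in this same commit raises when it is unset. I would extend the description with a line such as `Required when the vault relation is used; the relation-joined hook fails without it.` Since the option declares no `default`, it may also be worth stating whether both IPv4 and IPv6 literals are accepted.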
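Review bot: In `_on_vault_relation_joined` (charms/jimm-k8s/src/charm.py) the new guard only rejects an unset option, so an empty string, a hostname or a CIDR range is published as `access_address` unchecked, although config.yaml asks for a single IP. Because the value is operator-supplied and describes the source address Vault should expect, I would validate it before writing relation data, e.g. `ipaddress.ip_address(self.config["vault-access-address"])`, which raises `ValueError` for anything that is not exactly one address (the `ipaddress` import belongs in the file's import block, outside this hunk). The value is also written raw while `secret_backend`, `hostname` and `isolated` stay wrapped in `json.dumps`; please confirm the Vault side accepts a bare string, or keep `json.dumps(...)` for consistency. Raising from the hook leaves the unit in an error state; setting a blocked status, as the existing vault-not-ready path apparently does, may be easier for operators to act on.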
@@ -276,11 +277,9 @@ def test_dashboard_relation_joined(self):
 self.assertEqual(data["identity_provider_url"], "https://candid.example.com")
 self.assertEqual(data["is_juju"], "False")
- @patch("src.charm.JimmOperatorCharm._get_network_address")
 @patch("socket.gethostname")
 @patch("hvac.Client.sys")
- def test_vault_relation_joined(self, hvac_client_sys, gethostname, get_network_address):
- get_network_address.return_value = "127.0.0.1:8080"
+ def test_vault_relation_joined(self, hvac_client_sys, gethostname):
 gethostname.return_value = "test-hostname"
 hvac_client_sys.unwrap.return_value = {
 "key1": "value1",
@@ -304,6 +303,7 @@ def test_vault_relation_joined(self, hvac_client_sys, gethostname, get_network_a
 "candid-url": "https://candid.example.com",
 "controller-admins": "user1 user2 group1",
 "uuid": "caaa4ba4-e2b5-40dd-9bf3-2bd26d6e17aa",
+ "vault-access-address": "10.0.1.123",
 }
 )
 harness.set_leader(True)
@@ -323,7 +323,7 @@ def test_vault_relation_joined(self, hvac_client_sys, gethostname, get_network_a
 '"charm-jimm-k8s-creds"',
 )
 self.assertEqual(data["hostname"], '"test-hostname"')
- self.assertEqual(data["access_address"], '"127.0.0.1:8080"')
+ self.assertEqual(data["access_address"], "10.0.1.123")
 harness.update_relation_data(
 id,
@@ -359,3 +359,13 @@ def test_app_enters_blocked_state_if_vault_related_but_not_ready(self):
 self.assertEqual(
 self.harness.charm.unit.status.message, "Vault relation present but vault setup is not ready yet"
 )
+
+ def test_app_raises_error_without_vault_config(self):
+ self.harness.enable_hooks()
+ minim_config_no_vault_config = MINIMAL_CONFIG.copy()
+ del minim_config_no_vault_config["vault-access-address"]
+ self.harness.update_config(minim_config_no_vault_config)
+ id = self.harness.add_relation("vault", "vault")
+ with self.assertRaises(ValueError) as e:
+ self.harness.add_relation_unit(id, "vault/0")
+ self.assertEqual(e, "Missing config vault-access-address for vault relation")
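Review bot: In `test_app_raises_error_without_vault_config` the final `self.assertEqual(e, "Missing config ...")` does not verify the message: `e` is the `assertRaises` context manager rather than the exception, and if the line sits inside the `with` block (indentation is not recoverable from this view) it is never reached once `add_relation_unit` raises. Move it after the block and compare the exception text: `self.assertEqual(str(e.exception), "Missing config vault-access-address for vault relation")`. As a small style point, `id` shadows the builtin in this test; `rel_id` would read more clearly.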