Report when Vault service needs to be restarted for HA

Vault can act as the CA for etcd to allow it to operate in HA mode by
the leader first being unsealed in non-HA mode and providing the root CA
certificate, which allows it to provide a certificate to etcd. However,
at that point, the Vault service needs to be restarted and unsealed
again in order to pick up the HA configuration. Currenty, the status
just reports Vault as ready, potentially with multiple "active" units.
This change detects when the Vault service should be restarted to pick
up the HA configuration and reports it via status.

Change-Id: I40e813b1df4ab3b3301881385a5d713524698821

src/reactive/vault_handlers.py

@@ -838,6 +838,15 @@ def _assess_status():
             'to restart the service.')
         return
 
+    if is_flag_set('etcd.tls.available'):
+        client = vault.get_local_client()
+        if not client.ha_status['ha_enabled']:
+            status_set(
+                'active',
+                'Vault running as non-HA, manual intervention required '
+                'to restart the service.')
+            return
+
     status_set(
         'active',
         'Unit is ready '
@@ -856,10 +865,11 @@ def client_approle_authorized():
         vault.get_local_client()
         return True
     except (vault.hvac.exceptions.InternalServerError,
+            vault.hvac.exceptions.InvalidRequest,
             vault.VaultNotReady,
             vault.hvac.exceptions.VaultDown,
             vault.requests.exceptions.ReadTimeout):
-        log("InternalServerError: Unable to athorize approle. "
+        log("InternalServerError: Unable to authorize approle. "
             "This may indicate failure to communicate with the database ",
             "WARNING")
         log(traceback.format_exc(), level=ERROR)

unit_tests/test_reactive_vault_handlers.py

@@ -1154,3 +1154,30 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
         self.status_set.assert_called_with(
             'blocked', 'Load balancer failed: just because'
         )
+
+    @patch.object(handlers.vault, 'get_local_client')
+    @patch.object(handlers, 'leader_get')
+    @patch.object(handlers, 'client_approle_authorized')
+    @patch.object(handlers, '_assess_interface_groups')
+    @patch.object(handlers.vault, 'get_vault_health')
+    def test_assess_status_non_ha(self,
+                                  get_vault_health,
+                                  _assess_interface_groups,
+                                  _client_approle_authorized,
+                                  _leader_get,
+                                  get_local_client):
+        get_vault_health.return_value = self._health_response
+        self.snap.get_installed_version.return_value = '0.9.0'
+        self.endpoint_from_name().is_available = True
+        self.endpoint_from_name().has_response = False
+        self.is_flag_set.side_effect = lambda f: False
+        get_local_client.return_value.ha_status = {'ha_enabled': False}
+        handlers._assess_status()
+        self.assertIn('Unit is ready', self.status_set.call_args[0][1])
+        self.is_flag_set.side_effect = lambda f: f == 'etcd.tls.available'
+        handlers._assess_status()
+        self.assertIn('Vault running as non-HA',
+                      self.status_set.call_args[0][1])
+        get_local_client.return_value.ha_status = {'ha_enabled': True}
+        handlers._assess_status()
+        self.assertIn('Unit is ready', self.status_set.call_args[0][1])