Report 'Missing CA' if certs relation exist but CA not configured

If vault/leader has certificate relationship with other apps but root CA is either not configured or cleared by action 'disable-pki', the status should be set to 'Blocked, Missing CA' Also add unit test for checking 'missing-CA' status Closes-Bug: #1940451 Change-Id: I2f0093c0ae6949693f2ad1ea4729b690c932b4b1
2021-11-02 19:34:45 +00:00 · 2021-11-02 19:34:45 +00:00 · 5151d01ee2
parent fbf6cc5494
commit 5151d01ee2
3 changed files with 24 additions and 0 deletions
--- a/src/reactive/vault_handlers.py
+++ b/src/reactive/vault_handlers.py
@ -817,6 +817,11 @@ def _assess_status():
        status_set('blocked', 'Missing CA cert')
        return

+    has_certs_relation = is_flag_set('certificates.available')
+    if is_leader and has_certs_relation and not has_ca:
+        status_set('blocked', 'Missing CA cert')
+        return
+
    _assess_interface_groups(OPTIONAL_INTERFACES, optional=True,
                             missing_interfaces=_missing_interfaces,
                             incomplete_interfaces=_incomplete_interfaces)
--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -6,6 +6,7 @@
 pyparsing<3.0.0  # aodhclient is pinned in zaza and needs pyparsing < 3.0.0, but cffi also needs it, so pin here.
 cffi==1.14.6; python_version < '3.6'  # cffi 1.15.0 drops support for py35.

+
 setuptools<50.0.0  # https://github.com/pypa/setuptools/commit/04e3df22df840c6bb244e9b27bc56750c44b7c85

 stestr>=2.2.0
--- a/unit_tests/test_reactive_vault_handlers.py
+++ b/unit_tests/test_reactive_vault_handlers.py
@ -483,6 +483,24 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
        handlers._assess_status()
        self.status_set.assert_called_with('blocked', 'Missing CA cert')

+    @patch.object(handlers, 'leader_get')
+    @patch.object(handlers, 'client_approle_authorized')
+    @patch.object(handlers, '_assess_interface_groups')
+    @patch.object(handlers.vault, 'get_vault_health')
+    def test_assess_status_missing_ca_certs_available(
+            self, get_vault_health,
+            _assess_interface_groups,
+            _client_approle_authorized,
+            _leader_get):
+        flags = ['certificates.available']
+        self.is_flag_set.side_effect = lambda f: f in flags
+        get_vault_health.return_value = self._health_response
+        handlers._assess_status()
+        self.status_set.assert_called_with('active', mock.ANY)
+        flags.append('leadership.is_leader')
+        handlers._assess_status()
+        self.status_set.assert_called_with('blocked', 'Missing CA cert')
+
    def test_assess_interface_groups(self):
        flags = {
            'db.master.available': True,