Merge "Use secret_id's with vault-kv relation"

2018-05-15 09:57:12 +00:00
parent ea1910f9cd 3b0e793feb
commit 9c78a515e1
7 changed files with 77 additions and 10 deletions
--- a/src/reactive/vault_handlers.py
+++ b/src/reactive/vault_handlers.py
@@ -45,6 +45,7 @@ from charms.reactive import (
    when,
    when_file_changed,
    when_not,
+    when_any,
 )

 from charms.reactive.relations import (
@@ -371,7 +372,7 @@ def file_change_auto_unlock_mode():


@when('leadership.is_leader')
-@when('endpoint.secrets.new-request')
+@when_any('endpoint.secrets.new-request', 'secrets.refresh')
 def configure_secrets_backend():
    """ Process requests for setup and access to simple kv secret backends """
    @tenacity.retry(wait=tenacity.wait_exponential(multiplier=1, max=10),
@@ -401,7 +402,8 @@ def configure_secrets_backend():
        return
    client.auth_approle(charm_role_id)

-    secrets = endpoint_from_flag('endpoint.secrets.new-request')
+    secrets = (endpoint_from_flag('endpoint.secrets.new-request') or
+               endpoint_from_flag('secrets.connected'))
    requests = secrets.requests()

    # Configure KV secret backends
@@ -412,6 +414,8 @@ def configure_secrets_backend():
            continue
        vault.configure_secret_backend(client, name=backend)

+    refresh_secrets = is_flag_set('secrets.refresh')
+
    # Configure AppRoles for application unit access
    for request in requests:
        # NOTE: backends must start with charm-
@@ -438,16 +442,27 @@ def configure_secrets_backend():
                                       hostname=hostname)
        )

+        cidr = '{}/32'.format(access_address)
+        new_role = (approle_name not in client.list_roles())
+
        approle_id = vault.configure_approle(
            client,
            name=approle_name,
-            cidr='{}/32'.format(access_address),
+            cidr=cidr,
            policies=[policy_name])

-        secrets.set_role_id(unit=unit,
-                            role_id=approle_id)
+        if new_role or refresh_secrets:
+            wrapped_secret = vault.generate_role_secret_id(
+                client,
+                name=approle_name,
+                cidr=cidr
+            )
+            secrets.set_role_id(unit=unit,
+                                role_id=approle_id,
+                                token=wrapped_secret)

    clear_flag('endpoint.secrets.new-request')
+    clear_flag('secrets.refresh')


@when('secrets.connected')