chore: update charm libraries (#602)
observability-noctua-bot authored May 3, 2024
1 parent d35f2ea commit 69b500c
Showing 1 changed file with 20 additions and 3 deletions.
23 changes: 20 additions & 3 deletions lib/charms/observability_libs/v1/cert_handler.py
Expand Up @@ -67,7 +67,7 @@

LIBID = "b5cd5cd580f3428fa5f59a8876dcbe6a"
LIBAPI = 1
LIBPATCH = 7
LIBPATCH = 8

VAULT_SECRET_LABEL = "cert-handler-private-vault"

Expand Down Expand Up @@ -349,21 +349,38 @@ def __init__(
)

def _on_upgrade_charm(self, _):
has_privkey = self.vault.get_value("private-key")

self._migrate_vault()

# If we already have a csr, but the pre-migration vault has no privkey stored,
# the csr must have been signed with a privkey that is now outdated and utterly lost.
# So we throw away the csr and generate a new one (and a new privkey along with it).
if not has_privkey and self._csr:
logger.debug("CSR and privkey out of sync after charm upgrade. Renewing CSR.")
# this will call `self.private_key` which will generate a new privkey.
self._generate_csr(renew=True)

def _migrate_vault(self):
peer_backend = _RelationVaultBackend(self.charm, relation_name="peers")

if self._check_juju_supports_secrets():
# we are on recent juju
if self.vault.retrieve():
# we already were on recent juju: nothing to migrate
logger.debug(
"Private key is already stored as a juju secret. Skipping private key migration."
)
return

# we used to be on old juju: our secret stuff is in peer data
if peer_backend.retrieve():
if contents := peer_backend.retrieve():
logger.debug(
"Private key found in relation data. "
"Migrating private key to a juju secret."
)
# move over to secret-backed storage
self.vault.store(peer_backend.retrieve())
self.vault.store(contents)

# clear the peer storage
peer_backend.clear()
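Review bot: `has_privkey` on the first line of the new `_on_upgrade_charm` is read from `self.vault` before `_migrate_vault()` runs, so on the one upgrade that moves the key from peer data into a juju secret it is falsy even though the key survives the migration, and the `if not has_privkey and self._csr` branch then renews a CSR that is still valid — unless `get_value` also consults peer data, which this hunk does not show. Checking after migration matches the intent the comment states: `self._migrate_vault()` followed by `has_privkey = bool(self.vault.get_value("private-key"))`, with the comment reworded to `# If we still have no privkey after migration, any existing csr was signed with a key that is lost.` The `bool()` also avoids keeping the private-key material in a local that is only ever used for truthiness. `_migrate_vault` continues past the end of the hunk, so what the non-secrets branch does with the key is not visible here.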
