

[Fix] Improve logging and policy application
Remove any modification to unit status from the kv handler, replaced by
logging calls.
Move KV policy to dedicated file.
gboutry committed Sep 22, 2023
1 parent ca40902 commit af3b700
Showing 3 changed files with 17 additions and 15 deletions.
13 changes: 8 additions & 5 deletions src/charm.py
Expand Up @@ -276,14 +276,14 @@ def _on_new_vault_kv_client_attached(self, event: NewVaultKvClientAttachedEvent)
return

if not self._is_peer_relation_created():
self.unit.status = WaitingStatus("Waiting for peer relation")
logger.debug("Peer relation not created, deferring event")
event.defer()
return

try:
root_token, _ = self._get_initialization_secret_from_peer_relation()
except PeerSecretError:
self.unit.status = WaitingStatus("Waiting for vault initialization secret")
logger.debug("Vault initialization secret not set in peer relation, deferring event")
event.defer()
return

Expand All @@ -294,22 +294,25 @@ def _on_new_vault_kv_client_attached(self, event: NewVaultKvClientAttachedEvent)
ca_certificate,
) = self._get_certificates_secret_in_peer_relation()
except PeerSecretError:
self.unit.status = WaitingStatus("Waiting for vault certificate to be available")
logger.debug("Vault certificate secret not set in peer relation, deferring event")
event.defer()
return

relation = self.model.get_relation(event.relation_name, event.relation_id)

if relation is None or relation.app is None:
logger.debug("Relation or remote application is None, skipping")
logger.warning(
"Relation or remote application is missing,"
"this should not happen, skipping event"
)
return

vault = Vault(url=self._api_address)
vault.set_token(token=root_token)
vault.enable_approle_auth()

if not vault.is_api_available():
self.unit.status = WaitingStatus("Waiting for vault to be available")
logger.debug("Vault is not available, deferring event")
event.defer()
return

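Review bot: The new warning message in the `relation is None or relation.app is None` branch is built from two adjacent string literals with no separator, so it is emitted as "…is missing,this should not happen…"; the first literal should end with a space, `"Relation or remote application is missing, "`. The surrounding `_on_new_vault_kv_client_attached` starts before this hunk and continues after it. One thing the swap from `WaitingStatus` to `logger.debug` changes, presumably on purpose, is that an operator no longer sees why the handler keeps deferring from `juju status` alone; if the status is now set elsewhere it would help to say so in a comment at the top of the handler, e.g. `# Unit status is owned by the collect-status/update-status path; this handler only logs and defers.` — confirm that is the intent.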
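--- a/src/kv_mount.hcl
+++ b/src/kv_mount.hcl
@@ -0,0 +1,6 @@
+path "{mount}/*" {{
+capabilities = ["create", "read", "update", "delete", "list"]
+}}
+path "sys/internal/ui/mounts/{mount}" {{
+capabilities = ["read"]
+}}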
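Review bot: This file is a `str.format` template rather than valid HCL — the braces are doubled and `{mount}` is substituted at runtime by `Vault.configure_kv_policy` — but nothing in the file says so, and a `.hcl` extension invites someone to lint or hand-edit it as plain Vault policy. A header comment would prevent that, e.g. `# Python str.format template, not raw HCL: braces are doubled and {mount} is filled in by Vault.configure_kv_policy`. On scope, `{mount}/*` with `delete` is broad: if the mount is a kv-v2 engine (the visible code does not show which version `configure_kv_mount` enables), that glob also covers `{mount}/metadata/*` and `{mount}/destroy/*`, so a client can permanently destroy every version of every secret under the mount; if only read/write of current secrets is intended, narrowing to `{mount}/data/*` plus `list` on `{mount}/metadata/*` would be the least-privilege form.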
13 changes: 3 additions & 10 deletions src/vault.py
Expand Up @@ -12,15 +12,6 @@

logger = logging.getLogger(__name__)

KV_MOUNT_HCL = """
path "{mount}/*" {{
capabilities = ["create", "read", "update", "delete", "list"]
}}
path "sys/internal/ui/mounts/{mount}" {{
capabilities = ["read"]
}}
"""


class VaultError(Exception):
"""Exception raised for Vault errors."""
Expand Down Expand Up @@ -109,7 +100,9 @@ def configure_kv_mount(self, name: str):

def configure_kv_policy(self, policy: str, mount: str):
"""Create/update a policy within vault to access the KV mount."""
self._client.sys.create_or_update_policy(policy, KV_MOUNT_HCL.format(mount=mount))
with open("src/kv_mount.hcl", "r") as fd:
mount_policy = fd.read()
self._client.sys.create_or_update_policy(policy, mount_policy.format(mount=mount))

def configure_approle(self, name: str, cidrs: List[str], policies: List[str]) -> str:
"""Create/update a role within vault associating the supplied policies."""
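Review bot: `open("src/kv_mount.hcl", "r")` resolves against the process working directory, not the module, so the moved policy is only found when the charm happens to run from the repository root; it should be located relative to `__file__` (`Path(__file__).with_name("kv_mount.hcl")`). The same method still formats `mount` straight into a quoted HCL `path` with no validation; if the mount name is derived from relation data supplied by the requiring application, as the handler in charm.py suggests, a value containing `"`, `*` or a newline would let that application rewrite the policy stanza rather than merely name its mount. Rejecting anything outside `[A-Za-z0-9_-]` before formatting closes that, and both changes need `import re` and `from pathlib import Path` at the top of vault.py. The rewritten method body is below; `configure_approle` and the rest of the class are unchanged.
```python
def configure_kv_policy(self, policy: str, mount: str):
    """Create/update a policy within vault to access the KV mount."""
    # Reject anything that could break out of the quoted path in the HCL template.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", mount):
        raise VaultError(f"invalid mount name: {mount!r}")
    policy_path = Path(__file__).with_name("kv_mount.hcl")
    mount_policy = policy_path.read_text(encoding="utf-8").format(mount=mount)
    self._client.sys.create_or_update_policy(policy, mount_policy)
```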
