From 79a149bfc54c271231634c9bb8d941161d17a93b Mon Sep 17 00:00:00 2001
From: Liam Young
Date: Mon, 14 Oct 2019 08:53:42 +0000
Subject: [PATCH] Facade for vault & basic_setup_and_unseal
Add a facade for interacting with vault and a function which unseals vault units (useful when vault units have been rebooted).
---
 zaza/openstack/charm_tests/vault/setup.py | 34 ++++++--------
 zaza/openstack/charm_tests/vault/utils.py | 56 +++++++++++++++++++++++
 2 files changed, 71 insertions(+), 19 deletions(-)
diff --git a/zaza/openstack/charm_tests/vault/setup.py b/zaza/openstack/charm_tests/vault/setup.py
index 37bd332..ca97bf0 100644
--- a/zaza/openstack/charm_tests/vault/setup.py
+++ b/zaza/openstack/charm_tests/vault/setup.py
@@ -33,26 +33,22 @@ def basic_setup(cacert=None, unseal_and_authorize=False):
 :param unseal_and_authorize: Whether to unseal and authorize vault.
 :type unseal_and_authorize: bool
 """
- clients = vault_utils.get_clients(cacert=cacert)
- vip_client = vault_utils.get_vip_client(cacert=cacert)
- if vip_client:
- unseal_client = vip_client
- else:
- unseal_client = clients[0]
- initialized = vault_utils.is_initialized(unseal_client)
- # The credentials are written to a file to allow the tests to be re-run
- # this is mainly useful for manually working on the tests.
- if initialized:
- vault_creds = vault_utils.get_credentails()
- else:
- vault_creds = vault_utils.init_vault(unseal_client)
- vault_utils.store_credentails(vault_creds)
-
- # For use by charms or bundles other than vault
+ vault_svc = vault_utils.VaultFacade(cacert=cacert)
 if unseal_and_authorize:
- vault_utils.unseal_all(clients, vault_creds['keys'][0])
- vault_utils.auth_all(clients, vault_creds['root_token'])
- vault_utils.run_charm_authorize(vault_creds['root_token'])
+ vault_svc.unseal()
+ vault_svc.authorize()
+
+
+def basic_setup_and_unseal(cacert=None):
+ """Initialize (if needed) and unseal vault.
+
+ :param cacert: Path to CA cert used for vaults api cert.
+ :type cacert: str
+ """
+ vault_svc = vault_utils.VaultFacade(cacert=cacert)
+ vault_svc.unseal()
+ for unit in zaza.model.get_units('vault'):
+ zaza.model.run_on_unit(unit.name, './hooks/update-status')
 def auto_initialize(cacert=None, validation_application='keystone'):
diff --git a/zaza/openstack/charm_tests/vault/utils.py b/zaza/openstack/charm_tests/vault/utils.py
index 9491bfd..b6f4cf5 100644
--- a/zaza/openstack/charm_tests/vault/utils.py
+++ b/zaza/openstack/charm_tests/vault/utils.py
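Review bot: The return value of `zaza.model.run_on_unit(unit.name, './hooks/update-status')` in `basic_setup_and_unseal` is discarded, so a hook that fails on a unit (for instance because that unit is still sealed) goes unnoticed and the setup step reports success. Capture it, e.g. `result = zaza.model.run_on_unit(unit.name, './hooks/update-status')`, and fail the setup when the reported exit status is non-zero. The function also relies on `zaza.model` being imported at the top of setup.py, which lies outside this hunk and should be confirmed. A one-line comment on the loop saying why the hook is re-run after unsealing would help the next reader.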
@@ -33,6 +33,62 @@ CharmVaultClient = collections.namedtuple(
 'CharmVaultClient', ['addr', 'hvac_client', 'vip_client'])
+class VaultFacade:
+ """Provide a facade for interacting with vault.
+
+ For example to setup new vault deployment::
+
+ vault_svc = VaultFacade()
+ vault_svc.unseal()
+ vault_svc.authorize()
+ """
+
+ def __init__(self, cacert=None, initialize=True):
+ """Create a facade for interacting with vault.
+
+ :param cacert: Path to CA cert used for vaults api cert.
+ :type cacert: str
+ :param initialize: Whether to initialize vault.
+ :type initialize: bool
+ """
+ self.clients = get_clients(cacert=cacert)
+ self.vip_client = get_vip_client(cacert=cacert)
+ if self.vip_client:
+ self.unseal_client = self.vip_client
+ else:
+ self.unseal_client = self.clients[0]
+ self.initialized = is_initialized(self.unseal_client)
+ if initialize:
+ self.initialize()
+
+ @property
+ def is_initialized(self):
+ """Check if vault is initialized."""
+ return self.initialized
+
+ def initialize(self):
+ """Initialise vault and store resulting credentials."""
+ if self.is_initialized:
+ self.vault_creds = get_credentails()
+ else:
+ self.vault_creds = init_vault(self.unseal_client)
+ store_credentails(self.vault_creds)
+ self.initialized = is_initialized(self.unseal_client)
+
+ def unseal(self):
+ """Unseal all the vaults clients."""
+ unseal_all(self.clients, self.vault_creds['keys'][0])
+
+ def authorize(self):
+ """Authorize charm to perfom certain actions.
+
+ Run vault charm action to authorize the charm to perform a limited
+ set of calls against the vault API.
+ """
+ auth_all(self.clients, self.vault_creds['root_token'])
+ run_charm_authorize(self.vault_creds['root_token'])
+
+
 def get_unit_api_url(ip):
 """Return URL for api access.
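Review bot: `self.vault_creds` is assigned only inside `initialize()`, so a `VaultFacade` built with `initialize=False` raises `AttributeError` from `unseal()` or `authorize()` instead of a readable error. Set `self.vault_creds = None` in `__init__` and have both methods raise a clear exception while it is still `None`. The instance also holds the root token and the first unseal key for its whole lifetime and reloads them through `get_credentails()`, whose storage is not visible in this hunk. The class docstring should state that the facade is meant for disposable test deployments and that the stored credentials must not outlive them. `self.clients[0]` additionally assumes `get_clients()` returned at least one client.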