[DPE-9663] Support error propagation in TLS relation#29
reneradoi merged 19 commits into config-for-certificate-extra-sans from
…s' into tls-relation-error-field # Conflicts: # tests/unit/test_tls.py
Mehdi-Bendriss left a comment
Thanks René, small comments on my side
| csr.certificate_signing_request | ||
| for csr in self.client_certificate.get_csrs_from_requirer_relation_data() | ||
| ]: | ||
| logger.error("Certificate request was denied: %s", event.error.message) |
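Review bot: On the logger.error line, event.error.message is text supplied by the TLS provider and it goes into the unit log unmodified, so a message containing line breaks would appear as extra log entries. Consider stripping control characters and capping the length before logging, and include an identifier for the denied CSR so the entry can be matched to a request.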
I have 2 questions here:
- do we ever expect to receive from this hook a CSR we didn't create ourselves? if yes, how?
- if yes, we should also log when a CSR is not ours
There was a problem hiding this comment.
In theory we should not, but as we have the same safeguard in place for the certificate available event ... I've added some error logging for this case.
| value=TEST_VALUE, | ||
| ) | ||
| assert result == "OK", "Failed to write data without TLS" | ||
|
|
Can you add an additional test where you remove the relation with Vault and the status goes away?
There was a problem hiding this comment.
Good idea - I found a nice improvement for the tls-relation-broken workflow on checking that.
| ) | ||
|
|
||
| logger.info("Secret access will be granted now - wait for updated password") | ||
| juju.grant_secret(identifier=secret_name, app=APP_NAME) |
Is this to fix the flakiness we've been noticing on CI?
There was a problem hiding this comment.
Yes. I was investigating these tests locally and found that the update-status triggered by fast_forward can happen before the secret gets granted, and then the purpose of fast_forward gets defeated. So I moved it.
b3cce13 into config-for-certificate-extra-sans
This PR adds support for error propagation from a TLS provider in accordance with TE202.
The operator observes the newly added `certificate-denied` event and displays a `blocked` status in case client TLS is enabled and the TLS provider is sending `request_errors` over the TLS relation interface.

The PR also adds integration test coverage with Vault as TLS provider.
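The decision the description and the review thread outline (ignore denials for CSRs the unit did not create, block only when client TLS is enabled), as an added example that is not the charm's own code. `DeniedEvent`, `Status`, `sanitize` and `handle_denied` are hypothetical names, and cleaning the provider's message before it is logged or shown is an assumption of this example rather than something the PR states.

```python
from __future__ import annotations

import logging
import re
from dataclasses import dataclass

logger = logging.getLogger("tls-denied-example")

# Hypothetical stand-ins for the event payload and unit status (not the charm's types).
@dataclass(frozen=True)
class DeniedEvent:
    csr: str            # PEM text of the rejected CSR
    error_message: str  # free text the provider put into the relation

@dataclass(frozen=True)
class Status:
    name: str
    message: str = ""

_CONTROL = re.compile(r"[\x00-\x1f\x7f]+")

def sanitize(text: str, limit: int = 120) -> str:
    """Replace control characters (CR/LF included) with a space and cap the length."""
    return _CONTROL.sub(" ", text).strip()[:limit]

def handle_denied(event: DeniedEvent, own_csrs: set[str], client_tls_enabled: bool) -> Status | None:
    """Return the status to set, or None when the event must not change it."""
    reason = sanitize(event.error_message)
    if event.csr not in own_csrs:
        # Safeguard from the review thread: denial for a CSR this unit never created.
        logger.error("Ignoring denial for a CSR that is not ours: %s", reason)
        return None
    logger.error("Certificate request was denied: %s", reason)
    if not client_tls_enabled:
        return None  # nothing depends on the certificate, so do not block
    return Status("blocked", f"TLS certificate request denied: {reason}")

# Constructed sample data.
OWN_CSRS = {"-----BEGIN CERTIFICATE REQUEST-----\nCONSTRUCTED\n-----END CERTIFICATE REQUEST-----"}
MULTILINE_MESSAGE = "SAN not allowed\n2025-01-01 ERROR unit.app/0 constructed second line"

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    ours = DeniedEvent(next(iter(OWN_CSRS)), MULTILINE_MESSAGE)
    print(handle_denied(ours, OWN_CSRS, client_tls_enabled=True))
    print(handle_denied(DeniedEvent("not-ours", "x"), OWN_CSRS, client_tls_enabled=True))
```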