def test_get_vault_health(self, requests, get_api_url):
get_api_url.return_value = "https://vault.demo.com:8200"
mock_response = mock.MagicMock()
mock_response.json.return_value = self._health_response
requests.get.return_value = mock_response
self.assertEqual(vault.get_vault_health(), self._health_response)
requests.get.assert_called_with("http://127.0.0.1:8220/v1/sys/health")
mock_response.json.assert_called_once()
def _assess_status():
"""Assess status of relations and services for local unit"""
if is_flag_set('snap.channel.invalid'):
status_set('blocked',
'Invalid snap channel '
'configured: {}'.format(config('channel')))
return
if is_flag_set('config.dns_vip.invalid'):
status_set('blocked',
'vip and dns-ha-access-record configured')
return
health = None
if service_running('vault'):
health = vault.get_vault_health()
application_version_set(health.get('version'))
_missing_interfaces = []
_incomplete_interfaces = []
_assess_interface_groups(REQUIRED_INTERFACES, optional=False,
missing_interfaces=_missing_interfaces,
incomplete_interfaces=_incomplete_interfaces)
_assess_interface_groups(OPTIONAL_INTERFACES, optional=True,
missing_interfaces=_missing_interfaces,
incomplete_interfaces=_incomplete_interfaces)
if _missing_interfaces or _incomplete_interfaces:
state = 'blocked' if _missing_interfaces else 'waiting'
status_set(state, ', '.join(_missing_interfaces +
_incomplete_interfaces))
return
if not service_running('vault'):
status_set('blocked', 'Vault service not running')
return
if not health['initialized']:
status_set('blocked', 'Vault needs to be initialized')
return
if health['sealed']:
status_set('blocked', 'Unit is sealed')
return
mlock_disabled = is_container() or config('disable-mlock')
status_set(
'active',
'Unit is ready '
'(active: {}, mlock: {})'.format(
str(not health['standby']).lower(),
'disabled' if mlock_disabled else 'enabled'
)
)
def _assess_status():
"""Assess status of relations and services for local unit"""
if is_flag_set('snap.channel.invalid'):
status_set(
'blocked', 'Invalid snap channel '
'configured: {}'.format(config('channel')))
return
if is_flag_set('config.dns_vip.invalid'):
status_set('blocked', 'vip and dns-ha-access-record configured')
return
if is_flag_set('config.lb_vip.invalid'):
status_set('blocked', 'lb-provider and vip are mutually exclusive')
return
if is_flag_set('config.lb_dns.invalid'):
status_set(
'blocked', 'lb-provider and dns-ha-access-record are '
'mutually exclusive')
return
if unitdata.kv().get('charm.vault.series-upgrading'):
status_set(
"blocked", "Ready for do-release-upgrade and reboot. "
"Set complete when finished.")
return
if is_flag_set('failed.to.start'):
status_set("blocked",
"Vault failed to start; check journalctl -u vault")
return
_missing_interfaces = []
_incomplete_interfaces = []
_assess_interface_groups(REQUIRED_INTERFACES,
optional=False,
missing_interfaces=_missing_interfaces,
incomplete_interfaces=_incomplete_interfaces)
if _missing_interfaces or _incomplete_interfaces:
state = 'blocked' if _missing_interfaces else 'waiting'
status_set(state,
', '.join(_missing_interfaces + _incomplete_interfaces))
return
health = None
if service_running('vault'):
try:
health = vault.get_vault_health()
except Exception:
log(traceback.format_exc(), level=ERROR)
status_set('blocked', 'Vault health check failed')
return
else:
status_set('blocked', 'Vault service not running')
return
if health.get('version'):
application_version_set(health.get('version'))
else:
application_version_set('Unknown')
status_set('blocked', 'Unknown vault version')
return
if not health['initialized']:
status_set('blocked', 'Vault needs to be initialized')
return
if health['sealed']:
status_set('blocked', 'Unit is sealed')
return
if not leader_get(vault.CHARM_ACCESS_ROLE_ID):
status_set(
'blocked',
'Vault charm not yet authorized: run authorize-charm action.')
return
if not client_approle_authorized():
status_set('blocked', 'Vault cannot authorize approle')
return
lb_provider = endpoint_from_name('lb-provider')
is_leader = is_flag_set('leadership.is_leader')
if is_leader and lb_provider and lb_provider.is_available:
if not lb_provider.has_response:
status_set('waiting', 'Waiting for load balancer')
return
response = lb_provider.get_response('vault')
if response.error:
status_set(
'blocked', 'Load balancer failed: '
'{}'.format(response.error_message or response.error_fields))
return
is_leader = is_flag_set('leadership.is_leader')
has_ca = is_flag_set('charm.vault.ca.ready')
has_cert_reqs = is_flag_set('certificates.certs.requested')
if is_leader and has_cert_reqs and not has_ca:
status_set('blocked', 'Missing CA cert')
return
has_certs_relation = is_flag_set('certificates.available')
if is_leader and has_certs_relation and not has_ca:
status_set('blocked', 'Missing CA cert')
return
_assess_interface_groups(OPTIONAL_INTERFACES,
optional=True,
missing_interfaces=_missing_interfaces,
incomplete_interfaces=_incomplete_interfaces)
if _missing_interfaces or _incomplete_interfaces:
state = 'blocked' if _missing_interfaces else 'waiting'
status_set(state,
', '.join(_missing_interfaces + _incomplete_interfaces))
return
mlock_disabled = is_container() or config('disable-mlock')
vault_installed_version = snap.get_installed_version('vault')
vault_running_version = health.get('version')
if vault_installed_version != vault_running_version:
status_set(
'active',
'New version of vault installed, manual intervention required '
'to restart the service.')
return
if is_flag_set('etcd.tls.available'):
client = vault.get_local_client()
if not client.ha_status['ha_enabled']:
status_set(
'active',
'Vault running as non-HA, manual intervention required '
'to restart the service.')
return
status_set(
'active', 'Unit is ready '
'(active: {}, mlock: {})'.format(
str(not health['standby']).lower(),
'disabled' if mlock_disabled else 'enabled'))
def _assess_status():
"""Assess status of relations and services for local unit"""
if is_flag_set('snap.channel.invalid'):
status_set(
'blocked', 'Invalid snap channel '
'configured: {}'.format(config('channel')))
return
if is_flag_set('config.dns_vip.invalid'):
status_set('blocked', 'vip and dns-ha-access-record configured')
return
if unitdata.kv().get('charm.vault.series-upgrading'):
status_set(
"blocked", "Ready for do-release-upgrade and reboot. "
"Set complete when finished.")
return
if is_flag_set('failed.to.start'):
status_set("blocked",
"Vault failed to start; check journalctl -u vault")
return
_missing_interfaces = []
_incomplete_interfaces = []
_assess_interface_groups(REQUIRED_INTERFACES,
optional=False,
missing_interfaces=_missing_interfaces,
incomplete_interfaces=_incomplete_interfaces)
_assess_interface_groups(OPTIONAL_INTERFACES,
optional=True,
missing_interfaces=_missing_interfaces,
incomplete_interfaces=_incomplete_interfaces)
if _missing_interfaces or _incomplete_interfaces:
state = 'blocked' if _missing_interfaces else 'waiting'
status_set(state,
', '.join(_missing_interfaces + _incomplete_interfaces))
return
health = None
if service_running('vault'):
try:
health = vault.get_vault_health()
except Exception:
log(traceback.format_exc(), level=ERROR)
status_set('blocked', 'Vault health check failed')
return
else:
status_set('blocked', 'Vault service not running')
return
if health.get('version'):
application_version_set(health.get('version'))
else:
application_version_set('Unknown')
status_set('blocked', 'Unknown vault version')
return
if not health['initialized']:
status_set('blocked', 'Vault needs to be initialized')
return
if health['sealed']:
status_set('blocked', 'Unit is sealed')
return
if not leader_get(vault.CHARM_ACCESS_ROLE_ID):
status_set(
'blocked',
'Vault charm not yet authorized: run authorize-charm action.')
return
if not client_approle_authorized():
status_set('blocked', 'Vault cannot authorize approle')
return
mlock_disabled = is_container() or config('disable-mlock')
vault_installed_version = snap.get_installed_version('vault')
vault_running_version = health.get('version')
if vault_installed_version != vault_running_version:
status_set(
'active',
'New version of vault installed, manual intervention required '
'to restart the service.')
return
status_set(
'active', 'Unit is ready '
'(active: {}, mlock: {})'.format(
str(not health['standby']).lower(),
'disabled' if mlock_disabled else 'enabled'))
