-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: refactor certs generation and add tests (#104)
* refactor: lint method for generating certs * refactor: method for generatig certs, extract sslconfig to a file * feat: refactor and test cert generation * feat: more refactoring of cert generation - moved gen_certs to certs.py - added gen_certs_if_missing - test gen_certs_if_missing - remove unneeded mocked_gen_certs fixture * fix: pin microk8s to 1.24 * feat: add error handling to push certs * fix: return after generating certs * fix: add microk8s add-ons to CI * fix: use Jinja to render template * fix: remove set model name * feat: raise GenericCharmRuntimeError * fix: restart controller test fixtures --------- Co-authored-by: Daniela Plascencia <daniela.plascencia@canonical.com>
- Loading branch information
Showing
5 changed files
with
274 additions
and
149 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
# Copyright 2023 Canonical Ltd. | ||
# See LICENSE file for licensing details. | ||
|
||
|
||
import tempfile | ||
from pathlib import Path | ||
from subprocess import check_call | ||
|
||
from jinja2 import Template | ||
|
||
SSL_CONFIG_FILE = "src/templates/ssl.conf.j2" | ||
|
||
|
||
def gen_certs(service_name: str, namespace: str, webhook_service: str): | ||
"""Generate certificates.""" | ||
|
||
template = Template(Path(SSL_CONFIG_FILE).read_text()) | ||
ssl_conf = template.render( | ||
service_name=str(service_name), | ||
namespace=str(namespace), | ||
webhook_server_service=str(webhook_service), | ||
) | ||
|
||
with tempfile.TemporaryDirectory() as tmp_dir: | ||
tmp_path = Path(tmp_dir) | ||
(tmp_path / "ssl.conf").write_text(ssl_conf) | ||
|
||
# execute OpenSSL commands | ||
check_call(["openssl", "genrsa", "-out", tmp_path / "ca.key", "2048"]) | ||
check_call(["openssl", "genrsa", "-out", tmp_path / "server.key", "2048"]) | ||
check_call( | ||
[ | ||
"openssl", | ||
"req", | ||
"-x509", | ||
"-new", | ||
"-sha256", | ||
"-nodes", | ||
"-days", | ||
"3650", | ||
"-key", | ||
tmp_path / "ca.key", | ||
"-subj", | ||
"/CN=127.0.0.1", | ||
"-out", | ||
tmp_path / "ca.crt", | ||
] | ||
) | ||
check_call( | ||
[ | ||
"openssl", | ||
"req", | ||
"-new", | ||
"-sha256", | ||
"-key", | ||
tmp_path / "server.key", | ||
"-out", | ||
tmp_path / "server.csr", | ||
"-config", | ||
tmp_path / "ssl.conf", | ||
] | ||
) | ||
check_call( | ||
[ | ||
"openssl", | ||
"x509", | ||
"-req", | ||
"-sha256", | ||
"-in", | ||
tmp_path / "server.csr", | ||
"-CA", | ||
tmp_path / "ca.crt", | ||
"-CAkey", | ||
tmp_path / "ca.key", | ||
"-CAcreateserial", | ||
"-out", | ||
tmp_path / "cert.pem", | ||
"-days", | ||
"365", | ||
"-extensions", | ||
"v3_ext", | ||
"-extfile", | ||
tmp_path / "ssl.conf", | ||
] | ||
) | ||
|
||
ret_certs = { | ||
"cert": (tmp_path / "cert.pem").read_text(), | ||
"key": (tmp_path / "server.key").read_text(), | ||
"ca": (tmp_path / "ca.crt").read_text(), | ||
} | ||
|
||
# cleanup temporary files | ||
for file in tmp_path.glob("cert-gen-*"): | ||
file.unlink() | ||
|
||
return ret_certs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.