Tests CA renewal in integration test

canonical · Sep 20, 2024 · 0615c69 · 0615c69
1 parent 6d68e3c
commit 0615c69
Showing 1 changed file with 21 additions and 8 deletions.
diff --git a/tests/integration/test_integration.py b/tests/integration/test_integration.py
@@ -140,7 +140,7 @@ async def test_given_tls_requirer_is_integrated_when_ca_common_name_config_chang
     await wait_for_requirer_certificates(ops_test=ops_test, ca_common_name=new_common_name)
 
 
-async def test_given_tls_requirer_is_integrated_when_certificate_expires_then_new_certificate_is_provided(  # noqa: E501
+async def test_given_tls_requirer_is_integrated_when_certificates_expires_then_new_certificate_is_provided(  # noqa: E501
     ops_test: OpsTest,
     deploy,
 ):
@@ -150,8 +150,8 @@ async def test_given_tls_requirer_is_integrated_when_certificate_expires_then_ne
     assert application
     await application.set_config(
         {
-            "root-ca-validity": "180s",
-            "certificate-validity": "60s",
+            "root-ca-validity": "2m",
+            "certificate-validity": "1m",
         }
     )
     await ops_test.model.wait_for_idle(
@@ -163,19 +163,32 @@ async def test_given_tls_requirer_is_integrated_when_certificate_expires_then_ne
     action_output = await wait_for_requirer_certificates(
         ops_test=ops_test, ca_common_name=new_common_name
     )
-    old_certificate = action_output.get("certificate", "")
+    new_common_name_certificate = action_output.get("certificate", "")
+    new_common_name_ca = action_output.get("ca-certificate", "")
 
-    assert old_certificate
+    assert new_common_name_certificate
 
     # Wait for the certificate to expire
     time.sleep(60)
 
     action_output = await wait_for_requirer_certificates(
         ops_test=ops_test, ca_common_name=new_common_name
     )
-    new_certificate = action_output.get("certificate", "")
-    assert new_certificate
-    assert new_certificate != old_certificate
+    renewed_certificate = action_output.get("certificate", "")
+    assert renewed_certificate
+    assert renewed_certificate != new_common_name_certificate
+    assert action_output.get("ca-certificate", "") == new_common_name_ca
+
+    # Wait for the CA certificate to expire
+    time.sleep(60)
+    action_output = await wait_for_requirer_certificates(
+        ops_test=ops_test, ca_common_name=new_common_name
+    )
+    new_certificate_with_new_ca = action_output.get("certificate", "")
+    new_ca = action_output.get("ca-certificate", "")
+    assert new_certificate_with_new_ca
+    assert new_certificate_with_new_ca != renewed_certificate
+    assert new_ca != new_common_name_ca
 
 
 async def test_given_charm_scaled_then_charm_does_not_crash(