From ee42a5b3fd2e309d1ced6daeff80682f807fbfdb Mon Sep 17 00:00:00 2001
From: Hemanth Nakkina
Date: Tue, 7 Mar 2023 15:24:52 +0530
Subject: [PATCH] Use juju secrets for TLS private key

TLS private key for each unit is saved in the peer data as plain text.
Instead the private key can be saved as juju secret.

Change-Id: I29667115e67ceb552a8afdaef6361b0eb9b65ed1
---
 ops-sunbeam/ops_sunbeam/relation_handlers.py | 30 +++++++++++++++++---
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/ops-sunbeam/ops_sunbeam/relation_handlers.py b/ops-sunbeam/ops_sunbeam/relation_handlers.py
index 994fc04f..6a8d89bf 100644
--- a/ops-sunbeam/ops_sunbeam/relation_handlers.py
+++ b/ops-sunbeam/ops_sunbeam/relation_handlers.py
@@ -807,10 +807,19 @@ class TlsCertificatesHandler(RelationHandler):
             event.defer()
             return
 
+        if "private_key" in peer_relation.data[self.charm.model.unit]:
+            # Secret already saved in peer_relation
+            return
+
         private_key = generate_private_key()
+        private_key_secret = self.model.app.add_secret(
+            {"private-key": private_key.decode()},
+            label=f"{self.charm.model.unit}-private-key",
+        )
+
         peer_relation.data[self.charm.model.unit].update(
             {
-                "private_key": private_key.decode(),
+                "private_key": private_key_secret.id,
             }
         )
 
@@ -828,9 +837,16 @@ class TlsCertificatesHandler(RelationHandler):
             event.defer()
             return
 
-        private_key = peer_relation.data[self.charm.model.unit].get(
+        private_key = None
+        private_key_secret_id = peer_relation.data[self.charm.model.unit].get(
             "private_key"
         )
+        if private_key_secret_id:
+            private_key_secret = self.model.get_secret(
+                id=private_key_secret_id
+            )
+            private_key = private_key_secret.get_content().get("private-key")
+
         csr = generate_csr(
             private_key=private_key.encode(),
             subject=self.charm.model.unit.name.replace("/", "-"),
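Review bot: The new `if "private_key" in peer_relation.data[self.charm.model.unit]` guard returns early for any existing value, but units upgraded from the previous revision still hold the plaintext PEM key under that field, so they never get a secret and the `get_secret(id=private_key_secret_id)` lookups in the second and third hunks are handed the key text as if it were a secret id. A migration branch belongs here: when the stored value is the old format (it begins with `-----BEGIN`, whereas a Juju secret id as returned by `Secret.id` should carry a `secret:` prefix), wrap it with the same `add_secret` call and overwrite the peer field, so the plaintext copy actually leaves the peer data, which is the stated goal of the commit. Separately, `self.model.app.add_secret(...)` creates an application-owned secret, which under Juju only the leader unit can create, yet the key and the `f"{self.charm.model.unit}-private-key"` label are per unit; if the enclosing method (it starts outside the hunk) runs on every unit, `self.model.unit.add_secret(...)` looks like the intended owner and is worth confirming against the leader handling above this hunk.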
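Review bot: `private_key` now starts as `None`, but `private_key.encode()` a few lines below is still called unconditionally, so a unit whose peer data has no `private_key` entry yet (or whose secret content lacks the `private-key` field) fails with `AttributeError` instead of waiting for the key to appear. The peer-data write in the previous hunk appears to happen in a different handler, so that window is reachable; add `if private_key is None:` / `event.defer()` / `return` after the `if private_key_secret_id:` block. `self.model.get_secret(id=...)` also raises `SecretNotFoundError` when the id no longer resolves, for example after the secret is removed; if that is possible here, catching it and deferring keeps the same shape. The enclosing method begins and ends outside the hunk.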
@@ -916,9 +932,15 @@ class TlsCertificatesHandler(RelationHandler):
         ca_cert = certs["ca"] + "\n" + "\n".join(certs["chain"])
         peer_relation = self.model.get_relation("peers")
-        key = peer_relation.data[self.charm.model.unit].get(
-            "private_key", None
+        key = None
+        private_key_secret_id = peer_relation.data[self.charm.model.unit].get(
+            "private_key"
         )
+        if private_key_secret_id:
+            private_key_secret = self.model.get_secret(
+                id=private_key_secret_id
+            )
+            key = private_key_secret.get_content().get("private-key")
         ctxt = {
             "key": key,