[DPE-8614] Enable Rest TLS

src/managers/config.py

@@ -40,15 +40,23 @@ def config(self) -> dict:
             "karapace_registry": True,
             # Replication properties
             "advertised_hostname": self.context.server.host,
-            "advertised_protocol": "http",
-            "advertised_port": None,
+            "advertised_protocol": "https" if self.context.cluster.tls_enabled else "http",
+            "advertised_port": None,  # defaults to "port"
             "client_id": f"sr-{self.context.server.unit_id}",
             "master_eligibility": True,
             # REST server options
             "host": self.context.server.host,
             "port": PORT,
-            "server_tls_certfile": None,  # running the server in HTTPS mode.
-            "server_tls_keyfile": None,
+            "registry_scheme": "https" if self.context.cluster.tls_enabled else "http",
+            "server_tls_cafile": self.workload.paths.ssl_cafile
+            if self.context.cluster.tls_enabled
+            else None,
+            "server_tls_certfile": self.workload.paths.ssl_certfile
+            if self.context.cluster.tls_enabled
+            else None,
+            "server_tls_keyfile": self.workload.paths.ssl_keyfile
+            if self.context.cluster.tls_enabled
+            else None,
             "access_logs_debug": False,
             "rest_authorization": False,
             "compatibility": "FULL",

tests/integration/helpers.py

@@ -24,6 +24,8 @@
 TLS_CERTIFICATES_OPERATOR = "tls-certificates-operator"
 DUMMY_NAME = "app"
 
+CA_FILE = "/tmp/ca-cert.pem"
+
 
 async def get_admin_credentials(ops_test: OpsTest, num_unit=0) -> str:
     """Use the charm action to retrieve the password for admin user.

tests/integration/test_tls.py

@@ -6,9 +6,21 @@
 import logging
 
 import pytest
-from helpers import APP_NAME, KAFKA, KARAPACE_CONTAINER, ZOOKEEPER, set_tls_private_key
+import requests
+from helpers import (
+    APP_NAME,
+    CA_FILE,
+    KAFKA,
+    KARAPACE_CONTAINER,
+    ZOOKEEPER,
+    get_address,
+    get_admin_credentials,
+    set_tls_private_key,
+)
 from pytest_operator.plugin import OpsTest
 
+from literals import PORT
+
 logger = logging.getLogger(__name__)
 
 TLS_NAME = "self-signed-certificates"
@@ -82,3 +94,35 @@ async def test_karapace_tls(ops_test: OpsTest):
 
     assert ops_test.model.applications[APP_NAME].status == "active"
     assert ops_test.model.applications[KAFKA].status == "active"
+
+
+@pytest.mark.abort_on_fail
+async def test_schema_creation(ops_test: OpsTest):
+    """Check that a schema can be registered using internal credentials."""
+    # Store the CA cert for requests
+    action = await ops_test.model.units.get(f"{TLS_NAME}/0").run_action("get-ca-certificate")
+    ca = await action.wait()
+    ca = ca.results.get("ca-certificate")
+    open(CA_FILE, "w").write(ca)
+
+    schema_name = "test-key"
+    operator_password = await get_admin_credentials(ops_test)
+    address = await get_address(ops_test=ops_test)
+    base_url = f"https://{address}:{PORT}"
+    auth = ("operator", operator_password)
+
+    # Create the schema
+    schema_data = {
+        "schema": '{"type": "record", "name": "Obj", "fields":[{"name": "age", "type": "int"}]}'
+    }
+
+    response = requests.post(
+        f"{base_url}/subjects/{schema_name}/versions",
+        json=schema_data,
+        headers={"Content-Type": "application/vnd.schemaregistry.v1+json"},
+        auth=auth,
+        verify=CA_FILE,
+    )
+    response.raise_for_status()
+    result = response.text
+    assert '{"id":1}' in result