From eeb6076078f252fd7cbe34aaec23cefe000f2b8a Mon Sep 17 00:00:00 2001
From: marcoppenheimer <51744472+marcoppenheimer@users.noreply.github.com>
Date: Wed, 27 Nov 2024 11:23:54 +0000
Subject: [PATCH] fix: ensure certs are refreshed on SANs DNS changes (#276)

---
 src/events/broker.py | 14 +++++++++++---
 src/managers/tls.py | 4 ++--
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/events/broker.py b/src/events/broker.py
index ebd5de77..fe32df84 100644
--- a/src/events/broker.py
+++ b/src/events/broker.py
@@ -251,16 +251,24 @@ def _on_config_changed(self, event: EventBase) -> None:
 expected_sans_ip = set(self.tls_manager.build_sans()["sans_ip"]) if current_sans else set()
 sans_ip_changed = current_sans_ip ^ expected_sans_ip
 
+ current_sans_dns = set(current_sans["sans_dns"]) if current_sans else set()
+ expected_sans_dns = (
+ set(self.tls_manager.build_sans()["sans_dns"]) if current_sans else set()
+ )
+ sans_dns_changed = current_sans_dns ^ expected_sans_dns
+
 # update environment
 self.config_manager.set_environment()
 self.charm.unit.set_workload_version(self.workload.get_version())
 
- if sans_ip_changed:
+ if sans_ip_changed or sans_dns_changed:
 logger.info(
 (
 f'Broker {self.charm.unit.name.split("/")[1]} updating certificate SANs - '
- f"OLD SANs = {current_sans_ip - expected_sans_ip}, "
- f"NEW SANs = {expected_sans_ip - current_sans_ip}"
+ f"OLD SANs IP = {current_sans_ip - expected_sans_ip}, "
+ f"NEW SANs IP = {expected_sans_ip - current_sans_ip}, "
+ f"OLD SANs DNS = {current_sans_dns - expected_sans_dns}, "
+ f"NEW SANs DNS = {expected_sans_dns - current_sans_dns}"
 )
 )
 self.charm.tls.certificates.on.certificate_expiring.emit(
diff --git a/src/managers/tls.py b/src/managers/tls.py
index 3ff90055..307e0782 100644
--- a/src/managers/tls.py
+++ b/src/managers/tls.py
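Review bot: `self.tls_manager.build_sans()` is now evaluated twice in `_on_config_changed` — once on the context line that builds `expected_sans_ip` and again inside the added `expected_sans_dns` expression — so the IP and DNS comparisons are taken from two separate snapshots and can disagree if `build_sans()` reads anything mutable between the calls, besides doing the work twice on every config-changed event. Build it once and derive both sets from it: `expected_sans = self.tls_manager.build_sans() if current_sans else {"sans_ip": [], "sans_dns": []}`, `expected_sans_ip = set(expected_sans["sans_ip"])`, `expected_sans_dns = set(expected_sans["sans_dns"])`. Because a non-empty symmetric difference now drives `certificate_expiring.emit(...)`, the security intent of the widened condition deserves a comment on the `if sans_ip_changed or sans_dns_changed:` line, e.g. `# any SAN drift (IP or DNS) forces re-issuance so the broker never keeps serving a cert that no longer covers its addresses`. `_on_config_changed` begins and ends outside this hunk.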
@@ -189,9 +189,9 @@ def get_current_sans(self) -> Sans | None:
 for item in line.split(", "):
 san_type, san_value = item.split(":")
 
- if san_type == "DNS":
+ if san_type.strip() == "DNS":
 sans_dns.append(san_value)
- if san_type == "IP Address":
+ if san_type.strip() == "IP Address":
 sans_ip.append(san_value)
 
 return {"sans_ip": sorted(sans_ip), "sans_dns": sorted(sans_dns)}
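Review bot: The added `.strip()` normalises only `san_type`; `san_value` is still appended raw on the `sans_dns.append`/`sans_ip.append` lines, so any whitespace left on the last item of `line` (a trailing newline, for instance) would land in the returned lists and make `get_current_sans()` disagree with `build_sans()` on every comparison — which, with the broker.py change in this commit, means a certificate re-issuance request on every config-changed event. Stripping both halves at the split point also makes the unpack robust to values that themselves contain `:` (an IPv6 `IP Address` SAN), which the current `item.split(":")` turns into a `ValueError`: `san_type, san_value = (part.strip() for part in item.split(":", 1))`. How `line` is produced is not visible from here, so whether trailing whitespace actually reaches this loop is inferred; `get_current_sans` begins outside the hunk.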