Skip to content

[DPE-10608] Operator-cert manager, events handler + release (3/4)#178

Merged
marceloneppel merged 6 commits into
16/edgefrom
tls-3-manager-events
Jul 10, 2026
Merged

[DPE-10608] Operator-cert manager, events handler + release (3/4)#178
marceloneppel merged 6 commits into
16/edgefrom
tls-3-manager-events

Conversation

@marceloneppel

@marceloneppel marceloneppel commented Jul 9, 2026

Copy link
Copy Markdown
Member

Part 3/4, stacked on tls-2-state-accessors. Wires the operator-certificate manager + events handler into the lib charm — the core of the live-fetch TLS subsystem — and bumps the library version.

What's here

  • managers/tls.py (TLSManager): live-fetch getters (get_client_tls_files / get_peer_tls_files / get_peer_ca_bundle call get_assigned_certificates() on demand — operator cert/key are never persisted), push_tls_files, rotate_peer_ca / clear_peer_ca (only the peer CA is tracked in state, for the rotation bundle), internal-peer CA/cert generation, and client_tls_files_on_disk.
  • events/tls.py (TLS): owns the two TLSCertificatesRequiresV4 requirers, observes certificate_available + relation_broken, defers the file-push until the workload is ready, re-requests certs on SAN changes. Reaches the manager via self.charm.tls_manager.
  • charms/abstract_charm.py: builds TLS first, then TLSManager with the handler's requirers injected.
  • pyproject.toml + uv.lock: bump to 16.3.3.

Introduce the low-level building blocks that the operator-certificate TLS flow composes on top of, so they can be reviewed on their own, ahead of the manager, events handler and charm wiring that consume them.

This covers the peer-relation databag accessors for CA rotation (current-ca/old-ca), the client-facing database-address, and the K8s-shaped peer address set that omits the ip key for parity with the pre-migration K8s charm; the workload file-ownership/mode primitives (user/group and the substrate-specific tls_file_mode, 0o600 on VM and 0o400 on K8s) plus user/group forwarding through write_text so TLS material is chowned correctly on both substrates; a per-substrate tls path; the TLS relation-name constants; and the unit-test harness fixture the later branches' TLS tests depend on.

The change is purely additive: the existing charm still constructs unchanged and the current unit suite is unaffected, which keeps this branch a safe, self-contained foundation for the stack.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
The TLS stack had overridden the K8s patroni_conf path to /etc/patroni, a
vestige of an earlier TLS-hardening lineage. #172's Patroni port renders
patroni.yaml at patroni_conf, so it must stay the data storage root
(/var/lib/pg/data); the override made a consuming charm run
'patroni /etc/patroni/patroni.yaml' against a config rendered elsewhere. TLS
writes its .pem files to the separate 'tls' path (also the data dir) and does
not read patroni_conf, so this revert is TLS-safe.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
Layer the certificate-SAN and common-name policy onto CharmState, on top of the raw peer-databag accessors from the previous branch, so the substrate-specific certificate identity is reviewable as a unit with its own tests before any manager or handler consumes it.

K8s must regain the parity the migration had dropped: common_hosts has to advertise the primary/replicas Service FQDNs and the resolved pod FQDN, and the operator-cert common name has to be the endpoints FQDN (wildcarded past the 64-char CN limit) rather than the VM-style host/address; the peer SAN set must exclude the ip key the original K8s charm never emitted. VM behaviour is left host/address-derived as before. The CharmState charm parameter is also widened to ops.CharmBase so the state object no longer depends on the concrete charm type.

These accessors are additive and only read state, so the existing charm keeps constructing unchanged.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
…cstring

The 'migration had switched this to VM-style ...; restore the endpoints-FQDN
CN for K8s parity' sentence narrates a completed regression fix and is
redundant with the preceding 'Matches the original K8s charm' line. The
format, wildcard rule, and parity rationale already carry the load-bearing
context; the migration history belongs in the original commit message, not
the docstring.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
Wire the operator-certificate TLSManager and TLS events handler into the lib
charm and bump the library version. The manager fetches operator cert/key live
from the tls_certificates V4 requirers (constructor-injected by the handler);
only the peer CA is tracked in state for rotation. Unit tests for this layer
land in the stacked tests PR.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
Bring tls-3-manager-events up to date with 16/edge (now carries squashed
1/4 #165 + 2/4 #177). Reconciles cleanly: 16/edge's content is already
present in this branch via the unsquashed 1/4/2/4 commits.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel
marceloneppel marked this pull request as ready for review July 9, 2026 17:38
@marceloneppel
marceloneppel requested a review from a team as a code owner July 9, 2026 17:38
@marceloneppel
marceloneppel requested review from carlcsaposs-canonical, dragomirp, juju-charm-bot and taurus-forever and removed request for a team July 9, 2026 17:38
@marceloneppel
marceloneppel merged commit 834c90e into 16/edge Jul 10, 2026
8 of 11 checks passed
@marceloneppel
marceloneppel deleted the tls-3-manager-events branch July 10, 2026 12:28
marceloneppel added a commit that referenced this pull request Jul 10, 2026
Bring tls-4-tests up to date with 16/edge (now carries squashed 1/4 #165,
2/4 #177, 3/4 #178). Content-neutral: 16/edge's 1/4-3/4 content is already
present via the unsquashed commits, so the merge only adds ancestry.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants