
feat(tls): migrate TLS to the single-kernel library (VM)#1816

Draft
marceloneppel wants to merge 3 commits into 16/edge from flip/tls-lib

Conversation

@marceloneppel marceloneppel (Member) commented Jun 26, 2026

feat(tls): migrate TLS to the single-kernel library (VM)

Migrates the VM charm's TLS onto the single-kernel library's operator-cert handler (events.tls.TLS) + TLSManager. Originally stacked on the DPE-10062 Patroni/cluster port (#1788); #1788 has since merged into 16/edge, so this PR now diffs directly against 16/edge and contains only the TLS delta.

What's here (TLS delta)

  • Consume the lib TLS handler + manager: events handler owns the two requirers, constructor-injected into TLSManager; live-fetch getters (no operator-cert peer secrets, rollback-clean).
  • Reload bridge _reload_tls_after_push: reloads after the lib pushes certs; fires on relation_broken so detaching the TLS operator re-renders Patroni TLS-off. Internal-cert regeneration routed through _regenerate_internal_cert (generate → push → reload).
  • Remove src/relations/tls.py and push_tls_files_to_workload (now lib-owned); redirect operator-cert getters to tls_manager (incl. watcher.py patroni-cas and postgresql_provider.py).

Round-5 follow-ups (2026-07-03)

  • relation_broken bridge-ordering assertions: those registrations reference only self.on[...], so an __init__ reorder above the lib handler would silently run the reload before the lib clears state and pushes files — the prior test asserted membership without order.
  • Unit test for the bridge's except-and-defer branch (transient update_config failure defers instead of failing the hook).

Pin

Archive URL at the TLS lib stack tip (5a9fa05, lib #175), extras ["postgresql","vm"]. 16.3.3 unreleased (re-bumped after 16/edge shipped its own 16.3.2) → archive-URL interim; version-pin swap is the release-time step.

Validation

tox -e lint + tox -e unit green (VM, 223 passed). Integration on the CURRENT head (boomer-eely, 2026-07-03): test_deploy_active PASS; test_tls_enabled fails only at the known pre-existing get_secret_by_label harness bug (byte-identical to the 16/edge-era baseline on the same box — reads the app-password secret, not a TLS artifact; all TLS relation hooks executed and settled before it).

Draft — not ready for review. Base: 16/edge (#1788 merged).
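The relation_broken ordering hazard and the bridge's except-and-defer branch described above, as an added illustration that is not the charm's or the library's code: a tiny stand-in for the rule that observers fire in registration order, showing why a test must assert that the lib handler precedes the reload bridge (membership alone passes after a silent __init__ reorder) and how a transient update_config failure is deferred rather than failing the hook. Framework, LibTLSHandler, Charm and run_relation_broken are hypothetical names constructed for this example.

```python
# Added illustration (not the charm's or the library's code); all names hypothetical.
class TransientError(Exception): ...  # transient failure while re-rendering Patroni config

class Framework:
    """Tiny observer registry: handlers for an event run in registration order."""
    def __init__(self):
        self.observers = {}
    def observe(self, event, handler):
        self.observers.setdefault(event, []).append(handler)
    def emit(self, event):
        for handler in self.observers.get(event, []):
            handler()

class LibTLSHandler:
    """Stand-in for the library's operator-cert handler."""
    def __init__(self, framework, workload):
        self.workload = workload
        framework.observe("relation_broken", self.on_relation_broken)
    def on_relation_broken(self):
        self.workload["cert_files"] = None  # clear stored certs, push TLS-off files
        self.workload["log"].append("lib:cleared+pushed")

class Charm:
    def __init__(self, framework, workload, lib_first=True, fail_once=False):
        self.workload, self.deferred, self.fail_once = workload, [], fail_once
        if lib_first:  # correct order: lib handler constructed before the bridge
            self.tls = LibTLSHandler(framework, workload)
        framework.observe("relation_broken", self.reload_tls_after_push)
        if not lib_first:  # the silent __init__ reorder the ordering test guards against
            self.tls = LibTLSHandler(framework, workload)
    def reload_tls_after_push(self):
        try:
            self.update_config()
        except TransientError as exc:
            self.deferred.append(str(exc))  # defer the event instead of failing the hook
    def update_config(self):
        if self.fail_once:
            self.fail_once = False
            raise TransientError("patroni not ready")
        tls_on = self.workload["cert_files"] is not None
        self.workload["log"].append(f"charm:reload tls_enabled={tls_on}")

def run_relation_broken(lib_first=True, fail_once=False):
    """Return (observer order, workload log, deferred events) for one hook run."""
    fw = Framework()
    workload = {"cert_files": {"cert": "PEM", "key": "PEM"}, "log": []}  # constructed
    charm = Charm(fw, workload, lib_first, fail_once)
    order = [h.__qualname__ for h in fw.observers["relation_broken"]]
    fw.emit("relation_broken")
    return order, workload["log"], charm.deferred
```

With the reorder, the reload runs while the old certs are still present and Patroni is re-rendered with TLS on; only an index comparison on the observer list catches that.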

@github-actions github-actions Bot added the Libraries: Out of sync The charm libs used are out-of-sync label Jun 29, 2026
@marceloneppel marceloneppel added the not bug or enhancement PR is not 'bug' or 'enhancement'. For release notes label Jun 29, 2026
@marceloneppel marceloneppel changed the base branch from 16/edge to dpe-10062-cluster2 July 2, 2026 18:47
@marceloneppel marceloneppel changed the title feat(tls): migrate TLS to the single-kernel library feat(tls): migrate TLS to the single-kernel library (VM) Jul 2, 2026
Base automatically changed from dpe-10062-cluster2 to 16/edge July 2, 2026 20:35
Consume the single-kernel library's operator-certificate TLS handler
(events.tls.TLS) and TLSManager instead of the charm-side src/relations/tls.py,
stacked on the DPE-10062 Patroni/cluster port (#1788). The TLS events handler
owns the two certificate requirers and is constructor-injected into TLSManager,
whose live-fetch getters read cert/key from them. A charm-side reload bridge
(_reload_tls_after_push) reloads PostgreSQL after the lib handler stores+pushes
certs; it also fires on relation_broken so detaching the TLS operator re-renders
Patroni with TLS disabled.

Removes src/relations/tls.py and push_tls_files_to_workload (now owned by the
lib), routes internal-cert regeneration through _regenerate_internal_cert,
redirects the operator-cert getters to tls_manager, and pins the library to the
TLS stack tip via archive URL (16.3.2 is not yet released).

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

The TLS lib stack was rebased onto current 16/edge and re-bumped to
16.3.3 because 16/edge had meanwhile shipped its own 16.3.2, and the
rebase dropped the dead workload parameter from the TLS events handler
constructor, so the pin and the construction call move together.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

The relation_broken bridge registrations reference only self.on[...], so
an __init__ reorder above the lib handler's construction would silently
run the reload before the lib clears state and pushes files; the prior
test asserted membership without order. The bridge's except-and-defer
branch also had no coverage, so a refactor could drop the broad guard
without failing CI.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>