feat(tls): migrate TLS to the single-kernel library (VM) #1816
Draft
marceloneppel wants to merge 3 commits into

602298f to d5e5948
Consume the single-kernel library's operator-certificate TLS handler (events.tls.TLS) and TLSManager instead of the charm-side src/relations/tls.py, stacked on the DPE-10062 Patroni/cluster port (#1788). The TLS events handler owns the two certificate requirers and is constructor-injected into TLSManager, whose live-fetch getters read cert/key from them. A charm-side reload bridge (_reload_tls_after_push) reloads PostgreSQL after the lib handler stores+pushes certs; it also fires on relation_broken so detaching the TLS operator re-renders Patroni with TLS disabled. Removes src/relations/tls.py and push_tls_files_to_workload (now owned by the lib), routes internal-cert regeneration through _regenerate_internal_cert, redirects the operator-cert getters to tls_manager, and pins the library to the TLS stack tip via archive URL (16.3.2 is not yet released). Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
d5e5948 to a036312
The TLS lib stack was rebased onto current 16/edge and re-bumped to 16.3.3 because 16/edge had meanwhile shipped its own 16.3.2, and the rebase dropped the dead workload parameter from the TLS events handler constructor, so the pin and the construction call move together. Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
The relation_broken bridge registrations reference only self.on[...], so an __init__ reorder above the lib handler's construction would silently run the reload before the lib clears state and pushes files; the prior test asserted membership without order. The bridge's except-and-defer branch also had no coverage, so a refactor could drop the broad guard without failing CI. Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
feat(tls): migrate TLS to the single-kernel library (VM)

Migrates the VM charm's TLS onto the single-kernel library's operator-cert handler (`events.tls.TLS`) + `TLSManager`. Originally stacked on the DPE-10062 Patroni/cluster port (#1788); #1788 has since merged into `16/edge`, so this PR now diffs directly against `16/edge` and contains only the TLS delta.

What's here (TLS delta)

- `TLSManager`; live-fetch getters (no operator-cert peer secrets, rollback-clean).
- `_reload_tls_after_push`: reloads after the lib pushes certs; fires on `relation_broken` so detaching the TLS operator re-renders Patroni TLS-off.
- Internal-cert regeneration routed through `_regenerate_internal_cert` (generate → push → reload).
- `src/relations/tls.py` and `push_tls_files_to_workload` (now lib-owned); redirect operator-cert getters to `tls_manager` (incl. `watcher.py` `patroni-cas` and `postgresql_provider.py`).

Round-5 follow-ups (2026-07-03)

- `relation_broken` bridge-ordering assertions: those registrations reference only `self.on[...]`, so an `__init__` reorder above the lib handler would silently run the reload before the lib clears state and pushes files — the prior test asserted membership without order.
- `update_config` failure defers instead of failing the hook.

Pin

Archive URL at the TLS lib stack tip (`5a9fa05`, lib #175), extras `["postgresql","vm"]`. 16.3.3 unreleased (re-bumped after `16/edge` shipped its own 16.3.2) → archive-URL interim; version-pin swap is the release-time step.

Validation

`tox -e lint` + `tox -e unit` green (VM, 223 passed). Integration on the CURRENT head (boomer-eely, 2026-07-03): `test_deploy_active` PASS; `test_tls_enabled` fails only at the known pre-existing `get_secret_by_label` harness bug (byte-identical to the 16/edge-era baseline on the same box — reads the app-password secret, not a TLS artifact; all TLS relation hooks executed and settled before it).

Draft — not ready for review. Base: `16/edge` (#1788 merged).
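The ordering hazard named in the third commit message and in the round-5 follow-ups (the `relation_broken` reload bridge must run after the library handler has cleared state and pushed files, and a membership-only test does not catch an `__init__` reorder) can be shown with a small simulation. The code below is an added illustration, not the charm's or the single-kernel library's code: it assumes a stand-in dispatcher that fires observers in registration order, which is how ops-style `observe()` behaves, and every name in it (`EventBus`, `LibTLSHandler`, `Charm`, `run`, `membership_only_check`, `ordered_check`) is hypothetical.

```python
"""Constructed example: why a relation_broken reload bridge must be
registered after the library's TLS handler, and why the unit test has to
assert handler *order*, not just membership.  Stand-in names only; this is
not the charm's or the library's code."""

from collections import defaultdict


class EventBus:
    """Stand-in for ops-style observe(): handlers fire in registration order."""

    def __init__(self):
        self._observers = defaultdict(list)

    def observe(self, event_name, handler):
        self._observers[event_name].append(handler)

    def emit(self, event_name):
        for handler in list(self._observers[event_name]):
            handler()

    def handler_names(self, event_name):
        # What a unit test would inspect: the registered observers, in order.
        return [h.__name__ for h in self._observers[event_name]]


class LibTLSHandler:
    """Stand-in for the library's TLS events handler: on relation_broken it
    clears its stored operator cert and pushes the (now empty) files."""

    def __init__(self, bus, log):
        self.log = log
        self.cert = "OPERATOR-CERT"  # constructed placeholder, not a real cert
        bus.observe("tls-relation-broken", self.on_relation_broken)

    def on_relation_broken(self):
        self.cert = None
        self.log.append("lib:clear+push")


class Charm:
    """Stand-in charm.  bridge_first=True models the __init__ reorder that
    registers the reload bridge above the library handler."""

    def __init__(self, bus, log, bridge_first=False):
        self.log = log
        self.rendered_tls = None
        if bridge_first:
            bus.observe("tls-relation-broken", self._reload_tls_after_push)
        self.tls = LibTLSHandler(bus, log)
        if not bridge_first:
            bus.observe("tls-relation-broken", self._reload_tls_after_push)

    def _reload_tls_after_push(self):
        # Re-render from the handler's live state: TLS on iff a cert exists.
        self.rendered_tls = self.tls.cert is not None
        self.log.append("charm:reload(tls=%s)" % self.rendered_tls)


def run(bridge_first):
    """Emit relation_broken once; return (call log, rendered TLS flag,
    registered handler names in order)."""
    bus, log = EventBus(), []
    charm = Charm(bus, log, bridge_first)
    bus.emit("tls-relation-broken")
    return log, charm.rendered_tls, bus.handler_names("tls-relation-broken")


def membership_only_check(names):
    """The weak assertion: both handlers are registered (order ignored)."""
    return {"on_relation_broken", "_reload_tls_after_push"} <= set(names)


def ordered_check(names):
    """The strong assertion: the library handler precedes the reload bridge."""
    return names.index("on_relation_broken") < names.index("_reload_tls_after_push")


if __name__ == "__main__":
    for reordered in (False, True):
        log, tls_flag, names = run(reordered)
        print("reordered=%s log=%s rendered_tls=%s membership=%s ordered=%s"
              % (reordered, log, tls_flag,
                 membership_only_check(names), ordered_check(names)))
```

With the correct registration order the reload sees the cleared cert and re-renders with TLS off; with the reorder it reloads first and leaves the workload rendered TLS-on against a relation that no longer exists. `membership_only_check` passes in both cases, which is exactly why the follow-up replaces it with an ordering assertion.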