feat(tls): TLS state + workload file primitives (1/4)#165
Draft
marceloneppel wants to merge 2 commits into
Introduce the low-level building blocks that the operator-certificate TLS flow composes on top of, so they can be reviewed on their own, ahead of the manager, events handler and charm wiring that consume them.

This covers the peer-relation databag accessors for CA rotation (current-ca/old-ca), the client-facing database-address, and the K8s-shaped peer address set that omits the ip key for parity with the pre-migration K8s charm; the workload file-ownership/mode primitives (user/group and the substrate-specific tls_file_mode, 0o600 on VM and 0o400 on K8s) plus user/group forwarding through write_text so TLS material is chowned correctly on both substrates; a per-substrate tls path; the TLS relation-name constants; and the unit-test harness fixture the later branches' TLS tests depend on.

The change is purely additive: the existing charm still constructs unchanged and the current unit suite is unaffected, which keeps this branch a safe, self-contained foundation for the stack.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
The TLS stack had overridden the K8s patroni_conf path to /etc/patroni, a vestige of an earlier TLS-hardening lineage. #172's Patroni port renders patroni.yaml at patroni_conf, so it must stay the data storage root (/var/lib/pg/data); the override made a consuming charm run 'patroni /etc/patroni/patroni.yaml' against a config rendered elsewhere. TLS writes its .pem files to the separate 'tls' path (also the data dir) and does not read patroni_conf, so this revert is TLS-safe.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
Part 1/4 of the single-kernel TLS subsystem, rebased onto 16/edge (post-#168) and split for reviewability. Adds the state and workload file primitives the TLS layer builds on — no operator-certificate storage (the subsystem is live-fetch throughout; see part 3).

What's here (9 files)

- core/peer_relation.py: peer CA-rotation accessors (current_ca/old_ca, unit secrets) + the unit-databag address accessors the cert SANs consume (database_address, database_peers_address, replication_address, replication_offer_address, private_address, peer_addresses_no_ip).
- workload/paths/{base,k8s,vm}.py: the abstract tls path property + substrate impls. K8s writes to the unversioned data dir (/var/lib/pg/data), matching where the charm-rendered patroni.yml reads .pem files.
- workload/base.py + workload/{k8s,vm}.py: TLS-file mode/user/group + cross-substrate write path.
- config/literals.py: TLS file-name constants.
- tests/unit/conftest.py: patch get_postgresql_version (K8s versioned paths read refresh_versions.toml), mirroring [DPE-10062] Single kernel changes #168's test setup.

No operator-cert peer secrets are introduced here or anywhere in the stack — operator cert/key are fetched live from the tls_certificates V4 requirer (part 3).

Draft — not ready for review.
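The first commit message and the file list above both describe the same primitive: a substrate-specific tls_file_mode (0o600 on VM, 0o400 on K8s) and a write_text that forwards user/group so TLS material lands on disk owned by the workload user. The block below is an added illustration written for this page, not code from this PR or from the charm; the class and function names (WorkloadFiles, VMWorkloadFiles, K8sWorkloadFiles, audit_tls_file, demo) are hypothetical stand-ins. It shows the two properties a reviewer would want from such a writer: the restrictive mode is applied to the file before any secret bytes are written, and the file is replaced via rename so a 0o400 key can still be rotated by a non-root owner.

```python
"""Added example: substrate-specific TLS file writing with mode and ownership.

Hypothetical names throughout; not the PR's own workload classes.
"""
import grp
import os
import pwd
import stat
import tempfile
from abc import ABC, abstractmethod
from pathlib import Path
from typing import List, Optional


class WorkloadFiles(ABC):
    """Stand-in for a per-substrate workload: the TLS mode differs per substrate."""

    @property
    @abstractmethod
    def tls_file_mode(self) -> int:
        ...

    def write_text(self, path: Path, content: str,
                   user: Optional[str] = None, group: Optional[str] = None) -> Path:
        """Write `content` to `path` with tls_file_mode applied before the data is written.

        A sibling temp file is created (mkstemp already uses 0o600), chmod/chown'd,
        written, fsync'd, then renamed over the target. The rename only needs write
        access to the directory, so rewriting an existing 0o400 key works without root.
        """
        path = Path(path)
        path.parent.mkdir(parents=True, exist_ok=True)
        uid = pwd.getpwnam(user).pw_uid if user is not None else -1
        gid = grp.getgrnam(group).gr_gid if group is not None else -1
        fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=f".{path.name}.")
        try:
            os.fchmod(fd, self.tls_file_mode)   # mode set while the file is still empty
            if uid != -1 or gid != -1:
                os.fchown(fd, uid, gid)          # -1 leaves that id unchanged
            fh = os.fdopen(fd, "w")              # fd is still writable even at 0o400
        except BaseException:
            os.close(fd)
            os.unlink(tmp)
            raise
        try:
            with fh:
                fh.write(content)
                fh.flush()
                os.fsync(fh.fileno())
            os.replace(tmp, path)                # atomic swap; no partially written key
        except BaseException:
            Path(tmp).unlink(missing_ok=True)
            raise
        return path


class VMWorkloadFiles(WorkloadFiles):
    tls_file_mode = 0o600   # owner may rewrite in place on the VM substrate


class K8sWorkloadFiles(WorkloadFiles):
    tls_file_mode = 0o400   # read-only even for the owner inside the container


def audit_tls_file(path: Path, expected_mode: int,
                   user: Optional[str] = None, group: Optional[str] = None) -> List[str]:
    """Return findings (empty list = clean) for a TLS file that should match mode/owner."""
    st = os.lstat(path)
    findings: List[str] = []
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    actual = stat.S_IMODE(st.st_mode)
    extra = actual & ~expected_mode
    if extra:
        findings.append(f"mode {actual:04o} grants bits {extra:04o} beyond {expected_mode:04o}")
    if user is not None and st.st_uid != pwd.getpwnam(user).pw_uid:
        findings.append(f"owner uid {st.st_uid} is not {user}")
    if group is not None and st.st_gid != grp.getgrnam(group).gr_gid:
        findings.append(f"group gid {st.st_gid} is not {group}")
    return findings


def _own_names():
    """Current user/group names, or None where the id has no passwd/group entry."""
    try:
        user = pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        user = None
    try:
        group = grp.getgrgid(os.getgid()).gr_name
    except KeyError:
        group = None
    return user, group


def demo() -> dict:
    """Constructed end-to-end run in a temp dir; returns facts a caller can assert on."""
    key_pem = "-----BEGIN PRIVATE KEY-----\nconstructed, not a real key\n-----END PRIVATE KEY-----\n"
    user, group = _own_names()   # chown to ourselves works unprivileged
    out = {}
    with tempfile.TemporaryDirectory() as d:
        tls = Path(d) / "data"   # stands in for the per-substrate tls path
        vm_key = VMWorkloadFiles().write_text(tls / "vm-key.pem", key_pem, user, group)
        k8s_key = K8sWorkloadFiles().write_text(tls / "k8s-key.pem", key_pem, user, group)
        out["vm_mode"] = stat.S_IMODE(os.stat(vm_key).st_mode)
        out["k8s_mode"] = stat.S_IMODE(os.stat(k8s_key).st_mode)
        out["owned_by_self"] = os.stat(k8s_key).st_uid == os.getuid()
        # Rotation: rewrite the 0o400 file; succeeds because we rename, not open-for-write.
        K8sWorkloadFiles().write_text(k8s_key, key_pem.replace("constructed", "rotated"), user, group)
        out["rotated"] = "rotated" in k8s_key.read_text()
        out["k8s_mode_after_rotate"] = stat.S_IMODE(os.stat(k8s_key).st_mode)
        out["clean_findings"] = audit_tls_file(k8s_key, 0o400, user, group)
        os.chmod(k8s_key, 0o644)   # simulate permission drift, then re-audit
        out["drift_findings"] = audit_tls_file(k8s_key, 0o400, user, group)
        out["leftover_tmp"] = sorted(p.name for p in tls.iterdir() if p.name.startswith("."))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v if not isinstance(v, int) else oct(v)}")
```

The order inside write_text is the point: fchmod and fchown happen on an empty temp file, so a reader racing the write never sees key bytes under a permissive mode, and the rename means the 0o400 K8s mode does not block the next rotation. audit_tls_file is the companion check for the opposite direction, catching a key whose mode or owner has drifted from what the substrate demands.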