
feat(tls): TLS state + workload file primitives (1/4) #165

Draft
marceloneppel wants to merge 2 commits into 16/edge from tls-1-state

Conversation

marceloneppel (Member) commented Jun 26, 2026

Part 1/4 of the single-kernel TLS subsystem, rebased onto 16/edge (post-#168) and split for reviewability. Adds the state and workload file primitives the TLS layer builds on — no operator-certificate storage (the subsystem is live-fetch throughout; see part 3).

What's here (9 files)

  • core/peer_relation.py: peer CA-rotation accessors (current_ca / old_ca, unit secrets) + the unit-databag address accessors the cert SANs consume (database_address, database_peers_address, replication_address, replication_offer_address, private_address, peer_addresses_no_ip).
  • workload/paths/{base,k8s,vm}.py: the abstract tls path property + substrate impls. K8s writes to the unversioned data dir (/var/lib/pg/data), matching where the charm-rendered patroni.yml reads .pem files.
  • workload/base.py + workload/{k8s,vm}.py: TLS-file mode/user/group + cross-substrate write path.
  • config/literals.py: TLS file-name constants.
  • tests/unit/conftest.py: patch get_postgresql_version (K8s versioned paths read refresh_versions.toml), mirroring [DPE-10062] Single kernel changes #168's test setup.

No operator-cert peer secrets are introduced here or anywhere in the stack — operator cert/key are fetched live from the tls_certificates V4 requirer (part 3). Draft — not ready for review.

@marceloneppel marceloneppel changed the title feat(tls): peer-state cert storage + TLSManager primitives (1/4) feat(tls): TLS state + workload file primitives (1/4) Jul 1, 2026

Introduce the low-level building blocks that the operator-certificate TLS flow composes on top of, so they can be reviewed on their own, ahead of the manager, events handler and charm wiring that consume them.

This covers the peer-relation databag accessors for CA rotation (current-ca/old-ca), the client-facing database-address, and the K8s-shaped peer address set that omits the ip key for parity with the pre-migration K8s charm; the workload file-ownership/mode primitives (user/group and the substrate-specific tls_file_mode, 0o600 on VM and 0o400 on K8s) plus user/group forwarding through write_text so TLS material is chowned correctly on both substrates; a per-substrate tls path; the TLS relation-name constants; and the unit-test harness fixture the later branches' TLS tests depend on.

The change is purely additive: the existing charm still constructs unchanged and the current unit suite is unaffected, which keeps this branch a safe, self-contained foundation for the stack.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

The TLS stack had overridden the K8s patroni_conf path to /etc/patroni, a
vestige of an earlier TLS-hardening lineage. #172's Patroni port renders
patroni.yaml at patroni_conf, so it must stay the data storage root
(/var/lib/pg/data); the override made a consuming charm run
'patroni /etc/patroni/patroni.yaml' against a config rendered elsewhere. TLS
writes its .pem files to the separate 'tls' path (also the data dir) and does
not read patroni_conf, so this revert is TLS-safe.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
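As an added example (not code from this PR or the charm), one way to implement the write primitive the commit message describes: the file is created with the substrate mode already restricted (0o600 on VM, 0o400 on K8s), user/group are forwarded to chown, and the result is swapped in atomically so a key is never readable by other users even briefly. `write_tls_file`, `TLS_FILE_MODE` and `demo` are hypothetical names, not the charm's `write_text` or `tls_file_mode`.

```python
import grp
import os
import pwd
import stat
import tempfile

# Substrate -> mode per the PR (VM 0o600, K8s 0o400); constructed, not the charm's tls_file_mode.
TLS_FILE_MODE = {"vm": 0o600, "k8s": 0o400}


def write_tls_file(path, content, substrate, user=None, group=None):
    """Write TLS material so it is never readable with loose permissions: the temp
    file is created 0o600 under umask 0o077, chowned/chmoded, then atomically swapped in."""
    mode = TLS_FILE_MODE[substrate]
    uid = pwd.getpwnam(user).pw_uid if user else -1
    gid = grp.getgrnam(group).gr_gid if group else -1
    tmp = os.path.join(os.path.dirname(os.path.abspath(path)),
                       f".{os.path.basename(path)}.tmp")
    if os.path.lexists(tmp):
        os.unlink(tmp)  # stale temp file from an interrupted earlier write
    old_umask = os.umask(0o077)
    try:
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    finally:
        os.umask(old_umask)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        if uid != -1 or gid != -1:
            os.chown(tmp, uid, gid)  # changing to another user needs privilege
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # atomic: readers see old or new file, never partial
    except BaseException:
        if os.path.lexists(tmp):
            os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)  # resulting permission bits


def demo():
    """Write a constructed cert on both substrates; return the observed modes."""
    target = os.path.join(tempfile.mkdtemp(), "ca.pem")
    k8s_mode = write_tls_file(target, "-----BEGIN CERTIFICATE-----\nk8s\n", "k8s")
    vm_mode = write_tls_file(target, "-----BEGIN CERTIFICATE-----\nvm\n", "vm")
    tmp_left = os.path.lexists(os.path.join(os.path.dirname(target), ".ca.pem.tmp"))
    return {"k8s": k8s_mode, "vm": vm_mode, "tmp_left": tmp_left}
```

The second call in `demo` replaces an existing 0o400 file, which works because `os.replace` only needs write permission on the directory, not on the old file.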