feat(tls): operator-cert manager + events handler (3/4)#167
Closed
marceloneppel wants to merge 1 commit into
Wire the operator-certificate TLSManager and TLS events handler into the lib charm and bump the library version. The manager fetches operator cert/key live from the tls_certificates V4 requirers (constructor-injected by the handler); only the peer CA is tracked in state for rotation. Unit tests for this layer land in the stacked tests PR.
Part 3/4, stacked on #166. Wires the operator-certificate manager + events handler into the lib charm — the core of the live-fetch TLS subsystem.

What's here (5 files)

- `managers/tls.py` (`TLSManager`): live-fetch getters (`get_client_tls_files`/`get_peer_tls_files`/`get_peer_ca_bundle` call `get_assigned_certificates()` on demand — operator cert/key are never persisted), `push_tls_files`, `rotate_peer_ca`/`clear_peer_ca` (only the peer CA is tracked in state, for the rotation bundle), internal-peer CA/cert generation, and `client_tls_files_on_disk` (the reload-bridge readiness guard). Constructed the #168 ([DPE-10062] Single kernel changes) way: `TLSManager(state, workload, client_certificate, peer_certificate)` — the requirers are constructor-injected, no post-init mutation.
- `events/tls.py` (`TLS`): owns the two `TLSCertificatesRequiresV4` requirers, observes `certificate_available` + `relation_broken`, defers the file-push until the workload is ready, and re-requests certs on SAN changes. Reaches the manager via `self.charm.tls_manager`.
- `charms/abstract_charm.py`: builds `TLS` first, then `TLSManager` with the handler's requirers injected.
- `tests/unit/test_tls_manager.py`, `tests/unit/test_tls_events.py`.

Why live-fetch (not stored): the persist-to-peer-state approach came from the OpenSearch single-kernel lib, which runs tls_certificates V3 (cert delivered in the ephemeral event payload → must be stored). This lib runs V4, whose `get_assigned_certificates()` re-reads the durable relation databag on demand, so storage is unnecessary and a flip→pre-migration rollback stays free of orphaned secrets. The manager+handler+wiring land together because the no-default constructor injection makes them inseparable (a charm can't construct `TLSManager` without the requirers).

Draft — not ready for review.
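An added illustration of the live-fetch design the description lays out (example code, not from this PR or the charm library): a hypothetical stand-in for the V4 requirer, and a minimal `TLSManager` whose requirers are constructor-injected, whose operator cert/key never touch state, and whose peer-CA rotation bundle is the only thing written to state. `AssignedCert`, `FakeRequirer` and the exact `rotate_peer_ca`/`clear_peer_ca` semantics are assumptions.

```python
from dataclasses import dataclass

@dataclass
class AssignedCert:
    """Constructed stand-in for the ProviderCertificate a V4 requirer returns."""
    certificate: str
    ca: str
    private_key: str

class FakeRequirer:
    """Hypothetical TLSCertificatesRequiresV4 stand-in: re-reads the databag (a shared dict) on every call."""

    def __init__(self, databag: dict):
        self.databag = databag

    def get_assigned_certificates(self) -> list:
        return list(self.databag.get("certs", []))

class TLSManager:
    """Requirers are constructor-injected; operator cert/key are fetched on demand, never stored.
    Only the peer CA being rotated out goes to state (assumed rotate/clear semantics)."""
    PEER_CA_KEY = "peer-ca"

    def __init__(self, state: dict, client_certificate, peer_certificate):
        self.state = state
        self.client_certificate = client_certificate
        self.peer_certificate = peer_certificate

    def get_client_tls_files(self):
        certs = self.client_certificate.get_assigned_certificates()
        if not certs:  # nothing assigned yet: the handler defers the file push
            return None
        return certs[0].private_key, certs[0].certificate, certs[0].ca

    def rotate_peer_ca(self) -> None:
        # Snapshot the current peer CA so peers still presenting it stay trusted.
        certs = self.peer_certificate.get_assigned_certificates()
        if certs:
            self.state[self.PEER_CA_KEY] = certs[0].ca

    def clear_peer_ca(self) -> None:
        self.state.pop(self.PEER_CA_KEY, None)

    def get_peer_ca_bundle(self) -> str:
        # Live CA(s) from the databag plus the tracked previous CA, de-duplicated.
        cas = [c.ca for c in self.peer_certificate.get_assigned_certificates()]
        old = self.state.get(self.PEER_CA_KEY)
        if old and old not in cas:
            cas.append(old)
        return "\n".join(cas)
```

Because the requirer is re-read on each call, a rollback that drops the TLS relation leaves no operator key behind in peer state; only the tracked peer CA remains until `clear_peer_ca` runs.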