feat(tls): operator-cert manager + events handler (3/4)#167

Closed
marceloneppel wants to merge 1 commit into
tls-2-state-accessorsfrom
tls-3-deferral

Conversation

@marceloneppel marceloneppel commented Jun 26, 2026

Member

Part 3/4, stacked on #166. Wires the operator-certificate manager + events handler into the lib charm — the core of the live-fetch TLS subsystem.

What's here (5 files)

  • managers/tls.py (TLSManager): live-fetch getters (get_client_tls_files / get_peer_tls_files / get_peer_ca_bundle call get_assigned_certificates() on demand — operator cert/key are never persisted), push_tls_files, rotate_peer_ca / clear_peer_ca (only the peer CA is tracked in state, for the rotation bundle), internal-peer CA/cert generation, and client_tls_files_on_disk (the reload-bridge readiness guard). Constructed the #168 way ([DPE-10062] Single kernel changes): TLSManager(state, workload, client_certificate, peer_certificate) — the requirers are constructor-injected, no post-init mutation.
  • events/tls.py (TLS): owns the two TLSCertificatesRequiresV4 requirers, observes certificate_available + relation_broken, defers the file-push until the workload is ready, and re-requests certs on SAN changes. Reaches the manager via self.charm.tls_manager.
  • charms/abstract_charm.py: builds TLS first, then TLSManager with the handler's requirers injected.
  • tests/unit/test_tls_manager.py, tests/unit/test_tls_events.py.

Why live-fetch (not stored): the persist-to-peer-state approach came from the OpenSearch single-kernel lib, which runs tls_certificates V3 (cert delivered in the ephemeral event payload → must be stored). This lib runs V4, whose get_assigned_certificates() re-reads the durable relation databag on demand, so storage is unnecessary and a flip→pre-migration rollback stays free of orphaned secrets. The manager+handler+wiring land together because the no-default constructor injection makes them inseparable (a charm can't construct TLSManager without the requirers). Draft — not ready for review.
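The live-fetch design described in the post above, as an added illustration that is not the PR's code: the requirer, peer-state and workload objects are constructed stand-ins with assumed shapes (the real TLSCertificatesRequiresV4 API and the charm's own paths are not reproduced), and the manager shows the three properties the description calls out: the cert/key are read from the requirer on every call and never enter peer state, only the peer CA is tracked for the rotation bundle, and push_tls_files reports when the workload is not ready so the handler can defer the event.

```python
"""Added illustration of a live-fetch TLS manager (not the PR's code; shapes are assumed)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AssignedCert:
    """Constructed view of one assigned certificate: leaf cert, issuing CA, private key."""
    certificate: str
    ca: str
    private_key: str


class FakeRequirer:
    """Stand-in for a tls_certificates V4 requirer (assumed interface). Each call re-reads
    the relation databag (a shared dict here), so callers always see the current cert."""

    def __init__(self, databag: dict):
        self._databag = databag

    def get_assigned_certificates(self) -> list[AssignedCert]:
        d = self._databag
        if "certificate" not in d:
            return []
        return [AssignedCert(d["certificate"], d["ca"], d["private_key"])]


@dataclass
class PeerState:
    """All TLS material that is persisted: only the peer CA and its predecessor."""
    peer_ca: Optional[str] = None
    previous_peer_ca: Optional[str] = None


@dataclass
class FakeWorkload:
    """Constructed workload: a readiness flag and the files pushed to it."""
    ready: bool = False
    files: dict = field(default_factory=dict)

    def push(self, path: str, content: str) -> None:
        self.files[path] = content


@dataclass(frozen=True)
class TLSFiles:
    cert: str
    key: str
    ca: str


class TLSManager:
    """Requirers are constructor-injected and queried on demand; nothing is cached."""

    # Hypothetical paths, not the charm's real ones.
    CLIENT_PATHS = {"cert": "/etc/svc/client.crt", "key": "/etc/svc/client.key", "ca": "/etc/svc/client-ca.crt"}

    def __init__(self, state, workload, client_certificate, peer_certificate):
        self.state, self.workload = state, workload
        self.client_certificate, self.peer_certificate = client_certificate, peer_certificate

    @staticmethod
    def _files_from(requirer) -> Optional[TLSFiles]:
        assigned = requirer.get_assigned_certificates()  # live read, never stored
        if not assigned:
            return None
        c = assigned[0]
        return TLSFiles(cert=c.certificate, key=c.private_key, ca=c.ca)

    def get_client_tls_files(self) -> Optional[TLSFiles]:
        return self._files_from(self.client_certificate)

    def get_peer_tls_files(self) -> Optional[TLSFiles]:
        return self._files_from(self.peer_certificate)

    def rotate_peer_ca(self, new_ca: str) -> None:
        self.state.previous_peer_ca, self.state.peer_ca = self.state.peer_ca, new_ca

    def clear_peer_ca(self) -> None:
        self.state.peer_ca = self.state.previous_peer_ca = None

    def get_peer_ca_bundle(self) -> str:
        """Current plus previous peer CA, so peers still on the old CA keep verifying."""
        return "\n".join(ca for ca in (self.state.peer_ca, self.state.previous_peer_ca) if ca)

    def push_tls_files(self) -> bool:
        """False means 'not pushed' (workload not ready or no cert yet): the caller defers."""
        if not self.workload.ready:
            return False
        files = self.get_client_tls_files()
        if files is None:
            return False
        for name, content in (("cert", files.cert), ("key", files.key), ("ca", files.ca)):
            self.workload.push(self.CLIENT_PATHS[name], content)
        return True

    def client_tls_files_on_disk(self) -> bool:
        """Readiness guard: all client TLS files present on the workload."""
        return all(p in self.workload.files for p in self.CLIENT_PATHS.values())


def demo() -> dict:
    """Walk the lifecycle on constructed data and return observations."""
    client_bag, peer_bag = {}, {}
    state, workload = PeerState(), FakeWorkload(ready=False)
    mgr = TLSManager(state, workload, FakeRequirer(client_bag), FakeRequirer(peer_bag))
    out = {"before_assign": mgr.get_client_tls_files(), "deferred": not mgr.push_tls_files()}
    client_bag.update(certificate="CERT-1", ca="CA-1", private_key="KEY-1")  # provider assigns
    out["after_assign"] = mgr.get_client_tls_files()
    out["still_deferred"] = not mgr.push_tls_files()  # cert present, workload not ready
    workload.ready = True
    out["pushed"] = mgr.push_tls_files()
    out["on_disk"] = mgr.client_tls_files_on_disk()
    client_bag["certificate"], client_bag["private_key"] = "CERT-2", "KEY-2"  # renewal lands
    out["after_renewal"] = mgr.get_client_tls_files().cert  # seen without any re-store step
    mgr.rotate_peer_ca("PEER-CA-1")
    mgr.rotate_peer_ca("PEER-CA-2")
    out["bundle"] = mgr.get_peer_ca_bundle()
    out["state_has_key"] = any("KEY" in str(v) for v in vars(state).values())
    return out
```

Because the manager re-reads the requirer on every call, a renewal that lands in the relation databag is visible immediately, and peer state never holds a private key, which is the property that keeps a rollback free of orphaned secrets.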

marceloneppel changed the title from "feat(tls): defer push until workload-ready + TLS path/ownership fixes (3/4)" to "feat(tls): operator-cert manager + events handler (3/4)" on Jul 1, 2026
Wire the operator-certificate TLSManager and TLS events handler into the lib
charm and bump the library version. The manager fetches operator cert/key live
from the tls_certificates V4 requirers (constructor-injected by the handler);
only the peer CA is tracked in state for rotation. Unit tests for this layer
land in the stacked tests PR.
@marceloneppel (Member Author) commented:

Superseded by #174 after a branch rename + rebalance (tls-3-deferral → tls-3-manager-events; the version bump folded in, unit tests moved to #175). Auto-closed by the rename.
