
feat(tls): operator-cert manager, events handler + release (3/4)#174

Draft
marceloneppel wants to merge 1 commit into tls-2-state-accessors from tls-3-manager-events

Conversation

@marceloneppel marceloneppel commented Jul 1, 2026


Part 3/4, stacked on tls-2-state-accessors. Wires the operator-certificate manager + events handler into the lib charm — the core of the live-fetch TLS subsystem — and bumps the library version.

What's here (~331 lines)

  • managers/tls.py (TLSManager): live-fetch getters (get_client_tls_files / get_peer_tls_files / get_peer_ca_bundle call get_assigned_certificates() on demand — operator cert/key are never persisted), push_tls_files, rotate_peer_ca / clear_peer_ca (only the peer CA is tracked in state, for the rotation bundle), internal-peer CA/cert generation, and client_tls_files_on_disk. Constructed the [DPE-10062] Single kernel changes #168 way: TLSManager(state, workload, client_certificate, peer_certificate) — requirers constructor-injected, no post-init mutation.
  • events/tls.py (TLS): owns the two TLSCertificatesRequiresV4 requirers, observes certificate_available + relation_broken, defers the file-push until the workload is ready, re-requests certs on SAN changes. Reaches the manager via self.charm.tls_manager. Constructor is TLS(charm, state) (the unused workload parameter was dropped on the 2026-07-03 rebase).
  • charms/abstract_charm.py: builds TLS first, then TLSManager with the handler's requirers injected.
  • pyproject.toml + uv.lock: bump to 16.3.3 (16/edge shipped its own 16.3.2 via [DPE-10062] Unit tests and tweaks #176 while the stack was in flight; re-bumped on the 2026-07-03 rebase, kept monotonic).

Why live-fetch (not stored): the persist-to-peer-state approach came from the OpenSearch single-kernel lib, which runs tls_certificates V3 (cert delivered in the ephemeral event payload → must be stored). This lib runs V4, whose get_assigned_certificates() re-reads the durable relation databag on demand, so storage is unnecessary and a flip→pre-migration rollback stays free of orphaned secrets. Manager+handler+wiring land together because the no-default constructor injection couples them. Unit tests for this layer are in the stacked tests PR (part 4). Draft — not ready for review.

(Recreated from the closed #167 after a branch rename + rebalance; the 594 lines of unit tests moved to part 4 to keep this PR near the ~500-line target.)

Wire the operator-certificate TLSManager and TLS events handler into the lib
charm and bump the library version. The manager fetches operator cert/key live
from the tls_certificates V4 requirers (constructor-injected by the handler);
only the peer CA is tracked in state for rotation. Unit tests for this layer
land in the stacked tests PR.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel marceloneppel force-pushed the tls-2-state-accessors branch from 1dd22a8 to c6aa083 on July 3, 2026 20:27
@marceloneppel marceloneppel force-pushed the tls-3-manager-events branch from d59f0ac to 1f84b9c on July 3, 2026 20:27
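An added sketch (not code from this PR or the charm library) of the live-fetch design the description above lays out: requirers are constructor-injected, the operator cert/key are read through get_assigned_certificates() on every call and never written to state, and only the peer CA (plus the one it replaced) is kept for the rotation bundle. FakeRequirer, PeerState and the two-CA bundle layout are assumptions standing in for the real TLSCertificatesRequiresV4 requirer and the state accessors.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FakeRequirer:
    """Constructed stand-in for a TLSCertificatesRequiresV4 requirer: nothing is
    cached, so get_assigned_certificates() sees databag changes on the next call."""
    certs: list = field(default_factory=list)
    key: Optional[str] = None

    def get_assigned_certificates(self):
        return list(self.certs), self.key


@dataclass
class PeerState:
    """Hypothetical peer-state view: only the peer CA (plus the one it replaced,
    for the rotation bundle) is stored; the operator cert/key never are."""
    peer_ca: Optional[str] = None
    previous_peer_ca: Optional[str] = None


class TLSManager:
    def __init__(self, state, client_certificate, peer_certificate):
        # Requirers are injected here; nothing mutates them after init.
        self.state = state
        self._client = client_certificate
        self._peer = peer_certificate

    @staticmethod
    def _live_fetch(requirer):
        # Re-read relation data on every call; None until cert AND key exist.
        certs, key = requirer.get_assigned_certificates()
        return (certs[0], key) if certs and key is not None else None

    def get_client_tls_files(self):
        return self._live_fetch(self._client)

    def get_peer_tls_files(self):
        return self._live_fetch(self._peer)

    def rotate_peer_ca(self, new_ca):
        # Keep the outgoing CA so peers still presenting it stay trusted.
        if new_ca != self.state.peer_ca:
            self.state.previous_peer_ca, self.state.peer_ca = self.state.peer_ca, new_ca

    def clear_peer_ca(self):
        self.state.peer_ca = self.state.previous_peer_ca = None

    def get_peer_ca_bundle(self):
        cas = (self.state.peer_ca, self.state.previous_peer_ca)
        return "\n".join(ca for ca in cas if ca)
```

Because nothing is copied out of the requirer, rolling the relation back leaves no orphaned cert or key in peer state; only the CA fields need clearing.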