feat(tls): operator-cert manager, events handler + release (3/4)#174
Draft
marceloneppel wants to merge 1 commit into
Wire the operator-certificate TLSManager and TLS events handler into the lib charm and bump the library version. The manager fetches operator cert/key live from the tls_certificates V4 requirers (constructor-injected by the handler); only the peer CA is tracked in state for rotation. Unit tests for this layer land in the stacked tests PR.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
Part 3/4, stacked on tls-2-state-accessors. Wires the operator-certificate manager + events handler into the lib charm — the core of the live-fetch TLS subsystem — and bumps the library version.
What's here (~331 lines)
- `managers/tls.py` (`TLSManager`): live-fetch getters (`get_client_tls_files`/`get_peer_tls_files`/`get_peer_ca_bundle` call `get_assigned_certificates()` on demand — operator cert/key are never persisted), `push_tls_files`, `rotate_peer_ca`/`clear_peer_ca` (only the peer CA is tracked in state, for the rotation bundle), internal-peer CA/cert generation, and `client_tls_files_on_disk`. Constructed the #168 ([DPE-10062] Single kernel changes) way: `TLSManager(state, workload, client_certificate, peer_certificate)` — requirers constructor-injected, no post-init mutation.
- `events/tls.py` (`TLS`): owns the two `TLSCertificatesRequiresV4` requirers, observes `certificate_available` + `relation_broken`, defers the file-push until the workload is ready, re-requests certs on SAN changes. Reaches the manager via `self.charm.tls_manager`. Constructor is `TLS(charm, state)` (the unused `workload` parameter was dropped on the 2026-07-03 rebase).
- `charms/abstract_charm.py`: builds `TLS` first, then `TLSManager` with the handler's requirers injected.
- `pyproject.toml` + `uv.lock`: bump to `16.3.3` (16/edge shipped its own `16.3.2` via #176 ([DPE-10062] Unit tests and tweaks) while the stack was in flight; re-bumped on the 2026-07-03 rebase, kept monotonic).

Why live-fetch (not stored)

The persist-to-peer-state approach came from the OpenSearch single-kernel lib, which runs tls_certificates V3 (cert delivered in the ephemeral event payload → must be stored). This lib runs V4, whose `get_assigned_certificates()` re-reads the durable relation databag on demand, so storage is unnecessary and a flip→pre-migration rollback stays free of orphaned secrets. Manager+handler+wiring land together because the no-default constructor injection couples them. Unit tests for this layer are in the stacked tests PR (part 4).

Draft — not ready for review.

(Recreated from the closed #167 after a branch rename + rebalance; the 594 lines of unit tests moved to part 4 to keep this PR near the ~500-line target.)
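The following is an added, self-contained sketch of the live-fetch design described in the PR, written for this page rather than taken from the charm library or the PR branch. The requirer, peer-state and workload objects are hypothetical stand-ins (the real `TLSCertificatesRequiresV4` is not imported, and its return type is assumed to carry `certificate`, `private_key` and `ca` fields); the class and method names only mirror the ones the description lists so the three properties it argues for are visible in running code: requirers are injected at construction and never mutated afterwards, operator cert/key are re-read from the relation data on every call and never copied into state, and only the peer CA is tracked so a rotation can serve an old+new CA bundle. How the bundle is composed and what "rotate" tracks are my assumptions, not the library's behaviour.

```python
"""Added illustration of a live-fetch TLS manager (not the charm library's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AssignedCert:
    """Stand-in for what a V4 requirer hands back (assumed field names)."""
    certificate: str
    private_key: str
    ca: str


class FakeRequirer:
    """Hypothetical stand-in for TLSCertificatesRequiresV4.

    The relation databag is the durable source of truth; get_assigned_certificates()
    re-reads it on every call, so nothing has to be copied into charm state.
    """

    def __init__(self) -> None:
        self._databag: dict = {}  # constructed: models the relation databag

    def provider_writes(self, certificate: str, private_key: str, ca: str) -> None:
        self._databag = {"certificate": certificate, "private_key": private_key, "ca": ca}

    def relation_broken(self) -> None:
        self._databag = {}  # relation data disappears with the relation

    def get_assigned_certificates(self) -> list[AssignedCert]:
        return [AssignedCert(**self._databag)] if self._databag else []


class PeerState:
    """Hypothetical peer-state accessor: the only TLS material it holds is the peer CA list."""

    def __init__(self) -> None:
        self.peer_cas: list[str] = []


class TLSManager:
    """Requirers are constructor-injected; the manager never mutates them afterwards."""

    def __init__(self, state: PeerState, workload: dict,
                 client_certificate: FakeRequirer, peer_certificate: FakeRequirer) -> None:
        self.state = state
        self.workload = workload  # stand-in: {"ready": bool, "files": {...}}
        self._client = client_certificate
        self._peer = peer_certificate

    def get_client_tls_files(self) -> Optional[AssignedCert]:
        certs = self._client.get_assigned_certificates()  # live fetch, never cached
        return certs[0] if certs else None

    def get_peer_tls_files(self) -> Optional[AssignedCert]:
        certs = self._peer.get_assigned_certificates()
        return certs[0] if certs else None

    def rotate_peer_ca(self, old_ca: str) -> None:
        """Track the CA being retired so the bundle keeps validating peers still on it."""
        if old_ca not in self.state.peer_cas:
            self.state.peer_cas.append(old_ca)

    def clear_peer_ca(self, old_ca: str) -> None:
        self.state.peer_cas = [ca for ca in self.state.peer_cas if ca != old_ca]

    def get_peer_ca_bundle(self) -> str:
        """Assumed composition: tracked (old) CAs from state plus the live CA from the requirer."""
        cas = list(self.state.peer_cas)
        live = self.get_peer_tls_files()
        if live and live.ca not in cas:
            cas.append(live.ca)
        return "\n".join(cas)

    def push_tls_files(self) -> bool:
        """Return False (so the caller defers) until the workload can take the files."""
        client = self.get_client_tls_files()
        if not self.workload.get("ready") or client is None:
            return False
        self.workload["files"] = {
            "client.crt": client.certificate,
            "client.key": client.private_key,
            "peer-ca.pem": self.get_peer_ca_bundle(),
        }
        return True

    def client_tls_files_on_disk(self) -> bool:
        """True only when what is on disk matches what the relation currently says."""
        client = self.get_client_tls_files()
        files = self.workload.get("files", {})
        return client is not None and files.get("client.crt") == client.certificate
```

The rollback property the description relies on falls out of the shape: after `relation_broken()` the getters return `None` and `PeerState` still holds nothing but CAs, so there is no cert or key left behind to clean up.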