Skip to content

[DPE-10615] Migrate TLS to the single-kernel library (VM)#1816

Draft
marceloneppel wants to merge 10 commits into
16/edgefrom
flip/tls-lib
Draft

[DPE-10615] Migrate TLS to the single-kernel library (VM)#1816
marceloneppel wants to merge 10 commits into
16/edgefrom
flip/tls-lib

Conversation

@marceloneppel

@marceloneppel marceloneppel commented Jun 26, 2026

Copy link
Copy Markdown
Member

Issue

The VM charm owns its TLS subsystem (src/relations/tls.py, push_tls_files_to_workload) duplicated from the K8s charm and the single-kernel library's now-equivalent events.tls.TLS + TLSManager.

Solution

Migrates the VM charm's TLS onto the library's operator-cert handler (events.tls.TLS) + TLSManager. The events handler owns the two requirers and is constructor-injected into TLSManager; live-fetch getters (no operator-cert peer secrets, rollback-clean).

  • Bump postgresql-charms-single-kernel from 16.3.2 to 16.3.3 to consume the lib TLS handler + manager; redirect the operator-cert getters to tls_manager (incl. watcher.py patroni-cas and postgresql_provider.py).
  • Reload bridge _reload_tls_after_push: reloads after the lib pushes certs; fires on relation_broken so detaching the TLS operator re-renders Patroni with TLS off.
  • Internal-cert regeneration routed through _regenerate_internal_cert (generate → push → reload; reload=False at bootstrap, where the leader/replica already renders patroni.yml and the internal cert does not toggle ssl).
  • Remove src/relations/tls.py and push_tls_files_to_workload (now lib-owned).
  • Rewrote tests/unit/test_tls.py to cover the lib-backed wiring (reload bridge guards, is_tls_enabled redirect, internal-cert CN-mismatch path) instead of the removed relations.tls.TLS module; renamed TLSTLSManager patch targets in tests/unit/test_charm.py and dropped the now-deleted test_push_tls_files_to_workload.

The bridge and its four observers are transitional — they stay charm-side only until the update_config/Patroni-config subsystem ports to the library, at which point push+reload become a single lib-owned atomic step and these charm methods are removed.

Checklist

  • I have added or updated any relevant documentation.
  • I have cleaned any remaining cloud resources from my accounts.

@github-actions github-actions Bot added the Libraries: Out of sync The charm libs used are out-of-sync label Jun 29, 2026
@marceloneppel marceloneppel added the not bug or enhancement PR is not 'bug' or 'enhancement'. For release notes label Jun 29, 2026
@marceloneppel marceloneppel changed the base branch from 16/edge to dpe-10062-cluster2 July 2, 2026 18:47
@marceloneppel marceloneppel changed the title feat(tls): migrate TLS to the single-kernel library feat(tls): migrate TLS to the single-kernel library (VM) Jul 2, 2026
Base automatically changed from dpe-10062-cluster2 to 16/edge July 2, 2026 20:35
Consume the single-kernel library's operator-certificate TLS handler
(events.tls.TLS) and TLSManager instead of the charm-side src/relations/tls.py,
stacked on the DPE-10062 Patroni/cluster port (#1788). The TLS events handler
owns the two certificate requirers and is constructor-injected into TLSManager,
whose live-fetch getters read cert/key from them. A charm-side reload bridge
(_reload_tls_after_push) reloads PostgreSQL after the lib handler stores+pushes
certs; it also fires on relation_broken so detaching the TLS operator re-renders
Patroni with TLS disabled.

Removes src/relations/tls.py and push_tls_files_to_workload (now owned by the
lib), routes internal-cert regeneration through _regenerate_internal_cert,
redirects the operator-cert getters to tls_manager, and pins the library to the
TLS stack tip via archive URL (16.3.2 is not yet released).

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
The TLS lib stack was rebased onto current 16/edge and re-bumped to
16.3.3 because 16/edge had meanwhile shipped its own 16.3.2, and the
rebase dropped the dead workload parameter from the TLS events handler
constructor, so the pin and the construction call move together.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
The relation_broken bridge registrations reference only self.on[...], so
an __init__ reorder above the lib handler's construction would silently
run the reload before the lib clears state and pushes files; the prior
test asserted membership without order. The bridge's except-and-defer
branch also had no coverage, so a refactor could drop the broad guard
without failing CI.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
Absorb the single remaining 16/edge commit (ca93296: renovate bump to
published single-kernel 16.3.2) since the branch last merged 16/edge.
#1788 (Patroni-port) and the 5a9fa05 lib pin / 2-arg TLS migration are
already on this branch. Keep the branch's unreleased-lib archive-URL pin
(5a9fa05) over 16/edge's published-16.3.2 dep, since this branch tests
the unreleased TLS handler.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

# Conflicts:
#	poetry.lock
#	pyproject.toml
Absorb 16/edge deps bumps (946cb61: Python deps, 24a7609: lock
maintenance) landed since the last merge. Keep the branch's unreleased-lib
archive-URL pin (5a9fa05) over 16/edge's published-16.3.2 dep, since
this branch tests the unreleased TLS handler.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

# Conflicts:
#	poetry.lock
Re-pin the unreleased single-kernel library from 5a9fa05 to a1d2178,
the rebased TLS-stack tip. a1d2178 includes the operator-cert manager/
events handler (the migration payload) plus the docstring/comment cleanup
that dropped stale operator-repo file-path references and #168/V3-V4 idiom
mentions from the lib. The 5a9fa05→a1d2178 diff is docstring/comment-only,
so no charm-side code changes are required.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel marceloneppel changed the title feat(tls): migrate TLS to the single-kernel library (VM) [DPE-10615] Migrate TLS to the single-kernel library (VM) Jul 8, 2026
Remove _platform_machine, _observers_for, and the three
reload-bridge observer-ordering tests that exercised charm-side
__init__ wiring now that the bridge itself is transitional and
scheduled to leave the charm when update_config ports to the lib.

_platform_machine was redundant: refresh_versions.toml keys both
x86_64 and aarch64, so the platform.machine() snap-revision lookup
succeeds natively on either arch without the monkeypatch (proven by
the suite passing on aarch64 after removal). Its harness dependency
and the now-unused TLS_CLIENT/TLS_PEER_RELATION imports go with it.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
The TLS flip branch pinned postgresql-charms-single-kernel to a GitHub
archive URL (commit a1d2178) to test unreleased lib changes. 16.3.3 is
now published to PyPI carrying the same TLS state + manager/events
content, so restore the published-version pin form and regenerate
poetry.lock against the PyPI wheel/tarball.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>

# Conflicts:
#	poetry.lock
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Libraries: Out of sync The charm libs used are out-of-sync not bug or enhancement PR is not 'bug' or 'enhancement'. For release notes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant