[DPE-10615] Migrate TLS to the single-kernel library (VM)#1816
Draft
marceloneppel wants to merge 10 commits into
Draft
[DPE-10615] Migrate TLS to the single-kernel library (VM)#1816marceloneppel wants to merge 10 commits into
marceloneppel wants to merge 10 commits into
Conversation
602298f to
d5e5948
Compare
Consume the single-kernel library's operator-certificate TLS handler (events.tls.TLS) and TLSManager instead of the charm-side src/relations/tls.py, stacked on the DPE-10062 Patroni/cluster port (#1788). The TLS events handler owns the two certificate requirers and is constructor-injected into TLSManager, whose live-fetch getters read cert/key from them. A charm-side reload bridge (_reload_tls_after_push) reloads PostgreSQL after the lib handler stores+pushes certs; it also fires on relation_broken so detaching the TLS operator re-renders Patroni with TLS disabled. Removes src/relations/tls.py and push_tls_files_to_workload (now owned by the lib), routes internal-cert regeneration through _regenerate_internal_cert, redirects the operator-cert getters to tls_manager, and pins the library to the TLS stack tip via archive URL (16.3.2 is not yet released). Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
d5e5948 to
a036312
Compare
The TLS lib stack was rebased onto current 16/edge and re-bumped to 16.3.3 because 16/edge had meanwhile shipped its own 16.3.2, and the rebase dropped the dead workload parameter from the TLS events handler constructor, so the pin and the construction call move together. Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
The relation_broken bridge registrations reference only self.on[...], so an __init__ reorder above the lib handler's construction would silently run the reload before the lib clears state and pushes files; the prior test asserted membership without order. The bridge's except-and-defer branch also had no coverage, so a refactor could drop the broad guard without failing CI. Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
Absorb the single remaining 16/edge commit (ca93296: renovate bump to published single-kernel 16.3.2) since the branch last merged 16/edge. #1788 (Patroni-port) and the 5a9fa05 lib pin / 2-arg TLS migration are already on this branch. Keep the branch's unreleased-lib archive-URL pin (5a9fa05) over 16/edge's published-16.3.2 dep, since this branch tests the unreleased TLS handler. Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> # Conflicts: # poetry.lock # pyproject.toml
Absorb 16/edge deps bumps (946cb61: Python deps, 24a7609: lock maintenance) landed since the last merge. Keep the branch's unreleased-lib archive-URL pin (5a9fa05) over 16/edge's published-16.3.2 dep, since this branch tests the unreleased TLS handler. Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> # Conflicts: # poetry.lock
Re-pin the unreleased single-kernel library from 5a9fa05 to a1d2178, the rebased TLS-stack tip. a1d2178 includes the operator-cert manager/ events handler (the migration payload) plus the docstring/comment cleanup that dropped stale operator-repo file-path references and #168/V3-V4 idiom mentions from the lib. The 5a9fa05→a1d2178 diff is docstring/comment-only, so no charm-side code changes are required. Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
Remove _platform_machine, _observers_for, and the three reload-bridge observer-ordering tests that exercised charm-side __init__ wiring now that the bridge itself is transitional and scheduled to leave the charm when update_config ports to the lib. _platform_machine was redundant: refresh_versions.toml keys both x86_64 and aarch64, so the platform.machine() snap-revision lookup succeeds natively on either arch without the monkeypatch (proven by the suite passing on aarch64 after removal). Its harness dependency and the now-unused TLS_CLIENT/TLS_PEER_RELATION imports go with it. Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
The TLS flip branch pinned postgresql-charms-single-kernel to a GitHub archive URL (commit a1d2178) to test unreleased lib changes. 16.3.3 is now published to PyPI carrying the same TLS state + manager/events content, so restore the published-version pin form and regenerate poetry.lock against the PyPI wheel/tarball. Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> # Conflicts: # poetry.lock
This was referenced Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue
The VM charm owns its TLS subsystem (
src/relations/tls.py,push_tls_files_to_workload) duplicated from the K8s charm and the single-kernel library's now-equivalentevents.tls.TLS+TLSManager.Solution
Migrates the VM charm's TLS onto the library's operator-cert handler (
events.tls.TLS) +TLSManager. The events handler owns the two requirers and is constructor-injected intoTLSManager; live-fetch getters (no operator-cert peer secrets, rollback-clean).postgresql-charms-single-kernelfrom 16.3.2 to 16.3.3 to consume the lib TLS handler + manager; redirect the operator-cert getters totls_manager(incl.watcher.pypatroni-casandpostgresql_provider.py)._reload_tls_after_push: reloads after the lib pushes certs; fires onrelation_brokenso detaching the TLS operator re-renders Patroni with TLS off._regenerate_internal_cert(generate → push → reload;reload=Falseat bootstrap, where the leader/replica already renderspatroni.ymland the internal cert does not togglessl).src/relations/tls.pyandpush_tls_files_to_workload(now lib-owned).tests/unit/test_tls.pyto cover the lib-backed wiring (reload bridge guards,is_tls_enabledredirect, internal-cert CN-mismatch path) instead of the removedrelations.tls.TLSmodule; renamedTLS→TLSManagerpatch targets intests/unit/test_charm.pyand dropped the now-deletedtest_push_tls_files_to_workload.The bridge and its four observers are transitional — they stay charm-side only until the
update_config/Patroni-config subsystem ports to the library, at which point push+reload become a single lib-owned atomic step and these charm methods are removed.Checklist