From e793be3221cb13b4316b5ef350ec9ef56e31a33a Mon Sep 17 00:00:00 2001
From: Lucas Gameiro Borges
Date: Wed, 2 Oct 2024 00:46:53 +0000
Subject: [PATCH 1/4] add tls flag to relation databag
---
src/charm.py | 4 ++++
src/relations/postgresql_provider.py | 12 ++++++++++++
2 files changed, 16 insertions(+)
diff --git a/src/charm.py b/src/charm.py
index dadaa4b34b..06216f5bd7 100755
--- a/src/charm.py
+++ b/src/charm.py
@@ -1836,6 +1836,9 @@ def update_config(self, is_creating_backup: bool = False) -> bool:
# in a bundle together with the TLS certificates operator. This flag is used to
# know when to call the Patroni API using HTTP or HTTPS.
self.unit_peer_data.update({"tls": "enabled" if self.is_tls_enabled else ""})
+ self.postgresql_client_relation.update_tls_flag(
+ "True" if self.is_tls_enabled else "False"
+ )
logger.debug("Early exit update_config: Workload not started yet")
return True
@@ -1916,6 +1919,7 @@ def _handle_postgresql_restart_need(self):
# Ignore the error, as it happens only to indicate that the configuration has not changed.
pass
self.unit_peer_data.update({"tls": "enabled" if self.is_tls_enabled else ""})
+ self.postgresql_client_relation.update_tls_flag("True" if self.is_tls_enabled else "False")
# Restart PostgreSQL if TLS configuration has changed
# (so the both old and new connections use the configuration).
diff --git a/src/relations/postgresql_provider.py b/src/relations/postgresql_provider.py
index 6018501278..d7ec54ff26 100644
--- a/src/relations/postgresql_provider.py
+++ b/src/relations/postgresql_provider.py
@@ -111,6 +111,12 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
f"postgresql://{user}:{password}@{self.charm.primary_endpoint}:{DATABASE_PORT}/{database}",
)
+ # Set TLS flag
+ self.database_provides.set_tls(
+ event.relation.id,
+ "True" if self.charm.is_tls_enabled else "False",
+ )
+
# Update the read-only endpoint.
self.update_read_only_endpoint(event)
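Review bot: The added `self.postgresql_client_relation.update_tls_flag(...)` call in the `update_config` hunk runs on every unit that executes `update_config`, but `set_tls` writes the application databag, which Juju only lets the leader write; as far as I recall the data_interfaces provider setters are leader-only and turn into a logged error (and a skipped write) on follower units on every config refresh. Guard the call with `if self.unit.is_leader():`, or move that guard inside `update_tls_flag` so both callers are covered. The same applies to the `_handle_postgresql_restart_need` hunk below it. Both enclosing functions start and end outside their hunks.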
@@ -198,6 +204,12 @@ def update_read_only_endpoint(self, event: DatabaseRequestedEvent = None) -> Non
endpoints,
)
+ def update_tls_flag(self, tls: str) -> None:
+ """Update TLS flag in relation databag."""
+ relations = self.model.relations[self.relation_name]
+ for relation in relations:
+ self.database_provides.set_tls(relation.id, tls)
+
def _check_multiple_endpoints(self) -> bool:
"""Checks if there are relations with other endpoints."""
relation_names = {relation.name for relation in self.charm.client_relations}
From 733f4811f935e0e713ef8e2f9f82bb7becde2670 Mon Sep 17 00:00:00 2001
From: Lucas Gameiro Borges
Date: Wed, 2 Oct 2024 00:51:49 +0000
Subject: [PATCH 2/4] fix unit test
---
tests/unit/test_postgresql_provider.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tests/unit/test_postgresql_provider.py b/tests/unit/test_postgresql_provider.py
index e441697599..e56b392387 100644
--- a/tests/unit/test_postgresql_provider.py
+++ b/tests/unit/test_postgresql_provider.py
@@ -127,6 +127,7 @@ def test_on_database_requested(harness):
"uris": f"postgresql://{user}:test-password@postgresql-k8s-primary.None.svc.cluster.local:5432/{DATABASE}",
"version": POSTGRESQL_VERSION,
"database": f"{DATABASE}",
+ "tls": "False",
}
# Assert no BlockedStatus was set.
@@ -141,6 +142,7 @@ def test_on_database_requested(harness):
"endpoints": "postgresql-k8s-primary.None.svc.cluster.local:5432",
"uris": f"postgresql://{user}:test-password@postgresql-k8s-primary.None.svc.cluster.local:5432/{DATABASE}",
"read-only-endpoints": "postgresql-k8s-replicas.None.svc.cluster.local:5432",
+ "tls": "False",
}
# BlockedStatus due to a PostgreSQLCreateDatabaseError.
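Review bot: `update_tls_flag` takes the flag as the pre-rendered string `"True"`/`"False"` and both callers in src/charm.py build that string themselves, which leaves the databag representation duplicated in three places and invites a later string comparison on the value. Accepting a bool and formatting once at the write keeps a single source of truth: `def update_tls_flag(self, tls: bool) -> None:` with `self.database_provides.set_tls(relation.id, "True" if tls else "False")`, and callers pass `self.is_tls_enabled` directly. The docstring would also help readers if it said that this writes the application databag of every relation on `self.relation_name`, so it only has effect on the leader.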
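Review bot: The updated expectations in `test_on_database_requested` only pin `"tls": "False"`; nothing exercises the enabled path, so a regression that publishes the wrong flag when TLS is on would still pass, and the new `update_tls_flag` has no test at all. A second case with `is_tls_enabled` patched to True asserting `"tls": "True"`, plus a direct test of `update_tls_flag` across two relations, would cover what the series adds. The same gap applies to the `@@ -152` hunk in the next chunk. The test function starts and ends outside the hunks.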
@@ -152,6 +154,7 @@ def test_on_database_requested(harness):
"endpoints": "postgresql-k8s-primary.None.svc.cluster.local:5432",
"read-only-endpoints": "postgresql-k8s-replicas.None.svc.cluster.local:5432",
"uris": f"postgresql://{user}:test-password@postgresql-k8s-primary.None.svc.cluster.local:5432/{DATABASE}",
+ "tls": "False",
}
# BlockedStatus due to a PostgreSQLGetPostgreSQLVersionError.
From 5717cc5a888f7319e44c5feb159383ce47a33982 Mon Sep 17 00:00:00 2001
From: Lucas Gameiro Borges
Date: Fri, 18 Oct 2024 14:27:52 +0000
Subject: [PATCH 3/4] add CA
---
src/relations/postgresql_provider.py | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/relations/postgresql_provider.py b/src/relations/postgresql_provider.py
index d7ec54ff26..fc9455b77d 100644
--- a/src/relations/postgresql_provider.py
+++ b/src/relations/postgresql_provider.py
@@ -117,6 +117,11 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
"True" if self.charm.is_tls_enabled else "False",
)
+ # Set TLS CA
+ if self.charm.is_tls_enabled:
+ _, ca, _ = self.charm.tls.get_tls_files()
+ self.database_provides.set_tls_ca(event.relation.id, ca)
+
# Update the read-only endpoint.
self.update_read_only_endpoint(event)
@@ -210,6 +215,11 @@ def update_tls_flag(self, tls: str) -> None:
for relation in relations:
self.database_provides.set_tls(relation.id, tls)
+ if tls == "True":
+ _, ca, _ = self.charm.tls.get_tls_files()
+ for relation in relations:
+ self.database_provides.set_tls_ca(relation.id, ca)
+
def _check_multiple_endpoints(self) -> bool:
"""Checks if there are relations with other endpoints."""
relation_names = {relation.name for relation in self.charm.client_relations}
From c88430fa74a7bd55a5ea07df436e87dc5abadb94 Mon Sep 17 00:00:00 2001
From: Lucas Gameiro Borges
Date: Fri, 18 Oct 2024 21:21:55 +0000
Subject: [PATCH 4/4] fix ca removal
---
src/relations/postgresql_provider.py | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
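Review bot: In the `# Set TLS CA` hunk the value from `_, ca, _ = self.charm.tls.get_tls_files()` goes straight into `set_tls_ca`, but nothing on the new side checks it; unless `is_tls_enabled` is itself derived from `get_tls_files()` (not visible here), the CA can still be missing while the flag is already `"True"`, and a None CA either breaks the relation write or tells the consumer to use TLS with nothing to verify the server against. Guard the write, `if ca: self.database_provides.set_tls_ca(event.relation.id, ca)`, and consider publishing `tls` as `"False"` until the CA exists so a client is never pointed at an unverifiable endpoint. The `update_tls_flag` hunk of this patch repeats the same unguarded sequence and PATCH 4/4 carries it forward. `_on_database_requested` starts outside the hunk.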
diff --git a/src/relations/postgresql_provider.py b/src/relations/postgresql_provider.py
index fc9455b77d..b6398f8216 100644
--- a/src/relations/postgresql_provider.py
+++ b/src/relations/postgresql_provider.py
@@ -210,15 +210,16 @@ def update_read_only_endpoint(self, event: DatabaseRequestedEvent = None) -> Non
)
def update_tls_flag(self, tls: str) -> None:
- """Update TLS flag in relation databag."""
+ """Update TLS flag and CA in relation databag."""
relations = self.model.relations[self.relation_name]
- for relation in relations:
- self.database_provides.set_tls(relation.id, tls)
-
if tls == "True":
_, ca, _ = self.charm.tls.get_tls_files()
- for relation in relations:
- self.database_provides.set_tls_ca(relation.id, ca)
+ else:
+ ca = ""
+
+ for relation in relations:
+ self.database_provides.set_tls(relation.id, tls)
+ self.database_provides.set_tls_ca(relation.id, ca)
def _check_multiple_endpoints(self) -> bool:
"""Checks if there are relations with other endpoints."""
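Review bot: The rewritten loop publishes `tls` and the CA as a pair, but on the `tls == "True"` branch `ca` is whatever `get_tls_files()` returned and is never checked, so a not-yet-issued certificate leaves `set_tls_ca(relation.id, None)` being written alongside a `"True"` flag; normalising with `ca = ca or ""` at least keeps the write well-formed, and skipping the flag while `ca` is empty keeps consumers from being told to verify against nothing. Clearing the CA with `ca = ""` also relies on the empty-string semantics of the databag/secret layer; if the pinned data_interfaces version stores `tls-ca` in a secret group, an explicit `self.database_provides.delete_relation_data(relation.id, ["tls-ca"])` on the disabled path (if that API is available in the pinned version) states the removal the commit title intends rather than depending on how an empty value is treated.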