[DPE-5484] Add TLS flag + CA to relation databag

src/charm.py

@@ -1838,6 +1838,9 @@ def update_config(self, is_creating_backup: bool = False) -> bool:
             # in a bundle together with the TLS certificates operator. This flag is used to
             # know when to call the Patroni API using HTTP or HTTPS.
             self.unit_peer_data.update({"tls": "enabled" if self.is_tls_enabled else ""})
+            self.postgresql_client_relation.update_tls_flag(
+                "True" if self.is_tls_enabled else "False"
+            )
             logger.debug("Early exit update_config: Workload not started yet")
             return True
 
@@ -1918,6 +1921,7 @@ def _handle_postgresql_restart_need(self):
             # Ignore the error, as it happens only to indicate that the configuration has not changed.
             pass
         self.unit_peer_data.update({"tls": "enabled" if self.is_tls_enabled else ""})
+        self.postgresql_client_relation.update_tls_flag("True" if self.is_tls_enabled else "False")
 
         # Restart PostgreSQL if TLS configuration has changed
         # (so the both old and new connections use the configuration).

src/relations/postgresql_provider.py

@@ -111,6 +111,17 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
                 f"postgresql://{user}:{password}@{self.charm.primary_endpoint}:{DATABASE_PORT}/{database}",
             )
 
+            # Set TLS flag
+            self.database_provides.set_tls(
+                event.relation.id,
+                "True" if self.charm.is_tls_enabled else "False",
+            )
+
+            # Set TLS CA
+            if self.charm.is_tls_enabled:
+                _, ca, _ = self.charm.tls.get_tls_files()
+                self.database_provides.set_tls_ca(event.relation.id, ca)
+
             # Update the read-only endpoint.
             self.update_read_only_endpoint(event)
 
@@ -198,6 +209,18 @@ def update_read_only_endpoint(self, event: DatabaseRequestedEvent = None) -> Non
                 endpoints,
             )
 
+    def update_tls_flag(self, tls: str) -> None:
+        """Update TLS flag and CA in relation databag."""
+        relations = self.model.relations[self.relation_name]
+        if tls == "True":
+            _, ca, _ = self.charm.tls.get_tls_files()
+        else:
+            ca = ""
+
+        for relation in relations:
+            self.database_provides.set_tls(relation.id, tls)
+            self.database_provides.set_tls_ca(relation.id, ca)
+
     def _check_multiple_endpoints(self) -> bool:
         """Checks if there are relations with other endpoints."""
         relation_names = {relation.name for relation in self.charm.client_relations}

tests/unit/test_postgresql_provider.py

@@ -127,6 +127,7 @@ def test_on_database_requested(harness):
             "uris": f"postgresql://{user}:test-password@postgresql-k8s-primary.None.svc.cluster.local:5432/{DATABASE}",
             "version": POSTGRESQL_VERSION,
             "database": f"{DATABASE}",
+            "tls": "False",
         }
 
         # Assert no BlockedStatus was set.
@@ -141,6 +142,7 @@ def test_on_database_requested(harness):
             "endpoints": "postgresql-k8s-primary.None.svc.cluster.local:5432",
             "uris": f"postgresql://{user}:test-password@postgresql-k8s-primary.None.svc.cluster.local:5432/{DATABASE}",
             "read-only-endpoints": "postgresql-k8s-replicas.None.svc.cluster.local:5432",
+            "tls": "False",
         }
 
         # BlockedStatus due to a PostgreSQLCreateDatabaseError.
@@ -152,6 +154,7 @@ def test_on_database_requested(harness):
             "endpoints": "postgresql-k8s-primary.None.svc.cluster.local:5432",
             "read-only-endpoints": "postgresql-k8s-replicas.None.svc.cluster.local:5432",
             "uris": f"postgresql://{user}:test-password@postgresql-k8s-primary.None.svc.cluster.local:5432/{DATABASE}",
+            "tls": "False",
         }
 
         # BlockedStatus due to a PostgreSQLGetPostgreSQLVersionError.