add tls and tls-ca fields to databag (#666)

Author: Lucas Gameiro

src/charm.py

@@ -1709,6 +1709,9 @@ def update_config(self, is_creating_backup: bool = False) -> bool:
             # in a bundle together with the TLS certificates operator. This flag is used to
             # know when to call the Patroni API using HTTP or HTTPS.
             self.unit_peer_data.update({"tls": "enabled" if enable_tls else ""})
+            self.postgresql_client_relation.update_tls_flag(
+                "True" if self.is_tls_enabled else "False"
+            )
             logger.debug("Early exit update_config: Workload not started yet")
             return True
 
@@ -1784,6 +1787,7 @@ def _handle_postgresql_restart_need(self, enable_tls: bool) -> None:
             # Ignore the error, as it happens only to indicate that the configuration has not changed.
             pass
         self.unit_peer_data.update({"tls": "enabled" if enable_tls else ""})
+        self.postgresql_client_relation.update_tls_flag("True" if self.is_tls_enabled else "False")
 
         # Restart PostgreSQL if TLS configuration has changed
         # (so the both old and new connections use the configuration).

src/relations/postgresql_provider.py

@@ -108,6 +108,17 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
             # Set the database name
             self.database_provides.set_database(event.relation.id, database)
 
+            # Set TLS flag
+            self.database_provides.set_tls(
+                event.relation.id,
+                "True" if self.charm.is_tls_enabled else "False",
+            )
+
+            # Set TLS CA
+            if self.charm.is_tls_enabled:
+                _, ca, _ = self.charm.tls.get_tls_files()
+                self.database_provides.set_tls_ca(event.relation.id, ca)
+
             # Update the read/write and read-only endpoints.
             self.update_endpoints(event)
 
@@ -215,6 +226,18 @@ def update_endpoints(self, event: DatabaseRequestedEvent = None) -> None:
                 f"postgresql://{user}:{password}@{self.charm.primary_endpoint}:{DATABASE_PORT}/{database}",
             )
 
+    def update_tls_flag(self, tls: str) -> None:
+        """Update TLS flag and CA in relation databag."""
+        relations = self.model.relations[self.relation_name]
+        if tls == "True":
+            _, ca, _ = self.charm.tls.get_tls_files()
+        else:
+            ca = ""
+
+        for relation in relations:
+            self.database_provides.set_tls(relation.id, tls)
+            self.database_provides.set_tls_ca(relation.id, ca)
+
     def _check_multiple_endpoints(self) -> bool:
         """Checks if there are relations with other endpoints."""
         relation_names = {relation.name for relation in self.charm.client_relations}

tests/unit/test_postgresql_provider.py

@@ -142,6 +142,7 @@ def test_on_database_requested(harness):
             "password": "test-password",
             "version": POSTGRESQL_VERSION,
             "database": f"{DATABASE}",
+            "tls": "False",
         }
 
         # Assert no BlockedStatus was set.
@@ -153,6 +154,7 @@ def test_on_database_requested(harness):
         # No data is set in the databag by the database.
         assert harness.get_relation_data(rel_id, harness.charm.app.name) == {
             "data": f'{{"database": "{DATABASE}", "extra-user-roles": "{EXTRA_USER_ROLES}"}}',
+            "tls": "False",
         }
 
         # BlockedStatus due to a PostgreSQLCreateDatabaseError.
@@ -161,6 +163,7 @@ def test_on_database_requested(harness):
         # No data is set in the databag by the database.
         assert harness.get_relation_data(rel_id, harness.charm.app.name) == {
             "data": f'{{"database": "{DATABASE}", "extra-user-roles": "{EXTRA_USER_ROLES}"}}',
+            "tls": "False",
         }
 
         # BlockedStatus due to a PostgreSQLGetPostgreSQLVersionError.