[DPE-5965] - Set private key with juju secrets #29
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This pull request added CA rotation to the charm. ### TLS Certificate Management Enhancements: * **New TLS CA Rotation States:** - Added `TLSCARotationState` enum to represent different stages of CA rotation (`src/literals.py`). * **CA Rotation and Cleanup Methods:** - Introduced methods in `TLSManager` for setting CA rotation state, checking CA status across servers, and cleaning up old CAs (`src/managers/tls.py`). [[1]](diffhunk://#diff-a2c036f44ae9bbab595aad84b23bc3106a342c5ab12f7b0cf3d26268b51cdc83R136-R204) [[2]](diffhunk://#diff-a2c036f44ae9bbab595aad84b23bc3106a342c5ab12f7b0cf3d26268b51cdc83L57-R102) * **Event Handling Updates:** - Added `CleanCAEvent` to handle CA cleanup events and integrated it into the `TLSEvents` class (`src/events/tls.py`). [[1]](diffhunk://#diff-3dfb4a104b407f7d4b2e07795a63745a09cde228a8dbe86602e7b72ea600fbe4L15-R57) [[2]](diffhunk://#diff-3dfb4a104b407f7d4b2e07795a63745a09cde228a8dbe86602e7b72ea600fbe4R88-R89) [[3]](diffhunk://#diff-3dfb4a104b407f7d4b2e07795a63745a09cde228a8dbe86602e7b72ea600fbe4R229-R243) ### Codebase Improvements: * **Logging Enhancements:** - Improved logging messages to provide more context during rolling restarts and CA rotations (`src/charm.py`). [[1]](diffhunk://#diff-b9ed39bbc9c0387bd3e07da31d13373745534a1cd723d3e292c73496b12e307cL68-R78) [[2]](diffhunk://#diff-b9ed39bbc9c0387bd3e07da31d13373745534a1cd723d3e292c73496b12e307cR178-R202)
reneradoi
requested changes
Jan 28, 2025
There was a problem hiding this comment.
Thank you Smail, I really appreciate the work you did and all the back-and-forth with the TLS team.
Unfortunately the TLS v4 lib has another couple of flaws here. Especially:
- not being able to have separate private keys for multiple use cases
- not being able to provide a user-supplied private key when regenerating it
are major downsides from my point of view. We should only consider the solution implemented here as a workaround, as it introduced potential liabilities to our code when we need to access "protected" methods of the lib to fulfill our use cases.
We as a team should make a decision here if we want to go with the workaround for now or request these features to be delivered by the TLS team and postponing the TLS private key topic until then.
This pull request updates multiple test files to replace the `wait_for_idle` method with the `wait_until` method for better consistency and reliability in test execution. Changes in test files: * [`tests/integration/ha/test_scaling.py`](diffhunk://#diff-1511afef9daad75af5001b5c55a0fb9dfc6ba38d784615be51dd492e4a330309R18): Imported `wait_until` from `helpers_deployment` and replaced `wait_for_idle` with `wait_until` in `test_build_and_deploy` and `test_scale_up` functions. [[1]](diffhunk://#diff-1511afef9daad75af5001b5c55a0fb9dfc6ba38d784615be51dd492e4a330309R18) [[2]](diffhunk://#diff-1511afef9daad75af5001b5c55a0fb9dfc6ba38d784615be51dd492e4a330309L42-R43) [[3]](diffhunk://#diff-1511afef9daad75af5001b5c55a0fb9dfc6ba38d784615be51dd492e4a330309L63-R65) * [`tests/integration/test_charm.py`](diffhunk://#diff-08291d7f4ad7b2caecacb6ae26af540ebbaede9fe42d5e8e1b39d2bdefe4c2d4R20): Imported `wait_until` from `helpers_deployment` and replaced `wait_for_idle` with `wait_until` in `test_build_and_deploy` and `test_update_admin_password` functions. [[1]](diffhunk://#diff-08291d7f4ad7b2caecacb6ae26af540ebbaede9fe42d5e8e1b39d2bdefe4c2d4R20) [[2]](diffhunk://#diff-08291d7f4ad7b2caecacb6ae26af540ebbaede9fe42d5e8e1b39d2bdefe4c2d4L41-R42) [[3]](diffhunk://#diff-08291d7f4ad7b2caecacb6ae26af540ebbaede9fe42d5e8e1b39d2bdefe4c2d4L98-R99) [[4]](diffhunk://#diff-08291d7f4ad7b2caecacb6ae26af540ebbaede9fe42d5e8e1b39d2bdefe4c2d4L107-R108) * [`tests/integration/tls/test_ca_rotation.py`](diffhunk://#diff-a8362a8580830e574ae0f1e2fbd35adbf5ea51ed2ae3a85e78c5a2eebaa4d0c7R25): Imported `wait_until` from `helpers_deployment` and replaced `wait_for_idle` with `wait_until` in `test_build_and_deploy_with_tls` function. [[1]](diffhunk://#diff-a8362a8580830e574ae0f1e2fbd35adbf5ea51ed2ae3a85e78c5a2eebaa4d0c7R25) [[2]](diffhunk://#diff-a8362a8580830e574ae0f1e2fbd35adbf5ea51ed2ae3a85e78c5a2eebaa4d0c7L56-R57) [[3]](diffhunk://#diff-a8362a8580830e574ae0f1e2fbd35adbf5ea51ed2ae3a85e78c5a2eebaa4d0c7L131-R133) * [`tests/integration/tls/test_private_key_rotation.py`](diffhunk://#diff-858b4ba3b588d303d7396271ac3575bbe9585625ee8b278feb1411524d533a97R32): Imported `wait_until` from `helpers_deployment` and replaced `wait_for_idle` with `wait_until` in `test_build_and_deploy_with_tls` and `test_set_private_key` functions. [[1]](diffhunk://#diff-858b4ba3b588d303d7396271ac3575bbe9585625ee8b278feb1411524d533a97R32) [[2]](diffhunk://#diff-858b4ba3b588d303d7396271ac3575bbe9585625ee8b278feb1411524d533a97L63-R64) [[3]](diffhunk://#diff-858b4ba3b588d303d7396271ac3575bbe9585625ee8b278feb1411524d533a97L170-R171) [[4]](diffhunk://#diff-858b4ba3b588d303d7396271ac3575bbe9585625ee8b278feb1411524d533a97L235-R236) * [`tests/integration/tls/test_tls.py`](diffhunk://#diff-5877b0903d94204b2a76f3b252020e23fc436bd77688fe77e00a66b864ac9fe0R25): Imported `wait_until` from `helpers_deployment` and replaced `wait_for_idle` with `wait_until` in multiple functions including `test_build_and_deploy_with_tls`, `test_disable_tls`, `test_enable_tls`, `test_disable_and_enable_peer_tls`, `test_disable_and_enable_client_tls`, and `test_certificate_expiration`. [[1]](diffhunk://#diff-5877b0903d94204b2a76f3b252020e23fc436bd77688fe77e00a66b864ac9fe0R25) [[2]](diffhunk://#diff-5877b0903d94204b2a76f3b252020e23fc436bd77688fe77e00a66b864ac9fe0L57-R58) [[3]](diffhunk://#diff-5877b0903d94204b2a76f3b252020e23fc436bd77688fe77e00a66b864ac9fe0L119-R120) [[4]](diffhunk://#diff-5877b0903d94204b2a76f3b252020e23fc436bd77688fe77e00a66b864ac9fe0L175-R176) [[5]](diffhunk://#diff-5877b0903d94204b2a76f3b252020e23fc436bd77688fe77e00a66b864ac9fe0L246-R247) [[6]](diffhunk://#diff-5877b0903d94204b2a76f3b252020e23fc436bd77688fe77e00a66b864ac9fe0L302-R303) [[7]](diffhunk://#diff-5877b0903d94204b2a76f3b252020e23fc436bd77688fe77e00a66b864ac9fe0L371-R372) [[8]](diffhunk://#diff-5877b0903d94204b2a76f3b252020e23fc436bd77688fe77e00a66b864ac9fe0L423-R424) [[9]](diffhunk://#diff-5877b0903d94204b2a76f3b252020e23fc436bd77688fe77e00a66b864ac9fe0L490-R491) [[10]](diffhunk://#diff-5877b0903d94204b2a76f3b252020e23fc436bd77688fe77e00a66b864ac9fe0L549-R550)
Mehdi-Bendriss
previously approved these changes
Feb 6, 2025
Co-authored-by: Mehdi Bendriss <[email protected]>
Mehdi-Bendriss
approved these changes
Feb 6, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request introduces the ability to set TLS private keys through a config option to pass a juju secret id.
The TLS v4 lib used is forked here.
Config and literals:
config.yaml: Added a new configuration optiontls-private-keyfor specifying the private key for TLS certificates.src/literals.py: IntroducedTLS_PRIVATE_KEY_CONFIGconstant to reference the new configuration option.Event Handling Updates:
src/events/etcd.py: Updated event handlers to manage the TLS private key, including fetching and updating the private key from secrets. [1] [2] [3]Testing Improvements:
tests/integration/helpers.py: Added a helper functionadd_secretto facilitate adding secrets during integration tests.tests/integration/tls/test_private_key_rotation.py: Added new integration tests to verify the private key rotation functionality and ensure the cluster remains accessible after key changes.tests/unit/test_tls.py: Expanded unit tests to cover the new TLS private key configuration and handling.