
feat: use TLS lib v4 to manage certs #385

Open

wants to merge 4 commits into main

Conversation

DanielArndt
Member

@DanielArndt DanielArndt commented Jan 31, 2025

Issue

Closes #326

Reduce the code that must be managed by the o11y team.

Solution

Use the latest version of the TLS Interface Library (V4)

Context

The new version of the library attempts to encapsulate the boilerplate code needed to manage TLS certificates. This should largely (or entirely) replace cert_handler in most projects.

I'm making this PR to show how easy it should be to upgrade. I hope that using this as a template, you will be able to retire cert_handler entirely from every project. If not, please provide feedback on what could be improved!

Testing Instructions

Since I am largely unfamiliar with the project, I have relied on the e2e tests.

Upgrade Notes

This change will force a new private key for the charm and therefore request a new certificate. If the certificate is manually issued, it may need to be re-issued upon upgrade.

@DanielArndt DanielArndt marked this pull request as ready for review February 3, 2025 14:16
@DanielArndt DanielArndt requested a review from a team as a code owner February 3, 2025 14:16
@DanielArndt
Member Author

I believe the test failures are unrelated to this PR, but I don't have permission to re-run them.

Specifically, test_upgrade_charm.py runs locally.

@lucabello
Contributor

Hey Daniel, thanks a lot for this PR! I'll take a look at the tests :)

@lucabello lucabello changed the title Use TLS lib v4 to manage certs feat: use TLS lib v4 to manage certs Feb 5, 2025
@DanielArndt
Member Author

So the failing upgrade test seemed to be a result of removing the peer relation (a1abcd7). It seems as though Juju sometimes "informs" the charm this relation is being removed before the code is actually refreshed. This caused the old code (cert_handler) to fail as the relation it was expecting to exist no longer existed.

The possible paths forward AFAICT:

  1. keep the unused peer relation around. We could remove it in a follow-up PR since cert handler will no longer be able to throw an error (this assumes there are no other errors thrown by other parts of the code)
  2. fix cert_handler (and any other code that may throw an error) to not throw an error when the peer relation is removed. I believe this is isolated to cert_handler.

@lucabello
Contributor

I'll ask to prioritize this in the next pulse!

Development

Successfully merging this pull request may close these issues: chore: update libraries to new major versions