[DPE-6344] Persist transferred certificates upon start (#953)

sinclert-canonical · web-flow · commit 083b3036c243 · 2025-05-05T09:57:26.000+02:00
diff --git a/lib/charms/postgresql_k8s/v0/postgresql_tls.py b/lib/charms/postgresql_k8s/v0/postgresql_tls.py
@@ -23,7 +23,7 @@
 import logging
 import re
 import socket
-from typing import List, Optional
+from typing import Iterator, List, Optional
 
 from charms.certificate_transfer_interface.v0.certificate_transfer import (
     CertificateAvailableEvent as CertificateAddedEvent,
@@ -55,7 +55,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version.
-LIBPATCH = 14
+LIBPATCH = 15
 
 logger = logging.getLogger(__name__)
 SCOPE = "unit"
@@ -269,6 +269,17 @@ def is_ip_address(address: str) -> bool:
             "sans_dns": sans_dns,
         }
 
+    def get_ca_secret_names(self) -> Iterator[str]:
+        """Get a secret-name for each relation fulfilling the CA transfer interface.
+
+        Returns:
+            Secret name for a CA transfer fulfilled interface.
+        """
+        relations = self.charm.model.relations.get(TLS_TRANSFER_RELATION, [])
+
+        for relation in relations:
+            yield f"ca-{relation.app.name}"
+
     def get_tls_files(self) -> (Optional[str], Optional[str], Optional[str]):
         """Prepare TLS files in special PostgreSQL way.
 
diff --git a/src/charm.py b/src/charm.py
@@ -998,7 +998,9 @@ def _on_postgresql_pebble_ready(self, event: WorkloadEvent) -> None:
             return
 
         try:
-            self.push_tls_files_to_workload(container)
+            self.push_tls_files_to_workload()
+            for ca_secret_name in self.tls.get_ca_secret_names():
+                self.push_ca_file_into_workload(ca_secret_name)
         except (PathError, ProtocolError) as e:
             logger.error(
                 "Deferring on_postgresql_pebble_ready: Cannot push TLS certificates: %r", e
@@ -1893,10 +1895,9 @@ def _push_file_to_workload(self, container: Container, file_path: str, file_data
             group=WORKLOAD_OS_GROUP,
         )
 
-    def push_tls_files_to_workload(self, container: Container = None) -> bool:
+    def push_tls_files_to_workload(self) -> bool:
         """Uploads TLS files to the workload container."""
-        if container is None:
-            container = self.unit.get_container("postgresql")
+        container = self.unit.get_container("postgresql")
 
         key, ca, cert = self.tls.get_tls_files()
 
