Merge branch 'main' into sync-main-16

Author: dragomirp

lib/charms/certificate_transfer_interface/v0/certificate_transfer.py

@@ -102,7 +102,13 @@ def _on_certificate_removed(self, event: CertificateRemovedEvent):
 
 from jsonschema import exceptions, validate  # type: ignore[import-untyped]
 from ops import Relation
-from ops.charm import CharmBase, CharmEvents, RelationBrokenEvent, RelationChangedEvent
+from ops.charm import (
+    CharmBase,
+    CharmEvents,
+    RelationBrokenEvent,
+    RelationChangedEvent,
+    RelationCreatedEvent,
+)
 from ops.framework import EventBase, EventSource, Handle, Object
 
 # The unique Charmhub library identifier, never change it
@@ -113,7 +119,7 @@ def _on_certificate_removed(self, event: CertificateRemovedEvent):
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 9
+LIBPATCH = 11
 
 PYDEPS = ["jsonschema"]
 
@@ -136,6 +142,7 @@ def _on_certificate_removed(self, event: CertificateRemovedEvent):
                 "-----BEGIN CERTIFICATE-----\nMIIC6DCCAdCgAwIBAgIUW42TU9LSjEZLMCclWrvSwAsgRtcwDQYJKoZIhvcNAQEL\nBQAwIDELMAkGA1UEBhMCVVMxETAPBgNVBAMMCHdoYXRldmVyMB4XDTIzMDMyNDE4\nNDMxOVoXDTI0MDMyMzE4NDMxOVowPDELMAkGA1UEAwwCb2sxLTArBgNVBC0MJGUw\nNjVmMWI3LTE2OWEtNDE5YS1iNmQyLTc3OWJkOGM4NzIwNjCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAK42ixoklDH5K5i1NxXo/AFACDa956pE5RA57wlC\nBfgUYaIDRmv7TUVJh6zoMZSD6wjSZl3QgP7UTTZeHbvs3QE9HUwEkH1Lo3a8vD3z\neqsE2vSnOkpWWnPbfxiQyrTm77/LAWBt7lRLRLdfL6WcucD3wsGqm58sWXM3HG0f\nSN7PHCZUFqU6MpkHw8DiKmht5hBgWG+Vq3Zw8MNaqpwb/NgST3yYdcZwb58G2FTS\nZvDSdUfRmD/mY7TpciYV8EFylXNNFkth8oGNLunR9adgZ+9IunfRKj1a7S5GSwXU\nAZDaojw+8k5i3ikztsWH11wAVCiLj/3euIqq95z8xGycnKcCAwEAATANBgkqhkiG\n9w0BAQsFAAOCAQEAWMvcaozgBrZ/MAxzTJmp5gZyLxmMNV6iT9dcqbwzDtDtBvA/\n46ux6ytAQ+A7Bd3AubvozwCr1Id6g66ae0blWYRRZmF8fDdX/SBjIUkv7u9A3NVQ\nXN9gsEvK9pdpfN4ZiflfGSLdhM1STHycLmhG6H5s7HklbukMRhQi+ejbSzm/wiw1\nipcxuKhSUIVNkTLusN5b+HE2gwF1fn0K0z5jWABy08huLgbaEKXJEx5/FKLZGJga\nfpIzAdf25kMTu3gggseaAmzyX3AtT1i8A8nqYfe8fnnVMkvud89kq5jErv/hlMC9\n49g5yWQR2jilYYM3j9BHDuB+Rs+YS5BCep1JnQ==\n-----END CERTIFICATE-----\n",
                 "-----BEGIN CERTIFICATE-----\nMIIC6DCCAdCgAwIBAgIUdiBwE/CtaBXJl3MArjZen6Y8kigwDQYJKoZIhvcNAQEL\nBQAwIDELMAkGA1UEBhMCVVMxETAPBgNVBAMMCHdoYXRldmVyMB4XDTIzMDMyNDE4\nNDg1OVoXDTI0MDMyMzE4NDg1OVowPDELMAkGA1UEAwwCb2sxLTArBgNVBC0MJDEw\nMDdjNDBhLWUwYzMtNDVlOS05YTAxLTVlYjY0NWQ0ZmEyZDCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBANOnUl6JDlXpLMRr/PxgtfE/E5Yk6E/TkPkPL/Kk\ntUGjEi42XZDg9zn3U6cjTDYu+rfKY2jiitfsduW6DQIkEpz3AvbuCMbbgnFpcjsB\nYysLSMTmuz/AVPrfnea/tQTALcONCSy1VhAjGSr81ZRSMB4khl9StSauZrbkpJ1P\nshqkFSUyAi31mKrnXz0Es/v0Yi0FzAlgWrZ4u1Ld+Bo2Xz7oK4mHf7/93Jc+tEaM\nIqG6ocD0q8bjPp0tlSxftVADNUzWlZfM6fue5EXzOsKqyDrxYOSchfU9dNzKsaBX\nkxbHEeSUPJeYYj7aVPEfAs/tlUGsoXQvwWfRie8grp2BoLECAwEAATANBgkqhkiG\n9w0BAQsFAAOCAQEACZARBpHYH6Gr2a1ka0mCWfBmOZqfDVan9rsI5TCThoylmaXW\nquEiZ2LObI+5faPzxSBhr9TjJlQamsd4ywout7pHKN8ZGqrCMRJ1jJbUfobu1n2k\nUOsY4+jzV1IRBXJzj64fLal4QhUNv341lAer6Vz3cAyRk7CK89b/DEY0x+jVpyZT\n1osx9JtsOmkDTgvdStGzq5kPKWOfjwHkmKQaZXliCgqbhzcCERppp1s/sX6K7nIh\n4lWiEmzUSD3Hngk51KGWlpZszO5KQ4cSZ3HUt/prg+tt0ROC3pY61k+m5dDUa9M8\nRtMI6iTjzSj/UV8DiAx0yeM+bKoy4jGeXmaL3g==\n-----END CERTIFICATE-----\n",
             ],
+            "version": 0,
         }
     ],
     "properties": {
@@ -158,6 +165,13 @@ def _on_certificate_removed(self, event: CertificateRemovedEvent):
             "title": "CA public TLS certificate chain",
             "description": "CA public TLS certificate chain",
         },
+        "version": {
+            "$id": "#/properties/version",
+            "type": "integer",
+            "title": "Interface version",
+            "minimum": 0,
+            "description": "Highest supported version of this interface",
+        },
     },
     "anyOf": [{"required": ["certificate"]}, {"required": ["ca"]}, {"required": ["chain"]}],
     "additionalProperties": True,
@@ -277,6 +291,7 @@ def set_certificate(
         relation.data[self.model.unit]["certificate"] = certificate
         relation.data[self.model.unit]["ca"] = ca
         relation.data[self.model.unit]["chain"] = json.dumps(chain)
+        relation.data[self.model.unit]["version"] = str(LIBAPI)
 
     def remove_certificate(self, relation_id: int) -> None:
         """Remove a given certificate from relation data.
@@ -339,6 +354,9 @@ def __init__(
         self.framework.observe(
             charm.on[relationship_name].relation_broken, self._on_relation_broken
         )
+        self.framework.observe(
+            charm.on[relationship_name].relation_created, self._on_relation_created
+        )
 
     @staticmethod
     def _relation_data_is_valid(relation_data: dict) -> bool:
@@ -393,9 +411,21 @@ def _on_relation_broken(self, event: RelationBrokenEvent) -> None:
         """
         self.on.certificate_removed.emit(relation_id=event.relation.id)
 
+    def _on_relation_created(self, event: RelationCreatedEvent) -> None:
+        """Handle relation created event.
+
+        Args:
+            event: Juju event
+
+        Returns:
+            None
+        """
+        if self.model.unit.is_leader():
+            event.relation.data[self.model.app]["version"] = str(LIBAPI)
+
     def is_ready(self, relation: Relation) -> bool:
         """Check if the relation is ready by checking that it has valid relation data."""
-        relation_data = _load_relation_data(relation.data[relation.app])
+        relation_data = _load_relation_data(relation.data[relation.units.pop()])
         if not self._relation_data_is_valid(relation_data):
             logger.warning("Provider relation data did not pass JSON Schema validation: ")
             return False

lib/charms/data_platform_libs/v0/data_interfaces.py

@@ -331,7 +331,7 @@ def _on_topic_requested(self, event: TopicRequestedEvent):
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 41
+LIBPATCH = 42
 
 PYDEPS = ["ops>=2.0.0"]
 
@@ -960,6 +960,7 @@ class Data(ABC):
         "username": SECRET_GROUPS.USER,
         "password": SECRET_GROUPS.USER,
         "uris": SECRET_GROUPS.USER,
+        "read-only-uris": SECRET_GROUPS.USER,
         "tls": SECRET_GROUPS.TLS,
         "tls-ca": SECRET_GROUPS.TLS,
     }
@@ -1700,7 +1701,7 @@ def set_tls_ca(self, relation_id: int, tls_ca: str) -> None:
 class RequirerData(Data):
     """Requirer-side of the relation."""
 
-    SECRET_FIELDS = ["username", "password", "tls", "tls-ca", "uris"]
+    SECRET_FIELDS = ["username", "password", "tls", "tls-ca", "uris", "read-only-uris"]
 
     def __init__(
         self,
@@ -2368,7 +2369,7 @@ def _delete_relation_data(self, relation: Relation, fields: List[str]) -> None:
                 self.secret_fields,
                 fields,
                 self._update_relation_secret,
-                data={field: self.deleted_label for field in fields},
+                data=dict.fromkeys(fields, self.deleted_label),
             )
         else:
             _, normal_fields = self._process_secret_fields(
@@ -2749,6 +2750,19 @@ def uris(self) -> Optional[str]:
 
         return self.relation.data[self.relation.app].get("uris")
 
+    @property
+    def read_only_uris(self) -> Optional[str]:
+        """Returns the readonly connection URIs."""
+        if not self.relation.app:
+            return None
+
+        if self.secrets_enabled:
+            secret = self._get_secret("user")
+            if secret:
+                return secret.get("read-only-uris")
+
+        return self.relation.data[self.relation.app].get("read-only-uris")
+
     @property
     def version(self) -> Optional[str]:
         """Returns the version of the database.
@@ -2855,6 +2869,15 @@ def set_uris(self, relation_id: int, uris: str) -> None:
         """
         self.update_relation_data(relation_id, {"uris": uris})
 
+    def set_read_only_uris(self, relation_id: int, uris: str) -> None:
+        """Set the database readonly connection URIs in the application relation databag.
+
+        Args:
+            relation_id: the identifier for a particular relation.
+            uris: connection URIs.
+        """
+        self.update_relation_data(relation_id, {"read-only-uris": uris})
+
     def set_version(self, relation_id: int, version: str) -> None:
         """Set the database version in the application relation databag.
 

lib/charms/glauth_k8s/v0/ldap.py

@@ -147,7 +147,7 @@ def _on_ldap_requested(self, event: LdapRequestedEvent) -> None:
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 9
+LIBPATCH = 10
 
 PYDEPS = ["pydantic"]
 
@@ -178,13 +178,13 @@ def field_validator(*args: Any, **kwargs: Any) -> Callable:
 
     encoders_config = {}
 
-    def field_serializer(field_name: str, mode: Optional[str] = None) -> Callable:
+    def field_serializer(*fields: str, mode: Optional[str] = None) -> Callable:
         def _field_serializer(f: Callable, *args: Any, **kwargs: Any) -> Callable:
             @wraps(f)
             def wrapper(self: object, *args: Any, **kwargs: Any) -> Any:
                 return f(self, *args, **kwargs)
 
-            encoders_config[wrapper] = field_name
+            encoders_config[wrapper] = fields
             return wrapper
 
         return _field_serializer
@@ -195,9 +195,10 @@ def __init__(self, name: str, bases: Tuple[object], attrs: Dict) -> None:
                 self._encoders = {}
 
             self._encoders.update({
-                encoders_config[func]: func
+                encoder: func
                 for func in attrs.values()
                 if callable(func) and func in encoders_config
+                for encoder in encoders_config[func]
             })
 
             super().__init__(name, bases, attrs)
@@ -284,6 +285,7 @@ def remove(self) -> None:
 
 class LdapProviderBaseData(BaseModel):
     urls: List[str] = Field(frozen=True)
+    ldaps_urls: List[str] = Field(frozen=True)
     base_dn: str = Field(frozen=True)
     starttls: StrictBool = Field(frozen=True)
 
@@ -301,7 +303,21 @@ def validate_ldap_urls(cls, vs: List[str] | str) -> List[str]:
 
         return vs
 
-    @field_serializer("urls")
+    @field_validator("ldaps_urls", mode="before")
+    @classmethod
+    def validate_ldaps_urls(cls, vs: List[str] | str) -> List[str]:
+        if isinstance(vs, str):
+            vs = json.loads(vs)
+            if isinstance(vs, str):
+                vs = [vs]
+
+        for v in vs:
+            if not v.startswith("ldaps://"):
+                raise ValidationError.from_exception_data("Invalid LDAPS URL scheme.")
+
+        return vs
+
+    @field_serializer("urls", "ldaps_urls")
     def serialize_list(self, urls: List[str]) -> str:
         return str(json.dumps(urls))
 

lib/charms/loki_k8s/v1/loki_push_api.py

@@ -9,7 +9,7 @@
 This document explains how to use the two principal objects this library provides:
 
 - `LokiPushApiProvider`: This object is meant to be used by any Charmed Operator that needs to
-implement the provider side of the `loki_push_api` relation interface: for instance, a Loki charm.
+implement the provider side of the `loki_push_api` relation interface. For instance, a Loki charm.
 The provider side of the relation represents the server side, to which logs are being pushed.
 
 - `LokiPushApiConsumer`: This object is meant to be used by any Charmed Operator that needs to
@@ -546,7 +546,7 @@ def __init__(self, ...):
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 15
+LIBPATCH = 16
 
 PYDEPS = ["cosl"]
 
@@ -1756,8 +1756,11 @@ def _on_logging_relation_changed(self, event: RelationEvent):
 
         self.on.loki_push_api_endpoint_joined.emit()
 
-    def _reinitialize_alert_rules(self):
+    def reload_alerts(self) -> None:
         """Reloads alert rules and updates all relations."""
+        self._reinitialize_alert_rules()
+
+    def _reinitialize_alert_rules(self):
         for relation in self._charm.model.relations[self._relation_name]:
             self._handle_alert_rules(relation)
 

lib/charms/tempo_coordinator_k8s/v0/tracing.py

@@ -110,7 +110,7 @@ def __init__(self, *args):
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 6
+LIBPATCH = 7
 
 PYDEPS = ["pydantic"]
 
@@ -780,7 +780,16 @@ def __init__(
         self.framework.observe(events.relation_broken, self._on_tracing_relation_broken)
 
         if protocols:
-            self.request_protocols(protocols)
+            # we can't be sure that the current event context supports read/writing relation data for this relation,
+            # so we catch ModelErrors. This is because we're doing this in init.
+            try:
+                self.request_protocols(protocols)
+            except ModelError as e:
+                logger.error(
+                    f"encountered error {e} while attempting to request_protocols."
+                    f"The relation must be gone."
+                )
+                pass
 
     def request_protocols(
         self, protocols: Sequence[ReceiverProtocol], relation: Optional[Relation] = None
@@ -795,26 +804,11 @@ def request_protocols(
                 "You need to pass a nonempty sequence of protocols to `request_protocols`."
             )
 
-        try:
-            if self._charm.unit.is_leader():
-                for relation in relations:
-                    TracingRequirerAppData(
-                        receivers=list(protocols),
-                    ).dump(relation.data[self._charm.app])
-
-        except ModelError as e:
-            # args are bytes
-            msg = e.args[0]
-            if isinstance(msg, bytes):
-                if msg.startswith(
-                    b"ERROR cannot read relation application settings: permission denied"
-                ):
-                    logger.error(
-                        f"encountered error {e} while attempting to request_protocols."
-                        f"The relation must be gone."
-                    )
-                    return
-            raise
+        if self._charm.unit.is_leader():
+            for relation in relations:
+                TracingRequirerAppData(
+                    receivers=list(protocols),
+                ).dump(relation.data[self._charm.app])
 
     @property
     def relations(self) -> List[Relation]:

src/relations/postgresql_provider.py

@@ -136,7 +136,7 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
                 self.database_provides.set_tls_ca(event.relation.id, ca)
 
             # Update the read-only endpoint.
-            self.update_read_only_endpoint(event)
+            self.update_read_only_endpoint(event, user, password)
 
             # Set the database version.
             self.database_provides.set_version(
@@ -200,7 +200,13 @@ def _on_relation_broken(self, event: RelationBrokenEvent) -> None:
                 f"Failed to delete user during {self.relation_name} relation broken event"
             )
 
-    def update_read_only_endpoint(self, event: DatabaseRequestedEvent = None) -> None:
+    def update_read_only_endpoint(
+        self,
+        event: DatabaseRequestedEvent | None = None,
+        user: str | None = None,
+        password: str | None = None,
+        database: str | None = None,
+    ) -> None:
         """Set the read-only endpoint only if there are replicas."""
         if not self.charm.unit.is_leader():
             return
@@ -209,18 +215,43 @@ def update_read_only_endpoint(self, event: DatabaseRequestedEvent = None) -> Non
         endpoints = (
             f"{self.charm.replicas_endpoint}:{DATABASE_PORT}"
             if len(self.charm._peers.units) > 0
-            else ""
+            else f"{self.charm.primary_endpoint}:{DATABASE_PORT}"
         )
 
         # Get the current relation or all the relations
         # if this is triggered by another type of event.
         relations = [event.relation] if event else self.model.relations[self.relation_name]
+        if not event:
+            user = None
+            password = None
+            database = None
 
         for relation in relations:
             self.database_provides.set_read_only_endpoints(
                 relation.id,
                 endpoints,
             )
+            # Make sure that the URI will be a secret
+            if (
+                secret_fields := self.database_provides.fetch_relation_field(
+                    relation.id, "requested-secrets"
+                )
+            ) and "read-only-uris" in secret_fields:
+                if not user or not password or not database:
+                    user = f"relation_id_{relation.id}"
+                    database = self.database_provides.fetch_relation_field(relation.id, "database")
+                    password = self.database_provides.fetch_my_relation_field(
+                        relation.id, "password"
+                    )
+
+                self.database_provides.set_read_only_uris(
+                    relation.id,
+                    f"postgresql://{user}:{password}@{endpoints}/{database}",
+                )
+            # Reset the creds for the next iteration
+            user = None
+            password = None
+            database = None
 
     def update_tls_flag(self, tls: str) -> None:
         """Update TLS flag and CA in relation databag."""