Merge branch 'main' into sync-main-16

Author: dragomirp

config.yaml

@@ -69,6 +69,12 @@ options:
       Enable synchronized sequential scans.
     type: boolean
     default: true
+  ldap_search_filter:
+    description: |
+      The LDAP search filter to match users with.
+      Example: (|(uid=$username)(email=$username))
+    type: string
+    default: "(uid=$username)"
   logging_client_min_messages:
     description: |
       Sets the message levels that are sent to the client.

src/charm.py

@@ -114,6 +114,7 @@
     WORKLOAD_OS_GROUP,
     WORKLOAD_OS_USER,
 )
+from ldap import PostgreSQLLDAP
 from patroni import NotReadyError, Patroni, SwitchoverFailedError, SwitchoverNotSyncError
 from relations.async_replication import (
     REPLICATION_CONSUMER_RELATION,
@@ -154,6 +155,7 @@ class CannotConnectError(Exception):
         PostgreSQL,
         PostgreSQLAsyncReplication,
         PostgreSQLBackups,
+        PostgreSQLLDAP,
         PostgreSQLProvider,
         PostgreSQLTLS,
         PostgreSQLUpgrade,
@@ -228,6 +230,7 @@ def __init__(self, *args):
         self.framework.observe(self.on.upgrade_charm, self._on_upgrade_charm)
         self.postgresql_client_relation = PostgreSQLProvider(self)
         self.backup = PostgreSQLBackups(self, "s3-parameters")
+        self.ldap = PostgreSQLLDAP(self, "ldap")
         self.tls = PostgreSQLTLS(self, PEER, [self.primary_endpoint, self.replicas_endpoint])
         self.async_replication = PostgreSQLAsyncReplication(self)
         self.restart_manager = RollingOpsManager(
@@ -1201,25 +1204,32 @@ def _on_get_password(self, event: ActionEvent) -> None:
         If no user is provided, the password of the operator user is returned.
         """
         username = event.params.get("username", USER)
+        if username not in PASSWORD_USERS and self.is_ldap_enabled:
+            event.fail("The action can be run only for system users when LDAP is enabled")
+            return
         if username not in PASSWORD_USERS:
             event.fail(
-                f"The action can be run only for users used by the charm or Patroni:"
+                f"The action can be run only for system users or Patroni:"
                 f" {', '.join(PASSWORD_USERS)} not {username}"
             )
             return
+
         event.set_results({"password": self.get_secret(APP_SCOPE, f"{username}-password")})
 
-    def _on_set_password(self, event: ActionEvent) -> None:
+    def _on_set_password(self, event: ActionEvent) -> None:  # noqa: C901
         """Set the password for the specified user."""
         # Only leader can write the new password into peer relation.
         if not self.unit.is_leader():
             event.fail("The action can be run only on leader unit")
             return
 
         username = event.params.get("username", USER)
+        if username not in SYSTEM_USERS and self.is_ldap_enabled:
+            event.fail("The action can be run only for system users when LDAP is enabled")
+            return
         if username not in SYSTEM_USERS:
             event.fail(
-                f"The action can be run only for users used by the charm:"
+                f"The action can be run only for system users:"
                 f" {', '.join(SYSTEM_USERS)} not {username}"
             )
             return
@@ -1615,6 +1625,21 @@ def _patroni(self):
             self.get_secret(APP_SCOPE, PATRONI_PASSWORD_KEY),
         )
 
+    @property
+    def is_connectivity_enabled(self) -> bool:
+        """Return whether this unit can be connected externally."""
+        return self.unit_peer_data.get("connectivity", "on") == "on"
+
+    @property
+    def is_ldap_charm_related(self) -> bool:
+        """Return whether this unit has an LDAP charm related."""
+        return self.app_peer_data.get("ldap_enabled", "False") == "True"
+
+    @property
+    def is_ldap_enabled(self) -> bool:
+        """Return whether this unit has LDAP enabled."""
+        return self.is_ldap_charm_related and self.is_cluster_initialised
+
     @property
     def is_primary(self) -> bool:
         """Return whether this unit is the primary instance."""
@@ -1907,8 +1932,9 @@ def update_config(self, is_creating_backup: bool = False) -> bool:
         logger.info("Updating Patroni config file")
         # Update and reload configuration based on TLS files availability.
         self._patroni.render_patroni_yml_file(
-            connectivity=self.unit_peer_data.get("connectivity", "on") == "on",
+            connectivity=self.is_connectivity_enabled,
             is_creating_backup=is_creating_backup,
+            enable_ldap=self.is_ldap_enabled,
             enable_tls=self.is_tls_enabled,
             is_no_sync_member=self.upgrade.is_no_sync_member,
             backup_id=self.app_peer_data.get("restoring-backup"),
@@ -2310,6 +2336,35 @@ def get_plugins(self) -> list[str]:
                 plugins.append(ext)
         return plugins
 
+    def get_ldap_parameters(self) -> dict:
+        """Returns the LDAP configuration to use."""
+        if not self.is_cluster_initialised:
+            return {}
+        if not self.is_ldap_charm_related:
+            logger.debug("LDAP is not enabled")
+            return {}
+
+        relation_data = self.ldap.get_relation_data()
+        if relation_data is None:
+            return {}
+
+        params = {
+            "ldapbasedn": relation_data.base_dn,
+            "ldapbinddn": relation_data.bind_dn,
+            "ldapbindpasswd": relation_data.bind_password,
+            "ldaptls": relation_data.starttls,
+            "ldapurl": relation_data.urls[0],
+        }
+
+        # LDAP authentication parameters that are exclusive to
+        # one of the two supported modes (simple bind or search+bind)
+        # must be put at the very end of the parameters string
+        params.update({
+            "ldapsearchfilter": self.config.ldap_search_filter,
+        })
+
+        return params
+
 
 if __name__ == "__main__":
     main(PostgresqlOperatorCharm, use_juju_for_storage=True)

src/config.py

@@ -27,6 +27,7 @@ class CharmConfig(BaseConfigModel):
     instance_max_locks_per_transaction: int | None
     instance_password_encryption: str | None
     instance_synchronize_seqscans: bool | None
+    ldap_search_filter: str | None
     logging_client_min_messages: str | None
     logging_log_connections: bool | None
     logging_log_disconnections: bool | None

src/ldap.py

@@ -0,0 +1,85 @@
+# Copyright 2025 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+"""LDAP implementation."""
+
+import logging
+
+from charms.glauth_k8s.v0.ldap import (
+    LdapProviderData,
+    LdapReadyEvent,
+    LdapRequirer,
+    LdapUnavailableEvent,
+)
+from charms.postgresql_k8s.v0.postgresql_tls import (
+    TLS_TRANSFER_RELATION,
+)
+from ops import Relation
+from ops.framework import Object
+from ops.model import ActiveStatus, BlockedStatus
+
+logger = logging.getLogger(__name__)
+
+
+class PostgreSQLLDAP(Object):
+    """In this class, we manage PostgreSQL LDAP access."""
+
+    def __init__(self, charm, relation_name: str):
+        """Manager of PostgreSQL LDAP."""
+        super().__init__(charm, "ldap")
+        self.charm = charm
+        self.relation_name = relation_name
+
+        # LDAP relation handles the config options for LDAP access
+        self.ldap = LdapRequirer(self.charm, self.relation_name)
+        self.framework.observe(self.ldap.on.ldap_ready, self._on_ldap_ready)
+        self.framework.observe(self.ldap.on.ldap_unavailable, self._on_ldap_unavailable)
+
+    @property
+    def ca_transferred(self) -> bool:
+        """Return whether the CA certificate has been transferred."""
+        ca_transferred_relations = self.model.relations[TLS_TRANSFER_RELATION]
+
+        for relation in ca_transferred_relations:
+            if relation.app.name == self._relation.app.name:
+                return True
+
+        return False
+
+    @property
+    def _relation(self) -> Relation:
+        """Return the relation object."""
+        return self.model.get_relation(self.relation_name)
+
+    def _on_ldap_ready(self, event: LdapReadyEvent) -> None:
+        """Handler for the LDAP ready event."""
+        if not self.ca_transferred:
+            self.charm.unit.status = BlockedStatus("LDAP insecure. Send LDAP server certificate")
+            event.defer()
+            return
+
+        logger.debug("Enabling LDAP connection")
+        if self.charm.unit.is_leader():
+            self.charm.app_peer_data.update({"ldap_enabled": "True"})
+
+        self.charm.update_config()
+        self.charm.unit.status = ActiveStatus()
+
+    def _on_ldap_unavailable(self, _: LdapUnavailableEvent) -> None:
+        """Handler for the LDAP unavailable event."""
+        logger.debug("Disabling LDAP connection")
+        if self.charm.unit.is_leader():
+            self.charm.app_peer_data.update({"ldap_enabled": "False"})
+
+        self.charm.update_config()
+
+    def get_relation_data(self) -> LdapProviderData | None:
+        """Get the LDAP info from the LDAP Provider class."""
+        data = self.ldap.consume_ldap_relation_data(relation=self._relation)
+        if data is None:
+            logger.warning("LDAP relation is not ready")
+
+        if not self.charm.is_connectivity_enabled:
+            logger.warning("LDAP server will not be accessible")
+
+        return data

src/patroni.py

@@ -114,6 +114,17 @@ def rock_postgresql_version(self) -> str | None:
         snap_meta = container.pull("/meta.charmed-postgresql/snap.yaml")
         return yaml.safe_load(snap_meta)["version"]
 
+    @staticmethod
+    def _dict_to_hba_string(_dict: dict[str, Any]) -> str:
+        """Transform a dictionary into a Host Based Authentication valid string."""
+        for key, value in _dict.items():
+            if isinstance(value, bool):
+                _dict[key] = int(value)
+            if isinstance(value, str):
+                _dict[key] = f'"{value}"'
+
+        return " ".join(f"{key}={value}" for key, value in _dict.items())
+
     def _get_alternative_patroni_url(
         self, attempt: AttemptManager, alternative_endpoints: list[str] | None = None
     ) -> str:
@@ -503,6 +514,7 @@ def render_patroni_yml_file(
         self,
         connectivity: bool = False,
         is_creating_backup: bool = False,
+        enable_ldap: bool = False,
         enable_tls: bool = False,
         is_no_sync_member: bool = False,
         stanza: str | None = None,
@@ -518,6 +530,7 @@ def render_patroni_yml_file(
 
         Args:
             connectivity: whether to allow external connections to the database.
+            enable_ldap: whether to enable LDAP authentication.
             enable_tls: whether to enable TLS.
             is_creating_backup: whether this unit is creating a backup.
             is_no_sync_member: whether this member shouldn't be a synchronous standby
@@ -534,9 +547,13 @@ def render_patroni_yml_file(
         # Open the template patroni.yml file.
         with open("templates/patroni.yml.j2") as file:
             template = Template(file.read())
+
+        ldap_params = self._charm.get_ldap_parameters()
+
         # Render the template file with the correct values.
         rendered = template.render(
             connectivity=connectivity,
+            enable_ldap=enable_ldap,
             enable_tls=enable_tls,
             endpoint=self._endpoint,
             endpoints=self._endpoints,
@@ -562,6 +579,7 @@ def render_patroni_yml_file(
             pg_parameters=parameters,
             primary_cluster_endpoint=self._charm.async_replication.get_primary_cluster_endpoint(),
             extra_replication_endpoints=self._charm.async_replication.get_standby_endpoints(),
+            ldap_parameters=self._dict_to_hba_string(ldap_params),
             patroni_password=self._patroni_password,
         )
         self._render_file(f"{self._storage_path}/patroni.yml", rendered, 0o644)

templates/patroni.yml.j2

@@ -140,7 +140,11 @@ postgresql:
   {%- if not connectivity %}
   - {{ 'hostssl' if enable_tls else 'host' }} all all 0.0.0.0/0 reject
   - {{ 'hostssl' if enable_tls else 'host' }} all all {{ endpoint }}.{{ namespace }}.svc.cluster.local md5
-  {% else %}
+  {%- elif enable_ldap %}
+  - {{ 'hostssl' if enable_tls else 'host' }} all +identity_access 0.0.0.0/0 ldap {{ ldap_parameters }}
+  - {{ 'hostssl' if enable_tls else 'host' }} all +internal_access 0.0.0.0/0 md5
+  - {{ 'hostssl' if enable_tls else 'host' }} all +relation_access 0.0.0.0/0 md5
+  {%- else %}
   - {{ 'hostssl' if enable_tls else 'host' }} all all 0.0.0.0/0 md5
   {%- endif %}
   - {{ 'hostssl' if enable_tls else 'host' }} replication replication 127.0.0.1/32 md5