[DPE-6344] LDAP II: Include charm libs (#883)

Author: sinclert-canonical

lib/charms/certificate_transfer_interface/v0/certificate_transfer.py

@@ -6,8 +6,9 @@
 This class handles certificate request and renewal through
 the interaction with the TLS Certificates Operator.
 
-This library needs that https://charmhub.io/tls-certificates-interface/libraries/tls_certificates
-library is imported to work.
+This library needs that the following libraries are imported to work:
+- https://charmhub.io/certificate-transfer-interface/libraries/certificate_transfer
+- https://charmhub.io/tls-certificates-interface/libraries/tls_certificates
 
 It also needs the following methods in the charm class:
 — get_hostname_by_unit: to retrieve the DNS hostname of the unit.
@@ -24,6 +25,15 @@
 import socket
 from typing import List, Optional
 
+from charms.certificate_transfer_interface.v0.certificate_transfer import (
+    CertificateAvailableEvent as CertificateAddedEvent,
+)
+from charms.certificate_transfer_interface.v0.certificate_transfer import (
+    CertificateRemovedEvent as CertificateRemovedEvent,
+)
+from charms.certificate_transfer_interface.v0.certificate_transfer import (
+    CertificateTransferRequires,
+)
 from charms.tls_certificates_interface.v2.tls_certificates import (
     CertificateAvailableEvent,
     CertificateExpiringEvent,
@@ -45,11 +55,12 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version.
-LIBPATCH = 13
+LIBPATCH = 14
 
 logger = logging.getLogger(__name__)
 SCOPE = "unit"
-TLS_RELATION = "certificates"
+TLS_CREATION_RELATION = "certificates"
+TLS_TRANSFER_RELATION = "receive-ca-cert"
 
 
 class PostgreSQLTLS(Object):
@@ -63,18 +74,29 @@ def __init__(
         self.charm = charm
         self.peer_relation = peer_relation
         self.additional_dns_names = additional_dns_names or []
-        self.certs = TLSCertificatesRequiresV2(self.charm, TLS_RELATION)
+        self.certs_creation = TLSCertificatesRequiresV2(self.charm, TLS_CREATION_RELATION)
+        self.certs_transfer = CertificateTransferRequires(self.charm, TLS_TRANSFER_RELATION)
         self.framework.observe(
             self.charm.on.set_tls_private_key_action, self._on_set_tls_private_key
         )
         self.framework.observe(
-            self.charm.on[TLS_RELATION].relation_joined, self._on_tls_relation_joined
+            self.charm.on[TLS_CREATION_RELATION].relation_joined, self._on_tls_relation_joined
+        )
+        self.framework.observe(
+            self.charm.on[TLS_CREATION_RELATION].relation_broken, self._on_tls_relation_broken
+        )
+        self.framework.observe(
+            self.certs_creation.on.certificate_available, self._on_certificate_available
+        )
+        self.framework.observe(
+            self.certs_creation.on.certificate_expiring, self._on_certificate_expiring
         )
         self.framework.observe(
-            self.charm.on[TLS_RELATION].relation_broken, self._on_tls_relation_broken
+            self.certs_transfer.on.certificate_available, self._on_certificate_added
+        )
+        self.framework.observe(
+            self.certs_transfer.on.certificate_removed, self._on_certificate_removed
         )
-        self.framework.observe(self.certs.on.certificate_available, self._on_certificate_available)
-        self.framework.observe(self.certs.on.certificate_expiring, self._on_certificate_expiring)
 
     def _on_set_tls_private_key(self, event: ActionEvent) -> None:
         """Set the TLS private key, which will be used for requesting the certificate."""
@@ -93,8 +115,8 @@ def _request_certificate(self, param: Optional[str]):
         self.charm.set_secret(SCOPE, "key", key.decode("utf-8"))
         self.charm.set_secret(SCOPE, "csr", csr.decode("utf-8"))
 
-        if self.charm.model.get_relation(TLS_RELATION):
-            self.certs.request_certificate_creation(certificate_signing_request=csr)
+        if self.charm.model.get_relation(TLS_CREATION_RELATION):
+            self.certs_creation.request_certificate_creation(certificate_signing_request=csr)
 
     @staticmethod
     def _parse_tls_file(raw_content: str) -> bytes:
@@ -117,6 +139,7 @@ def _on_tls_relation_broken(self, event: RelationBrokenEvent) -> None:
         self.charm.set_secret(SCOPE, "ca", None)
         self.charm.set_secret(SCOPE, "cert", None)
         self.charm.set_secret(SCOPE, "chain", None)
+
         if not self.charm.update_config():
             logger.debug("Cannot update config at this moment")
             event.defer()
@@ -163,12 +186,52 @@ def _on_certificate_expiring(self, event: CertificateExpiringEvent) -> None:
             subject=self.charm.get_hostname_by_unit(self.charm.unit.name),
             **self._get_sans(),
         )
-        self.certs.request_certificate_renewal(
+        self.certs_creation.request_certificate_renewal(
             old_certificate_signing_request=old_csr,
             new_certificate_signing_request=new_csr,
         )
         self.charm.set_secret(SCOPE, "csr", new_csr.decode("utf-8"))
 
+    def _on_certificate_added(self, event: CertificateAddedEvent) -> None:
+        """Enable TLS when TLS certificate is added."""
+        relation = self.charm.model.get_relation(TLS_TRANSFER_RELATION, event.relation_id)
+        if relation is None:
+            logger.error("Relationship not established anymore.")
+            return
+
+        secret_name = f"ca-{relation.app.name}"
+        self.charm.set_secret(SCOPE, secret_name, event.ca)
+
+        try:
+            if not self.charm.push_ca_file_into_workload(secret_name):
+                logger.debug("Cannot push TLS certificates at this moment")
+                event.defer()
+                return
+        except (PebbleConnectionError, PathError, ProtocolError, RetryError) as e:
+            logger.error("Cannot push TLS certificates: %r", e)
+            event.defer()
+            return
+
+    def _on_certificate_removed(self, event: CertificateRemovedEvent) -> None:
+        """Disable TLS when TLS certificate is removed."""
+        relation = self.charm.model.get_relation(TLS_TRANSFER_RELATION, event.relation_id)
+        if relation is None:
+            logger.error("Relationship not established anymore.")
+            return
+
+        secret_name = f"ca-{relation.app.name}"
+        self.charm.set_secret(SCOPE, secret_name, None)
+
+        try:
+            if not self.charm.clean_ca_file_from_workload(secret_name):
+                logger.debug("Cannot clean CA certificates at this moment")
+                event.defer()
+                return
+        except (PebbleConnectionError, PathError, ProtocolError, RetryError) as e:
+            logger.error("Cannot clean CA certificates: %r", e)
+            event.defer()
+            return
+
     def _get_sans(self) -> dict:
         """Create a list of Subject Alternative Names for a PostgreSQL unit.
 

lib/charms/glauth_k8s/v0/ldap.py

@@ -63,10 +63,17 @@ requires:
     interface: tls-certificates
     limit: 1
     optional: true
+  receive-ca-cert:
+    interface: certificate_transfer
+    optional: true
   s3-parameters:
     interface: s3
     limit: 1
     optional: true
+  ldap:
+    interface: ldap
+    limit: 1
+    optional: true
   logging:
     interface: loki_push_api
     limit: 1

lib/charms/postgresql_k8s/v0/postgresql_tls.py

@@ -32,6 +32,8 @@ cosl = ">=0.0.50"
 opentelemetry-exporter-otlp-proto-http = "1.21.0"
 # tls_certificates_interface/v2/tls_certificates.py
 cryptography = "*"
+# certificate_transfer_interface/v0/certificate_transfer.py
+# tls_certificates_interface/v2/tls_certificates.py
 jsonschema = "*"
 
 [tool.poetry.group.format]

metadata.yaml

@@ -216,6 +216,8 @@ def __init__(self, *args):
         self.framework.observe(self.on.promote_to_primary_action, self._on_promote_to_primary)
         self.framework.observe(self.on.get_primary_action, self._on_get_primary)
         self.framework.observe(self.on.update_status, self._on_update_status)
+
+        self._certs_path = "/usr/local/share/ca-certificates"
         self._storage_path = self.meta.storages["pgdata"].location
         self.pgdata_path = f"{self._storage_path}/pgdata"
 
@@ -1809,6 +1811,17 @@ def _peers(self) -> Relation:
         """
         return self.model.get_relation(PEER)
 
+    def _push_file_to_workload(self, container: Container, file_path: str, file_data: str) -> None:
+        """Uploads a file into the provided container."""
+        container.push(
+            file_path,
+            file_data,
+            make_dirs=True,
+            permissions=0o400,
+            user=WORKLOAD_OS_USER,
+            group=WORKLOAD_OS_GROUP,
+        )
+
     def push_tls_files_to_workload(self, container: Container = None) -> bool:
         """Uploads TLS files to the workload container."""
         if container is None:
@@ -1817,41 +1830,36 @@ def push_tls_files_to_workload(self, container: Container = None) -> bool:
         key, ca, cert = self.tls.get_tls_files()
 
         if key is not None:
-            container.push(
-                f"{self._storage_path}/{TLS_KEY_FILE}",
-                key,
-                make_dirs=True,
-                permissions=0o400,
-                user=WORKLOAD_OS_USER,
-                group=WORKLOAD_OS_GROUP,
-            )
+            self._push_file_to_workload(container, f"{self._storage_path}/{TLS_KEY_FILE}", key)
         if ca is not None:
-            container.push(
-                f"{self._storage_path}/{TLS_CA_FILE}",
-                ca,
-                make_dirs=True,
-                permissions=0o400,
-                user=WORKLOAD_OS_USER,
-                group=WORKLOAD_OS_GROUP,
-            )
-            container.push(
-                "/usr/local/share/ca-certificates/ca.crt",
-                ca,
-                make_dirs=True,
-                permissions=0o400,
-                user=WORKLOAD_OS_USER,
-                group=WORKLOAD_OS_GROUP,
-            )
+            self._push_file_to_workload(container, f"{self._storage_path}/{TLS_CA_FILE}", ca)
+            self._push_file_to_workload(container, f"{self._certs_path}/ca.crt", ca)
             container.exec(["update-ca-certificates"]).wait()
         if cert is not None:
-            container.push(
-                f"{self._storage_path}/{TLS_CERT_FILE}",
-                cert,
-                make_dirs=True,
-                permissions=0o400,
-                user=WORKLOAD_OS_USER,
-                group=WORKLOAD_OS_GROUP,
+            self._push_file_to_workload(container, f"{self._storage_path}/{TLS_CERT_FILE}", cert)
+
+        return self.update_config()
+
+    def push_ca_file_into_workload(self, secret_name: str) -> bool:
+        """Uploads CA certificate into the workload container."""
+        container = self.unit.get_container("postgresql")
+        certificates = self.get_secret(UNIT_SCOPE, secret_name)
+
+        if certificates is not None:
+            self._push_file_to_workload(
+                container=container,
+                file_path=f"{self._certs_path}/{secret_name}.crt",
+                file_data=certificates,
             )
+            container.exec(["update-ca-certificates"]).wait()
+
+        return self.update_config()
+
+    def clean_ca_file_from_workload(self, secret_name: str) -> bool:
+        """Cleans up CA certificate from the workload container."""
+        container = self.unit.get_container("postgresql")
+        container.remove_path(f"{self._certs_path}/{secret_name}.crt")
+        container.exec(["update-ca-certificates"]).wait()
 
         return self.update_config()
 

pyproject.toml

@@ -840,7 +840,9 @@ async def backup_operations(
         ops_test, charm, 2, database_app_name=database_app_name, wait_for_idle=False
     )
 
-    await ops_test.model.relate(database_app_name, tls_certificates_app_name)
+    await ops_test.model.relate(
+        f"{database_app_name}:certificates", f"{tls_certificates_app_name}:certificates"
+    )
     async with ops_test.fast_forward(fast_interval="60s"):
         await ops_test.model.wait_for_idle(
             apps=[database_app_name], status="active", timeout=1000, raise_on_error=False

src/charm.py

@@ -66,7 +66,9 @@ async def pitr_backup_operations(
     logger.info(
         "integrating self-signed-certificates with postgresql and waiting them to stabilize"
     )
-    await ops_test.model.relate(database_app_name, tls_certificates_app_name)
+    await ops_test.model.relate(
+        f"{database_app_name}:certificates", f"{tls_certificates_app_name}:certificates"
+    )
     async with ops_test.fast_forward(fast_interval="60s"):
         await ops_test.model.wait_for_idle(
             apps=[database_app_name, tls_certificates_app_name],

tests/integration/helpers.py

@@ -66,7 +66,9 @@ async def pitr_backup_operations(
     logger.info(
         "integrating self-signed-certificates with postgresql and waiting them to stabilize"
     )
-    await ops_test.model.relate(database_app_name, tls_certificates_app_name)
+    await ops_test.model.relate(
+        f"{database_app_name}:certificates", f"{tls_certificates_app_name}:certificates"
+    )
     async with ops_test.fast_forward(fast_interval="60s"):
         await ops_test.model.wait_for_idle(
             apps=[database_app_name, tls_certificates_app_name],

tests/integration/test_backups_pitr_aws.py

@@ -79,7 +79,9 @@ async def test_tls(ops_test: OpsTest) -> None:
             tls_certificates_app_name, config=tls_config, channel=tls_channel, base=CHARM_BASE
         )
         # Relate it to the PostgreSQL to enable TLS.
-        await ops_test.model.relate(DATABASE_APP_NAME, tls_certificates_app_name)
+        await ops_test.model.relate(
+            f"{DATABASE_APP_NAME}:certificates", f"{tls_certificates_app_name}:certificates"
+        )
         await ops_test.model.wait_for_idle(status="active", timeout=1000, raise_on_error=False)
 
         # Wait for all units enabling TLS.