
Commit 6fa983a

[DPE-7309][DPE-7326] Switch to TLSv4 (#909)
* Switch to pydantic 2
* Initial tls v4
* Linting
* IP sans
* Add ips to dns sans
* Add back cert update on ip change
* Spaces addresses
* Add peer cert relation
* Fix rel check
* Revert to reload on cert change
* Get CA from the correct tls relation
* Apply suggestions from code review

  Co-authored-by: Marcelo Henrique Neppel <[email protected]>

* Add optimizer_cpu_tuple_cost constraints
* Block on missing TLS rel
* Fix tls test
* Wrong key
* Don't update on rel mismatch
* Remove JujuVersion warning
* Split tls enabled flags
* Sync to dpl repo
* Bump lib and fix peer enablement
* Peer checks
* Internal cert
* Fix internal ca check
* Try not to defer peer change
* Missed http calls
* Peer CAs bundle for requests
* Patroni magic config
* Magic config for other users
* Disable upgrade tests
* Cache old cas
* Remove logger
* Fix charm int test
* Correct schema and tls unit test
* Try to defer if no certs
* Handle Retry errors
* Update libs
* Revert cluster changes
* Try getting alternative endpoints
* Move ip change block before conf validation
* Try to update IPs after potential deferrals
* Update log message
* Revert IP update tweaks
* Remove client cert
* Revert "Remove client cert"

  This reverts commit 9ca2287.

* Squashed commit of the following:

  commit da3dd59
  Author: Dragomir Penev <[email protected]>
  Date:   Wed Jun 4 01:05:15 2025 +0300

      Add sleep interval

  commit 141efaf
  Author: Dragomir Penev <[email protected]>
  Date:   Wed Jun 4 00:35:32 2025 +0300

      Don't defer on raft removal

  commit bcecb8c
  Author: Dragomir Penev <[email protected]>
  Date:   Tue Jun 3 23:44:30 2025 +0300

      Log raft removal error

  commit d12515f
  Author: Dragomir Penev <[email protected]>
  Date:   Tue Jun 3 18:17:40 2025 +0300

      Use peer addrs directly

  commit 03e5031
  Author: Dragomir Penev <[email protected]>
  Date:   Tue Jun 3 16:47:54 2025 +0300

      Use peer cert and key

  commit 762a9e3
  Author: Dragomir Penev <[email protected]>
  Date:   Tue Jun 3 15:56:19 2025 +0300

      Disable unit tests

  commit ee091df
  Author: Dragomir Penev <[email protected]>
  Date:   Tue Jun 3 15:50:40 2025 +0300

      Try to suppress update status

  commit 24cdb8f
  Merge: f3befdb fb27850
  Author: Dragomir Penev <[email protected]>
  Date:   Tue Jun 3 15:49:31 2025 +0300

      Merge branch 'tlsv4' into tlsv4-conditional-validation

  commit f3befdb
  Author: Dragomir Penev <[email protected]>
  Date:   Tue Jun 3 14:29:01 2025 +0300

      Try to wait for idle again

  commit a9e9d50
  Author: Dragomir Penev <[email protected]>
  Date:   Tue Jun 3 13:42:06 2025 +0300

      Bump timeout

  commit 90a8f7d
  Author: Dragomir Penev <[email protected]>
  Date:   Mon Jun 2 23:59:12 2025 +0300

      Add reraising

  commit aa6a1ea
  Author: Dragomir Penev <[email protected]>
  Date:   Mon Jun 2 21:36:39 2025 +0300

      Try bumping timeout

  commit cf6e998
  Author: Dragomir Penev <[email protected]>
  Date:   Mon Jun 2 18:49:36 2025 +0300

      Try to update ips first

  commit 08cea05
  Author: Dragomir Penev <[email protected]>
  Date:   Mon Jun 2 17:29:06 2025 +0300

      Try to update conf on IP change without validation

  commit 6840707
  Author: Dragomir Penev <[email protected]>
  Date:   Mon Jun 2 16:55:30 2025 +0300

      Try to log the exception

  commit e67489b
  Author: Dragomir Penev <[email protected]>
  Date:   Mon Jun 2 16:35:00 2025 +0300

      Debug network cut

---------
Co-authored-by: Marcelo Henrique Neppel <[email protected]>
1 parent: ec2b448; commit: 6fa983a

31 files changed, +2863 -2553 lines changed

actions.yaml

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -97,9 +97,3 @@ restore:
9797
restore-to-time:
9898
type: string
9999
description: Point-in-time-recovery target in PSQL format.
100-
set-tls-private-key:
101-
description: Set the private key, which will be used for certificate signing requests (CSR). Run for each unit separately.
102-
params:
103-
private-key:
104-
type: string
105-
description: The content of private key for communications with clients. Content will be auto-generated if this option is not specified.
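Review bot: removing the `set-tls-private-key` action is a user-visible breaking change for operators who scripted it per unit, yet nothing in this hunk records the deprecation or the replacement flow; add a CHANGELOG/docs entry stating that the private key is now managed by the TLS relation (as the commit title's switch to TLSv4 implies) and what an operator who previously injected their own key should do now. Consider keeping the action for one release with a body that fails with a clear message instead of deleting it outright, so existing automation gets an actionable error rather than an undefined-action error.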

lib/charms/postgresql_k8s/v0/postgresql.py

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -672,7 +672,9 @@ def list_users_from_relation(self) -> Set[str]:
672672
try:
673673
with self._connect_to_database() as connection, connection.cursor() as cursor:
674674
cursor.execute(
675-
"SELECT usename FROM pg_catalog.pg_user WHERE usename LIKE 'relation_id_%';"
675+
"SELECT usename "
676+
"FROM pg_catalog.pg_user "
677+
"WHERE usename LIKE 'relation_id_%' OR usename LIKE 'relation-%';"
676678
)
677679
usernames = cursor.fetchall()
678680
return {username[0] for username in usernames}
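Review bot: in `LIKE 'relation_id_%'` and the new `LIKE 'relation-%'`, `_` is a single-character wildcard, so the first pattern already matches any role named like `relationXidY...` and neither pattern is an exact prefix test. Because this set drives relation-user handling, escape the underscores (`LIKE 'relation\_id\_%'`) or use `starts_with(usename, 'relation_id_')`, so an unrelated role whose name happens to fit the wildcard cannot be swept in. A single regex such as `usename ~ '^relation(_id_|-)'` would also state both accepted prefixes in one place instead of across three concatenated string fragments.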

lib/charms/postgresql_k8s/v0/postgresql_tls.py

Lines changed: 0 additions & 286 deletions
This file was deleted.
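Review bot: deleting `lib/charms/postgresql_k8s/v0/postgresql_tls.py` removes a charm library under the published `lib/charms/...` path that other charms may have pulled with `charmcraft fetch-lib`; if it is superseded by the TLSv4 handling the commit title describes, leave a final version that warns of the deprecation (or record it in the lib's changelog) rather than dropping the module without a trace, and confirm that no `import` of `postgresql_tls` survives in `src/` or `tests/`.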

lib/charms/tempo_coordinator_k8s/v0/charm_tracing.py

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -314,7 +314,7 @@ def _remove_stale_otel_sdk_packages():
314314
import opentelemetry
315315
import ops
316316
from opentelemetry.exporter.otlp.proto.common._internal.trace_encoder import (
317-
encode_spans,
317+
encode_spans # type: ignore
318318
)
319319
from opentelemetry.exporter.otlp.proto.http.trace_exporter import OTLPSpanExporter
320320
from opentelemetry.sdk.resources import Resource
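Review bot: `encode_spans # type: ignore` silences a type error on an import from `opentelemetry.exporter.otlp.proto.common._internal`, a private module; a bare `# type: ignore` hides every future error on that line, so narrow it to the specific error code, or better, import from the public `opentelemetry.exporter.otlp.proto.common.trace_encoder` if the pinned 1.21.0 release exposes `encode_spans` there, since the private path can change without notice. Dropping the trailing comma inside the parenthesised import also departs from the surrounding style.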
@@ -348,7 +348,7 @@ def _remove_stale_otel_sdk_packages():
348348
# Increment this PATCH version before using `charmcraft publish-lib` or reset
349349
# to 0 if you are raising the major API version
350350

351-
LIBPATCH = 7
351+
LIBPATCH = 8
352352

353353
PYDEPS = ["opentelemetry-exporter-otlp-proto-http==1.21.0"]
354354

@@ -704,7 +704,14 @@ def _get_server_cert(
704704
f"{charm_type}.{server_cert_attr} is None; sending traces over INSECURE connection."
705705
)
706706
return
707-
elif not Path(server_cert).is_absolute():
707+
if not isinstance(server_cert, (str, Path)):
708+
logger.warning(
709+
f"{charm_type}.{server_cert_attr} has unexpected type {type(server_cert)}; "
710+
f"sending traces over INSECURE connection."
711+
)
712+
return
713+
path = Path(server_cert)
714+
if not path.is_absolute() or not path.exists():
708715
raise ValueError(
709716
f"{charm_type}.{server_cert_attr} should resolve to a valid tls cert absolute path (string | Path)); "
710717
f"got {server_cert} instead."
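Review bot: the new `isinstance` branch fails open: a `server_cert` of an unexpected type is logged at warning level and traces are then sent over a plaintext connection, while a correctly typed path that is relative or missing raises `ValueError`. A wrong-typed attribute is at least as likely to be a configuration bug as a relative path, so it should raise the same `ValueError` rather than silently downgrade the transport; otherwise a refactor that changes the attribute's type turns TLS off for tracing with only a log line as evidence. Separately, the added `not path.exists()` check raises where the previous code only rejected relative paths; if a charm sets the attribute before the certificate is written to disk, tracing setup now hard-fails at that point. Both branches deserve a unit test.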
