Fix Pebble checks on workers when TLS is enabled #66
Issue
With the current worker Pebble checks, if TLS is enabled, the worker unit would be stuck in BlockedStatus(node down) with errors in workload logs indicating that certificate is valid for [coordinator hostname], not for [worker hostname]. The reason is we're passing the worker a cert requested by the coordinator with SANs that don't contain workers' FQDNs.

Solution
cluster_relation_changed_event. This will try to add/remove the worker's SAN when it's added/removed to the cluster.
update-ca-certificates to workloads to trust the CA.

Context
Addition of refresh_events to CertHandler library canonical/observability-libs#108

Testing Instructions
Deploy S3, SSC
    curl https://raw.githubusercontent.com/canonical/tempo-coordinator-k8s-operator/main/scripts/deploy_minio.py | MINIO_MODEL=test python3
    juju deploy self-signed-certificates ssc --channel edge --trust
Pack & deploy Tempo coordinator and with this cos-lib
Pack & deploy Tempo worker, with this cos-lib and pass socket.getfqdn() to readiness_check_endpoint
Integrate
    jhack imatrix fill
Verify
Scale
    juju add-unit tempo-worker
Verify
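
The SAN mismatch described under Issue, and the add/remove bookkeeping a cluster change calls for, as an added Python example that is not code from this PR or from cos-lib. The hostnames are constructed, and the function names san_matches, uncovered_hosts and plan_san_refresh are assumptions made for illustration.

```python
# Added example (not cos-lib code). All hostnames below are constructed.
COORD = "tempo-0.tempo-endpoints.test.svc.cluster.local"
W0 = "tempo-worker-0.tempo-worker-endpoints.test.svc.cluster.local"
W1 = "tempo-worker-1.tempo-worker-endpoints.test.svc.cluster.local"


def san_matches(san: str, hostname: str) -> bool:
    """Match one DNS SAN against a hostname, following the usual RFC 6125 rules.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label; anything else is compared literally.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return len(san_labels) > 2 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def uncovered_hosts(sans, hostnames):
    """Hostnames whose HTTPS check would fail with 'certificate is valid for ...'."""
    return sorted(h for h in hostnames if not any(san_matches(s, h) for s in sans))


def plan_san_refresh(current_sans, coordinator_fqdn, worker_fqdns):
    """Return (to_add, to_remove) so the SANs follow cluster membership."""
    desired = {coordinator_fqdn, *worker_fqdns}
    to_add = uncovered_hosts(current_sans, desired)
    # Drop SANs that no longer match any current member (a departed worker).
    to_remove = sorted(
        s for s in current_sans if not any(san_matches(s, h) for h in desired)
    )
    return to_add, to_remove


if __name__ == "__main__":
    # The state described under Issue: the cert only names the coordinator.
    print("failing checks:", uncovered_hosts([COORD], [COORD, W0]))
    # A worker joins, then one leaves.
    print("join :", plan_san_refresh([COORD], COORD, [W0, W1]))
    print("leave:", plan_san_refresh([COORD, W0, W1], COORD, [W0]))
```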