Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS implementation #36

Merged
merged 6 commits into from
Sep 8, 2022
Merged

TLS implementation #36

merged 6 commits into from
Sep 8, 2022

Conversation

marceloneppel
Copy link
Member

@marceloneppel marceloneppel commented Sep 6, 2022
edited
Loading

Issue

  • PostgreSQL charm needs to have a way to enable TLS in the connections between instances and from the client applications to the PostgreSQL server.

Solution

  • This PR continues to solve that issue by implementing the interaction with https://github.com/canonical/tls-certificates-operator using lib/charms/postgresql_k8s/v0/postgresql_tls.py and uploading certificates to the PostgreSQL container to enable TLS. It doesn't take care of enabling TLS on Patroni API, only on PostgreSQL connections.

Context

  • This PR should be merged only after TLS relations files #35.
  • Files that you can skip during review:
    • tests/unit/test_charm.py (because it changed mostly because of a refactor on method names)
  • You can FOCUS your review on:
    • src/charm.py (ignoring the changes to get_secret and set_secret methods, which was only a refactor needed to use them outside the class, like in lib/charms/postgresql_k8s/v0/postgresql_tls.py; FOCUS on the other methods, that push TLS files to the container and later enable/disable TLS, also performing a rolling restart, which is needed for the other instances to start to use TLS in the replication connection)
    • templates/patroni.yml.j2 (changes to enable/disable SSL in the client and other instances connections; this is something specific to PostgreSQL/Patroni)

Testing

  • Unit tests were updated on tests/unit/test_charm.py and tests/unit/test_patroni.py.
  • Unit tests were added for from the previous PR through tests/unit/test_postgresql_tls.py.
  • Integration tests were added in the next PR.

Release Notes

  • Add TLS implementation.

@marceloneppel marceloneppel changed the base branch from main to tls-relations September 6, 2022 09:57
@marceloneppel marceloneppel mentioned this pull request Sep 6, 2022
Merged
@marceloneppel marceloneppel marked this pull request as ready for review September 6, 2022 10:44
marcoppenheimer
marcoppenheimer reviewed Sep 6, 2022
View reviewed changes
src/charm.py Outdated
Comment on lines 725 to 728
enable_tls = False
key, ca, cert = self.tls.get_tls_files()
if None not in [key, ca, cert]:
enable_tls = True
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, but I wonder if it's more explicit having a:

enable_tls = all(self.tls.get_tls_files())

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! I will change it here. Thanks Marc!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated on 9e4d481.

src/charm.py
if not self._patroni.member_started:
return

restart_postgresql = enable_tls != self.postgresql.is_tls_enabled()
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, I think it would be more obviously parsable to have boring if's here.

if self.postgresql.is_tls_enabled() != enable_tls:
	self.on[self.restart_manager.name].acquire_lock.emit()

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this specific part of the code, the check must be made before self._patroni.reload_patroni_configuration() is called (because it enables TLS, which is a step needed before restarting PostgreSQL).

self._patroni.reload_patroni_configuration() is called before the if because it is also needed when other configuration change.

Is it ok to keep the check this way due to that needs?

WRFitch
WRFitch approved these changes Sep 6, 2022
View reviewed changes
tests/unit/test_postgresql_tls.py Outdated Show resolved Hide resolved
@marceloneppel marceloneppel mentioned this pull request Sep 6, 2022
Merged
Base automatically changed from tls-relations to main September 6, 2022 19:23
@marceloneppel marceloneppel merged commit 347dce7 into main Sep 8, 2022
@marceloneppel marceloneppel deleted the tls-implementation branch September 8, 2022 12:08
This was referenced Sep 9, 2022
Merged
Merged
github-actions bot added a commit to canonical/test-runners-2-github-x64-postgresql-k8s-operator that referenced this pull request May 20, 2024
@github-actions
Allure report canonical#36
39a117a
BON4 pushed a commit to BON4/postgresql-k8s-operator that referenced this pull request May 20, 2024
@marceloneppel @WRFitch
TLS implementation (canonical#36)
db7e38e 
* Import files

* Add TLS implementation

* Update tests/unit/test_postgresql_tls.py

Co-authored-by: Will Fitch <WRFitch@outlook.com>

* Add required functions and variable for regex

* Improve TLS check

Co-authored-by: Will Fitch <WRFitch@outlook.com>
github-actions bot added a commit to canonical/test-runners-2-is-x64-postgresql-k8s-operator that referenced this pull request May 20, 2024
@github-actions
Allure report canonical#36
129662e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcoppenheimer marcoppenheimer marcoppenheimer approved these changes

@WRFitch WRFitch WRFitch approved these changes

@delgod delgod Awaiting requested review from delgod

@zmraul zmraul Awaiting requested review from zmraul

@paulomach paulomach Awaiting requested review from paulomach

@Mehdi-Bendriss Mehdi-Bendriss Awaiting requested review from Mehdi-Bendriss

@MiaAltieri MiaAltieri Awaiting requested review from MiaAltieri

@shayancanonical shayancanonical Awaiting requested review from shayancanonical

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@marceloneppel @WRFitch @marcoppenheimer