
TLS implementation #30

Merged
merged 44 commits into from
Sep 19, 2022

Conversation

marceloneppel
Member

@marceloneppel marceloneppel commented Sep 7, 2022

Issue

  • Jira issue: DPE-510
  • PostgreSQL charm needs to have a way to enable TLS in the connections between instances and from the client applications to the PostgreSQL server.
  • For that, the charm should implement the interaction with the TLS Certificates Operator and use the certificates provided by it to enable TLS on PostgreSQL client and internal (replication) connections.

Solution

  • This PR continues to solve that issue by implementing the interaction with https://github.com/canonical/tls-certificates-operator using lib/charms/postgresql_k8s/v0/postgresql_tls.py and uploading certificates to the PostgreSQL container to enable TLS. It doesn't take care of enabling TLS on the Patroni API, only on PostgreSQL connections.

Context

  • This PR consists of REPLICATING what was already reviewed on TLS implementation postgresql-k8s-operator#36 to the PostgreSQL VM charm.
  • Files that you can skip during review:
    • tests/unit/test_charm.py (because it changed mostly due to a refactor of method names)
  • You can FOCUS your review on:
    • src/charm.py (ignoring the changes to the get_secret and set_secret methods, which were only a refactor needed to use them outside the class, like in lib/charms/postgresql_k8s/v0/postgresql_tls.py; FOCUS on the other methods, which push TLS files to the workload directory and later enable/disable TLS, also performing a rolling restart, which is needed for the other instances to start using TLS in the replication connection). Also, there is a way to update the certificates if the unit IP changes.
    • templates/patroni.yml.j2 (changes to enable/disable SSL in the client and other instances' connections; this is something specific to PostgreSQL/Patroni)
    • Both files above have a pretty similar implementation to the one made in TLS implementation postgresql-k8s-operator#36.
  • Using IP addresses on certificates because the hostname that is exposed inside the VMs can be based on IP addresses (like ip-172-31-54-71) in clouds other than LXD (like AWS), so they will also change when the IP addresses change (so the IP address is used, as the hostname can behave even differently on other clouds).

Testing

  • Unit tests were updated in tests/unit/test_charm.py and tests/unit/test_patroni.py.
  • Integration tests were added in the next PR.

Release Notes

  • Add TLS implementation.
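The PR text above describes two Patroni-side effects of the change: the `templates/patroni.yml.j2` template switches client and replication connections between plain and SSL, and the certificates carry the unit IP as the identity, so they must be reissued when that IP changes. The following is an added example, not code from this PR or from the charm, that models both decisions in plain Python: it builds the `postgresql` section that Patroni would receive (server-side `ssl*` parameters plus `pg_hba` rules using `hostssl` instead of `host`), checks that no TCP rule for the replication database accepts a non-TLS connection, and decides whether a certificate must be re-requested for a new unit IP. The file paths, the `0.0.0.0/0` address range and the `scram-sha-256` auth method are assumptions for illustration; the PR does not state the charm's actual values.

```python
"""Added example (not the charm's own code): render Patroni's PostgreSQL
settings with TLS on or off and check the rendered access rules."""
from typing import Dict, List

# Placeholder locations: where the charm really pushes the TLS files into the
# workload directory is not stated in the PR description.
CERT_FILE = "/ASSUMED/PATH/cert.pem"
KEY_FILE = "/ASSUMED/PATH/key.pem"
CA_FILE = "/ASSUMED/PATH/ca.pem"

# Assumed auth method and address range for the pg_hba rules.
AUTH_METHOD = "scram-sha-256"
ANY_ADDRESS = "0.0.0.0/0"


def pg_hba_rules(enable_tls: bool) -> List[str]:
    """Return pg_hba.conf lines for client and replication connections.

    'hostssl' accepts only TLS-protected TCP connections, 'host' accepts
    both plain and TLS connections. The Unix-socket 'local' rule is the
    same in both modes because it never crosses the network.
    """
    tcp_rule = "hostssl" if enable_tls else "host"
    return [
        "local all all peer",
        f"{tcp_rule} all all {ANY_ADDRESS} {AUTH_METHOD}",
        f"{tcp_rule} replication replication {ANY_ADDRESS} {AUTH_METHOD}",
    ]


def patroni_postgresql_section(enable_tls: bool) -> Dict:
    """Build the 'postgresql' section handed to Patroni.

    Changing these values on a running member requires a restart, which is
    why the PR performs a rolling restart after enabling or disabling TLS.
    """
    parameters = {"ssl": "on" if enable_tls else "off"}
    if enable_tls:
        parameters.update({
            "ssl_cert_file": CERT_FILE,
            "ssl_key_file": KEY_FILE,
            "ssl_ca_file": CA_FILE,
        })
    return {"parameters": parameters, "pg_hba": pg_hba_rules(enable_tls)}


def replication_is_tls_only(section: Dict) -> bool:
    """True when TLS is on and every TCP rule for 'replication' is 'hostssl'.

    Catches a template mistake where ssl=on but a plain 'host' or
    'hostnossl' rule still lets a replica stream WAL unencrypted.
    """
    if section["parameters"].get("ssl") != "on":
        return False
    for rule in section["pg_hba"]:
        fields = rule.split()
        if len(fields) < 2 or fields[0] == "local":
            continue  # Unix-socket rules are not network connections
        if fields[1] == "replication" and fields[0] != "hostssl":
            return False
    return True


def certificate_needs_reissue(requested_sans: List[str], unit_ip: str) -> bool:
    """Decide whether the certificate must be requested again.

    The PR puts the unit IP on the certificate, so a certificate whose
    subject alternative names do not include the current IP no longer
    matches the address peers connect to and must be replaced.
    """
    return unit_ip not in requested_sans


if __name__ == "__main__":
    tls_on = patroni_postgresql_section(True)
    for line in tls_on["pg_hba"]:
        print(line)
    print("replication TLS-only:", replication_is_tls_only(tls_on))
    # Constructed sample: certificate issued for the old IP only.
    print("reissue needed:", certificate_needs_reissue(["10.0.0.5"], "10.0.0.9"))
```

The check in `replication_is_tls_only` is the kind of assertion worth keeping in a unit test for the template: it fails if a later edit to `patroni.yml.j2` turns `ssl` on but leaves a `host` rule for the replication database, which would silently allow unencrypted replication traffic.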

@marceloneppel marceloneppel mentioned this pull request Sep 9, 2022
Base automatically changed from tls-relations to main September 13, 2022 17:32
Contributor

@zmraul zmraul left a comment


LGTM!

@marceloneppel marceloneppel merged commit b9e15fe into main Sep 19, 2022
@marceloneppel marceloneppel deleted the tls-implementation branch September 19, 2022 12:39
BON4 pushed a commit to BON4/postgresql-operator that referenced this pull request Apr 23, 2024
* Add TLS implementation

* Delete file

* Update library

* Fix PostgreSQL library

* Add jsonschema as a binary dependency

* Change hostname to unit ip

* Add unit test dependency

* Call certificate update on config change

* Fix docstring

* Change log call
github-actions bot added a commit to canonical/test-runners-2-github-x64-postgresql-operator that referenced this pull request May 19, 2024
github-actions bot added a commit to canonical/test-runners-2-is-x64-postgresql-operator that referenced this pull request May 19, 2024