Add Support for External Certificates integration in Bootstrap

.github/workflows/auto-update-libs-k8s-worker.yaml

@@ -6,7 +6,7 @@ on:
 
 jobs:
   auto-update-libs:
-    uses: canonical/operator-workflows/.github/workflows/auto_update_charm_libs.yaml@main
+    uses: canonical/operator-workflows/.github/workflows/auto_update_charm_libs.yaml@08c5a65a0bc4696164b4f85a29a9ccbd830d10d8
     secrets: inherit
     with:
       working-directory:  ./charms/worker/k8s

.github/workflows/charm-analysis.yaml

@@ -6,7 +6,7 @@ on:
 
 jobs:
   unit-tests:
-    uses: canonical/operator-workflows/.github/workflows/test.yaml@main
+    uses: canonical/operator-workflows/.github/workflows/test.yaml@08c5a65a0bc4696164b4f85a29a9ccbd830d10d8
     secrets: inherit
     with:
       charm-directory: charms

.github/workflows/comment.yaml

@@ -8,5 +8,5 @@ on:
 
 jobs:
   comment-on-pr:
-    uses: canonical/operator-workflows/.github/workflows/comment.yaml@main
+    uses: canonical/operator-workflows/.github/workflows/comment.yaml@08c5a65a0bc4696164b4f85a29a9ccbd830d10d8
     secrets: inherit

.github/workflows/integration_test.yaml

@@ -36,20 +36,18 @@ jobs:
       working-directory:  ${{ matrix.path }}
 
   integration-tests:
-    uses: canonical/operator-workflows/.github/workflows/integration_test.yaml@main
+    uses: canonical/operator-workflows/.github/workflows/integration_test.yaml@08c5a65a0bc4696164b4f85a29a9ccbd830d10d8
     needs: [build-all-charms, extra-args]
     strategy:
       matrix:
-        suite: ["k8s", "etcd"]
+        suite: ["k8s", "etcd", "certificates"]
     secrets: inherit
     with:
       provider: lxd
       juju-channel: 3.3/stable
       extra-arguments: ${{needs.extra-args.outputs.args}} -k test_${{ matrix.suite }}
       load-test-enabled: false
       zap-enabled: false
-      self-hosted-runner: true
-      self-hosted-runner-label: "large"
       trivy-fs-enabled: true
       trivy-image-config: "trivy.yaml"
       tmate-debug: true

.github/workflows/load_test.yaml

@@ -6,7 +6,7 @@ on:
 
 jobs:
   load-tests:
-    uses: canonical/operator-workflows/.github/workflows/integration_test.yaml@main
+    uses: canonical/operator-workflows/.github/workflows/integration_test.yaml@08c5a65a0bc4696164b4f85a29a9ccbd830d10d8
     with:
       provider: lxd
       juju-channel: 3.3/stable

.github/workflows/promote-charms.yaml

@@ -67,7 +67,7 @@ jobs:
     strategy:
       matrix:
         charm-directory: ${{ fromJson(needs.select-charms.outputs.charms) }}
-    uses: canonical/operator-workflows/.github/workflows/promote_charm.yaml@main
+    uses: canonical/operator-workflows/.github/workflows/promote_charm.yaml@08c5a65a0bc4696164b4f85a29a9ccbd830d10d8
     with:
       origin-channel: ${{needs.configure-track.outputs.track}}/${{ github.event.inputs.origin-risk }}
       destination-channel: ${{needs.configure-track.outputs.track}}/${{ github.event.inputs.destination-risk }}

.github/workflows/publish-charms.yaml

@@ -32,7 +32,7 @@ jobs:
           fi
   publish-to-edge:
     needs: [configure-channel]
-    uses: canonical/operator-workflows/.github/workflows/publish_charm.yaml@main
+    uses: canonical/operator-workflows/.github/workflows/publish_charm.yaml@08c5a65a0bc4696164b4f85a29a9ccbd830d10d8
     strategy:
       matrix:
         charm: [

charms/worker/charmcraft.yaml

@@ -74,6 +74,8 @@ provides:
   cos-agent:
     interface: cos_agent
 requires:
+  certificates:
+    interface: tls-certificates
   cluster:
     interface: k8s-cluster
     # interface to connect with the k8s charm to provide

charms/worker/k8s/charmcraft.yaml

@@ -61,6 +61,14 @@ config:
         The datastore to use in Canonical Kubernetes. This cannot be changed
         after deployment. Allowed values are "dqlite" and "etcd". If "etcd" is
         chosen, the charm should be integrated with the etcd charm.
+    certificates:
+      default: self-signed
+      type: string
+      description: |
+        The certificates generation strategy to use in Canonical Kubernetes.
+        This cannot be changed after deployment. Allowed values are "self-signed"
+        and "external". If "external" is chosen, the charm should be integrated
+        with the an external certificates authority charm.
     labels:
       default: ""
       type: string
@@ -98,7 +106,16 @@ actions:
 
 parts:
   charm:
-    build-packages: [git]
+    charm-binary-python-packages:
+      - setuptools
+      - cryptography
+    build-packages:
+      - git
+      - libffi-dev
+      - libssl-dev
+      - pkg-config
+      - rustc
+      - cargo
 
 peers:
   cluster:
@@ -115,6 +132,8 @@ provides:
     interface: cos-k8s-tokens
 
 requires:
+  certificates:
+    interface: tls-certificates
   etcd:
     interface: etcd
   external-cloud-provider:

charms/worker/k8s/lib/charms/k8s/v0/k8sd_api_manager.py

@@ -355,6 +355,19 @@ class BootstrapConfig(BaseModel):
         datastore_client_cert (str): The client certificate for accessing the datastore.
         datastore_client_key (str): The client key for accessing the datastore.
         extra_sans (List[str]): List of extra sans for the self-signed certificates
+        ca_cert (str): The CA certificate used by the cluster.
+        ca_key (str): The CA private key used by the cluster.
+        front_proxy_ca_cert (str): The CA certificate for the front proxy.
+        front_proxy_ca_key (str): The CA key for the front proxy.
+        front_proxy_client_cert (str): The client certificate for the front proxy.
+        front_proxy_client_key (str): The client key for the front proxy.
+        apiserver_kubelet_client_crt (str): The client certificate for the Kubelet.
+        apiserver_kubelet_client_key (str): The client key for the Kubelet.
+        service_account_key (str): The key used to sign service account tokens.
+        apiserver_crt (str): The certificate for the Kubernetes API server.
+        apiserver_key (str): The private key for the Kubernetes API server.
+        kubelet_crt (str): The certificate for the kubelet.
+        kubelet_key (str): The private key for the kubelet.
     """
 
     cluster_config: Optional[UserFacingClusterConfig] = Field(None, alias="cluster-config")
@@ -371,6 +384,21 @@ class BootstrapConfig(BaseModel):
     datastore_client_key: Optional[str] = Field(None, alias="datastore-client-key")
     extra_sans: Optional[List[str]] = Field(None, alias="extra-sans")
 
+    ca_cert: Optional[str] = Field(None, alias="ca-crt")
+    ca_key: Optional[str] = Field(None, alias="ca-key")
+    front_proxy_ca_cert: Optional[str] = Field(None, alias="front-proxy-ca-crt")
+    front_proxy_ca_key: Optional[str] = Field(None, alias="front-proxy-ca-key")
+    front_proxy_client_cert: Optional[str] = Field(None, alias="front-proxy-client-crt")
+    front_proxy_client_key: Optional[str] = Field(None, alias="front-proxy-client-key")
+    apiserver_kubelet_client_crt: Optional[str] = Field(None, alias="apiserver-kubelet-client-crt")
+    apiserver_kubelet_client_key: Optional[str] = Field(None, alias="apiserver-kubelet-client-key")
+
+    service_account_key: Optional[str] = Field(None, alias="service-account-key")
+    apiserver_crt: Optional[str] = Field(None, alias="apiserver-crt")
+    apiserver_key: Optional[str] = Field(None, alias="apiserver-key")
+    kubelet_crt: Optional[str] = Field(None, alias="kubelet-crt")
+    kubelet_key: Optional[str] = Field(None, alias="kubelet-key")
+
 
 class CreateClusterRequest(BaseModel):
     """Request model for creating a new Canonical Kubernetes cluster.