From b3e44e9e5e23ebb196935fe331b323436017c288 Mon Sep 17 00:00:00 2001
From: Neha Oudin
Date: Fri, 8 Nov 2024 16:32:34 +0100
Subject: [PATCH 1/5] fix: update lib
---
 lib/charms/mongos/v0/upgrade_helpers.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/charms/mongos/v0/upgrade_helpers.py b/lib/charms/mongos/v0/upgrade_helpers.py
index e0422656..8bb1c9a6 100644
--- a/lib/charms/mongos/v0/upgrade_helpers.py
+++ b/lib/charms/mongos/v0/upgrade_helpers.py
@@ -32,7 +32,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 3
+LIBPATCH = 5
 logger = logging.getLogger(__name__)
@@ -229,7 +229,7 @@ def app_status(self) -> Optional[StatusBase]:
 return
 return MaintenanceStatus(
- "Refreshing. To rollback, `juju refresh` to the previous revision"
+ "Refresing. To rollback, `juju refresh` to the previous revision"
 )
 @property
@@ -319,10 +319,10 @@ def pre_upgrade_check(self) -> None:
 See https://chat.canonical.com/canonical/pl/cmf6uhm1rp8b7k8gkjkdsj4mya
 """
 # Until the mongos charm has a config-server there is nothing to check. Allow an upgrade.
- if not self.charm.mongos_initialised:
+ if not self._charm.mongos_initialised:
 return
- if not self.is_mongos_able_to_read_write():
+ if not self._charm.upgrade.is_mongos_able_to_read_write():
 raise PrecheckFailed("mongos is not able to read/write.")
From 1873093b728103309a392ba094f7ad772a81b9c7 Mon Sep 17 00:00:00 2001
From: Neha Oudin
Date: Fri, 8 Nov 2024 16:34:28 +0100
Subject: [PATCH 2/5] chore: bump ci codecov
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 9a359b02..d2e72f48 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
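Review bot: In `pre_upgrade_check` the read/write probe is now reached through `self._charm.upgrade`, so this library class depends on the charm exposing an `upgrade` attribute that nothing in the hunk declares or checks. If that attribute is missing or not yet set when the precheck runs, the gate would fail with an `AttributeError` instead of the `PrecheckFailed` raised two lines later. I would record the requirement next to the call, `# Requires charm.upgrade to be the upgrade handler; the precheck calls through it.`, or keep the call on `self` if this object is that handler. The function starts above the hunk, so how `_charm` is assigned is not visible here.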
@@ -52,7 +52,7 @@ jobs:
 - name: Run tests
 run: tox run -e unit
 - name: Upload Coverage to Codecov
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@v4
 build:
 name: Build charm | ${{ matrix.path }}
From 92351bfcccf5f6ca05adb142635a055cbabd8333 Mon Sep 17 00:00:00 2001
From: Neha Oudin
Date: Fri, 8 Nov 2024 17:01:29 +0100
Subject: [PATCH 3/5] fix: typo
---
 lib/charms/mongos/v0/upgrade_helpers.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/charms/mongos/v0/upgrade_helpers.py b/lib/charms/mongos/v0/upgrade_helpers.py
index 8bb1c9a6..25ad2fdd 100644
--- a/lib/charms/mongos/v0/upgrade_helpers.py
+++ b/lib/charms/mongos/v0/upgrade_helpers.py
@@ -32,7 +32,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 5
+LIBPATCH = 6
 logger = logging.getLogger(__name__)
@@ -229,7 +229,7 @@ def app_status(self) -> Optional[StatusBase]:
 return
 return MaintenanceStatus(
- "Refresing. To rollback, `juju refresh` to the previous revision"
+ "Refreshing. To rollback, `juju refresh` to the previous revision"
 )
 @property
From 537ab974d0e6c7b7d98200e812fe841689fc684e Mon Sep 17 00:00:00 2001
From: Mia Altieri
Date: Tue, 12 Nov 2024 16:10:56 +0000
Subject: [PATCH 4/5] update libs
---
 .../mongodb/v0/config_server_interface.py | 2 +-
 lib/charms/mongodb/v1/mongodb_provider.py | 2 +-
 lib/charms/mongos/v0/upgrade_helpers.py | 2 +-
 .../v3/tls_certificates.py | 30 ++++++++++++++++---
 4 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/lib/charms/mongodb/v0/config_server_interface.py b/lib/charms/mongodb/v0/config_server_interface.py
index 44e485bb..b005b80e 100644
--- a/lib/charms/mongodb/v0/config_server_interface.py
+++ b/lib/charms/mongodb/v0/config_server_interface.py
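Review bot: The upload step references `codecov/codecov-action@v4` by a mutable tag, so whatever that tag points to at run time executes inside the CI job; pinning to the release commit, `uses: codecov/codecov-action@<full-commit-sha> # v4`, keeps the step reproducible and makes later bumps reviewable. The step as shown has no `with:` block, and as far as I know v4 of this action expects an upload token (the `token` input or `CODECOV_TOKEN` in the environment) for anything other than fork pull requests. Confirm a token is supplied at job or repository level, otherwise coverage uploads may start being rejected after this bump.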
@@ -51,7 +51,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 14
+LIBPATCH = 15
 class ClusterProvider(Object):
diff --git a/lib/charms/mongodb/v1/mongodb_provider.py b/lib/charms/mongodb/v1/mongodb_provider.py
index ab21e75c..0e150b25 100644
--- a/lib/charms/mongodb/v1/mongodb_provider.py
+++ b/lib/charms/mongodb/v1/mongodb_provider.py
@@ -37,7 +37,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 15
+LIBPATCH = 16
 logger = logging.getLogger(__name__)
 REL_NAME = "database"
diff --git a/lib/charms/mongos/v0/upgrade_helpers.py b/lib/charms/mongos/v0/upgrade_helpers.py
index 25ad2fdd..c9111457 100644
--- a/lib/charms/mongos/v0/upgrade_helpers.py
+++ b/lib/charms/mongos/v0/upgrade_helpers.py
@@ -32,7 +32,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 6
+LIBPATCH = 4
 logger = logging.getLogger(__name__)
diff --git a/lib/charms/tls_certificates_interface/v3/tls_certificates.py b/lib/charms/tls_certificates_interface/v3/tls_certificates.py
index da7fa95e..141412b0 100644
--- a/lib/charms/tls_certificates_interface/v3/tls_certificates.py
+++ b/lib/charms/tls_certificates_interface/v3/tls_certificates.py
@@ -318,7 +318,7 @@ def _on_all_certificates_invalidated(self, event: AllCertificatesInvalidatedEven
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 20
+LIBPATCH = 23
 PYDEPS = ["cryptography", "jsonschema"]
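Review bot: `LIBPATCH` in lib/charms/mongos/v0/upgrade_helpers.py drops from 6 to 4 in this hunk, and the diffstat shows it is the only line of that file the commit touches, so the body edited in patches 1/5 and 3/5 of this series now carries a lower patch number than before. Anything that uses LIBPATCH to decide which copy of a charm library is newer would treat this file as equal to, or older than, a published patch 4 whose content may differ from it. Confirm the file body matches the published patch 4 exactly, or keep the number monotonic, e.g. `LIBPATCH = 7`, and publish that. The same hunk is repeated in patch 5/5.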
@@ -1902,10 +1902,20 @@ def _on_relation_changed(self, event: RelationChangedEvent) -> None:
 )
 else:
 try:
+ secret = self.model.get_secret(label=f"{LIBID}-{csr_in_sha256_hex}")
 logger.debug(
 "Setting secret with label %s", f"{LIBID}-{csr_in_sha256_hex}"
 )
- secret = self.model.get_secret(label=f"{LIBID}-{csr_in_sha256_hex}")
+ # Juju < 3.6 will create a new revision even if the content is the same
+ if (
+ secret.get_content(refresh=True).get("certificate", "")
+ == certificate.certificate
+ ):
+ logger.debug(
+ "Secret %s with correct certificate already exists",
+ f"{LIBID}-{csr_in_sha256_hex}",
+ )
+ continue
 secret.set_content(
 {"certificate": certificate.certificate, "csr": certificate.csr}
 )
@@ -1986,11 +1996,19 @@ def _on_secret_expired(self, event: SecretExpiredEvent) -> None:
 provider_certificate = self._find_certificate_in_relation_data(csr)
 if not provider_certificate:
 # A secret expired but we did not find matching certificate. Cleaning up
+ logger.warning(
+ "Failed to find matching certificate for csr, cleaning up secret %s",
+ event.secret.label,
+ )
 event.secret.remove_all_revisions()
 return
 if not provider_certificate.expiry_time:
 # A secret expired but matching certificate is invalid. Cleaning up
+ logger.warning(
+ "Certificate matching csr is invalid, cleaning up secret %s",
+ event.secret.label,
+ )
 event.secret.remove_all_revisions()
 return
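Review bot: The `Setting secret with label %s` debug call in `_on_relation_changed` now runs before the new unchanged-content check, so an iteration that ends in `continue` logs that it is setting a secret it never writes; moving that `logger.debug(...)` call to just above `secret.set_content(` keeps the log truthful. The added `secret.get_content(refresh=True)` also sits inside the existing `try`, whose `except` clause is outside the hunk: if that clause handles a missing secret by creating one, a failed content read would take the same path, which is worth confirming. The `continue` skips the rest of the loop body, which is not visible here, so check that nothing after it still has to run when the certificate is unchanged. The identical hunk appears again in patch 5/5.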
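Review bot: Both new warnings in `_on_secret_expired` print `event.secret.label`, and the comment in `_get_csr_from_secret` in this same file says library versions before 14 stored the CSR in the secret label, so for secrets created by those versions the warning would write a whole CSR into the unit log. Logging `event.secret.id`, or a digest of the label, identifies the secret without that. Since these lines precede `remove_all_revisions()`, a short stable identifier also makes the removal easier to correlate afterwards. The function begins and continues outside the hunk, and the same hunk is repeated in patch 5/5.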
@@ -2023,14 +2041,18 @@ def _find_certificate_in_relation_data(self, csr: str) -> Optional[ProviderCerti
 return provider_certificate
 return None
- def _get_csr_from_secret(self, secret: Secret) -> str:
+ def _get_csr_from_secret(self, secret: Secret) -> Union[str, None]:
 """Extract the CSR from the secret label or content.
 This function is a workaround to maintain backwards compatibility
 and fix the issue reported in
 https://github.com/canonical/tls-certificates-interface/issues/228
 """
- if not (csr := secret.get_content().get("csr", "")):
+ try:
+ content = secret.get_content(refresh=True)
+ except SecretNotFoundError:
+ return None
+ if not (csr := content.get("csr", None)):
 # In versions <14 of the Lib we were storing the CSR in the label of the secret
 # The CSR now is stored int the content of the secret, which was a breaking change
 # Here we get the CSR if the secret was created by an app using libpatch 14 or lower
From 39bac69a1c07f4a40e9967106e30b0cb7722456e Mon Sep 17 00:00:00 2001
From: Mehdi-Bendriss
Date: Tue, 12 Nov 2024 22:05:41 +0100
Subject: [PATCH 5/5] update libs
---
 .../mongodb/v0/config_server_interface.py | 2 +-
 lib/charms/mongodb/v1/mongodb_provider.py | 2 +-
 lib/charms/mongos/v0/upgrade_helpers.py | 2 +-
 .../v3/tls_certificates.py | 30 ++++++++++++++++---
 4 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/lib/charms/mongodb/v0/config_server_interface.py b/lib/charms/mongodb/v0/config_server_interface.py
index 44e485bb..b005b80e 100644
--- a/lib/charms/mongodb/v0/config_server_interface.py
+++ b/lib/charms/mongodb/v0/config_server_interface.py
@@ -51,7 +51,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 14
+LIBPATCH = 15
 class ClusterProvider(Object):
diff --git a/lib/charms/mongodb/v1/mongodb_provider.py b/lib/charms/mongodb/v1/mongodb_provider.py
index ab21e75c..0e150b25 100644
--- a/lib/charms/mongodb/v1/mongodb_provider.py
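Review bot: `_get_csr_from_secret` can now return `None`, but the diffstat for this file leaves no room for a change at its call sites, and `_find_certificate_in_relation_data(self, csr: str)` in the hunk header still takes a `str`. If `_on_secret_expired` passes the result straight through (the lines in between are not shown), a secret that `get_content` reported as not found would fall into the no-matching-certificate branch and have `remove_all_revisions()` called on it; a guard at the caller such as `if csr is None: return` makes the not-found case explicit. The hunk header shows the file already uses `Optional[...]`, so `-> Optional[str]` would be consistent, and `content.get("csr")` already defaults to `None`. `Union` and `SecretNotFoundError` are not imported anywhere in this diff, so they must already be in scope in the module. The function body continues past the hunk, and the same hunk is repeated in patch 5/5.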
+++ b/lib/charms/mongodb/v1/mongodb_provider.py
@@ -37,7 +37,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 15
+LIBPATCH = 16
 logger = logging.getLogger(__name__)
 REL_NAME = "database"
diff --git a/lib/charms/mongos/v0/upgrade_helpers.py b/lib/charms/mongos/v0/upgrade_helpers.py
index 25ad2fdd..c9111457 100644
--- a/lib/charms/mongos/v0/upgrade_helpers.py
+++ b/lib/charms/mongos/v0/upgrade_helpers.py
@@ -32,7 +32,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 6
+LIBPATCH = 4
 logger = logging.getLogger(__name__)
diff --git a/lib/charms/tls_certificates_interface/v3/tls_certificates.py b/lib/charms/tls_certificates_interface/v3/tls_certificates.py
index da7fa95e..141412b0 100644
--- a/lib/charms/tls_certificates_interface/v3/tls_certificates.py
+++ b/lib/charms/tls_certificates_interface/v3/tls_certificates.py
@@ -318,7 +318,7 @@ def _on_all_certificates_invalidated(self, event: AllCertificatesInvalidatedEven
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 20
+LIBPATCH = 23
 PYDEPS = ["cryptography", "jsonschema"]
@@ -1902,10 +1902,20 @@ def _on_relation_changed(self, event: RelationChangedEvent) -> None:
 )
 else:
 try:
+ secret = self.model.get_secret(label=f"{LIBID}-{csr_in_sha256_hex}")
 logger.debug(
 "Setting secret with label %s", f"{LIBID}-{csr_in_sha256_hex}"
 )
- secret = self.model.get_secret(label=f"{LIBID}-{csr_in_sha256_hex}")
+ # Juju < 3.6 will create a new revision even if the content is the same
+ if (
+ secret.get_content(refresh=True).get("certificate", "")
+ == certificate.certificate
+ ):
+ logger.debug(
+ "Secret %s with correct certificate already exists",
+ f"{LIBID}-{csr_in_sha256_hex}",
+ )
+ continue
 secret.set_content(
 {"certificate": certificate.certificate, "csr": certificate.csr}
 )
@@ -1986,11 +1996,19 @@ def _on_secret_expired(self, event: SecretExpiredEvent) -> None:
 provider_certificate = self._find_certificate_in_relation_data(csr)
 if not provider_certificate:
 # A secret expired but we did not find matching certificate. Cleaning up
+ logger.warning(
+ "Failed to find matching certificate for csr, cleaning up secret %s",
+ event.secret.label,
+ )
 event.secret.remove_all_revisions()
 return
 if not provider_certificate.expiry_time:
 # A secret expired but matching certificate is invalid. Cleaning up
+ logger.warning(
+ "Certificate matching csr is invalid, cleaning up secret %s",
+ event.secret.label,
+ )
 event.secret.remove_all_revisions()
 return
@@ -2023,14 +2041,18 @@ def _find_certificate_in_relation_data(self, csr: str) -> Optional[ProviderCerti
 return provider_certificate
 return None
- def _get_csr_from_secret(self, secret: Secret) -> str:
+ def _get_csr_from_secret(self, secret: Secret) -> Union[str, None]:
 """Extract the CSR from the secret label or content.
 This function is a workaround to maintain backwards compatibility
 and fix the issue reported in
 https://github.com/canonical/tls-certificates-interface/issues/228
 """
- if not (csr := secret.get_content().get("csr", "")):
+ try:
+ content = secret.get_content(refresh=True)
+ except SecretNotFoundError:
+ return None
+ if not (csr := content.get("csr", None)):
 # In versions <14 of the Lib we were storing the CSR in the label of the secret
 # The CSR now is stored int the content of the secret, which was a breaking change
 # Here we get the CSR if the secret was created by an app using libpatch 14 or lower