Fix handling of tls config

[sed-i]

Issue

TLS config is written and workload restarted, before the cert is written to disk.

Solution

• Use rock from Add ca-certificates prometheus-rock#30
  • Use the update-ca-certificates machinery
• Instead of stop(), have _scheme return http and _is_tls_enabled return False until the cert is in place.

Depends on:

• Add ca-certificates prometheus-rock#30 (chore: Add new prometheus releases oci-factory#58)

Fixes #521

Testing Instructions

• Run itests in Add tls overlay cos-lite-bundle#80
• Manually test with the following bundles

bundle: kubernetes
applications:
  ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  prom:
    charm: ./prometheus-k8s_ubuntu-20.04-amd64.charm
    series: focal
    scale: 1
    trust: true
    resources:
        prometheus-image: ghcr.io/canonical/prometheus:dev
relations:
- - ca:certificates
  - prom:certificates

bundle: kubernetes
applications:
  ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  cat:
    charm: catalogue-k8s
    channel: edge
    series: focal
    scale: 1
  prom:
    charm: ./prometheus-k8s_ubuntu-20.04-amd64.charm
    series: focal
    scale: 1
    trust: true
    resources:
        prometheus-image: ghcr.io/canonical/prometheus:dev
  trfk:
    charm: traefik-k8s
    channel: edge
    series: focal
    scale: 1
relations:
- - cat:catalogue
  - prom:catalogue
- - ca:certificates
  - prom:certificates
- - prom:ingress
  - trfk:ingress-per-unit
- - trfk:certificates
  - ca:certificates

Release Notes

Fix handling of tls config.

[sed-i]

@PietroPasotti, check-libs complains:

Library charms.tempo_k8s.v0.charm_tracing has local changes, cannot be updated.

Haven't checked but might be a LIBPATCH bump issue.

[PietroPasotti]

@PietroPasotti, check-libs complains:

Library charms.tempo_k8s.v0.charm_tracing has local changes, cannot be updated.

Haven't checked but might be a LIBPATCH bump issue.

given #523 , the lib should be up to date? If the issue persists we could try deleting it manually and re-fetching it? Maybe the linter did some minor change to it?

[PietroPasotti]

I think it would be more clear if we abstracted this to a self._is_tls_ready() method.
Enabled but not ready -> push cert to container, then restart. Regardless of how we got there, this should be the reasonable course of action. Or what am I missing?

[sed-i]

I'm thinking of writing the cert only on cert-changed event, and:

	Relation present	Cert file on disk	Hypothetical is_tls_ready() -> bool
Isolated charm	No	No	No
tls-cert rel just joined	Yes	No	No
on-cert-changed (after rel join)	Yes	Yes	Yes
cert revoked/expired	Yes	Yes (keep on disk even if expired)	Yes
relation departed / broken	Yes	?	No (how? code ordering...)
any event after rel-broken	No	No	No

Wdyt?

[PietroPasotti]

seems reasonable. I think departed/broken should immediately remove the cert from disk and from that moment onwards is_tls_ready should return false (assuming it checks the file presence synchronously).
Or we refactor to use manifests, but I'm not convinced that will make code ordering less of a headache

[sed-i]

This is needed until canonical/oci-factory#58 is applied.

[sed-i]

This was a local change that I reverted:

Library charms.tempo_k8s.v0.charm_tracing has local changes, cannot be updated.