reworked restart/update-cert path to always trigger update before restart #270

Merged
merged 7 commits into from
Jan 8, 2024


PietroPasotti
Contributor

Issue

Fixes #265

Solution

Reworked the restart_grafana method to always call _update_cert if CertHandler.enabled.
Together with a unified _cert_ready method that verifies that the cert and key files are on the container filesystem, this should ensure a (more) robust flow:

  1. if certhandler is enabled:
  2. push cert and key files
  3. build the grafana layer
  4. If cert and key files are present on the workload filesystem, configure grafana accordingly

To test:
charmcraft pack

deploy this bundle

bundle: kubernetes
applications:
  ca:
    charm: self-signed-certificates
    channel: edge
    revision: 40
    scale: 1
    constraints: arch=amd64
  external-ca:
    charm: self-signed-certificates
    channel: edge
    revision: 40
    scale: 1
    constraints: arch=amd64
  prom:
    charm: prometheus-k8s
    channel: edge
    revision: 152
    series: focal
    resources:
      prometheus-image: 130
    scale: 1
    constraints: arch=amd64
    storage:
      database: kubernetes,1,1024M
    trust: true
  trfk:
    charm: traefik-k8s
    series: focal
    scale: 1
    constraints: arch=amd64
    storage:
      configurations: kubernetes,1,1024M
    trust: true
relations:
- - prom:ingress
  - trfk:ingress-per-unit
- - trfk:certificates
  - external-ca:certificates
- - prom:certificates
  - ca:certificates
- - trfk:receive-ca-cert
  - ca:send-ca-cert

Then deploy grafana:

juju deploy ./grafana-k8s.charm --resource grafana-image=docker.io/ubuntu/grafana:9.2-22.04_beta --resource litestream-image=docker.io/litestream/litestream:0.4.0-beta.2

Once all is active/idle, do a jhack imatrix fill to cross-relate
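
The ordering described in the pull request description above, as an added example that is not the charm's own code: certificates are pushed before the server settings are built, and TLS is configured only when both files are actually on the workload filesystem. `FakeContainer`, `FakeCertHandler`, the two paths, the use of Grafana's `GF_SERVER_*` environment variables and the plain-HTTP fallback are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical workload paths, chosen for this example only.
CERT_PATH = "/example/grafana/server.crt"
KEY_PATH = "/example/grafana/server.key"


@dataclass
class FakeContainer:
    """Stand-in for the workload container's filesystem."""
    files: Dict[str, str] = field(default_factory=dict)

    def push(self, path: str, content: str) -> None:
        self.files[path] = content

    def exists(self, path: str) -> bool:
        return bool(self.files.get(path))  # an empty file does not count


@dataclass
class FakeCertHandler:
    """Stand-in for CertHandler: enabled flag, plus material once issued."""
    enabled: bool = False
    cert: Optional[str] = None
    key: Optional[str] = None


def update_cert(container: FakeContainer, certs: FakeCertHandler) -> None:
    """Push cert and key only when both have been issued."""
    if certs.cert and certs.key:
        container.push(CERT_PATH, certs.cert)
        container.push(KEY_PATH, certs.key)


def cert_ready(container: FakeContainer) -> bool:
    """TLS is usable only if BOTH files are on the workload filesystem."""
    return container.exists(CERT_PATH) and container.exists(KEY_PATH)


def restart(container: FakeContainer, certs: FakeCertHandler) -> Dict[str, str]:
    """Update certs first, then derive server settings from the filesystem."""
    if certs.enabled:
        update_cert(container, certs)
    if cert_ready(container):
        return {"GF_SERVER_PROTOCOL": "https",
                "GF_SERVER_CERT_FILE": CERT_PATH,
                "GF_SERVER_CERT_KEY": KEY_PATH}
    return {"GF_SERVER_PROTOCOL": "http"}  # assumed fallback, never https without files
```

Deriving the protocol from what is on disk, rather than from whether a certificates relation exists, is what keeps the server from being started in HTTPS mode with an empty `cert_file`.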

@PietroPasotti
Contributor Author

depends on canonical/grafana-rock#19

@PietroPasotti PietroPasotti force-pushed the fix-cert-not-present-on-restart branch from fa02143 to aa967a0 Compare October 24, 2023 15:00
@PietroPasotti PietroPasotti merged commit 3c76c26 into main Jan 8, 2024
13 checks passed
@PietroPasotti PietroPasotti deleted the fix-cert-not-present-on-restart branch January 8, 2024 14:39
Development

Successfully merging this pull request may close these issues.

cert_file cannot be empty when using HTTPS
4 participants