feat: Implement CA certificate renewal #242

saltiyazan · 2024-09-12T07:55:52Z

Description

Fixes #238, #239 and #241

This PR implements the renewal of the CA certificate
It handles CA certificate configuration option changes
It keeps track of two CA certificates, one active and one expiring CA certificate.
Improves validity time configs to allow units, inspired by feat: use new schema to read validity values for certificates #236 @kayra1

Checklist:

My code follows the style guidelines of this project
I have performed a self-review of my own code
I have made corresponding changes to the documentation
I have added tests that validate the behaviour of the software
I validated that new and existing unit tests pass locally with my changes
Any dependent changes have been merged and published in downstream modules
I have bumped the version of the library

charmcraft.yaml

src/charm.py

gruyaume

I know this pr is still in draft, sorry if you already planned to tackle some of those.

charmcraft.yaml

src/charm.py

src/constants.py

src/charm.py

charmcraft.yaml

kayra1 · 2024-09-24T08:37:15Z

charmcraft.yaml

+      type: string
+      default: 90d
+      description: > 
+        Signed certificate validity.
+        The given value must be followed by one of: "m" for minutes, "h" for hours, "d" for days and "w" for weeks. 
+        For example, "1m" for 1 minute, "10w" for 10 weeks.
+        If no units are given, the unit will be assumed as days.
+        Defaults to 90 days.
+        This value should be equal to or shorter than half the root-ca-validity.
+        Changing this value will trigger generation of a new CA certificate,
+        revoking all previously issued certificates.


Did we ever talk with Judit Novak to make sure that a minimum value of 1 minute is OK for integration tests?

Yes, that's good enough for them.

saltiyazan added 2 commits September 11, 2024 12:58

Handle CA expiry and private key rotation

dda9286

Fixes tests

7d5b2e5

saltiyazan changed the title ~~Tlseng 343~~ feat: Implement CA certificate renewal Sep 12, 2024

saltiyazan added 2 commits September 12, 2024 09:56

Merge branch 'main' into TLSENG-343

333a3c9

Fetch latest lib

f82dc34

gruyaume requested changes Sep 12, 2024

View reviewed changes

charmcraft.yaml Outdated Show resolved Hide resolved

src/charm.py Outdated Show resolved Hide resolved

src/charm.py Outdated Show resolved Hide resolved

gruyaume mentioned this pull request Sep 12, 2024

[FEATURE] Expiry time adjustable on lower than a day granularlity canonical/tls-certificates-interface#237

Closed

saltiyazan added 2 commits September 12, 2024 14:08

Adds unit tests

cfc2730

Minor improvements

b3b93c6

saltiyazan force-pushed the TLSENG-343 branch from 439b8c3 to b3b93c6 Compare September 12, 2024 13:00

saltiyazan added 5 commits September 12, 2024 16:42

Fixes and adds integration tests

0d019cb

Fix revoke

3a8b2b3

Fixes expiry in _generate_root_certificate

a3a0b55

Use set_juju_secret

a98fad6

Track latest revision of secret

529330a

gruyaume requested changes Sep 13, 2024

View reviewed changes

saltiyazan added 2 commits September 13, 2024 16:41

Ensure expiry is set on secret

3dc62fc

Adds a workaround for the ops issue and addresses review comments

4f7e86f

saltiyazan force-pushed the TLSENG-343 branch from 4f8127d to 2891163 Compare September 14, 2024 13:06

Uses unit as part of validity string

51e0cc7

saltiyazan force-pushed the TLSENG-343 branch from 2891163 to 51e0cc7 Compare September 14, 2024 13:07

Fix itest typo

f445de0

saltiyazan force-pushed the TLSENG-343 branch from daa77a0 to f445de0 Compare September 14, 2024 15:13

saltiyazan added 2 commits September 14, 2024 17:26

Fix docs

7dcda2c

Test with latest requirer

e3aa0df

saltiyazan force-pushed the TLSENG-343 branch from 4fafed7 to e3aa0df Compare September 17, 2024 07:37

Remove private key rotation to a separate pr

4ee5f7b

saltiyazan force-pushed the TLSENG-343 branch 2 times, most recently from 35cb466 to 4ee5f7b Compare September 17, 2024 10:14

Merge branch 'main' into TLSENG-343

5adad14

Fixes config option documentation

621d8e3

saltiyazan marked this pull request as ready for review September 17, 2024 11:16

saltiyazan requested a review from a team as a code owner September 17, 2024 11:16

saltiyazan requested review from gruyaume and removed request for a team September 17, 2024 11:20

gruyaume requested changes Sep 17, 2024

View reviewed changes

src/constants.py Outdated Show resolved Hide resolved

src/charm.py Show resolved Hide resolved

src/charm.py Outdated Show resolved Hide resolved

saltiyazan mentioned this pull request Sep 17, 2024

feat: Allows promoting the charm for arm64 arch #245

Merged

7 tasks

saltiyazan added 3 commits September 17, 2024 16:30

Improves docstring of _renew_root_certificate

ff4139b

Deploy specific revision of requirer charm

a53558e

Lint fix

9fb803f

saltiyazan force-pushed the TLSENG-343 branch from da0e3ca to 9fb803f Compare September 17, 2024 15:22

Specify channel with the revision

8685b3c

saltiyazan requested a review from gruyaume September 17, 2024 16:18

gruyaume requested changes Sep 18, 2024

View reviewed changes

src/charm.py Outdated Show resolved Hide resolved

charmcraft.yaml Outdated Show resolved Hide resolved

saltiyazan added 2 commits September 19, 2024 10:40

Use minutes instead of seconds for cert validity

50102d8

Fix tests not to use seconds for validity

6d68e3c

saltiyazan force-pushed the TLSENG-343 branch 3 times, most recently from 0615c69 to d9fd25f Compare September 20, 2024 09:40

Tests CA renewal in integration test

392fda8

saltiyazan force-pushed the TLSENG-343 branch from d9fd25f to 392fda8 Compare September 20, 2024 10:11

saltiyazan requested a review from gruyaume September 20, 2024 13:30

gruyaume approved these changes Sep 23, 2024

View reviewed changes

kayra1 reviewed Sep 24, 2024

View reviewed changes

saltiyazan merged commit bc49fab into main Sep 24, 2024
12 checks passed

saltiyazan deleted the TLSENG-343 branch September 24, 2024 13:15

This was referenced Sep 24, 2024

CA Certificate is not renewed after it expired #239

Closed

Self Signed Certificates accepts certificate validity config option that is longer than CA certificate validity #241

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Implement CA certificate renewal #242

feat: Implement CA certificate renewal #242

saltiyazan commented Sep 12, 2024 •

edited

Loading

gruyaume left a comment

kayra1 Sep 24, 2024 •

edited

Loading

saltiyazan Sep 24, 2024

feat: Implement CA certificate renewal #242

feat: Implement CA certificate renewal #242

Conversation

saltiyazan commented Sep 12, 2024 • edited Loading

Description

Checklist:

gruyaume left a comment

Choose a reason for hiding this comment

kayra1 Sep 24, 2024 • edited Loading

Choose a reason for hiding this comment

saltiyazan Sep 24, 2024

Choose a reason for hiding this comment

saltiyazan commented Sep 12, 2024 •

edited

Loading

kayra1 Sep 24, 2024 •

edited

Loading