[DPE-2830] Update TLS lib and PostgreSQL TLS lib (#321)

* Update TLS lib and PostgreSQL TLS lib Signed-off-by: Marcelo Henrique Neppel <[email protected]> * Update poetry.lock Signed-off-by: Marcelo Henrique Neppel <[email protected]> * Update TLS lib and test Signed-off-by: Marcelo Henrique Neppel <[email protected]> --------- Signed-off-by: Marcelo Henrique Neppel <[email protected]>
canonical · Jan 27, 2024 · cc14fb8 · cc14fb8
1 parent bf91e13
commit cc14fb8
Show file tree

Hide file tree

Showing 5 changed files with 798 additions and 181 deletions.
diff --git a/lib/charms/postgresql_k8s/v0/postgresql_tls.py b/lib/charms/postgresql_k8s/v0/postgresql_tls.py
@@ -24,15 +24,13 @@
 import socket
 from typing import List, Optional
 
-from charms.tls_certificates_interface.v1.tls_certificates import (
+from charms.tls_certificates_interface.v2.tls_certificates import (
     CertificateAvailableEvent,
     CertificateExpiringEvent,
-    TLSCertificatesRequiresV1,
+    TLSCertificatesRequiresV2,
     generate_csr,
     generate_private_key,
 )
-from cryptography import x509
-from cryptography.x509.extensions import ExtensionType
 from ops.charm import ActionEvent, RelationBrokenEvent
 from ops.framework import Object
 from ops.pebble import ConnectionError, PathError, ProtocolError
@@ -45,7 +43,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version.
-LIBPATCH = 7
+LIBPATCH = 8
 
 logger = logging.getLogger(__name__)
 SCOPE = "unit"
@@ -63,7 +61,7 @@ def __init__(
         self.charm = charm
         self.peer_relation = peer_relation
         self.additional_dns_names = additional_dns_names or []
-        self.certs = TLSCertificatesRequiresV1(self.charm, TLS_RELATION)
+        self.certs = TLSCertificatesRequiresV2(self.charm, TLS_RELATION)
         self.framework.observe(
             self.charm.on.set_tls_private_key_action, self._on_set_tls_private_key
         )
@@ -90,7 +88,6 @@ def _request_certificate(self, param: Optional[str]):
         csr = generate_csr(
             private_key=key,
             subject=self.charm.get_hostname_by_unit(self.charm.unit.name),
-            additional_critical_extensions=self._get_tls_extensions(),
             **self._get_sans(),
         )
 
@@ -161,7 +158,6 @@ def _on_certificate_expiring(self, event: CertificateExpiringEvent) -> None:
         new_csr = generate_csr(
             private_key=key,
             subject=self.charm.get_hostname_by_unit(self.charm.unit.name),
-            additional_critical_extensions=self._get_tls_extensions(),
             **self._get_sans(),
         )
         self.certs.request_certificate_renewal(
@@ -207,12 +203,6 @@ def is_ip_address(address: str) -> bool:
             "sans_dns": sans_dns,
         }
 
-    @staticmethod
-    def _get_tls_extensions() -> Optional[List[ExtensionType]]:
-        """Return a list of TLS extensions for which certificate key can be used."""
-        basic_constraints = x509.BasicConstraints(ca=True, path_length=None)
-        return [basic_constraints]
-
     def get_tls_files(self) -> (Optional[str], Optional[str], Optional[str]):
         """Prepare TLS files in special PostgreSQL way.