[DPE-5307][DPE-5236] update tls certs on node port change + fix flakey TLS tests #35
Conversation
prevent unnessary hooks from firing + request only certificates that are needed
MiaAltieri
changed the title
MiaAltieri
changed the title
MiaAltieri
changed the title
MiaAltieri
force-pushed
the
DPE-5236-update-tls-certs-on-node-port-change
branch
from
25f4489
to
86b7310
Compare
MiaAltieri
changed the title
src/node_port.py
Outdated
| @@ -4,13 +4,14 @@ | |||
|
|
|||
| """Manager for handling mongos Kubernetes resources for a single mongos pod.""" | |||
|
|
|||
| from typing import Optional | |||
There was a problem hiding this comment.
if you have reviewed node port for external clients then these changes are the same
| @@ -97,45 +99,55 @@ async def toggle_tls_mongos( | |||
| f"{certs_app_name}:{CERT_REL_NAME}", | |||
| ) | |||
|
|
|||
| await ops_test.model.wait_for_idle(apps=[MONGOS_APP_NAME], idle_period=30) | |||
There was a problem hiding this comment.
necessary to fix flakey TLS tests
|
|
||
| return ( | ||
| f"{MONGO_SHELL} '{client_uri}' --eval 'sh.status()'" | ||
| f"{MONGO_SHELL} '{client_uri}' --eval 'db.getUsers()'" |
There was a problem hiding this comment.
necessary to fix flakey TLS tests. sh.status is a privileged command
| @@ -58,9 +62,62 @@ async def test_mongos_tls_enabled(ops_test: OpsTest) -> None: | |||
| ) | |||
|
|
|||
| await integrate_cluster_with_tls(ops_test) | |||
| await ops_test.model.wait_for_idle( | |||
There was a problem hiding this comment.
necessary to fix flakey TLS tests
| @@ -81,12 +137,15 @@ async def test_mongos_tls_disabled(ops_test: OpsTest) -> None: | |||
| timeout=300, | |||
| ) | |||
|
|
|||
| await check_mongos_tls_disabled(ops_test) | |||
There was a problem hiding this comment.
necessary to fix flakey TLS tests - shouldn't check if disabled until model is stable
MiaAltieri
force-pushed
the
DPE-5236-update-tls-certs-on-node-port-change
branch
from
55d3fdd
to
f3a0228
Compare
MiaAltieri
force-pushed
the
DPE-5236-update-tls-certs-on-node-port-change
branch
from
722bf01
to
8938c34
Compare
src/charm.py
Outdated
| def get_k8s_mongos_hosts(self) -> Set: | ||
| """Returns the K8s hosts for mongos""" | ||
| hosts = set() | ||
| for unit in self.get_units(): | ||
| hosts.add(self.get_k8s_mongos_host(unit)) | ||
|
|
||
| return hosts | ||
|
|
||
| def get_ext_mongos_host(self, unit: Unit, incl_port=True) -> str | None: | ||
| """Returns the ext hosts for mongos on the provided unit.""" | ||
| if not self.is_external_client: | ||
| return None | ||
|
|
||
| try: | ||
| unit_ip = self.node_port_manager.get_node_ip(unit.name) | ||
| if not incl_port: | ||
| return unit_ip | ||
|
|
||
| unit_port = self.node_port_manager.get_node_port( | ||
| port_to_match=Config.MONGOS_PORT, unit_name=unit.name | ||
| ) | ||
| if unit_ip and unit_port: | ||
| return "{unit_ip}:{unit_port}" | ||
| else: | ||
| raise NoExternalHostError(f"No external host for unit {unit.name}") | ||
| except ( | ||
| NoExternalHostError, | ||
| FailedToFindNodePortError, | ||
| FailedToFindServiceError, | ||
| ) as e: | ||
| raise FailedToGetHostsError( | ||
| "Failed to retrieve external hosts due to %s", e | ||
| ) |
There was a problem hiding this comment.
todo: I strongly recommend you sort() your hosts.
Off the top of my head, I see that you use these hosts in the mongos_config. Not sure what you do with this, but let's assume you use them in some env-var during service runtime:
HOSTS=host1,host2,host3 start-mongos.shPebble replan looks for new runtime args, so if you now get:
HOSTS=host3,host1,host2 start-mongos.shyou're going to restart without needing to.
There was a problem hiding this comment.
fortunately we do not provide hosts to pebble plan! But I suppose we do supply them to clients, I suppose we could lead to unnecessary relation-changed events. However, we use Sets for hosts since we do many set operations on our hosts in different handlers and python sets make no gaurentee on ordering so I am not sure this suggestion is feasible?
There was a problem hiding this comment.
I didn't look deeply, but if you do:
hosts = set(["1", "2", "3"])
relation.data[some.app].update({"hosts": ",".join(hosts)})You'll get a random order, and have extraneous relation-changed events.
Well, strictly speaking you won't have random ordering WITHIN an event, but you will for a different event:
hosts = set(["1", "2", "3"])
print(",".join(hosts))
hosts = set(["3", "1", "2"])
print(",".join(hosts))Because the sets in the above example are assigned to the same memory address, they 'coincidentally' end up evaluating the same due to a quirk of python's collision resolution (essentially it's the same stuff in the set, so just returns the original set).
But if you re-run it in a different Python execution (aka charm event), the order will now be different.
There was a problem hiding this comment.
I see , thank you very much @marcoppenheimer ! I think we ought to handle this in where we update hosts (the provider lib) which is on the mongodb-vm operator GitHub, I added an issue for it
MiaAltieri
force-pushed
the
DPE-5236-update-tls-certs-on-node-port-change
branch
from
86d8690
to
4d31669
Compare
MiaAltieri
force-pushed
the
DPE-5236-update-tls-certs-on-node-port-change
branch
from
4727f5c
to
4d31669
Compare
MiaAltieri
force-pushed
the
DPE-5236-update-tls-certs-on-node-port-change
branch
3 times, most recently
from
e4975cd
to
938704c
Compare
MiaAltieri
force-pushed
the
DPE-5236-update-tls-certs-on-node-port-change
branch
from
938704c
to
1f63b30
Compare
| container.replan() | ||
| container.restart(Config.SERVICE_NAME) |
There was a problem hiding this comment.
note: This will cause a double restart, is that what you want?
If the new layer is not the same as the original, pebble replan --> pebble stop; pebble start. Then you do pebble restart again. It's probably not the end of the world, but you might want to just have container.restart here.
Issue(s)
DPE-5236 update tls certs on node port change
DPE-5307 fix flakey TLS tests
Solution
update tls certs on node port change
Generate new CSRs when 1/2/3 happens
fix flakey TLS tests