Comments (3)
gruyaume
commented on August 15, 2024
I like the idea, however with the current implementation it wouldn't be that easy to implement. Renewing certificates involves creating a new CSR which are created by providing the private key and various key/values.
That said, I think this feature would be great but would require a bit of a redesign of the lib.
from tls-certificates-interface.
sed-i
commented on August 15, 2024
I wonder if, from a user perspective, it could be as simple as the following.
cc @sanchezfdezjavier
diff --git a/src/charm.py b/src/charm.py
index eb2d0ec..bb10ecd 100755
--- a/src/charm.py
+++ b/src/charm.py
@@ -157,9 +157,13 @@ class TraefikIngressCharm(CharmBase):
],
)
- self.certificates = TLSCertificatesRequiresV2(self, "certificates")
- # TODO update init params once auto-renew is implemented
- # https://github.com/canonical/tls-certificates-interface/issues/24
+ self.certificates = TLSCertificatesRequiresV2(
+ self,
+ "certificates",
+ auto_renew=True,
+ cert_subject_callable=lambda: TraefikIngressCharm.cert_subject.fget(self),
+ )
+
self.framework.observe(self.on.install, self._on_install)
self.framework.observe(
self.on.certificates_relation_joined, self._on_certificates_relation_joined
@@ -167,9 +171,6 @@ class TraefikIngressCharm(CharmBase):
self.framework.observe(
self.certificates.on.certificate_available, self._on_certificate_available
)
- self.framework.observe(
- self.certificates.on.certificate_expiring, self._on_certificate_expiring
- )
self.framework.observe(
self.certificates.on.certificate_invalidated, self._on_certificate_invalidated
)
@@ -254,35 +255,13 @@ class TraefikIngressCharm(CharmBase):
self._stored.certificate = event.certificate
self._stored.ca = event.ca
self._stored.chain = event.chain
+ self._stored.csr = event.csr
# TODO: Store files in container and modify config file
self.container.push(_CERTIFICATE_PATH, self._stored.certificate, make_dirs=True)
self.container.push(_CERTIFICATE_KEY_PATH, self._stored.private_key, make_dirs=True)
self._push_config()
self._process_status_and_configurations()
- def _on_certificate_expiring(self, event: CertificateExpiringEvent) -> None:
- old_csr = self._stored.csr
- private_key = self._stored.private_key
-
- if not (subject := self.cert_subject):
- # TODO: use compound status
- logging.error(
- "Cannot generate CSR: invalid cert subject '%s' (is external hostname defined?)",
- subject,
- )
- event.defer()
- return
-
- new_csr = generate_csr(
- private_key=private_key.encode(),
- subject=subject,
- )
- self.certificates.request_certificate_renewal(
- old_certificate_signing_request=old_csr,
- new_certificate_signing_request=new_csr,
- )
- self._stored.csr = new_csr.decode()
-
def _on_show_proxied_endpoints(self, event: ActionEvent):
if not self.ready:
returnfrom tls-certificates-interface.
ghislainbourgeois
commented on August 15, 2024
I like the idea, but the callable passed to the library would need to be for generating the CSR, and not only getting the subject. Until we can target exclusively Juju>=3 and use secrets, we cannot directly create the CSR as this requires the private key. There is not easy and safe way to store this sensitive piece of information from inside the library as far as I am aware.
Would that solution of a callable generating the CSR simplify your code enough?
from tls-certificates-interface.
Related Issues (20)
- Feature request: Requirers support for requesting all CSR revocation
- Dependency Dashboard
- Drop the `cryptography` dep for the requirer side HOT 6
- [v2.1] Need to guard against a relation broken event
- Use SANs instead of CN by default HOT 2
- [v2.6] `certificates-relation-changed` fails for non-leader requirer units HOT 3
- [v2.6] `permission denied` error when relation joins before leader-elected HOT 4
- Advertize the ca cert over relation data unconditionally HOT 2
- Add `x509.KeyUsage` to `generate_ca`?
- Add missing x509 extensions to `generate_certificate` HOT 2
- Libjuju version which is used for integration tests does not appropriate for Juju 3.1/stable
- Add a `get_certificates()` method in `TLSCertificatesRequiresV2`
- Add a `get_certificate_requests()` method in `TLSCertificatesRequiresV2`
- Schema IDs are set incorrectly HOT 1
- Regular expression is invalid error when certificates-relation-changed HOT 1
- Documentation recommends `relation-joined` instead of `relation-created` HOT 2
- [3.5] AttributeError: 'builtins.Certificate' object has no attribute 'not_valid_after_utc' HOT 1
- SSL routines::wrong version number HOT 5
- Accept IPv6 address as sans_ip for generate_csr HOT 2
- ops.model.ModelError: ERROR permission denied HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tls-certificates-interface.