[WIP] Migrate from TLS V3 to TLS V4

CONTRIBUTING.md

@@ -5,10 +5,8 @@
 This document explains the processes and practices recommended for contributing enhancements to
 this operator.
 
-<!-- TEMPLATE-TODO: Update the URL for issue creation -->
-
 - Generally, before developing enhancements to this charm, you should consider [opening an issue
-  ](https://github.com/canonical/operator-opensearch/issues) explaining your use case.
+  ](https://github.com/canonical/opensearch-operator/issues) explaining your use case.
 - If you would like to chat with us about your use-cases or proposed implementation, you can reach
   us at [Canonical Mattermost public channel](https://chat.charmhub.io/charmhub/channels/charm-dev)
   or [Discourse](https://discourse.charmhub.io/).
@@ -21,7 +19,6 @@ this operator.
 - Please help us out in ensuring easy to review branches by rebasing your pull request branch onto
   the `main` branch. This also avoids merge commits and creates a linear Git commit history.
 
-
 ## Build charm
 
 Build the charm in this git repository using tox.
@@ -30,8 +27,9 @@ There are two alternatives to build the charm: using the charm cache or not.
 Cache will speed the build by downloading all dependencies from charmcraftcache-hub.
 
 First, ensure you have the right dependencies:
-* charmcraft v2.5.4+
-* charmcraftcache
+
+- charmcraft v2.5.4+
+- charmcraftcache
 
 By running the following commands:
 
@@ -113,6 +111,7 @@ SECRETS_FROM_GITHUB=$(cat <path-to>/credentials.json) tox -e integration -- test
 ```
 
 Where, for AWS only, `credentials.json` should look like:
+
 ```shell
 $ cat credentials.json
 { "AWS_ACCESS_KEY": ..., "AWS_SECRET_KEY": ...}
@@ -122,6 +121,7 @@ $ cat credentials.json
 
 OpenSearch has a set of system requirements to correctly function, you can find the list [here](https://opensearch.org/docs/latest/install-and-configure/install-opensearch/index/).
 Some of those settings must be set using cloudinit-userdata on the model, while others must be set on the host machine:
+
 ```bash
 cat <<EOF > cloudinit-userdata.yaml
 cloudinit-userdata: |
@@ -139,6 +139,7 @@ sudo sysctl -p
 ```
 
 Then create a new model and set the previously generated file in it.
+
 ```bash
 # Create a model
 juju add-model dev
@@ -154,6 +155,7 @@ juju model-config update-status-hook-interval=1m
 ```
 
 You can then deploy the charm with a TLS relation.
+
 ```bash
 # Deploy the self-signed-certificates operator
 juju deploy self-signed-certificates --channel=latest/stable --show-log --verbose
@@ -164,7 +166,7 @@ juju config \
     ca-common-name="CN_CA" \
     certificate-validity=365 \
     root-ca-validity=365
-    
+
 # Deploy the opensearch charm
 juju deploy -n 1 ./opensearch_ubuntu-22.04-amd64.charm --series jammy --show-log --verbose
 
@@ -174,6 +176,6 @@ juju integrate self-signed-certificates opensearch
 
 **Note:** The TLS settings shown here are for self-signed-certificates, which are not recommended for production clusters. The TLS Certificates Operator offers a variety of configurations. Read more on the self-signed-certificates Operator [here](https://charmhub.io/self-signed-certificates).
 
-
 ## Canonical Contributor Agreement
+
 Canonical welcomes contributions to the Charmed Template Operator. Please check out our [contributor agreement](https://ubuntu.com/legal/contributors) if you're interested in contributing to the solution.

actions.yaml

@@ -1,22 +1,15 @@
 # Copyright 2023 Canonical Ltd.
 # See LICENSE file for licensing details.
 
-set-tls-private-key:
-  description: Set the private keys, which will be used for certificate signing requests (CSR). Run for each unit separately or on-leader only depending on the type.
+regenerate-tls-private-key:
+  description: Regenerate the private key, which will be used for certificate signing requests (CSR). Run for each unit separately or on-leader only depending on the type.
   params:
     category:
       type: string
       enum:
         - "app-admin"
         - "unit-transport"
         - "unit-http"
-      description: (Required) Type of private key to be set. "app-admin" must only be set on the leader.
-    key:
-      type: string
-      description: (Optional) The content of the private key. The content will be auto-generated if not set.
-    password:
-      type: string
-      description: (Optional) The passphrase of the private key. Will NOT be set if omitted.
   required:
     - category
 

lib/charms/opensearch/v0/constants_tls.py

@@ -15,7 +15,9 @@
 LIBPATCH = 1
 
 
-TLS_RELATION = "certificates"
+TLS_RELATION_PEER = "peer-certificates"
+TLS_RELATION_CLIENT = "client-certificates"
+TLS_RELATION_ADMIN = "admin-certificates"
 
 
 class CertType(BaseStrEnum):

lib/charms/opensearch/v0/opensearch_base_charm.py

@@ -34,7 +34,6 @@
     ServiceIsStopping,
     ServiceStartError,
     ServiceStopped,
-    TLSCaRotation,
     TLSNewCertsRequested,
     TLSNotFullyConfigured,
     TLSRelationBrokenError,
@@ -93,7 +92,7 @@
     OpenSearchUserManager,
     OpenSearchUserMgmtError,
 )
-from charms.tls_certificates_interface.v3.tls_certificates import (
+from charms.tls_certificates_interface.v4.tls_certificates import (
     CertificateAvailableEvent,
 )
 from ops.charm import (
@@ -819,20 +818,20 @@ def _on_get_password_action(self, event: ActionEvent):
             }
         )
 
-    def on_tls_ca_rotation(self):
-        """Called when adding new CA to the trust store."""
-        self.status.set(MaintenanceStatus(TLSCaRotation))
-        self._restart_opensearch_event.emit()
+    def on_new_ca_added(self):
+        """Called when a new CA is added to the truststore."""
+        try:
+            self.tls.reload_tls_certificates()
+        except OpenSearchHttpError:
+            logger.error(
+                "Could not reload certificates via API after adding new CA, will restart."
+            )
+            self._restart_opensearch_event.emit()
 
     def on_tls_conf_set(
         self, event: CertificateAvailableEvent, scope: Scope, cert_type: CertType, renewal: bool
     ):
-        """Called after certificate ready and stored on the corresponding scope databag.
-
-        - Store the cert on the file system, on all nodes for APP certificates
-        - Update the corresponding yaml conf files
-        - Run the security admin script
-        """
+        """Called after certificate ready and stored on the corresponding scope databag."""
         if scope == Scope.UNIT:
             admin_secrets = self.secrets.get_object(Scope.APP, CertType.APP_ADMIN.val) or {}
             if not (truststore_pwd := admin_secrets.get("truststore-password")):
@@ -865,16 +864,6 @@ def on_tls_conf_set(
                     self._restart_opensearch_event.emit()
                 else:
                     self.status.clear(TLSNotFullyConfigured)
-                    self.tls.reset_ca_rotation_state()
-                    # if all certs are stored and CA rotation is complete in the cluster
-                    # we delete the old ca and update the chain to only include the new one
-                    if (
-                        self.tls.read_stored_ca("old-ca")
-                        and self.tls.ca_and_certs_rotation_complete_in_cluster()
-                    ):
-                        logger.info("on_tls_conf_set: Detected CA rotation complete in cluster")
-                        self.tls.on_ca_certs_rotation_complete()
-
             else:
                 event.defer()
                 return
@@ -1203,7 +1192,6 @@ def _post_start_init(self, event: _StartOpenSearch):  # noqa: C901
         # update the peer relation data for TLS CA rotation routine
         self.tls.reset_ca_rotation_state()
         if self.is_tls_full_configured_in_cluster():
-            self.status.clear(TLSCaRotation)
             self.status.clear(TLSNotFullyConfigured)
 
         # request new certificates after rotating the CA