canonical / observability-libs

A collection of charm libraries curated by the Observability team.
https://charmhub.io/observability-libs
Apache License 2.0

CertHandler v1: Reuse (or remove and create) secrets when re-establishing relationships #102

Open Abuelodelanada opened 2 months ago

Abuelodelanada commented 2 months ago

Bug Description

When removing and adding back a relationship between charms that uses CertHandler, the number of secrets grows.

We should reuse or remove-and-create secrets

To Reproduce

  1. Deploy COS lite with tls overlay: juju deploy cos-lite --channel=edge --trust --overlay ./offers-overlay.yaml --overlay ./tls-overlay.yaml
  2. See how many secrets we have (in this case 12)
    $ juju secrets                                              
    ID                    Name  Owner           Rotation  Revision  Last updated
    cpvctjvmp25c77qemuf0  -     alertmanager/0  never            1  47 minutes ago  
    cpvctmvmp25c77qemufg  -     alertmanager/0  never            1  47 minutes ago  
    cpvct67mp25c77qemud0  -     ca              never            1  48 minutes ago  
    cpvct9nmp25c77qemueg  -     catalogue/0     never            1  48 minutes ago  
    cpvct7nmp25c77qemudg  -     catalogue/0     never            1  48 minutes ago  
    cpvcu2fmp25c77qemuh0  -     grafana/0       never            1  45 minutes ago  
    cpvcv1fmp25c77qemujg  -     loki/0          never            1  44 minutes ago  
    cpvcuo7mp25c77qemuj0  -     loki/0          never            1  45 minutes ago  
    cpvculfmp25c77qemuig  -     prometheus/0    never            1  45 minutes ago  
    cpvcvbvmp25c77qemuk0  -     prometheus/0    never            1  43 minutes ago  
    cpvctpfmp25c77qemug0  -     traefik/0       never            1  47 minutes ago  
    cpvctqnmp25c77qemugg  -     traefik/0       never            1  46 minutes ago
  3. Remove one relation between traefik and ca: juju remove-relation traefik certificates
  4. Restore the relationship: juju relate traefik:certificates ca:certificates
  5. See how many secrets we have now (in this case 13)
    $ juju secrets
    ID                    Name  Owner           Rotation  Revision  Last updated
    cpvctmvmp25c77qemufg  -     alertmanager/0  never            1  50 minutes ago  
    cpvctjvmp25c77qemuf0  -     alertmanager/0  never            1  51 minutes ago  
    cpvct67mp25c77qemud0  -     ca              never            1  52 minutes ago  
    cpvct7nmp25c77qemudg  -     catalogue/0     never            1  52 minutes ago  
    cpvct9nmp25c77qemueg  -     catalogue/0     never            1  51 minutes ago  
    cpvcu2fmp25c77qemuh0  -     grafana/0       never            1  48 minutes ago  
    cpvcv1fmp25c77qemujg  -     loki/0          never            1  47 minutes ago  
    cpvcuo7mp25c77qemuj0  -     loki/0          never            1  48 minutes ago  
    cpvculfmp25c77qemuig  -     prometheus/0    never            1  48 minutes ago  
    cpvcvbvmp25c77qemuk0  -     prometheus/0    never            1  46 minutes ago  
    cpvdl9vmp25c77qemul0  -     traefik/0       never            1  35 seconds ago  
    cpvctqnmp25c77qemugg  -     traefik/0       never            1  50 minutes ago  
    cpvdl9fmp25c77qemukg  -     traefik/0       never            1  43 seconds ago
  6. Remove and restore the relationship again, and see how many secrets we have now (14):
    $ juju secrets                                    
    ID                    Name  Owner           Rotation  Revision  Last updated
    cpvctjvmp25c77qemuf0  -     alertmanager/0  never            1  1 hour ago      
    cpvctmvmp25c77qemufg  -     alertmanager/0  never            1  1 hour ago      
    cpvct67mp25c77qemud0  -     ca              never            1  1 hour ago      
    cpvct9nmp25c77qemueg  -     catalogue/0     never            1  1 hour ago      
    cpvct7nmp25c77qemudg  -     catalogue/0     never            1  1 hour ago      
    cpvcu2fmp25c77qemuh0  -     grafana/0       never            1  1 hour ago      
    cpvcv1fmp25c77qemujg  -     loki/0          never            1  1 hour ago      
    cpvcuo7mp25c77qemuj0  -     loki/0          never            1  1 hour ago      
    cpvcvbvmp25c77qemuk0  -     prometheus/0    never            1  1 hour ago      
    cpvculfmp25c77qemuig  -     prometheus/0    never            1  1 hour ago      
    cpvctqnmp25c77qemugg  -     traefik/0       never            1  1 hour ago      
    cpvdl9vmp25c77qemul0  -     traefik/0       never            1  15 minutes ago  
    cpvdsa7mp25c77qemum0  -     traefik/0       never            1  37 seconds ago  
    cpvds9nmp25c77qemulg  -     traefik/0       never            1  43 seconds ago  

Environment

Relevant log output

.

Additional context

No response
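The reproduction above compares the `juju secrets` table by eye. The following shell script is an added example (not part of the issue or of observability-libs) that does the comparison mechanically: it counts secrets per owner before and after the relation is removed and re-added, and lists secret IDs that appeared only after re-relating. The two tables are constructed samples modelled on the output in the issue, not real captures; in practice you would capture `juju secrets` into the two variables around the `remove-relation` / `relate` steps.

```shell
#!/bin/sh
# Constructed sample of `juju secrets` output taken before removing the relation
# (modelled on the tables in the issue; only the rows of interest are kept).
BEFORE='ID                    Name  Owner           Rotation  Revision  Last updated
cpvctpfmp25c77qemug0  -     traefik/0       never            1  47 minutes ago
cpvctqnmp25c77qemugg  -     traefik/0       never            1  46 minutes ago
cpvct67mp25c77qemud0  -     ca              never            1  48 minutes ago'

# Constructed sample taken after `juju relate traefik:certificates ca:certificates`.
AFTER='ID                    Name  Owner           Rotation  Revision  Last updated
cpvdl9vmp25c77qemul0  -     traefik/0       never            1  35 seconds ago
cpvctqnmp25c77qemugg  -     traefik/0       never            1  50 minutes ago
cpvdl9fmp25c77qemukg  -     traefik/0       never            1  43 seconds ago
cpvct67mp25c77qemud0  -     ca              never            1  52 minutes ago'

# count_by_owner TABLE OWNER: number of secrets in TABLE whose Owner column is OWNER.
# The header row (NR == 1) is skipped; Owner is the third whitespace-separated field.
count_by_owner() {
    printf '%s\n' "$1" | awk -v owner="$2" 'NR > 1 && $3 == owner { n++ } END { print n + 0 }'
}

# new_ids BEFORE AFTER: secret IDs present in AFTER but not in BEFORE, in AFTER order.
# These are the secrets created by re-relating instead of reusing the previous one.
new_ids() {
    before_ids=$(printf '%s\n' "$1" | awk 'NR > 1 { print $1 }')
    printf '%s\n' "$2" | awk -v before="$before_ids" '
        BEGIN { n = split(before, arr, "\n"); for (i = 1; i <= n; i++) seen[arr[i]] = 1 }
        NR > 1 && !($1 in seen) { print $1 }'
}

# check_growth BEFORE AFTER OWNER: succeed (0) if OWNER holds no more secrets after
# re-relating than before, fail (1) if the count grew.
check_growth() {
    b=$(count_by_owner "$1" "$3")
    a=$(count_by_owner "$2" "$3")
    [ "$a" -le "$b" ]
}

# Stand-alone usage: report per-owner growth and the IDs of the extra secrets.
for owner in traefik/0 ca; do
    if check_growth "$BEFORE" "$AFTER" "$owner"; then
        echo "$owner: secret count unchanged"
    else
        echo "$owner: secrets grew from $(count_by_owner "$BEFORE" "$owner") to $(count_by_owner "$AFTER" "$owner")"
    fi
done
echo "new secret IDs after re-relating:"
new_ids "$BEFORE" "$AFTER"
```

Run the loop again after every remove/relate cycle; a count that keeps rising for the same owner, with a fresh ID each time and the old one never revoked, is the leak described above. Secrets are only garbage-collected once their owner removes them, so the extra IDs stay until the charm (or an operator, via `juju remove-secret`) deletes them.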

IbraAoad commented 1 month ago

Instead of creating new secrets on removal/recreation, we should create new revs of the same secret.

lucabello commented 1 month ago

This is not caused by us; it's a bug in the tls_certificates library: https://github.com/canonical/manual-tls-certificates-operator/issues/264