juju / terraform-provider-juju

A Terraform provider for Juju
Apache License 2.0

Provider doesn't respect integration limits for interfaces #608

Open dragomirp opened 3 weeks ago

dragomirp commented 3 weeks ago

Description

Interface limits set in a charm's metadata.yaml will not be respected when deploying with terraform and can cause a charm to end up with more integrations than is expected.

Urgency

Blocker for our release

Terraform Juju Provider version

0.14.0

Terraform version

1.9.7

Juju version

3.5.4

Terraform Configuration(s)

terraform {
  required_version = ">= 1.6"
  required_providers {
    juju = {
      source  = "juju/juju"
      version = "~> 0.14.0"
    }
  }
}
variable "model_name" {
  description = "Juju model name for deployment"
  type        = string
}

module "postgresql" {
  source          = "git::https://github.com/canonical/postgresql-k8s-operator//terraform?ref=main"
  juju_model_name = var.model_name
  channel         = "14/stable"
  units           = 2
}

resource "juju_application" "certificates" {
  count = 1
  name  = "certificates"
  model = var.model_name

  charm {
    name     = "self-signed-certificates"
    channel  = "latest/stable"
  }
  units  = 1
}

resource "juju_application" "certificates2" {
  count = 1
  name  = "certificates2"
  model = var.model_name

  charm {
    name     = "self-signed-certificates"
    channel  = "latest/stable"
  }
  units  = 1
}

resource "juju_integration" "postgresql_certificates" {
  model = var.model_name

  application {
    name     = module.postgresql.application_name
    endpoint = module.postgresql.requires.certificates
  }
  application {
    name = juju_application.certificates[0].name
  }
}

resource "juju_integration" "postgresql_certificates2" {
  model = var.model_name

  application {
    name     = module.postgresql.application_name
    endpoint = module.postgresql.requires.certificates
  }
  application {
    name = juju_application.certificates2[0].name
  }
}

Reproduce / Test

With a Juju k8s model:

terraform init
terraform plan
terraform apply

Both self-signed-certificates will integrate with the postgresql-k8s charm, which will start failing due to the duplicate connection. The postgresql-k8s is limiting the certificates integration to 1.


Debug/Panic Output

No response

Notes & References

Status of the model after deployment:

juju status --relations
Model   Controller          Cloud/Region        Version  SLA          Timestamp
limits  microk8s-localhost  microk8s/localhost  3.5.4    unsupported  17:34:46+03:00

App             Version  Status  Scale  Charm                     Channel        Rev  Address         Exposed  Message
certificates             active      1  self-signed-certificates  latest/stable  155  10.152.183.115  no
certificates2            active      1  self-signed-certificates  latest/stable  155  10.152.183.250  no
postgresql-k8s  14.12    error       2  postgresql-k8s            14/stable      381  10.152.183.24   no       hook failed: "certificates-relation-changed"

Unit               Workload  Agent  Address       Ports  Message
certificates2/0    active    idle   10.1.143.92
certificates/0     active    idle   10.1.143.109
postgresql-k8s/0   error     idle   10.1.143.79          hook failed: "certificates-relation-changed" for certificates2:certificates
postgresql-k8s/1*  error     idle   10.1.143.75          hook failed: "certificates-relation-joined" for certificates:certificates

Integration provider           Requirer                       Interface         Type     Message
certificates2:certificates     postgresql-k8s:certificates    tls-certificates  regular
certificates:certificates      postgresql-k8s:certificates    tls-certificates  regular
postgresql-k8s:database-peers  postgresql-k8s:database-peers  postgresql_peers  peer
postgresql-k8s:restart         postgresql-k8s:restart         rolling_op        peer
postgresql-k8s:upgrade         postgresql-k8s:upgrade         upgrade           peer



A bundle with similar contents will not create the second `certificates` integration.

hmlanigan commented 3 weeks ago

@dragomirp please add details on how to create the model. Unfortunately the reproducer does not use a juju_model resource as expected. Without the details I'm unable to reproduce.

It'd be helpful to understand the series of steps run with the juju client as it does not appear the juju client does anything special.

dragomirp commented 3 weeks ago

> @dragomirp please add details on how to create the model. Unfortunately the reproducer does not use a juju_model resource as expected. Without the details I'm unable to reproduce.

Hi, @hmlanigan, model should be a k8s model and should be a variable input.

> juju controllers
Use --refresh option with this command to see the latest information.

Controller           Model     User   Access     Cloud/Region        Models  Nodes  HA  Version
microk8s-localhost*  test-app  admin  superuser  microk8s/localhost       2      -   -  3.5.4  

You should be able to create a model and apply with:

> juju add-model test-limits
> terraform plan -var model_name=test-limits
> terraform apply -var model_name=test-limits

The postgresql-k8s charm in the applied model should eventually error out due to the double certificates integration:

> juju status --relations
Model        Controller          Cloud/Region        Version  SLA          Timestamp
test-limits  microk8s-localhost  microk8s/localhost  3.5.4    unsupported  17:31:57+03:00

App             Version  Status  Scale  Charm                     Channel        Rev  Address         Exposed  Message
certificates             active      1  self-signed-certificates  latest/stable  155  10.152.183.101  no       
certificates2            active      1  self-signed-certificates  latest/stable  155  10.152.183.108  no       
postgresql-k8s  14.12    error       2  postgresql-k8s            14/stable      381  10.152.183.63   no       hook failed: "certificates-relation-joined"

Unit               Workload  Agent      Address      Ports  Message
certificates2/0*   active    idle       10.1.143.80         
certificates/0*    active    idle       10.1.143.90         
postgresql-k8s/0   error     idle       10.1.143.72         hook failed: "certificates-relation-joined" for certificates2:certificates
postgresql-k8s/1*  active    executing  10.1.143.99         Primary

Integration provider           Requirer                       Interface         Type     Message
certificates2:certificates     postgresql-k8s:certificates    tls-certificates  regular  
certificates:certificates      postgresql-k8s:certificates    tls-certificates  regular  
postgresql-k8s:database-peers  postgresql-k8s:database-peers  postgresql_peers  peer     
postgresql-k8s:restart         postgresql-k8s:restart         rolling_op        peer     
postgresql-k8s:upgrade         postgresql-k8s:upgrade         upgrade           peer 

The issue should be reproducible with other charms that set a requires limit. I don't know if the provides limit is affected.
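
A post-deployment check for the condition reported in this thread, as an added example that is not part of the issue or the provider's code: it parses the integrations section of `juju status --relations` (sample copied from the output above) and reports endpoints that have more integrations than their limit. The `LIMITS` mapping is an assumption, filled in with the limit of 1 that the issue states for the postgresql-k8s certificates endpoint, and the function names are hypothetical.

```python
from collections import Counter

# Integrations section copied from the `juju status --relations` output in the issue.
STATUS = """\
Integration provider           Requirer                       Interface         Type     Message
certificates2:certificates     postgresql-k8s:certificates    tls-certificates  regular
certificates:certificates      postgresql-k8s:certificates    tls-certificates  regular
postgresql-k8s:database-peers  postgresql-k8s:database-peers  postgresql_peers  peer
postgresql-k8s:restart         postgresql-k8s:restart         rolling_op        peer
postgresql-k8s:upgrade         postgresql-k8s:upgrade         upgrade           peer
"""

# Assumption: limits are maintained by the operator from each charm's
# metadata.yaml `limit` field. The value 1 is the one stated in the issue.
LIMITS = {"postgresql-k8s:certificates": 1}


def parse_relations(status_text):
    """Return (provider, requirer, interface, type) rows from the integrations section."""
    rows, in_section = [], False
    for line in status_text.splitlines():
        if line.startswith("Integration provider"):
            in_section = True
            continue
        if in_section:
            fields = line.split()
            if not fields:          # a blank line ends the section
                break
            if len(fields) >= 4:    # ignore anything too short to be a row
                rows.append(tuple(fields[:4]))
    return rows


def over_limit(rows, limits):
    """Map endpoint -> (count, limit) for endpoints integrated more often than allowed."""
    counts = Counter()
    for provider, requirer, _interface, rel_type in rows:
        if rel_type == "peer":      # peer relations stay inside one application
            continue
        counts[provider] += 1       # counting both sides covers provides limits too
        counts[requirer] += 1
    return {ep: (n, limits[ep]) for ep, n in counts.items()
            if ep in limits and n > limits[ep]}


if __name__ == "__main__":
    for endpoint, (count, limit) in over_limit(parse_relations(STATUS), LIMITS).items():
        print(f"{endpoint}: {count} integrations, limit {limit}")
```
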