[DPE-7899] 8.4 - Migrate to TLS v4 (I)

[sinclert-canonical]

This PR migrates the handling of TLS certificates to use version 4 of the tls-certificates interface.

The library used to deal with version 4 of such interface was initially published as a charmlib, but then ported to a pure Python package within the charmlibs repository, to be published and consumed via PyPi. Despite the package current version (1.X.Y), it is shipping version 4 of the interface.

Approach:

The new interface version allow us to simplify the current logic by skipping any certificate expiration event handling. This is now managed by the provider automatically, so the only event we need to handle is CertificateAvailable.

Future work:

1. Enable peer-to-peer encryption by enabling the group replication SSL.
2. Define the necessary logic to parse a manually configured private key for TLS certificates generation.

[sinclert-canonical]

This is required so that the TLS class initialization does not crash when the charm does not has any of the expected relations (database, database-peers, replication, replication-offer). This usually happens at the very early stages of a charm deployment, or during unit tests.

[paulomach]

Should we defer instead. I not sure how cert request behave with a "" SAN

[sinclert-canonical]

I am not entirely sure how to do so: the function does not received any event to defer upon 🤔

Regardless, these host-names will only be used when the group-replication encryption mode is set to VERIFY_IDENTITY (see docs), which we are far from using. The code is here to mimic PostgreSQL way of dealing with certificate generation.

[paulomach]

Good point. I'd say then to not include the empty str in the SAN set.

[sinclert-canonical]

Avoiding the empty string is already managed here, similarly to PostgreSQL implementation (see code).

[astrojuanlu]

What about moving this try...except one level up then? Not a fan of that return ""

[paulomach]

Nice. Couple open questions, minor catches

[paulomach]

Should we defer instead. I not sure how cert request behave with a "" SAN

[sinclert-canonical]

🗞️ PR branch rebased from 8.4/edge. This is ready for review again.

[paulomach]

No blocker from my side! Nice work

[astrojuanlu]

Left a few nits, leaving those to your discretion. Otherwise LGTM!

[astrojuanlu]

Suggested change

	— CA file should have a full chain.
	— Key file should have private key.
	— Certificate file should have certificate without certificate chain.
	- CA file should have a full chain.
	- Key file should have private key.
	- Certificate file should have certificate without certificate chain.

?

[astrojuanlu]

Any problem with retaining the original context for debugging?

Suggested change

	except MySQLTLSSetupError:
	logger.error("Failed to enable TLS configuration.")
	except MySQLTLSSetupError as exc:
	logger.error(f"Failed to enable TLS configuration: {exc}")

[astrojuanlu]

Or even logger.exception to show the full traceback

[astrojuanlu]

Same as above:

Suggested change

	except MySQLTLSSetupError:
	logger.error("Failed to disable TLS configuration.")
	except MySQLTLSSetupError as exc:
	logger.error(f"Failed to disable TLS configuration: {exc}")