[MISC] Don't set tls flag if relation isn't initialised #933

dragomirp · 2025-04-21T13:30:09Z

Issue

Reported on Matrix: https://matrix.to/#/!BukWfnyOTgQSKAxdtT:ubuntu.com/$h83Y4pRMpwZ06KMS0IDc4Y7KZmg85ZAfn6IcGsra3N4?via=ubuntu.com&via=matrix.org&via=laquadrature.net

Setting the TLS flag and CA can violate the data interfaces handshake, by setting them before the client relation is ready:

unit-postgresql-k8s-0: 08:51:37 ERROR unit.postgresql-k8s/0.juju-log database-peers:2: Uncaught exception while in charm code:
Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/src/charm.py", line 2252, in <module>
    main(PostgresqlOperatorCharm, use_juju_for_storage=True)
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/venv/lib/python3.10/site-packages/ops/__init__.py", line 343, in __call__
    return _main.main(charm_class=charm_class, use_juju_for_storage=use_juju_for_storage)
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/venv/lib/python3.10/site-packages/ops/_main.py", line 543, in main
    manager.run()
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/venv/lib/python3.10/site-packages/ops/_main.py", line 529, in run
    self._emit()
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/venv/lib/python3.10/site-packages/ops/_main.py", line 518, in _emit
    _emit_charm_event(self.charm, self.dispatcher.event_name, self._juju_context)
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/venv/lib/python3.10/site-packages/ops/_main.py", line 134, in _emit_charm_event
    event_to_emit.emit(*args, **kwargs)
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/venv/lib/python3.10/site-packages/ops/framework.py", line 347, in emit
    framework._emit(event)
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/venv/lib/python3.10/site-packages/ops/framework.py", line 857, in _emit
    self._reemit(event_path)
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/venv/lib/python3.10/site-packages/ops/framework.py", line 947, in _reemit
    custom_handler(event)
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/lib/charms/tempo_coordinator_k8s/v0/charm_tracing.py", line 1065, in wrapped_function
    return callable(*args, **kwargs)  # type: ignore
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/src/charm.py", line 556, in _on_peer_relation_changed
    self.update_config()
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/lib/charms/tempo_coordinator_k8s/v0/charm_tracing.py", line 1065, in wrapped_function
    return callable(*args, **kwargs)  # type: ignore
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/src/charm.py", line 1905, in update_config
    self._handle_postgresql_restart_need()
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/lib/charms/tempo_coordinator_k8s/v0/charm_tracing.py", line 1065, in wrapped_function
    return callable(*args, **kwargs)  # type: ignore
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/src/charm.py", line 1967, in _handle_postgresql_restart_need
    self.postgresql_client_relation.update_tls_flag("True" if self.is_tls_enabled else "False")
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/lib/charms/tempo_coordinator_k8s/v0/charm_tracing.py", line 1065, in wrapped_function
    return callable(*args, **kwargs)  # type: ignore
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/src/relations/postgresql_provider.py", line 224, in update_tls_flag
    self.database_provides.set_tls(relation.id, tls)
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/lib/charms/data_platform_libs/v0/data_interfaces.py", line 1683, in set_tls
    self.update_relation_data(relation_id, {"tls": tls})
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/lib/charms/data_platform_libs/v0/data_interfaces.py", line 496, in wrapper
    return f(self, *args, **kwargs)
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/lib/charms/data_platform_libs/v0/data_interfaces.py", line 1407, in update_relation_data
    return self._update_relation_data(relation, data)
  File "/var/lib/juju/agents/unit-postgresql-k8s-0/charm/lib/charms/data_platform_libs/v0/data_interfaces.py", line 1632, in _update_relation_data
    raise PrematureDataAccessError(
charms.data_platform_libs.v0.data_interfaces.PrematureDataAccessError: Premature access to relation data, update is forbidden before the connection is initialized.
unit-postgresql-k8s-0: 08:51:37 ERROR juju.worker.uniter.operation hook "database-peers-relation-changed" (via hook dispatching script: dispatch) failed: exit status 1

VM shouldn't be affected, since it has a separate update endpoints function setting this flag.

Solution

Check if database is set in the relation data before setting the tls flag and CA
Disable ignore of errors during early deploy

Checklist

I have added or updated any relevant documentation.
I have cleaned any remaining cloud resources from my accounts.

codecov · 2025-04-21T13:31:22Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.79%. Comparing base (94c25c3) to head (c6adfba).
Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #933      +/-   ##
==========================================
+ Coverage   74.63%   74.79%   +0.16%     
==========================================
  Files          13       13              
  Lines        3737     3738       +1     
  Branches      550      551       +1     
==========================================
+ Hits         2789     2796       +7     
+ Misses        743      737       -6     
  Partials      205      205

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

dragomirp · 2025-04-22T09:44:55Z

src/relations/postgresql_provider.py

+            if self.database_provides.fetch_relation_field(relation.id, "database"):
+                self.database_provides.set_tls(relation.id, tls)
+                self.database_provides.set_tls_ca(relation.id, ca)


Check if the relation is already properly intialised. If not the values should be set by the database_requested hook.

dragomirp · 2025-04-22T09:46:52Z

tests/integration/helpers.py

@@ -108,7 +108,6 @@ async def build_and_deploy(
            apps=[database_app_name],
            status=status,
            raise_on_blocked=True,
-            raise_on_error=False,


We ignored this due to early volume mount errors, but it will also hide other errors during start up.

marceloneppel

Thanks!

* Update charmcraft.yaml build tools (#903) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update canonical/data-platform-workflows action to v31.0.1 (#902) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * [DPE-6344] LDAP IV: Define pebble service (#897) * Update ghcr.io/canonical/charmed-postgresql:14.17-22.04_edge Docker digest to 5f8d51a (#908) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * [DPE-6344] LDAP V: Define mapping option (#900) * Update charmcraft.yaml build tools (#912) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * [DPE-6910] Remove duplicate parameters specification (#896) * Remove duplicate parameters specification Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> * Enable config test Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> * Fix linting Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> --------- Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> * [MISC] Conditional checksum calculation (#901) * Conditional checksum calculation * Converge s3 resource creation * Tactically deployed sleep * Early fail * Update charmcraft.yaml build tools (#916) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Create SECURITY.md (#914) * Update pull_request_template.md (#918) * [MISC] Add missing connection vars (#920) * Update README file's security section (#921) * Add empty lines after headings * Update security section * Update link to make it clear that's not GitHub issues * [DPE-6218] Static code analysis (#915) * Create actionlint.yaml * Create tiobe_scan.yaml * Add push event to trigger the workflow once * Install libpq-dev * Remove push event * Test adding unit venv to PATH * Test sourcing unit venv * Fix sourcing * Test installing dependencies * Activate virtual environment * Add poetry dependency * Fix TICS auth token variable * Move results to the right folder * Delete .github/actionlint.yaml * Install ops * Install dependencies through poetry * Install extra dependencies * Install dependencies from all groups * Remove unnecessary step * Remove permission * Remove push trigger * Add double quotes to environment variables Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> * Add push trigger * Remove push trigger Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> --------- Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> * Update dependency uv to v0.6.14 (#924) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Disable pgaudit (#931) * Lock file maintenance Python dependencies (main) (#904) * Lock file maintenance Python dependencies * Add a separate pyproj for libs --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Dragomir Penev <dragomir.penev@canonical.com> * [DPE-6344] Remove CA transferred check (#932) * [MISC] Don't set tls flag if relation isn't initialised (#933) * Don't set tls flag if relation isn't initialised * Unit test * Update dependency uv to v0.6.16 (#936) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Lock file maintenance Python dependencies (#937) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update ghcr.io/canonical/charmed-postgresql:14.17-22.04_edge Docker digest to 1d771d2 (#935) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Sinclert Pérez <sinclert.perez@canonical.com> Co-authored-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> Co-authored-by: Andreia <andreia.velasco@canonical.com> Co-authored-by: Vladimir Izmalkov <48120135+izmalk@users.noreply.github.com>

* Update charmcraft.yaml build tools (#903) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update canonical/data-platform-workflows action to v31.0.1 (#902) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * [DPE-6344] LDAP IV: Define pebble service (#897) * Update ghcr.io/canonical/charmed-postgresql:14.17-22.04_edge Docker digest to 5f8d51a (#908) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * [DPE-6344] LDAP V: Define mapping option (#900) * Update charmcraft.yaml build tools (#912) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * [DPE-6910] Remove duplicate parameters specification (#896) * Remove duplicate parameters specification Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> * Enable config test Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> * Fix linting Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> --------- Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> * [MISC] Conditional checksum calculation (#901) * Conditional checksum calculation * Converge s3 resource creation * Tactically deployed sleep * Early fail * Update charmcraft.yaml build tools (#916) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Create SECURITY.md (#914) * Update pull_request_template.md (#918) * [MISC] Add missing connection vars (#920) * Update README file's security section (#921) * Add empty lines after headings * Update security section * Update link to make it clear that's not GitHub issues * [DPE-6218] Static code analysis (#915) * Create actionlint.yaml * Create tiobe_scan.yaml * Add push event to trigger the workflow once * Install libpq-dev * Remove push event * Test adding unit venv to PATH * Test sourcing unit venv * Fix sourcing * Test installing dependencies * Activate virtual environment * Add poetry dependency * Fix TICS auth token variable * Move results to the right folder * Delete .github/actionlint.yaml * Install ops * Install dependencies through poetry * Install extra dependencies * Install dependencies from all groups * Remove unnecessary step * Remove permission * Remove push trigger * Add double quotes to environment variables Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> * Add push trigger * Remove push trigger Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> --------- Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> * Update dependency uv to v0.6.14 (#924) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Disable pgaudit (#931) * Lock file maintenance Python dependencies (main) (#904) * Lock file maintenance Python dependencies * Add a separate pyproj for libs --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Dragomir Penev <dragomir.penev@canonical.com> * [DPE-6344] Remove CA transferred check (#932) * [MISC] Don't set tls flag if relation isn't initialised (#933) * Don't set tls flag if relation isn't initialised * Unit test * Update dependency uv to v0.6.16 (#936) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Lock file maintenance Python dependencies (#937) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update ghcr.io/canonical/charmed-postgresql:14.17-22.04_edge Docker digest to 1d771d2 (#935) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * [DPE-6664] Make username mandatory in set-password (#934) * Make username mandatory * Default in get_password * Lock file maintenance Python dependencies (#944) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Mandatory scope (#947) * Lock file maintenance Python dependencies (#949) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update charmcraft.yaml build tools (#948) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * [DPE-6344] Persist transferred certificates upon start (#953) * [MISC] Extend relation-user listing syntax (#957) --------- Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Sinclert Pérez <sinclert.perez@canonical.com> Co-authored-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com> Co-authored-by: Andreia <andreia.velasco@canonical.com> Co-authored-by: Vladimir Izmalkov <48120135+izmalk@users.noreply.github.com>

Don't set tls flag if relation isn't initialised

155d886

dragomirp added the bug Something isn't working as expected label Apr 21, 2025

github-actions bot added the Libraries: OK label Apr 21, 2025

Unit test

c6adfba

dragomirp commented Apr 22, 2025

View reviewed changes

dragomirp marked this pull request as ready for review April 22, 2025 09:47

dragomirp requested review from a team, taurus-forever and marceloneppel and removed request for a team April 22, 2025 09:47

marceloneppel approved these changes Apr 22, 2025

View reviewed changes

taurus-forever approved these changes Apr 22, 2025

View reviewed changes

dragomirp merged commit bebd8b9 into main Apr 22, 2025
103 checks passed

dragomirp deleted the early-set-tls branch April 22, 2025 12:51

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[MISC] Don't set tls flag if relation isn't initialised #933

[MISC] Don't set tls flag if relation isn't initialised #933

Uh oh!

dragomirp commented Apr 21, 2025 •

edited

Loading

Uh oh!

codecov bot commented Apr 21, 2025 •

edited

Loading

Uh oh!

dragomirp Apr 22, 2025

Uh oh!

dragomirp Apr 22, 2025

Uh oh!

marceloneppel left a comment

Uh oh!

Uh oh!

Uh oh!

[MISC] Don't set tls flag if relation isn't initialised #933

[MISC] Don't set tls flag if relation isn't initialised #933

Uh oh!

Conversation

dragomirp commented Apr 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Issue

Solution

Checklist

Uh oh!

codecov bot commented Apr 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

dragomirp Apr 22, 2025

Choose a reason for hiding this comment

Uh oh!

dragomirp Apr 22, 2025

Choose a reason for hiding this comment

Uh oh!

marceloneppel left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

dragomirp commented Apr 21, 2025 •

edited

Loading

codecov bot commented Apr 21, 2025 •

edited

Loading