fix: restart charm and correct secrets

canonical · Dec 6, 2024 · 572648f · 572648f
1 parent 3166acf
commit 572648f
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 16 deletions.
diff --git a/single_kernel_mongo/events/sharding.py b/single_kernel_mongo/events/sharding.py
@@ -41,8 +41,6 @@
 
 logger = logging.getLogger(__name__)
 
-logger = logging.getLogger(__name__)
-
 
 class ConfigServerEventHandler(Object):
     """Event Handler for managing config server side events."""
@@ -110,10 +108,7 @@ def __init__(self, dependent: MongoDBOperator):
             self.charm.on[self.relation_name].relation_created, self._on_relation_created
         )
         self.framework.observe(
-            self.database_require_events.on.database_created, self._on_relation_changed
-        )
-        self.framework.observe(
-            self.charm.on[self.relation_name].relation_changed, self._on_relation_changed
+            self.database_require_events.on.database_created, self._on_database_created
         )
 
         self.framework.observe(
@@ -132,9 +127,9 @@ def __init__(self, dependent: MongoDBOperator):
     def _on_relation_created(self, event: RelationCreatedEvent):
         self.manager.relation_created()
 
-    def _on_relation_changed(self, event: RelationChangedEvent | DatabaseCreatedEvent):
+    def _on_database_created(self, event: DatabaseCreatedEvent):
         try:
-            self.manager.relation_changed(event.relation)
+            self.manager.on_database_created(event.relation)
         except (
             DeferrableFailedHookChecksError,
             WaitingForSecretsError,

diff --git a/single_kernel_mongo/managers/config.py b/single_kernel_mongo/managers/config.py
@@ -100,7 +100,7 @@ def connect(self):
                 self.workload.stop()
                 self.set_environment()
                 # Avoid restart errors on PBM.
-                time.sleep(2)
+                time.sleep(5)
                 self.workload.start()
             except WorkloadServiceError as e:
                 logger.error(f"Failed to restart {self.workload.service}: {e}")

diff --git a/single_kernel_mongo/managers/sharding.py b/single_kernel_mongo/managers/sharding.py
@@ -467,7 +467,7 @@ def relation_created(self):
         self.state.unit_peer_data.drained = False
         self.charm.status_manager.to_maintenance("Adding shard to config-server")
 
-    def relation_changed(self, relation: Relation, leaving: bool = False):
+    def on_database_created(self, relation: Relation, leaving: bool = False):
         """Retrieves secrets from config-server and updates them within the shard."""
         try:
             self.assert_pass_hook_checks(relation=relation, is_leaving=leaving)
@@ -478,7 +478,7 @@ def relation_changed(self, relation: Relation, leaving: bool = False):
         keyfile = self.state.shard_state.keyfile
         tls_ca = self.state.shard_state.internal_ca_secret
 
-        if keyfile is None and tls_ca is None:
+        if keyfile is None:
             logger.info("Waiting for secrets from config-server")
             raise WaitingForSecretsError
 
@@ -517,6 +517,8 @@ def handle_secret_changed(self, secret_label: str | None):
             return
         if not (relation := self.state.shard_relation):
             return
+        if self.data_requirer.fetch_my_relation_field(relation.id, "auth-updated") != "true":
+            return
 
         # many secret changed events occur, only listen to those related to our interface with the
         # config-server
@@ -546,10 +548,9 @@ def relation_broken(self, relation: Relation) -> None:
 
         self.charm.status_manager.to_active("Shard drained from cluster, ready for removal")
 
-    def update_member_auth(self, keyfile: str | None, tls_ca: str | None):
+    def update_member_auth(self, keyfile: str, tls_ca: str | None):
         """Updates the shard to have the same membership auth as the config-server."""
         cluster_auth_tls = tls_ca is not None
-        cluster_auth_keyfile = keyfile is not None
         tls_integrated = self.state.tls_relation is not None
 
         # Edge case: shard has TLS enabled before having connected to the config-server. For TLS in
@@ -560,14 +561,16 @@ def update_member_auth(self, keyfile: str | None, tls_ca: str | None):
             logger.info("Cluster implements internal membership auth via certificates")
             self.dependent.tls_manager.generate_certificate_request(param=None, internal=True)
             self.dependent.tls_manager.generate_certificate_request(param=None, internal=False)
-        elif cluster_auth_keyfile and not cluster_auth_tls and not tls_integrated:
+        else:
             logger.info("Cluster implements internal membership auth via keyFile")
 
         # Copy over keyfile regardless of whether the cluster uses TLS or or KeyFile for internal
         # membership authentication. If TLS is disabled on the cluster this enables the cluster to
         # have the correct cluster KeyFile readily available.
-        if keyfile:
-            self.workload.write(path=self.workload.paths.keyfile, content=keyfile)
+        self.workload.write(path=self.workload.paths.keyfile, content=keyfile)
+        self.dependent.restart_charm_services()
+        if self.charm.unit.is_leader():
+            self.state.app_peer_data.keyfile = keyfile
 
     def sync_cluster_passwords(self, operator_password: str, backup_password: str) -> None:
         """Update shared cluster passwords."""