Merge pull request #13 from canonical/DPE-2980_credentials_rotation

[DPE-2980] credentials rotation

.github/workflows/ci.yaml

@@ -67,6 +67,7 @@ jobs:
       matrix:
         path:
           - .
+          - ./tests/integration/opensearch-operator
     name: Build charm
     uses: canonical/data-platform-workflows/.github/workflows/[email protected]
     with:
@@ -76,7 +77,6 @@ jobs:
   integration-test:
     name: Integration test charm
     needs:
-      - lint
       - unit-test
       - build
     uses: canonical/data-platform-workflows/.github/workflows/[email protected]

src/charm.py

@@ -150,7 +150,7 @@ def _on_secret_changed(self, event: SecretChangedEvent):
         if event.secret.label == self.state.cluster.data_interface._generate_secret_label(
             PEER,
             self.state.cluster.relation.id,
-            None,  # type:ignore noqa
+            'extra',  # type:ignore noqa
         ):  # Changes with the soon upcoming new version of DP-libs STILL within this POC
             logger.info(f"Secret {event.secret.label} changed.")
             self.reconcile(event)

src/core/cluster.py

@@ -17,6 +17,7 @@
 from core.models import SUBSTRATES, ODCluster, ODServer, OpensearchServer
 from literals import (
     DASHBOARD_INDEX,
+    DASHBOARD_ROLE,
     OPENSEARCH_REL_NAME,
     PEER,
     PEER_APP_SECRETS,
@@ -44,7 +45,7 @@ def __init__(self, charm: Framework | Object, substrate: SUBSTRATES):
             self.model,
             relation_name=OPENSEARCH_REL_NAME,
             index=DASHBOARD_INDEX,
-            extra_user_roles="kibanaserver",
+            extra_user_roles=DASHBOARD_ROLE,
         )
 
     # --- RAW RELATION ---

src/events/requirer.py

@@ -32,6 +32,7 @@ def __init__(self, charm):
         self.framework.observe(
             self.charm.on[OPENSEARCH_REL_NAME].relation_changed, self._on_client_relation_changed
         )
+
         self.framework.observe(
             self.charm.on[OPENSEARCH_REL_NAME].relation_broken, self._on_client_relation_broken
         )

src/literals.py

@@ -12,6 +12,7 @@
 PEER = "dashboard_peers"
 OPENSEARCH_REL_NAME = "opensearch_client"
 DASHBOARD_INDEX = ".opensearch-dashboards"
+DASHBOARD_ROLE = "kibana_server"
 CONTAINER = "opensearch-dashboards"
 CHARM_USERS = ["monitor"]
 CERTS_REL_NAME = "certificates"

tests/integration/helpers.py

@@ -442,3 +442,16 @@ def set_opensearch_user_password(
     headers = {"Content-Type": "application/json"}
     response = session.put(url, json=payload, headers=headers, verify=False)
     return response.status_code == 200
+
+
+async def get_leader_name(ops_test: OpsTest, app_name: str = APP_NAME):
+    """Get the leader unit name."""
+    for unit in ops_test.model.applications[app_name].units:
+        if await unit.is_leader_from_status():
+            return unit.name
+
+
+async def get_leader_id(ops_test: OpsTest, app_name: str = APP_NAME) -> str:
+    """Get the leader unit id."""
+    leader_name = await get_leader_name(ops_test, app_name)
+    return leader_name.split("/")[-1]

tests/integration/opensearch-operator/.coveragerc

@@ -0,0 +1,23 @@
+[report]
+exclude_lines =
+    # Skip any pass lines such as may be used for @abstractmethod
+    pass
+
+    # Ignore abstract methods
+    @abstractmethod
+    @abc.abstractmethod
+
+    # Have to re-enable the standard pragma
+    pragma: no cover
+
+    # Don't complain about missing debug-only code:
+    def __repr__
+    if self\.debug
+
+    # Don't complain if tests don't hit defensive assertion code:
+    raise AssertionError
+    raise NotImplementedError
+
+    # Don't complain if non-runnable code isn't run:
+    if 0:
+    if __name__ == .__main__.:

tests/integration/opensearch-operator/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,47 @@
+---
+name: Bug report
+about: File a bug report
+labels: bug
+
+---
+
+<!-- Thank you for submitting a bug report! All fields are required unless marked optional. -->
+
+## Steps to reproduce
+<!-- Please enable debug logging by running `juju model-config logging-config="<root>=INFO;unit=DEBUG"` (if possible) -->
+1. 
+
+## Expected behavior
+
+
+## Actual behavior
+<!-- If applicable, add screenshots -->
+
+
+## Versions
+
+<!-- Run `lsb_release -sd` -->
+Operating system: 
+
+<!-- Run `juju version` -->
+Juju CLI: 
+
+<!-- Model version from `juju status` -->
+Juju agent: 
+
+<!-- App revision from `juju status` or (advanced) commit hash -->
+Charm revision: 
+
+<!-- Run `lxd version` -->
+LXD: 
+
+## Log output
+<!-- Please enable debug logging by running `juju model-config logging-config="<root>=INFO;unit=DEBUG"` (if possible) -->
+<!-- Then, run `juju debug-log --replay > log.txt` and upload "log.txt" file here -->
+Juju debug log: 
+
+<!-- (Optional) Copy the logs that are relevant to the bug & paste inside triple backticks below -->
+
+
+## Additional context
+<!-- (Optional) Add any additional information here -->

tests/integration/opensearch-operator/.github/pull_request_template.md

@@ -0,0 +1,4 @@
+## Issue
+
+
+## Solution

tests/integration/opensearch-operator/.github/workflows/ci.yaml

@@ -0,0 +1,88 @@
+# Copyright 2022 Canonical Ltd.
+# See LICENSE file for licensing details.
+name: Tests
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+  schedule:
+    - cron: '53 0 * * *' # Daily at 00:53 UTC
+  # Triggered on push to branch "main" by .github/workflows/release.yaml
+  workflow_call:
+
+jobs:
+  lint:
+    name: Lint
+    uses: canonical/data-platform-workflows/.github/workflows/[email protected]
+
+  unit-test:
+    name: Unit test charm
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Install tox & poetry
+        run: |
+          pipx install tox
+          pipx install poetry
+      - name: Run tests
+        run: tox run -e unit
+
+
+  lib-check:
+    name: Check libraries
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - run: |
+          # Workaround for https://github.com/canonical/charmcraft/issues/1389#issuecomment-1880921728
+          touch requirements.txt
+      - name: Check libs
+        uses: canonical/charming-actions/[email protected]
+        with:
+          credentials: ${{ secrets.CHARMHUB_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          use-labels: false
+          fail-build: ${{ github.event_name == 'pull_request' }}
+
+  build:
+    name: Build charm
+    strategy:
+      fail-fast: false
+      matrix:
+        path:
+        - .
+        - ./tests/integration/relations/opensearch_provider/application-charm/
+        - ./tests/integration/relations/opensearch_provider/opensearch-dashboards-operator/
+    uses: canonical/data-platform-workflows/.github/workflows/[email protected]
+    with:
+      path-to-charm-directory: ${{ matrix.path }}
+      cache: true
+
+  integration-test:
+    name: Integration test charm
+    needs:
+      - unit-test
+      - build
+    uses: canonical/data-platform-workflows/.github/workflows/[email protected]
+    with:
+      artifact-prefix: packed-charm-cache-true
+      cloud: lxd
+      juju-snap-channel: 3.3/stable
+    secrets:
+      integration-test: |
+        {
+          "AWS_ACCESS_KEY": "${{ secrets.AWS_ACCESS_KEY }}",
+          "AWS_SECRET_KEY": "${{ secrets.AWS_SECRET_KEY }}",
+          "GCP_ACCESS_KEY": "${{ secrets.GCP_ACCESS_KEY }}",
+          "GCP_SECRET_KEY": "${{ secrets.GCP_SECRET_KEY }}",
+          "GCP_SERVICE_ACCOUNT": "${{ secrets.GCP_SERVICE_ACCOUNT }}",
+        }

tests/integration/opensearch-operator/.github/workflows/release.yaml

@@ -0,0 +1,48 @@
+# Copyright 2023 Canonical Ltd.
+# See LICENSE file for licensing details.
+name: Release to latest/edge
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  ci-tests:
+    name: Tests
+    uses: ./.github/workflows/ci.yaml
+    secrets: inherit
+
+  # release-libraries:
+  #   name: Release libraries
+  #   needs:
+  #     - ci-tests
+  #   runs-on: ubuntu-latest
+  #   timeout-minutes: 60
+  #   steps:
+  #     - name: Checkout
+  #       uses: actions/checkout@v3
+  #       with:
+  #         fetch-depth: 0
+  #     - name: Release charm libraries
+  #       uses: canonical/charming-actions/[email protected]
+  #       with:
+  #         credentials: ${{ secrets.CHARMHUB_TOKEN }}
+  #         github-token: ${{ secrets.GITHUB_TOKEN }}
+
+  build:
+    name: Build charm
+    uses: canonical/data-platform-workflows/.github/workflows/[email protected]
+
+  release:
+    name: Release charm
+    needs:
+      - build
+    uses: canonical/data-platform-workflows/.github/workflows/[email protected]
+    with:
+      channel: 2/edge
+      artifact-prefix: ${{ needs.build.outputs.artifact-prefix }}
+    secrets:
+      charmhub-token: ${{ secrets.CHARMHUB_TOKEN }}
+    permissions:
+      contents: write  # Needed to create GitHub release

tests/integration/opensearch-operator/.github/workflows/sync_issue_to_jira.yaml

@@ -0,0 +1,21 @@
+# Copyright 2023 Canonical Ltd.
+# See LICENSE file for licensing details.
+name: Sync issue to Jira
+
+on:
+  issues:
+    types: [opened, reopened, closed]
+
+jobs:
+  sync:
+    name: Sync GitHub issue to Jira
+    uses: canonical/data-platform-workflows/.github/workflows/sync_issue_to_jira.yaml@v2
+    with:
+      jira-base-url: https://warthogs.atlassian.net
+      jira-project-key: DPE
+      jira-component-names: opensearch-vm
+    secrets:
+      jira-api-token: ${{ secrets.JIRA_API_TOKEN }}
+      jira-user-email: ${{ secrets.JIRA_USER_EMAIL }}
+    permissions:
+      issues: write  # Needed to create GitHub issue comment

tests/integration/opensearch-operator/.gitignore

@@ -0,0 +1,18 @@
+venv/
+build/
+*.charm
+.tox/
+.coverage
+__pycache__/
+*.py[cod]
+.idea
+.vscode
+
+*.tar.gz
+*.tar.xz
+cloudinit-userdata.yaml
+/.pytest_cache/
+
+# Moving to Poetry, we do not need this file to be pushed any longer
+/requirements.txt
+/requirements-last-build.txt

tests/integration/opensearch-operator/.jujuignore

@@ -0,0 +1,3 @@
+/venv
+*.py[cod]
+*.charm