Update mysql and s3_helpers charm lib to include secret related fixes (#403)

shayancanonical · web-flow · commit 38ceda6cdb0f · 2024-04-05T11:47:57.000-04:00
diff --git a/lib/charms/mysql/v0/mysql.py b/lib/charms/mysql/v0/mysql.py
@@ -99,6 +99,7 @@ def wait_until_mysql_connection(self) -> None:
     PEER,
     ROOT_PASSWORD_KEY,
     ROOT_USERNAME,
+    SECRET_KEY_FALLBACKS,
     SERVER_CONFIG_PASSWORD_KEY,
     SERVER_CONFIG_USERNAME,
 )
@@ -114,7 +115,7 @@ def wait_until_mysql_connection(self) -> None:
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 56
+LIBPATCH = 57
 
 UNIT_TEARDOWN_LOCKNAME = "unit-teardown"
 UNIT_ADD_LOCKNAME = "unit-add"
@@ -411,8 +412,8 @@ def __init__(self, *args):
             additional_secret_fields=[
                 "key",
                 "csr",
-                "cert",
-                "cauth",
+                "certificate",
+                "certificate-authority",
                 "chain",
             ],
             secret_field_name=SECRET_INTERNAL_LABEL,
@@ -580,6 +581,13 @@ def has_cos_relation(self) -> bool:
 
         return len(active_cos_relations) > 0
 
+    def peer_relation_data(self, scope: Scopes) -> DataPeer:
+        """Returns the peer relation data per scope."""
+        if scope == APP_SCOPE:
+            return self.peer_relation_app
+        elif scope == UNIT_SCOPE:
+            return self.peer_relation_unit
+
     def get_secret(
         self,
         scope: Scopes,
@@ -591,11 +599,15 @@ def get_secret(
         Else retrieve from peer databag. This is to account for cases where secrets are stored in
         peer databag but the charm is then refreshed to a newer revision.
         """
+        if scope not in get_args(Scopes):
+            raise ValueError("Unknown secret scope")
+
         peers = self.model.get_relation(PEER)
-        if scope == APP_SCOPE:
-            value = self.peer_relation_app.fetch_my_relation_field(peers.id, key)
-        else:
-            value = self.peer_relation_unit.fetch_my_relation_field(peers.id, key)
+        if not (value := self.peer_relation_data(scope).fetch_my_relation_field(peers.id, key)):
+            if key in SECRET_KEY_FALLBACKS:
+                value = self.peer_relation_data(scope).fetch_my_relation_field(
+                    peers.id, SECRET_KEY_FALLBACKS[key]
+                )
         return value
 
     def set_secret(self, scope: Scopes, key: str, value: Optional[str]) -> None:
@@ -607,24 +619,30 @@ def set_secret(self, scope: Scopes, key: str, value: Optional[str]) -> None:
             raise MySQLSecretError("Can only set app secrets on the leader unit")
 
         if not value:
-            return self.remove_secret(scope, key)
+            if key in SECRET_KEY_FALLBACKS:
+                self.remove_secret(scope, SECRET_KEY_FALLBACKS[key])
+            self.remove_secret(scope, key)
+            return
 
         peers = self.model.get_relation(PEER)
-        if scope == APP_SCOPE:
-            self.peer_relation_app.update_relation_data(peers.id, {key: value})
-        elif scope == UNIT_SCOPE:
-            self.peer_relation_unit.update_relation_data(peers.id, {key: value})
+
+        fallback_key_to_secret_key = {v: k for k, v in SECRET_KEY_FALLBACKS.items()}
+        if key in fallback_key_to_secret_key:
+            if self.peer_relation_data(scope).fetch_my_relation_field(peers.id, key):
+                self.remove_secret(scope, key)
+            self.peer_relation_data(scope).update_relation_data(
+                peers.id, {fallback_key_to_secret_key[key]: value}
+            )
+        else:
+            self.peer_relation_data(scope).update_relation_data(peers.id, {key: value})
 
     def remove_secret(self, scope: Scopes, key: str) -> None:
         """Removing a secret."""
         if scope not in get_args(Scopes):
             raise RuntimeError("Unknown secret scope.")
 
         peers = self.model.get_relation(PEER)
-        if scope == APP_SCOPE:
-            self.peer_relation_app.delete_relation_data(peers.id, [key])
-        else:
-            self.peer_relation_unit.delete_relation_data(peers.id, [key])
+        self.peer_relation_data(scope).delete_relation_data(peers.id, [key])
 
 
 class MySQLMemberState(str, enum.Enum):
@@ -2617,3 +2635,8 @@ def _run_mysqlcli_script(
             timeout: (optional) time before the query should timeout
         """
         raise NotImplementedError
+
+    @abstractmethod
+    def reset_data_dir(self) -> None:
+        """Reset the data directory."""
+        raise NotImplementedError
diff --git a/lib/charms/mysql/v0/s3_helpers.py b/lib/charms/mysql/v0/s3_helpers.py
@@ -31,7 +31,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 7
+LIBPATCH = 8
 
 # botocore/urllib3 clutter the logs when on debug
 logging.getLogger("botocore").setLevel(logging.WARNING)
@@ -50,17 +50,17 @@ def upload_content_to_s3(content: str, content_path: str, s3_parameters: Dict) -
 
     Returns: a boolean indicating success.
     """
+    ca_file = None
     try:
         logger.info(f"Uploading content to bucket={s3_parameters['bucket']}, path={content_path}")
-        ca_file = tempfile.NamedTemporaryFile()
         session = boto3.session.Session(
             aws_access_key_id=s3_parameters["access-key"],
             aws_secret_access_key=s3_parameters["secret-key"],
             region_name=s3_parameters["region"] or None,
         )
         verif = True
-        ca_chain = s3_parameters.get("tls-ca-chain")
-        if ca_chain:
+        if ca_chain := s3_parameters.get("tls-ca-chain"):
+            ca_file = tempfile.NamedTemporaryFile()
             ca = "\n".join([base64.b64decode(s).decode() for s in ca_chain])
             ca_file.write(ca.encode())
             ca_file.flush()
@@ -86,7 +86,8 @@ def upload_content_to_s3(content: str, content_path: str, s3_parameters: Dict) -
         )
         return False
     finally:
-        ca_file.close()
+        if ca_file:
+            ca_file.close()
 
     return True
 
diff --git a/src/constants.py b/src/constants.py
@@ -49,3 +49,12 @@
 COS_AGENT_RELATION_NAME = "metrics-endpoint"
 LOG_ROTATE_CONFIG_FILE = "/etc/logrotate.d/flush_mysql_logs"
 ROOT_SYSTEM_USER = "root"
+SECRET_KEY_FALLBACKS = {
+    "root-password": "root_password",
+    "server-config-password": "server_config_password",
+    "cluster-admin-password": "cluster_admin_password",
+    "monitoring-password": "monitoring_password",
+    "backups-password": "backups_password",
+    "certificate": "cert",
+    "certificate-authority": "ca",
+}
