feat: Pebble Notices

[kayra1]

Description

This change introduces pebble notices to the GoCert's backend as included in spec TE034. It is enabled in the configuration file. Each update to a CSR's related certificate will create a new pebble notice, which will allow the charm to listen to changes in GoCert and make relevant changes to the charm relations.

The test for this feature is inside of build_rock.yaml. This is both because testing the execution of external commands is difficult without mocking, and to make sure that there is no doubt that pebble is actually receiving the request in a regular rock deployment.

$ docker exec gocert /usr/bin/pebble notices

ID   User    Type           Key  First               Repeated            Occurrences
1    public  change-update  1    today at 07:32 UTC  today at 07:32 UTC  4
2    public  change-update  2    today at 07:32 UTC  today at 07:32 UTC  3

$ <submit CSR through curl>
stdout:

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0     0 --:--:-- --:--:-- --:--:--     0
100  1082  100     1  100  1081    147  155k --:--:-- --:--:-- --:--:--  176k

stderr: 1

$ <submit certificate through curl>

stdout:

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1334  100     1  100  1333     99   129k --:--:-- --:--:-- --:--:--  144k

stderr: 1

$ docker exec gocert /usr/bin/pebble notices

1ID   User    Type           Key                            First               Repeated            Occurrences
1    public  change-update  1                              today at 07:32 UTC  today at 07:32 UTC  4
2    public  change-update  2                              today at 07:32 UTC  today at 07:32 UTC  3
3    0       custom         gocert.com/certificate/create  today at 07:32 UTC  today at 07:32 UTC  1

When the pebble binary is missing or any other error is produced, an error is logged, but if the change was successfully committed to the database, the GoCert application does not roll back the changes and responds to the HTTP request regularly. This is to support deployments outside of the Rock or any custom containers without pebble installed. It's also not preferable for users to go through the effort of uploading a cert, get everything right, then get rejected for something that's out of their control.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that validate the behaviour of the software
• I validated that new and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

[ghislainbourgeois]

2 small nitpicks, otherwise LGTM

[saltiyazan]

When the pebble binary is missing or any other error is produced, an error is logged, but if the change was successfully committed to the database, the GoCert application does not roll back the changes and responds to the HTTP request regularly. This is to support deployments outside of the Rock or any custom containers without pebble installed. It's also not preferable for users to go through the effort of uploading a cert, get everything right, then get rejected for something that's out of their control.

What if there was an error and we couldn't send a pebble notification for this specific certificate to the charm? would the charm still be able to get it later somehow? or will the charm miss that change?

[kayra1]

When the pebble binary is missing or any other error is produced, an error is logged, but if the change was successfully committed to the database, the GoCert application does not roll back the changes and responds to the HTTP request regularly. This is to support deployments outside of the Rock or any custom containers without pebble installed. It's also not preferable for users to go through the effort of uploading a cert, get everything right, then get rejected for something that's out of their control.

What if there was an error and we couldn't send a pebble notification for this specific certificate to the charm? would the charm still be able to get it later somehow? or will the charm miss that change?

Any error that may occur with pebble is simply out of our control, we provide a rock with pebble guaranteed to be installed. So if any error were to occur, the cause would be pebble/charm specific or container image specific.

If you mean intermittent runtime errors, pebble notifications not working would mean pebble is broken. This would break a lot of things with charms, like replans and restarts or any container interactions.

In this case GoCert notices are just as reliable as the infrastructure that supports it, and there's not much we could do about that.

So yes, long story short charms will miss that event.