Add external-load-balancer relation

[HomayoonAlimohammadi]

Overview

This PR adds external-load-balancer relation. This relation enables k8s-operator to utilize external LB sources like Openstack Octavia or Amazon ELB.

The external-load-balancer-port config is also added. This config should be set according to the external LB provider config. Example for Openstack integrator: https://github.com/charmed-kubernetes/charm-openstack-integrator/blob/main/reactive/openstack.py#L245-L254

Please merge me as well #235 (Happy new year!)

[bschimke95]

great work @HomayoonAlimohammadi
Did a first pass with a general question.

[addyess]

Good work down this road... there's still a bit to clean up here

[addyess]

OH dude, i have bad news. You can't use this library b/c that library requires our charm not be able to support multiple series.

cryptography compiles C code specific for the ubuntu base's python. Building on focal, yields code that doesn't run on jammy or noble. The same is true if you build on jammy -- it doesn't run on focal/noble.

my best advice. subprocess out to openssl on the device

[addyess]

Dude, hue this is looking so good. Feel free to be angry with me.
Thanks for your defensive coding practices

[addyess]

so, the CLUSTER_RELATION should ALWAYS be available b/c it's a peer relation. it's required to be there

Would this work?

Suggested change

	binding = self.model.get_binding(CLUSTER_RELATION)
	try:
	addresses = binding and binding.network.ingress_addresses
	if addresses:
	for addr in addresses:
	extra_sans.add(str(addr))
	except ops.RelationNotFoundError as e:
	log.error(f"Failed to get ingress addresses for extra SANs: {e}")
	binding = self.model.get_binding(CLUSTER_RELATION)
	extra_sans |= {str(addr) for addr in binding and binding.network.ingress_addresses or [])

[HomayoonAlimohammadi]

This was because of some unit tests that were expecting this relation but it was not there.

[mateoflorido]

I support Adam's suggestion. You can resolve the unit testing issue by using the Harness and creating the required relations, right?

[addyess]

it doesn't make sense for the worker to need this list -- basically ever. If you wanna protect against it occuring, just do a this near the beginning of the func

if not self.is_control_plane:
    raise ReconcilerError("Intended only for the Control Plane Charm")

[HomayoonAlimohammadi]

Tried removing this but we're calling _assemble_bootstrap_config from a unit test with both a control plane and a worker charm.

[mateoflorido]

We should update the version of this library whenever we introduce new changes. In this case, could you please bump the patch version of the library?

[mateoflorido]

I support Adam's suggestion. You can resolve the unit testing issue by using the Harness and creating the required relations, right?

[mateoflorido]

This calls refresh_certs in a loop, once for each missing SAN. Therefore, the certificates will be refreshed multiple times unnecessarily:

Suggested change

	for san in extra_sans:
	if san not in all_cert_sans:
	log.info(f"{san} not in cert SANs, refreshing certs with new SANs: {extra_sans}")
	status.add(ops.MaintenanceStatus("Refreshing Certificates"))
	self.api_manager.refresh_certs(extra_sans)
	log.info("Certificates have been refreshed")
	missing_sans = [san for san in extra_sans if san not in all_cert_sans]
	if missing_sans:
	log.info("Missing SANs found, refreshing certificates.")
	status.add(ops.MaintenanceStatus("Refreshing Certificates"))
	self.api_manager.refresh_certs(extra_sans)
	log.info("Certificates have been refreshed")

[HomayoonAlimohammadi]

That's a really good catch. Thanks!

[mateoflorido]

F-strings are evaluated even if the log message is not displayed (e.g., log level): https://docs.python.org/3/howto/logging.html#optimization

[HomayoonAlimohammadi]

Nice, TIL! Changing to %s, but TBH I'm not fully convinced that this optimization is actually worth the readability hit.

[addyess]

Looking really really good. Thanks for the switch to openssl.

I'm going to build this charm today and try it out

[addyess]

Finally, it all looks so good. We know it's not 100% tested yet but the impl looks right. Nice job @HomayoonAlimohammadi

[HomayoonAlimohammadi]

Thanks @addyess! I need to add multiple unit and integration tests. Didn't test the Openstack LB integration since you mentioned the issue with the openstack integrator charm (incompatible ops versions), but manually tried changing the extra SANs through charm config and seems like the certs refresh alright.

[github-actions]

Test coverage for 8a4ebbe

coverage-report: install_deps /home/runner/work/k8s-operator/k8s-operator/charms/worker/k8s> /home/runner/.local/share/uv/tools/tox/bin/uv pip install 'coverage[toml]'
coverage-report: commands[0] /home/runner/work/k8s-operator/k8s-operator/charms/worker/k8s> coverage report
Name                                    Stmts   Miss  Cover
-----------------------------------------------------------
lib/charms/k8s/v0/k8sd_api_manager.py     311     29    91%
src/charm.py                              580    307    47%
src/cloud_integration.py                   80      3    96%
src/config/extra_args.py                   31      2    94%
src/containerd.py                         140     22    84%
src/cos_integration.py                     33     12    64%
src/endpoints.py                           40      1    98%
src/events/update_status.py                68     24    65%
src/inspector.py                           41      4    90%
src/kube_control.py                        44     32    27%
src/literals.py                            34      0   100%
src/pki.py                                 33      7    79%
src/protocols.py                           28      5    82%
src/reschedule.py                          77      4    95%
src/snap.py                               193     29    85%
src/token_distributor.py                  181    109    40%
src/upgrade.py                            108     48    56%
-----------------------------------------------------------
TOTAL                                    2022    638    68%
coverage-report: OK (0.31=setup[0.03]+cmd[0.29] seconds)
congratulations :) (0.36 seconds)

Static code analysis report

Run started:2025-01-29 07:56:52.825314

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 4213
  Total lines skipped (#nosec): 3
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):