Suppress oversee users in standby clusters

dragomirp · dragomirp · commit 8e9d9eed50fc · 2024-06-24T22:49:08.000+03:00
diff --git a/actions.yaml b/actions.yaml
@@ -62,3 +62,5 @@ set-tls-private-key:
     private-key:
       type: string
       description: The content of private key for communications with clients. Content will be auto-generated if this option is not specified.
+reenable-oversee-users:
+  description: Reenable purging of managed credentials after a standby cluster is promoted.
diff --git a/src/relations/async_replication.py b/src/relations/async_replication.py
@@ -108,6 +108,9 @@ def __init__(self, charm):
         self.framework.observe(
             self.charm.on.promote_to_primary_action, self._on_promote_to_primary
         )
+        self.framework.observe(
+            self.charm.on.reenable_oversee_users_action, self._on_reenable_oversee_users
+        )
 
         self.framework.observe(self.charm.on.secret_changed, self._on_secret_changed)
 
@@ -193,6 +196,7 @@ def _configure_standby_cluster(self, event: RelationChangedEvent) -> bool:
             filename = f"{POSTGRESQL_DATA_PATH}-{str(datetime.now()).replace(' ', '-').replace(':', '-')}.tar.gz"
             subprocess.check_call(f"tar -zcf {filename} {POSTGRESQL_DATA_PATH}".split())
             logger.warning("Please review the backup file %s and handle its removal", filename)
+        self.charm.app_peer_data["suppress-oversee-users"] = "true"
         return True
 
     def get_all_primary_cluster_endpoints(self) -> List[str]:
@@ -599,6 +603,18 @@ def _on_promote_to_primary(self, event: ActionEvent) -> None:
         # Set the status.
         self.charm.unit.status = MaintenanceStatus("Creating replication...")
 
+    def _on_reenable_oversee_users(self, event: ActionEvent) -> None:
+        """Re-enable oversee users after cluster was promoted."""
+        if not self.charm.unit.is_leader():
+            event.fail("Unit is not leader")
+            return
+
+        if "suppress-oversee-users" not in self.charm.app_peer_data:
+            event.fail("Oversee users is not suppressed")
+            return
+
+        del self.charm.app_peer_data["suppress-oversee-users"]
+
     def _on_secret_changed(self, event: SecretChangedEvent) -> None:
         """Update the internal secret when the relation secret changes."""
         relation = self._relation
diff --git a/src/relations/postgresql_provider.py b/src/relations/postgresql_provider.py
@@ -137,6 +137,10 @@ def oversee_users(self) -> None:
         if not self.charm.unit.is_leader():
             return
 
+        if "suppress-oversee-users" in self.charm.app_peer_data:
+            logger.debug("Oversee users is suppressed by peer data")
+            return
+
         # Retrieve database users.
         try:
             database_users = {
diff --git a/tests/unit/test_async_replication.py b/tests/unit/test_async_replication.py
@@ -0,0 +1,48 @@
+# Copyright 2023 Canonical Ltd.
+# See LICENSE file for licensing details.
+from unittest.mock import Mock
+
+import pytest
+from ops.testing import Harness
+
+from charm import PostgresqlOperatorCharm
+
+
+@pytest.fixture(autouse=True)
+def harness():
+    """Set up the test."""
+    harness = Harness(PostgresqlOperatorCharm)
+    harness.begin()
+    upgrade_relation_id = harness.add_relation("upgrade", "postgresql")
+    peer_relation_id = harness.add_relation("database-peers", "postgresql")
+    for rel_id in (upgrade_relation_id, peer_relation_id):
+        harness.add_relation_unit(rel_id, "postgresql/1")
+    with harness.hooks_disabled():
+        harness.update_relation_data(upgrade_relation_id, "postgresql/1", {"state": "idle"})
+    yield harness
+    harness.cleanup()
+
+
+def test_on_reenable_oversee_users(harness):
+    # Fail if unit is not leader
+    event = Mock()
+
+    harness.charm.async_replication._on_reenable_oversee_users(event)
+
+    event.fail.assert_called_once_with("Unit is not leader")
+    event.fail.reset_mock()
+
+    # Fail if peer data is not set
+    with harness.hooks_disabled():
+        harness.set_leader()
+
+    harness.charm.async_replication._on_reenable_oversee_users(event)
+
+    event.fail.assert_called_once_with("Oversee users is not suppressed")
+    event.fail.reset_mock()
+
+    with harness.hooks_disabled():
+        harness.charm._peers.data[harness.charm.app].update({"suppress-oversee-users": "true"})
+
+        harness.charm.async_replication._on_reenable_oversee_users(event)
+        assert harness.charm._peers.data[harness.charm.app] == {}
