From cc66f78d0140d64943ce7ff3a1e2ce0fa8553631 Mon Sep 17 00:00:00 2001
From: Conrad Ludgate
Date: Wed, 30 Jul 2025 14:19:55 +0100
Subject: [PATCH] update readme
---
 compute_tools/README.md | 3 +++
 test_runner/fixtures/neon_fixtures.py | 6 +++---
 test_runner/regress/test_ssl.py | 18 +++++++++---------
 3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/compute_tools/README.md b/compute_tools/README.md
index e92e5920b9..0a5c008a92 100644
--- a/compute_tools/README.md
+++ b/compute_tools/README.md
@@ -57,6 +57,9 @@ stateDiagram-v2
 RefreshConfigurationPending --> RefreshConfiguration: Received compute spec and started configuration
 RefreshConfiguration --> Running : Compute has been re-configured
 RefreshConfiguration --> RefreshConfigurationPending : Configuration failed and to be retried
+ Running --> Reloading : Local changes (TLS certificate renewal) were detected and postgres is being reloaded
+ Reloading --> Running : Postgres was reloaded
+ Reloading --> Failed : Failed to reload postgres
 TerminationPendingFast --> Terminated compute with 30s delay for cplane to inspect status
 TerminationPendingImmediate --> Terminated : Terminated compute immediately
 Failed --> RefreshConfigurationPending : Received a /refresh_configuration request
diff --git a/test_runner/fixtures/neon_fixtures.py b/test_runner/fixtures/neon_fixtures.py
index 233d6c3ab2..e4591a4dbe 100644
--- a/test_runner/fixtures/neon_fixtures.py
+++ b/test_runner/fixtures/neon_fixtures.py
@@ -1947,7 +1947,7 @@ class NeonStorageController(MetricsGetter, LogUtils):
 self.auth_enabled = auth_enabled
 self.allowed_errors: list[str] = DEFAULT_STORAGE_CONTROLLER_ALLOWED_ERRORS
 self.logfile = self.env.repo_dir / "storage_controller_1" / "storage_controller.log"
- self.ssl_ca_file = env.ssl_ca_file
+ self.tls_ca_file = env.tls_ca_file
 def start(
 self,
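Review bot: `env.tls_ca_file` is read on the added line in `NeonStorageController.__init__`, but nothing in this patch defines that attribute on the env object. The diffstat shows only six changed lines in neon_fixtures.py, all inside NeonStorageController, so the env-side rename presumably lands in another commit. If the env object still exposes the CA path as `ssl_ca_file`, this line and every `verify=str(env.tls_ca_file)` and `sslrootcert=env.tls_ca_file` call in the test_ssl.py hunks raise AttributeError before any certificate check runs. A repo-wide search for `ssl_ca_file` would confirm that no reader of the old name is left, including external users of `storage_controller.ssl_ca_file`. `__init__` starts outside the hunk and `start` continues past it.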
@@ -2020,8 +2020,8 @@ class NeonStorageController(MetricsGetter, LogUtils):
 return PageserverHttpClient(self.port, lambda: True, auth_token, *args, **kwargs)
 def request(self, method, *args, **kwargs) -> requests.Response:
- if self.ssl_ca_file is not None:
- kwargs["verify"] = self.ssl_ca_file
+ if self.tls_ca_file is not None:
+ kwargs["verify"] = self.tls_ca_file
 resp = requests.request(method, *args, **kwargs)
 NeonStorageController.raise_api_exception(resp)
diff --git a/test_runner/regress/test_ssl.py b/test_runner/regress/test_ssl.py
index cda35f45b0..ae6f79e3b5 100644
--- a/test_runner/regress/test_ssl.py
+++ b/test_runner/regress/test_ssl.py
@@ -19,7 +19,7 @@ def test_pageserver_https_api(neon_env_builder: NeonEnvBuilder):
 env = neon_env_builder.init_start()
 addr = f"https://localhost:{env.pageserver.service_port.https}/v1/status"
- requests.get(addr, verify=str(env.ssl_ca_file)).raise_for_status()
+ requests.get(addr, verify=str(env.tls_ca_file)).raise_for_status()
 def test_safekeeper_https_api(neon_env_builder: NeonEnvBuilder):
@@ -37,7 +37,7 @@ def test_safekeeper_https_api(neon_env_builder: NeonEnvBuilder):
 # 1. Make simple https request.
 addr = f"https://localhost:{sk.port.https}/v1/status"
- requests.get(addr, verify=str(env.ssl_ca_file)).raise_for_status()
+ requests.get(addr, verify=str(env.tls_ca_file)).raise_for_status()
 # Note: http_port is intentionally wrong.
 # Storcon should not use it if use_https is on.
@@ -83,7 +83,7 @@ def test_storage_controller_https_api(neon_env_builder: NeonEnvBuilder):
 env = neon_env_builder.init_start()
 addr = f"https://localhost:{env.storage_controller.port}/status"
- requests.get(addr, verify=str(env.ssl_ca_file)).raise_for_status()
+ requests.get(addr, verify=str(env.tls_ca_file)).raise_for_status()
 def test_certificate_rotation(neon_env_builder: NeonEnvBuilder):
@@ -111,7 +111,7 @@ def test_certificate_rotation(neon_env_builder: NeonEnvBuilder):
 # 1. Check if https works.
 addr = f"https://localhost:{port}/v1/status"
- requests.get(addr, verify=str(env.ssl_ca_file)).raise_for_status()
+ requests.get(addr, verify=str(env.tls_ca_file)).raise_for_status()
 ps_cert_path = env.pageserver.workdir / "server.crt"
 ps_key_path = env.pageserver.workdir / "server.key"
@@ -136,7 +136,7 @@ def test_certificate_rotation(neon_env_builder: NeonEnvBuilder):
 wait_until(error_reloading_cert)
 # 4. Check that it uses old cert.
- requests.get(addr, verify=str(env.ssl_ca_file)).raise_for_status()
+ requests.get(addr, verify=str(env.tls_ca_file)).raise_for_status()
 cur_cert = ssl.get_server_certificate(("localhost", port))
 assert cur_cert == ps_cert
@@ -150,7 +150,7 @@ def test_certificate_rotation(neon_env_builder: NeonEnvBuilder):
 wait_until(cert_reloaded)
 # 6. Check that server returns new cert.
- requests.get(addr, verify=str(env.ssl_ca_file)).raise_for_status()
+ requests.get(addr, verify=str(env.tls_ca_file)).raise_for_status()
 cur_cert = ssl.get_server_certificate(("localhost", port))
 assert cur_cert == sk_cert
@@ -174,7 +174,7 @@ def test_server_and_cert_metrics(neon_env_builder: NeonEnvBuilder):
 )
 addr = f"https://localhost:{env.pageserver.service_port.https}/v1/status"
- requests.get(addr, verify=str(env.ssl_ca_file)).raise_for_status()
+ requests.get(addr, verify=str(env.tls_ca_file)).raise_for_status()
 new_https_conn_count = (
 ps_client.get_metric_value("http_server_connection_started_total", filter_https) or 0
@@ -227,7 +227,7 @@ def test_storage_broker_https_api(neon_env_builder: NeonEnvBuilder):
 # 1. Simple check that HTTPS is enabled and works.
 url = env.broker.client_url() + "/status"
 assert url.startswith("https://")
- requests.get(url, verify=str(env.ssl_ca_file)).raise_for_status()
+ requests.get(url, verify=str(env.tls_ca_file)).raise_for_status()
 # 2. Simple workload to check that SK -> broker -> PS communication works over HTTPS.
 workload = Workload(env, env.initial_tenant, env.initial_timeline)
@@ -248,6 +248,6 @@ def test_compute_tls(
 res = endpoint.safe_psql(
 "select ssl from pg_stat_ssl where pid = pg_backend_pid();",
 sslmode="verify-full",
- sslrootcert=env.ssl_ca_file,
+ sslrootcert=env.tls_ca_file,
 )
 assert res == [(True,)]