Fixes publishing HTTP and gRPC endpoints

Gmerold · Gmerold · commit 6bdad37ddc11 · 2025-09-11T10:19:58.000+02:00
Signed-off-by: Bartlomiej Gmerek &lt;bartlomiej.gmerek@canonical.com&gt;
diff --git a/backend/src/charm.py b/backend/src/charm.py
@@ -168,8 +168,7 @@ def _tls_config(self) -> Optional[TLSConfig]:
     @property
     def _http_api_endpoint(self):
         """Internal (i.e. not ingressed) url."""
-        # TODO: add support for HTTPS once https://github.com/canonical/litmus-operators/issues/23 is fixed
-        return f"http://{get_app_hostname(self.app.name, self.model.name)}:{self.litmus_backend.http_port}"
+        return f"{self._http_api_protocol}://{get_app_hostname(self.app.name, self.model.name)}:{self._http_api_port}"
 
     @property
     def _certificate_request_attributes(self) -> CertificateRequestAttributes:
@@ -193,13 +192,32 @@ def _reconcile(self):
             self._auth.publish_endpoint(
                 Endpoint(
                     grpc_server_host=get_app_hostname(self.app.name, self.model.name),
-                    grpc_server_port=LitmusBackend.grpc_port,
-                    # TODO: check if TLS is enabled once https://github.com/canonical/litmus-operators/issues/23 is fixed
-                    insecure=True,
+                    grpc_server_port=self._grpc_port,
+                    insecure=False if self._tls_config else True,
                 )
             )
             self._send_http_api.publish_endpoint(self._http_api_endpoint)
 
+    @property
+    def _http_api_protocol(self):
+        return "https" if self._tls_config else "http"
+
+    @property
+    def _http_api_port(self):
+        return (
+            self.litmus_backend.https_port
+            if self._tls_config
+            else self.litmus_backend.http_port
+        )
+
+    @property
+    def _grpc_port(self):
+        return (
+            self.litmus_backend.grpc_tls_port
+            if self._tls_config
+            else self.litmus_backend.grpc_port
+        )
+
 
 if __name__ == "__main__":  # pragma: nocover
     from ops import main
diff --git a/backend/tests/unit/test_litmus_auth_integration.py b/backend/tests/unit/test_litmus_auth_integration.py
@@ -66,7 +66,9 @@ def test_get_auth_grpc_endpoint(
         ),
     ),
 )
-def test_publish_endpoint(ctx, auth_relation, backend_container, leader, expected):
+def test_publish_endpoint_without_tls(
+    ctx, auth_relation, backend_container, leader, expected
+):
     # GIVEN an auth integration
     auth_relation = dataclasses.replace(auth_relation)
 
@@ -84,3 +86,49 @@ def test_publish_endpoint(ctx, auth_relation, backend_container, leader, expecte
     # THEN the leader unit will publish it's grpc server endpoint
     relation_out = state_out.get_relation(auth_relation.id)
     assert relation_out.local_app_data == expected
+
+
+@pytest.mark.parametrize(
+    "leader, expected",
+    (
+        (False, {}),
+        (
+            True,
+            {
+                "grpc_server_host": json.dumps(
+                    "litmus-backend-k8s.test.svc.cluster.local"
+                ),
+                "grpc_server_port": json.dumps(8001),
+                "insecure": json.dumps(False),
+                "version": json.dumps(0),
+            },
+        ),
+    ),
+)
+def test_publish_endpoint_with_tls(
+    ctx,
+    auth_relation,
+    tls_certificates_relation,
+    patch_cert_and_key,
+    backend_container,
+    leader,
+    expected,
+):
+    # GIVEN an auth integration
+    auth_relation = dataclasses.replace(auth_relation)
+    tls_certificates_relation = dataclasses.replace(tls_certificates_relation)
+
+    # WHEN a relation_changed event fires
+    state_out = ctx.run(
+        state=State(
+            relations={auth_relation, tls_certificates_relation},
+            containers={backend_container},
+            leader=leader,
+            model=Model(name="test"),
+        ),
+        event=ctx.on.relation_changed(auth_relation),
+    )
+
+    # THEN the leader unit will publish it's grpc server endpoint
+    relation_out = state_out.get_relation(auth_relation.id)
+    assert relation_out.local_app_data == expected
diff --git a/backend/tests/unit/test_tls_certificates_integration.py b/backend/tests/unit/test_tls_certificates_integration.py
@@ -62,7 +62,9 @@ def test_tls_certs_removed_from_disk_when_tls_certificates_relation_is_broken(
             f.write("CA certificate")
 
         # WHEN a relation broken event is fired
-        state_out = ctx.run(ctx.on.relation_broken(tls_certificates_relation), state=state)
+        state_out = ctx.run(
+            ctx.on.relation_broken(tls_certificates_relation), state=state
+        )
 
         # THEN TLS certs are removed from the workload container
         backend_container_out = state_out.get_container(backend_container.name)
