Skip to content

feat(otlp): Sigma rules#466

Draft
MichaelThamm wants to merge 69 commits into
mainfrom
feat/sigma-rules
Draft

feat(otlp): Sigma rules#466
MichaelThamm wants to merge 69 commits into
mainfrom
feat/sigma-rules

Conversation

@MichaelThamm

@MichaelThamm MichaelThamm commented May 8, 2026

Copy link
Copy Markdown
Contributor

Issue

We need a Sigma rules feature in the OTLP lib to unblock this PR:

Solution

Builds on this PR:

What

Adds first-class support for Sigma detection rules to the OTLP interface library, alongside the existing PromQL and LogQL rules. Bumps charmlibs-interfaces-otlp to 0.6.0.

RuleStore API (_rules.py)

  • New sigma: SigmaRules field (built from cosl.rules.SigmaRules with the store's topology).
  • New methods: add_sigma(rule_dict) and add_sigma_path(dir_path, *, recursive=False), mirroring the PromQL/LogQL API.
  • combine() now also merges the other store's Sigma rules.
  • inject_extra_labels_into_rules applies user-defined extra_alert_labels to Sigma rules.

Databag (_otlp.py)

  • OtlpRequirer.publish() now writes rules.sigma under the new sigma key.
  • OtlpProvider.rules reads Sigma rules from each requirer and injects topology labels (no expression rewriting — Sigma has no expr).
  • _RulesModel gains a sigma: SigmaRuleFileFormat field (defaults to empty), so existing databags without Sigma validate unchanged.

Tests

  • Added tests/unit/test_rules.py (Sigma add / add_path / combine / topology injection / extra-label cases).
  • conftest.py fixtures publish both a single Sigma rule and a {"rules": [...]} collection through the requirer charm.

Checklist

  • I have added or updated relevant documentation.
  • PR title makes an appropriate release note and follows conventional commits syntax.
  • Merge target is the correct branch, and relevant tandem backport PRs opened.
  • This change warrants a release, so I have updated the project.version field in the pyproject.toml file.

Context

Testing Instructions

Upgrade Notes

MichaelThamm and others added 3 commits May 8, 2026 15:41
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <copilot@github.com>
@MichaelThamm MichaelThamm mentioned this pull request May 8, 2026
5 tasks
dynamic = ["version"]
dependencies = [
# "ops",
"cosl>=1.6.1",

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove when done testing

build-backend = "hatchling.build"

[tool.hatch.metadata]
allow-direct-references = true

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove when done testing

- Separated the package into 2 private modules: _otlp and _rules
- Enable user-defined rule labels

## [0.6.0]

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sure this is the correct version before merging

# limitations under the License.

__version__ = '0.5.0'
__version__ = '0.6.0'

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sure this is the correct version before merging

MichaelThamm and others added 17 commits June 26, 2026 09:55
This PR removes a broken link to a full code sample. The snippets in the
docs are sufficient as-is.
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/releases">urllib3's
releases</a>.</em></p>
<blockquote>
<h2>2.7.0</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Security</h2>
<p>Addressed high-severity security issues. Impact was limited to
specific use cases detailed in the accompanying advisories; overall user
exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been read and decompressed partially. (Reported by <a
href="https://github.com/Cycloctane"><code>@​Cycloctane</code></a>)</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed using the official <a
href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by
<a
href="https://github.com/kimkou2024"><code>@​kimkou2024</code></a>)</li>
</ol>
<p>See GHSA-mf9v-mfxr-j63j for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip sensitive
headers specified in <code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a
href="https://github.com/christos-spearbit"><code>@​christos-spearbit</code></a>)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better visibility of existing
deprecation notices. Rescheduled the removal of deprecated features to
version 3.0. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li>
<li>Removed support for end-of-life Python 3.9. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li>
<li>Removed support for end-of-life PyPy3.10. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed data buffered from previous partial reads. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the response after a partial read when
<code>cache_content=True</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li>
<li>Fixed <code>HTTPResponse.stream()</code> and
<code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>.
(<a
href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li>
<li>Updated <code>_TYPE_BODY</code> type alias to include missing
<code>Iterable[str]</code>, matching the documented and runtime behavior
of chunked request bodies. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li>
<li>Fixed <code>LocationParseError</code> when paths resembling
schemeless URIs were passed to
<code>HTTPConnectionPool.urlopen()</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li>
<li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to
accept <code>memoryview</code> in addition to <code>bytearray</code>,
matching the <code>io.RawIOBase.readinto</code> contract and enabling
use with <code>io.BufferedReader</code> without type errors. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's
changelog</a>.</em></p>
<blockquote>
<h1>2.7.0 (2026-05-07)</h1>
<h2>Security</h2>
<p>Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been
read and decompressed partially.</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed
using the official <code>Brotli
&lt;https://pypi.org/project/brotli/&gt;</code>__ library.</li>
</ol>
<p>See <code>GHSA-mf9v-mfxr-j63j
&lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j&gt;</code>__
for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip
sensitive headers specified in
<code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host.
(<code>GHSA-qccp-gfcp-xxvc
&lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc&gt;</code>__)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better
visibility of existing deprecation notices. Rescheduled the removal of
deprecated features to version 3.0.
(<code>[#3763](urllib3/urllib3#3763)
&lt;https://github.com/urllib3/urllib3/issues/3763&gt;</code>__)</li>
<li>Removed support for end-of-life Python 3.9.
(<code>[#3720](urllib3/urllib3#3720)
&lt;https://github.com/urllib3/urllib3/issues/3720&gt;</code>__)</li>
<li>Removed support for end-of-life PyPy3.10.
(<code>[#4979](urllib3/urllib3#4979)
&lt;https://github.com/urllib3/urllib3/issues/4979&gt;</code>__)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0.
(<code>[#3777](urllib3/urllib3#3777)
&lt;https://github.com/urllib3/urllib3/issues/3777&gt;</code>__)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed
data buffered from previous partial reads.
(<code>[#3636](urllib3/urllib3#3636)
&lt;https://github.com/urllib3/urllib3/issues/3636&gt;</code>__)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the
response after a partial read when <code>cache_content=True</code>.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/urllib3/urllib3/commit/9a950b92d999f906b6020bb2d1076ee56cddd5d2"><code>9a950b9</code></a>
Release 2.7.0</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc"><code>5ec0de4</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/2bdcc44d1e163fb5cc48a8662425e35e15adfe6a"><code>2bdcc44</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/f45b0df09d8620ac6ed0491eb9362c8c87b7bc2c"><code>f45b0df</code></a>
Fix a misleading example for <code>ProxyManager</code> (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/577193ca029872384f82c133449e0935f6d8a64b"><code>577193c</code></a>
Switch to nightly PyPy3.11 in CI for now (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/e90af45bb006c3a452a3a21644a2681523f5c7fc"><code>e90af45</code></a>
Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when
<code>amt=0</code> (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/67ed74fdaec6659a6534621ec8e3aaaa6f976210"><code>67ed74f</code></a>
Bump dev dependencies (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/3abd481097b54d87b574ac7ea593c3f40938a84d"><code>3abd481</code></a>
Upgrade mypy to version 1.20.2 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/2b8725dfcac4f21d4d93cc0cc3a64a33af08f890"><code>2b8725d</code></a>
Drop support for EOL PyPy3.10 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/2944b2a0a6c573f5548a39cfd17196f98ee21b33"><code>2944b2a</code></a>
Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix
warnings (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/canonical/charmlibs/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This PR improves the documentation for the `base_dir` parameter in the
`RollingOpsManager` constructor.

It adds details about how the library uses this directory and guidance
for rootless charms
…ls-certificates (#407)

[//]: # (dependabot-start)
⚠️  **Dependabot is rebasing this PR** ⚠️ 

Rebasing might not happen immediately, so don't worry if this takes some
time.

Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.

---

[//]: # (dependabot-end)

Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5
to 46.0.7.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>46.0.7 - 2026-04-07</p>
<pre><code>
* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could
be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
3.5.6.
<p>.. _v46-0-6:</p>
<p>46.0.6 - 2026-03-25<br />
</code></pre></p>
<ul>
<li><strong>SECURITY ISSUE</strong>: Fixed a bug where name constraints
were not applied
to peer names during verification when the leaf certificate contains a
wildcard DNS SAN. Ordinary X.509 topologies are not affected by this
bug,
including those used by the Web PKI. Credit to <strong>Oleh Konko
(1seal)</strong> for
reporting the issue. <strong>CVE-2026-34073</strong></li>
</ul>
<p>.. _v46-0-5:</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pyca/cryptography/commit/622d672e429a7cff836a23c5903683dbec1901f5"><code>622d672</code></a>
46.0.7 release (<a
href="https://redirect.github.com/pyca/cryptography/issues/14602">#14602</a>)</li>
<li><a
href="https://github.com/pyca/cryptography/commit/91d728897bdad30cd5c79a2b23e207f1f050d587"><code>91d7288</code></a>
Cherry-pick <a
href="https://redirect.github.com/pyca/cryptography/issues/14542">#14542</a>
(<a
href="https://redirect.github.com/pyca/cryptography/issues/14543">#14543</a>)</li>
<li>See full diff in <a
href="https://github.com/pyca/cryptography/compare/46.0.5...46.0.7">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=cryptography&package-manager=uv&previous-version=46.0.5&new-version=46.0.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/canonical/charmlibs/network/alerts).

</details>

> **Note**
> Automatic rebases have been disabled on this pull request as it has
been open for over 30 days.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
We see regular `charmcraft pack` failures in CI, which appear to be due
to `snapd` startup issues when packing from a cold start.

Here's an [example
failure](https://github.com/canonical/charmlibs/actions/runs/25139482207/job/73685763313).
Here's the `charmcraft` issue:
canonical/charmcraft#2515

---

This PR adds a follow-up step to upload the `charmcraft` logs after
running integration tests (whether we succeed or fail -- so long as
either the pack or integration step ran).

In order for the uploaded artifact to have a unique name, it is prefixed
with the name of the package under test. The package name provided as
input to the workflow may contain a slash (e.g.
`interfaces/tls-certificates`), which is invalid for an artifact name.
The cleanest way to get a valid and unique name is to get the
distribution package name via `.scripts/ls.py`.

To avoid having to perform `jq` wizardry to extract the bare name from
the JSON list that `ls.py` would output, I've updated `ls.py` with a
`--no-json` argument (which prints each entry on a separate line instead
-- so the output for a single field is just `<field value>\n`). As a
driveby improvement, I've collapsed the `--name-only` and `--path-only`
arguments into the more general `--output-only <field>`, which
simplifies the handling of the various `--output` arguments and makes
querying any single field possible without needing to add a custom
argument.

---

There's a charmcraft issue tracking what appears to be the same failure
that we see: canonical/charmcraft#2515
In #456 I accidentally used an old version of `actions/upload-artifact`.
This PR bumps it to a more recent version.
This small PR fixes some schema links in interface readmes, requiring
codeowner review to merge:
- `certificate-transfer`, `cos_agent`: links were described as JSON
schema, corrected to Pydantic
- `ldap`, `tls-certificates`: added missing links to existing schema
files
This PR builds on #489 to add a `CONTRIBUTING.md` document specifically
for Pathops, outlining the unique developer-facing concerns of this
library, namely compatibility with Python's `pathlib` across key Python
versions (3.10, 3.12, 3.14), and the functional test suite that
validates the library's behaviour quickly with a local Pebble instance.

---------

Co-authored-by: Dave Wilding <tech@dpw.me>
This PR improves the experience for new users of the repository by
updating the top-level developer-facing documentation.

The repository level `README.md` has been expanded to clearly introduce
the repository concepts (Juju, charms, charm libraries), and provide
entrypoints for contributing to the monorepo, writing libraries more
generally, and for using libraries in charms.

The `CONTRIBUTING.md` includes a clearer introduction and documents
missing parts of the contribution workflow.

Additionally, an `AGENTS.md` file is added to explain the key concepts,
monorepo organisation, developer tooling, commands to run whenever
making changes, and so on.

Resolves #486.

---------

Co-authored-by: Tony Meyer <tony.meyer@gmail.com>
This PR adds a docs page about the upcoming deprecation of the
Charmhub-hosted library machinery. This page will be pointed to from all
`charmcraft` library operations in an upcoming Charmcraft release
(canonical/charmcraft#2691).

Due to the upcoming docs migration, I suggest we stick with the
`ubu.link` approach suggested by Alex. So Charmcraft will show
`https://ubu.link/charmhub-libraries-deprecation`, linking to
`https://documentation.ubuntu.com/charmlibs/explanation/charmhub-libraries-deprecation/`.
When we migrate the docs, we can delete the `ubu.link` and recreate it
pointing to the new location.

---------

Co-authored-by: Dave Wilding <tech@dpw.me>
This PR fixes the custom extension that we use to combine the
individually built package reference docs into the full docs site. It
now correctly includes the right hand side table of contents in the
rendered pages, thanks to our good friend Claude.

Resolves #496
The `charmlibs.pathops` functional tests are failing locally on my
system due to users / groups being managed by NSS. This won't be an
issue in production, as `pathops` is only used to access file info via
Pebble for charms managing K8s workload containers (where Pebble runs as
root rather than as an NSS-managed user), so this PR updates the tests
to pass locally.

Resolves #487.
adhityaravi and others added 21 commits June 26, 2026 10:47
…#533)

A minor update that updates the library path names of all libraries
owned by the service mesh team to match the interface name in
charmcraft.yaml
#538)

In HA deployments, `_upstreams` iterated over a `set[str]` of pod
addresses whose iteration order is non-deterministic. This produced
spurious nginx config diffs on every hook run, triggering unnecessary
nginx reloads even when the actual upstream topology hadn't changed.

## Changes

- **`_config.py`:** Replace `for addr in addresses` with `for addr in
sorted(addresses)` so server entries within each upstream block are
always emitted in stable lexicographic order.
- **`test_config.py`:** Add `test_upstreams_servers_are_sorted` —
directly exercises `_upstreams` with an unordered set of addresses and
asserts the resulting server directives are sorted.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Pietro Pasotti <pietro.pasotti@canonical.com>
This PR updates the project URLs for the `certificate_transfer` and
`tls-certificates` interface libraries to reflect our current practices:
- Documentation link to the package reference docs.
- Deep repository link to the appropriate directory.
- Changelog link to file in repository.
This PR migrates the Charmhub-hosted TLS Certificates interface docs to
this repo.

Some of the docs have been combined into single docs, and some docs
diataxis categories were changed (details below).

I've also excluded docs covering information about specific
Charmhub-hosted library versions (like the v3 -> v4 migration), and
content targeted at charm users rather than charm authors, which doesn't
really fit for library docs.

---

The tutorial was adapted as-is ([preview
build](https://canonical-ubuntu-documentation-library--516.com.readthedocs.build/charmlibs/tutorials/charmlibs/interfaces/tls-certificates/tutorial/)).
- Tutorials: [Getting Started
(v4)](https://charmhub.io/tls-certificates-interface/docs/h-getting-started)

The "Configure certificate requests" how-to adapts content from two docs
([preview
build](https://canonical-ubuntu-documentation-library--516.com.readthedocs.build/charmlibs/how-to/charmlibs/interfaces/tls-certificates/configure-certificate-requests/)):
- Explanation: [Common Name and SANs
Attributes](https://charmhub.io/tls-certificates-interface/docs/h-common-name-and-sans-attributes)
- (For Charm Developers) Reference: [Recommended Configuration
Options](https://charmhub.io/tls-certificates-interface/docs/h-recommended-config-options)

The "Library design" explanation adapts content three docs ([preview
build](https://canonical-ubuntu-documentation-library--516.com.readthedocs.build/charmlibs/explanation/charmlibs/interfaces/tls-certificates/design/)):
- Explanation: [The TLS Certificates
Interface](https://charmhub.io/tls-certificates-interface/docs/h-tls-certificates-interface)
- Explanation: [Automatic Certificate
Renewals](https://charmhub.io/tls-certificates-interface/docs/h-certificate-renewal)
- Explanation:
[Security](https://charmhub.io/tls-certificates-interface/docs/h-security)

The package docstring has an update to point to the new docs, which
renders in the library reference docs ([preview
build](https://canonical-ubuntu-documentation-library--516.com.readthedocs.build/charmlibs/reference/charmlibs/interfaces/tls-certificates/)).
The package readme was also updated to point to the new docs (and the
reference docs).

---

Excluded historical library version info -- but maybe a table or
something would be worth including in the design page in future, updated
for the current versions? Let me know if you'd like to see any of that
in this PR. Otherwise this content can just remain on Charmhub for
historical reference.
- (For Charm Developers) Reference: [Library
versions](https://charmhub.io/tls-certificates-interface/docs/h-library-versions)
- (For Charm Developers) Reference: [Important Change in TLS
Certificates Interface
V4.8](https://charmhub.io/tls-certificates-interface/docs/h-private-key-label-change)
- Explanation: [Technical Differences between v3 and
v4](https://charmhub.io/tls-certificates-interface/docs/h-library-differences-v3-to-v4)

Excluded charm user stuff -- this should probably be hosted somewhere
else though, like the TLS Certificates charm docs perhaps? Or [solution
level
docs](https://discourse.charmhub.io/t/creating-solutions-on-charmhub-io/20503)
for TLS?
- (For Charm Users) Reference: [Secure Internal Communication of a
Charm](https://charmhub.io/tls-certificates-interface/docs/h-securing-internal-communication)
- (For Charm Users) Reference: [Secure Client <-> App
Communication](https://charmhub.io/tls-certificates-interface/docs/h-securing-api-communication)
- (For Charm Users) Reference: [Trust CA certificates of TLS
Providers](https://charmhub.io/tls-certificates-interface/docs/h-ca-trust-best-practices)
## Description

This PR updates the README.md

We no longer need to specify the python version when using just.
Related to:
canonical/opentelemetry-collector-k8s-operator#278.

This PR is based on work by @MichaelThamm in
canonical/cos-coordinated-workers#124.
The referenced PR above was features in
https://github.com/canonical/cos-coordinated-workers **after**
`Nginx_k8s` was featured here in Charmlibs. As a result, this critical
fix was never applied in the Charmlibs distribution of Nginx_k8s. This
PR brings those changes to Charmlibs and makes a moderate change in
logic compared to what was in
canonical/cos-coordinated-workers#124.


Once this PR goes in, we will need to merge this tandem PR:
canonical/cos-coordinated-workers#163.
Afterwards, Mimir, Tempo, and Loki coordinators will need to bump their
CW deps.
Fixes #544 by correcting the CA cert path that TLSConfig checks.

You can test this behaviour by first deploying the same bundle as you
see in the issue. Then:
1. Shelling into Mimir's charm container: `juju ssh mimir/0 bash` 
2. Navigate to the corresponding code in
`/var/lib/juju/agents/unit-mimir-0/charm/venv/lib/python3.14/site-packages/charmlibs/nginx_k8s/_tls_config.py`.
3. Make the change this PR makes on line 34 of the file.
4. Trigger the `nginx` config to be written again: `jhack fire mimir/0
update-status`
5. Now, the Pebble log error in Otelcol (see issue) should go away.
6. Manual testing from Otelcol's workload container should succeed in
hitting Mimir's remote write endpoint: `curl
https://mimir-0.mimir-endpoints.test.svc.cluster.local:443/api/v1/push`
…545)

This PR adds the ability to exclude certain files from triggering all
package tests. For instance, currently anything changed under `.github/`
triggers all tests to run. This makes perfect sense when workflows are
changed, but doesn't really provide any value if PR templates are what's
changing.

The exclusions are a static list of full file paths (from the repository
root) to avoid unintended matches.

This doesn't change `CODEOWNERS`, so the maintainers are still requested
for review as appropriate.
This PR adds PR templates to Charmlibs, using a thin default template
which presents options for more specific types of PRs: migrating an
existing library, adding a new library, and a blank template for
everything else. This can be extended in future if needed, for example
specific teams or libraries might need their own selectable templates.

Resolves #404.

---------

Co-authored-by: Tony Meyer <tony.meyer@gmail.com>
Per the zizmor docs, the `.yaml` file extensions is perfectly acceptable.
Per discussion elsewhere, it's nice to keep these normalized across the
repo and our wider ecosystem, and the `.yaml` file extension is far more
common (`charmcraft.yaml`, `interface.yaml`, `.github/workflows/*.yaml`,
etc).
This PR updates our doc config so that all URLs use
`canonical.com/juju/docs/charmlibs` instead of the backend URL from Read
the Docs. Our docs are still hosted on Read the Docs, but we'll be
proxying them under canonical.com/juju/docs.

**Main changes**

- Updated Charmlibs doc URLs in `.docs/conf.py`.
- Updated hardcoded URLs for Charmlibs, excluding libs that aren't
maintained by Charm Tech.
- Added a script `.docs/.sphinx/_static/overwrite_links.js`, which is
not strictly needed at the moment. This script makes sure that the
version switcher from Read the Docs has correct URLs - but we don't use
the version switcher. I'm including the script because it's a standard
part of the new docs setup at Canonical.

**Extra changes**

- Updated the intersphinx URL and hardcoded URLs for Ops. To account for
[operator#2545](#515)
- Updated the hardcoded URLs for Jubilant. To account for
[jubilant#337](canonical/jubilant#337).
- Updated the hardcoded URLs for Pebble. To account for
[pebble#882](canonical/pebble#882).
Just updating the owners of `nginx_k8s` to the broad O11y team.
We recently moved Charmlibs docs to
https://canonical.com/juju/docs/charmlibs/. The previous URLs redirect
through, but it's best if we use the new destination URLs.

I haven't bumped the package versions - I'll leave that up to the
Service Mesh team.
We recently moved Charmlibs docs to
https://canonical.com/juju/docs/charmlibs/. The previous URLs redirect
through, but it's best if we use the new destination URLs.
I initially defined `functional` actions for all the workshops defined
in this repository. This seemed like a convenient way to wrap up the
need for `sudo` and also the `just python=... functional` justfile
variable syntax for use. With the switch to using a regular option for
the Python version, like `just functional --python=...` I'm not
convinced that the actions provide value. This PR drops the action
definitions and updates the docs accordingly.
We recently moved Charmlibs docs to
https://canonical.com/juju/docs/charmlibs/. The previous URLs redirect
through, but it's best if we use the new destination URLs.

I haven't bumped the package version - I'll leave that up to the
Analytics team.
This PR adds `lib` entries to the interface metadata for some `mlops`
owned interfaces that were missing them.
This PR updates the project URLs for the OTLP library to reflect our
current practices:
- Documentation link to the package reference docs.
- Deep repository link to the appropriate directory.
- Changelog link to file in repository.
This PR updates the project URLs for the `k8s_backup_target` library to
reflect our current practices:
- Documentation link to the package reference docs.
- Deep repository link to the appropriate directory.
- Changelog link to file in repository.
 
Since a release is required to have these changes show up on PyPI, and
the release cadence for this library is low, I've bumped the version and
added a changelog entry. The release only affects metadata, so it's a
'post' release.
This PR adds `lib` entries to the interface metadata for some `data`
owned interfaces that were missing them.
Comment thread .github/workflows/ci.yaml Fixed
labels = rule.get('labels', {})
assert labels.get('juju_model') == MODEL_NAME
assert labels.get('juju_model_uuid') == MODEL_UUID
assert labels.get('juju_application') == 'otlp-provider'

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be 'otlp-requirer`

Comment thread interfaces/otlp/pyproject.toml Outdated
dependencies = [
# "ops",
"cosl>=1.6.1",
"cosl @ git+https://github.com/canonical/cos-lib@feat/sigma-rules-3",

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"cosl @ git+https://github.com/canonical/cos-lib@feat/sigma-rules-3",
"cosl @ git+https://github.com/canonical/cos-lib@feat/sigma-rules-2",

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sure that the docs render well once built, before merging

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.