feat(otlp): Sigma rules#466
Draft
MichaelThamm wants to merge 69 commits into
Draft
Conversation
MichaelThamm
commented
May 8, 2026
| dynamic = ["version"] | ||
| dependencies = [ | ||
| # "ops", | ||
| "cosl>=1.6.1", |
Contributor
Author
There was a problem hiding this comment.
remove when done testing
MichaelThamm
commented
May 8, 2026
| build-backend = "hatchling.build" | ||
|
|
||
| [tool.hatch.metadata] | ||
| allow-direct-references = true |
Contributor
Author
There was a problem hiding this comment.
remove when done testing
MichaelThamm
commented
Jun 25, 2026
| - Separated the package into 2 private modules: _otlp and _rules | ||
| - Enable user-defined rule labels | ||
|
|
||
| ## [0.6.0] |
Contributor
Author
There was a problem hiding this comment.
Make sure this is the correct version before merging
MichaelThamm
commented
Jun 25, 2026
| # limitations under the License. | ||
|
|
||
| __version__ = '0.5.0' | ||
| __version__ = '0.6.0' |
Contributor
Author
There was a problem hiding this comment.
Make sure this is the correct version before merging
This PR replaces the PGP key in `SECURITY.md` to the upstream link https://ubuntu.com/security/disclosure-policy#contact-us. It is a part of canonical/operator#2287.
This PR removes a broken link to a full code sample. The snippets in the docs are sufficient as-is.
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](urllib3/urllib3#3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](urllib3/urllib3#3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](urllib3/urllib3#4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](urllib3/urllib3#3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](urllib3/urllib3#3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/9a950b92d999f906b6020bb2d1076ee56cddd5d2"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="https://github.com/urllib3/urllib3/commit/5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/2bdcc44d1e163fb5cc48a8662425e35e15adfe6a"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/f45b0df09d8620ac6ed0491eb9362c8c87b7bc2c"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/577193ca029872384f82c133449e0935f6d8a64b"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/e90af45bb006c3a452a3a21644a2681523f5c7fc"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/67ed74fdaec6659a6534621ec8e3aaaa6f976210"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/3abd481097b54d87b574ac7ea593c3f40938a84d"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/2b8725dfcac4f21d4d93cc0cc3a64a33af08f890"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/2944b2a0a6c573f5548a39cfd17196f98ee21b33"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/canonical/charmlibs/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This PR improves the documentation for the `base_dir` parameter in the `RollingOpsManager` constructor. It adds details about how the library uses this directory and guidance for rootless charms
…ls-certificates (#407) [//]: # (dependabot-start)⚠️ **Dependabot is rebasing this PR**⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5 to 46.0.7. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's changelog</a>.</em></p> <blockquote> <p>46.0.7 - 2026-04-07</p> <pre><code> * **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be passed to APIs that accept Python buffers, which could lead to buffer overflow. **CVE-2026-39892** * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6. <p>.. _v46-0-6:</p> <p>46.0.6 - 2026-03-25<br /> </code></pre></p> <ul> <li><strong>SECURITY ISSUE</strong>: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to <strong>Oleh Konko (1seal)</strong> for reporting the issue. <strong>CVE-2026-34073</strong></li> </ul> <p>.. _v46-0-5:</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pyca/cryptography/commit/622d672e429a7cff836a23c5903683dbec1901f5"><code>622d672</code></a> 46.0.7 release (<a href="https://redirect.github.com/pyca/cryptography/issues/14602">#14602</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/91d728897bdad30cd5c79a2b23e207f1f050d587"><code>91d7288</code></a> Cherry-pick <a href="https://redirect.github.com/pyca/cryptography/issues/14542">#14542</a> (<a href="https://redirect.github.com/pyca/cryptography/issues/14543">#14543</a>)</li> <li>See full diff in <a href="https://github.com/pyca/cryptography/compare/46.0.5...46.0.7">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/canonical/charmlibs/network/alerts). </details> > **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
We see regular `charmcraft pack` failures in CI, which appear to be due to `snapd` startup issues when packing from a cold start. Here's an [example failure](https://github.com/canonical/charmlibs/actions/runs/25139482207/job/73685763313). Here's the `charmcraft` issue: canonical/charmcraft#2515 --- This PR adds a follow-up step to upload the `charmcraft` logs after running integration tests (whether we succeed or fail -- so long as either the pack or integration step ran). In order for the uploaded artifact to have a unique name, it is prefixed with the name of the package under test. The package name provided as input to the workflow may contain a slash (e.g. `interfaces/tls-certificates`), which is invalid for an artifact name. The cleanest way to get a valid and unique name is to get the distribution package name via `.scripts/ls.py`. To avoid having to perform `jq` wizardry to extract the bare name from the JSON list that `ls.py` would output, I've updated `ls.py` with a `--no-json` argument (which prints each entry on a separate line instead -- so the output for a single field is just `<field value>\n`). As a driveby improvement, I've collapsed the `--name-only` and `--path-only` arguments into the more general `--output-only <field>`, which simplifies the handling of the various `--output` arguments and makes querying any single field possible without needing to add a custom argument. --- There's a charmcraft issue tracking what appears to be the same failure that we see: canonical/charmcraft#2515
In #456 I accidentally used an old version of `actions/upload-artifact`. This PR bumps it to a more recent version.
This small PR fixes some schema links in interface readmes, requiring codeowner review to merge: - `certificate-transfer`, `cos_agent`: links were described as JSON schema, corrected to Pydantic - `ldap`, `tls-certificates`: added missing links to existing schema files
This PR builds on #489 to add a `CONTRIBUTING.md` document specifically for Pathops, outlining the unique developer-facing concerns of this library, namely compatibility with Python's `pathlib` across key Python versions (3.10, 3.12, 3.14), and the functional test suite that validates the library's behaviour quickly with a local Pebble instance. --------- Co-authored-by: Dave Wilding <tech@dpw.me>
This PR improves the experience for new users of the repository by updating the top-level developer-facing documentation. The repository level `README.md` has been expanded to clearly introduce the repository concepts (Juju, charms, charm libraries), and provide entrypoints for contributing to the monorepo, writing libraries more generally, and for using libraries in charms. The `CONTRIBUTING.md` includes a clearer introduction and documents missing parts of the contribution workflow. Additionally, an `AGENTS.md` file is added to explain the key concepts, monorepo organisation, developer tooling, commands to run whenever making changes, and so on. Resolves #486. --------- Co-authored-by: Tony Meyer <tony.meyer@gmail.com>
This PR adds a docs page about the upcoming deprecation of the Charmhub-hosted library machinery. This page will be pointed to from all `charmcraft` library operations in an upcoming Charmcraft release (canonical/charmcraft#2691). Due to the upcoming docs migration, I suggest we stick with the `ubu.link` approach suggested by Alex. So Charmcraft will show `https://ubu.link/charmhub-libraries-deprecation`, linking to `https://documentation.ubuntu.com/charmlibs/explanation/charmhub-libraries-deprecation/`. When we migrate the docs, we can delete the `ubu.link` and recreate it pointing to the new location. --------- Co-authored-by: Dave Wilding <tech@dpw.me>
This PR fixes the custom extension that we use to combine the individually built package reference docs into the full docs site. It now correctly includes the right hand side table of contents in the rendered pages, thanks to our good friend Claude. Resolves #496
The `charmlibs.pathops` functional tests are failing locally on my system due to users / groups being managed by NSS. This won't be an issue in production, as `pathops` is only used to access file info via Pebble for charms managing K8s workload containers (where Pebble runs as root rather than as an NSS-managed user), so this PR updates the tests to pass locally. Resolves #487.
…#533) A minor update that updates the library path names of all libraries owned by the service mesh team to match the interface name in charmcraft.yaml
#538) In HA deployments, `_upstreams` iterated over a `set[str]` of pod addresses whose iteration order is non-deterministic. This produced spurious nginx config diffs on every hook run, triggering unnecessary nginx reloads even when the actual upstream topology hadn't changed. ## Changes - **`_config.py`:** Replace `for addr in addresses` with `for addr in sorted(addresses)` so server entries within each upstream block are always emitted in stable lexicographic order. - **`test_config.py`:** Add `test_upstreams_servers_are_sorted` — directly exercises `_upstreams` with an unordered set of addresses and asserts the resulting server directives are sorted. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Pietro Pasotti <pietro.pasotti@canonical.com>
This PR updates the project URLs for the `certificate_transfer` and `tls-certificates` interface libraries to reflect our current practices: - Documentation link to the package reference docs. - Deep repository link to the appropriate directory. - Changelog link to file in repository.
This PR migrates the Charmhub-hosted TLS Certificates interface docs to this repo. Some of the docs have been combined into single docs, and some docs diataxis categories were changed (details below). I've also excluded docs covering information about specific Charmhub-hosted library versions (like the v3 -> v4 migration), and content targeted at charm users rather than charm authors, which doesn't really fit for library docs. --- The tutorial was adapted as-is ([preview build](https://canonical-ubuntu-documentation-library--516.com.readthedocs.build/charmlibs/tutorials/charmlibs/interfaces/tls-certificates/tutorial/)). - Tutorials: [Getting Started (v4)](https://charmhub.io/tls-certificates-interface/docs/h-getting-started) The "Configure certificate requests" how-to adapts content from two docs ([preview build](https://canonical-ubuntu-documentation-library--516.com.readthedocs.build/charmlibs/how-to/charmlibs/interfaces/tls-certificates/configure-certificate-requests/)): - Explanation: [Common Name and SANs Attributes](https://charmhub.io/tls-certificates-interface/docs/h-common-name-and-sans-attributes) - (For Charm Developers) Reference: [Recommended Configuration Options](https://charmhub.io/tls-certificates-interface/docs/h-recommended-config-options) The "Library design" explanation adapts content three docs ([preview build](https://canonical-ubuntu-documentation-library--516.com.readthedocs.build/charmlibs/explanation/charmlibs/interfaces/tls-certificates/design/)): - Explanation: [The TLS Certificates Interface](https://charmhub.io/tls-certificates-interface/docs/h-tls-certificates-interface) - Explanation: [Automatic Certificate Renewals](https://charmhub.io/tls-certificates-interface/docs/h-certificate-renewal) - Explanation: [Security](https://charmhub.io/tls-certificates-interface/docs/h-security) The package docstring has an update to point to the new docs, which renders in the library reference docs ([preview build](https://canonical-ubuntu-documentation-library--516.com.readthedocs.build/charmlibs/reference/charmlibs/interfaces/tls-certificates/)). The package readme was also updated to point to the new docs (and the reference docs). --- Excluded historical library version info -- but maybe a table or something would be worth including in the design page in future, updated for the current versions? Let me know if you'd like to see any of that in this PR. Otherwise this content can just remain on Charmhub for historical reference. - (For Charm Developers) Reference: [Library versions](https://charmhub.io/tls-certificates-interface/docs/h-library-versions) - (For Charm Developers) Reference: [Important Change in TLS Certificates Interface V4.8](https://charmhub.io/tls-certificates-interface/docs/h-private-key-label-change) - Explanation: [Technical Differences between v3 and v4](https://charmhub.io/tls-certificates-interface/docs/h-library-differences-v3-to-v4) Excluded charm user stuff -- this should probably be hosted somewhere else though, like the TLS Certificates charm docs perhaps? Or [solution level docs](https://discourse.charmhub.io/t/creating-solutions-on-charmhub-io/20503) for TLS? - (For Charm Users) Reference: [Secure Internal Communication of a Charm](https://charmhub.io/tls-certificates-interface/docs/h-securing-internal-communication) - (For Charm Users) Reference: [Secure Client <-> App Communication](https://charmhub.io/tls-certificates-interface/docs/h-securing-api-communication) - (For Charm Users) Reference: [Trust CA certificates of TLS Providers](https://charmhub.io/tls-certificates-interface/docs/h-ca-trust-best-practices)
## Description This PR updates the README.md We no longer need to specify the python version when using just.
Related to: canonical/opentelemetry-collector-k8s-operator#278. This PR is based on work by @MichaelThamm in canonical/cos-coordinated-workers#124. The referenced PR above was features in https://github.com/canonical/cos-coordinated-workers **after** `Nginx_k8s` was featured here in Charmlibs. As a result, this critical fix was never applied in the Charmlibs distribution of Nginx_k8s. This PR brings those changes to Charmlibs and makes a moderate change in logic compared to what was in canonical/cos-coordinated-workers#124. Once this PR goes in, we will need to merge this tandem PR: canonical/cos-coordinated-workers#163. Afterwards, Mimir, Tempo, and Loki coordinators will need to bump their CW deps.
Fixes #544 by correcting the CA cert path that TLSConfig checks. You can test this behaviour by first deploying the same bundle as you see in the issue. Then: 1. Shelling into Mimir's charm container: `juju ssh mimir/0 bash` 2. Navigate to the corresponding code in `/var/lib/juju/agents/unit-mimir-0/charm/venv/lib/python3.14/site-packages/charmlibs/nginx_k8s/_tls_config.py`. 3. Make the change this PR makes on line 34 of the file. 4. Trigger the `nginx` config to be written again: `jhack fire mimir/0 update-status` 5. Now, the Pebble log error in Otelcol (see issue) should go away. 6. Manual testing from Otelcol's workload container should succeed in hitting Mimir's remote write endpoint: `curl https://mimir-0.mimir-endpoints.test.svc.cluster.local:443/api/v1/push`
…545) This PR adds the ability to exclude certain files from triggering all package tests. For instance, currently anything changed under `.github/` triggers all tests to run. This makes perfect sense when workflows are changed, but doesn't really provide any value if PR templates are what's changing. The exclusions are a static list of full file paths (from the repository root) to avoid unintended matches. This doesn't change `CODEOWNERS`, so the maintainers are still requested for review as appropriate.
This PR adds PR templates to Charmlibs, using a thin default template which presents options for more specific types of PRs: migrating an existing library, adding a new library, and a blank template for everything else. This can be extended in future if needed, for example specific teams or libraries might need their own selectable templates. Resolves #404. --------- Co-authored-by: Tony Meyer <tony.meyer@gmail.com>
Per the zizmor docs, the `.yaml` file extensions is perfectly acceptable. Per discussion elsewhere, it's nice to keep these normalized across the repo and our wider ecosystem, and the `.yaml` file extension is far more common (`charmcraft.yaml`, `interface.yaml`, `.github/workflows/*.yaml`, etc).
This PR updates our doc config so that all URLs use `canonical.com/juju/docs/charmlibs` instead of the backend URL from Read the Docs. Our docs are still hosted on Read the Docs, but we'll be proxying them under canonical.com/juju/docs. **Main changes** - Updated Charmlibs doc URLs in `.docs/conf.py`. - Updated hardcoded URLs for Charmlibs, excluding libs that aren't maintained by Charm Tech. - Added a script `.docs/.sphinx/_static/overwrite_links.js`, which is not strictly needed at the moment. This script makes sure that the version switcher from Read the Docs has correct URLs - but we don't use the version switcher. I'm including the script because it's a standard part of the new docs setup at Canonical. **Extra changes** - Updated the intersphinx URL and hardcoded URLs for Ops. To account for [operator#2545](#515) - Updated the hardcoded URLs for Jubilant. To account for [jubilant#337](canonical/jubilant#337). - Updated the hardcoded URLs for Pebble. To account for [pebble#882](canonical/pebble#882).
Just updating the owners of `nginx_k8s` to the broad O11y team.
We recently moved Charmlibs docs to https://canonical.com/juju/docs/charmlibs/. The previous URLs redirect through, but it's best if we use the new destination URLs. I haven't bumped the package versions - I'll leave that up to the Service Mesh team.
We recently moved Charmlibs docs to https://canonical.com/juju/docs/charmlibs/. The previous URLs redirect through, but it's best if we use the new destination URLs.
I initially defined `functional` actions for all the workshops defined in this repository. This seemed like a convenient way to wrap up the need for `sudo` and also the `just python=... functional` justfile variable syntax for use. With the switch to using a regular option for the Python version, like `just functional --python=...` I'm not convinced that the actions provide value. This PR drops the action definitions and updates the docs accordingly.
We recently moved Charmlibs docs to https://canonical.com/juju/docs/charmlibs/. The previous URLs redirect through, but it's best if we use the new destination URLs. I haven't bumped the package version - I'll leave that up to the Analytics team.
This PR adds `lib` entries to the interface metadata for some `mlops` owned interfaces that were missing them.
This PR updates the project URLs for the OTLP library to reflect our current practices: - Documentation link to the package reference docs. - Deep repository link to the appropriate directory. - Changelog link to file in repository.
This PR updates the project URLs for the `k8s_backup_target` library to reflect our current practices: - Documentation link to the package reference docs. - Deep repository link to the appropriate directory. - Changelog link to file in repository. Since a release is required to have these changes show up on PyPI, and the release cadence for this library is low, I've bumped the version and added a changelog entry. The release only affects metadata, so it's a 'post' release.
This PR adds `lib` entries to the interface metadata for some `data` owned interfaces that were missing them.
MichaelThamm
commented
Jun 26, 2026
| labels = rule.get('labels', {}) | ||
| assert labels.get('juju_model') == MODEL_NAME | ||
| assert labels.get('juju_model_uuid') == MODEL_UUID | ||
| assert labels.get('juju_application') == 'otlp-provider' |
Contributor
Author
There was a problem hiding this comment.
should this be 'otlp-requirer`
MichaelThamm
commented
Jun 26, 2026
| dependencies = [ | ||
| # "ops", | ||
| "cosl>=1.6.1", | ||
| "cosl @ git+https://github.com/canonical/cos-lib@feat/sigma-rules-3", |
Contributor
Author
There was a problem hiding this comment.
Suggested change
| "cosl @ git+https://github.com/canonical/cos-lib@feat/sigma-rules-3", | |
| "cosl @ git+https://github.com/canonical/cos-lib@feat/sigma-rules-2", |
MichaelThamm
commented
Jun 26, 2026
Contributor
Author
There was a problem hiding this comment.
Make sure that the docs render well once built, before merging
This was referenced Jun 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue
We need a Sigma rules feature in the OTLP lib to unblock this PR:
Solution
Builds on this PR:
What
Adds first-class support for Sigma detection rules to the OTLP interface library, alongside the existing PromQL and LogQL rules. Bumps
charmlibs-interfaces-otlpto 0.6.0.RuleStoreAPI (_rules.py)sigma: SigmaRulesfield (built fromcosl.rules.SigmaRuleswith the store's topology).add_sigma(rule_dict)andadd_sigma_path(dir_path, *, recursive=False), mirroring the PromQL/LogQL API.combine()now also merges the other store's Sigma rules.inject_extra_labels_into_rulesapplies user-definedextra_alert_labelsto Sigma rules.Databag (_otlp.py)
OtlpRequirer.publish()now writesrules.sigmaunder the newsigmakey.OtlpProvider.rulesreads Sigma rules from each requirer and injects topology labels (no expression rewriting — Sigma has noexpr)._RulesModelgains asigma: SigmaRuleFileFormatfield (defaults to empty), so existing databags without Sigma validate unchanged.Tests
tests/unit/test_rules.py(Sigmaadd/add_path/combine/ topology injection / extra-label cases).{"rules": [...]}collection through the requirer charm.Checklist
project.versionfield in thepyproject.tomlfile.Context
Testing Instructions
Upgrade Notes