[WIP] Switch to requireTLS
dmitry-ratushnyy committed Feb 29, 2024
1 parent 327458c commit 58ee3c3
Showing 3 changed files with 16 additions and 7 deletions.
4 changes: 3 additions & 1 deletion lib/charms/mongodb/v0/mongodb.py
Expand Up @@ -74,7 +74,7 @@ def uri(self):
return (
f"mongodb://{quote_plus(self.username)}:"
f"{quote_plus(self.password)}@"
f"localhost:{Config.MONGODB_PORT}/?authSource=admin"
f"{hosts[0]}:{Config.MONGODB_PORT}/?authSource=admin"
)

return (
Expand Down Expand Up @@ -131,6 +131,8 @@ def __init__(self, config: MongoDBConfiguration, uri=None, direct=False):
connect=False,
serverSelectionTimeoutMS=1000,
connectTimeoutMS=2000,
tlsCAFile="/var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt" if config.tls_external else None,
tlsAllowInvalidCertificates=True,
)
return

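Review bot: `tlsAllowInvalidCertificates=True` on the new kwarg line disables verification of the server certificate on the client side, so the `tlsCAFile` added just above it gives no assurance about which mongod the charm is actually talking to, and it is passed unconditionally rather than gated on `config.tls_external` like the CA file. Passing a `tls*` kwarg when `tls_external` is off also looks risky: pymongo can treat TLS-related options as implicitly enabling TLS when `tls` itself is unset, which would break units that still run plaintext — worth confirming against the pymongo version the charm pins. The CA path is hard-coded to the snap location while helpers.py derives the same file from `full_conf_dir` and `TLS_EXT_CA_FILE`; reusing those constants keeps client and server reading the same file. Building the TLS kwargs only when external TLS is on, and marking the relaxation as temporary in the same way helpers.py does, would address both points; `__init__` starts and ends outside the hunk, so the constructor call below is shown only from the hunk's first context line.
```python
tls_kwargs = {}
if config.tls_external:
    tls_kwargs = {
        "tlsCAFile": "/var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt",
        # TODO(review): drop once the external CA chain validates cleanly;
        # until then the server certificate is not actually verified.
        "tlsAllowInvalidCertificates": True,
    }
# … unchanged: client construction with uri, connect=False and the timeout kwargs …
    connectTimeoutMS=2000,
    **tls_kwargs,
)
return
```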
7 changes: 4 additions & 3 deletions lib/charms/mongodb/v1/helpers.py
Expand Up @@ -175,18 +175,19 @@ def get_mongod_args(
[
f"--tlsCAFile={full_conf_dir}/{TLS_EXT_CA_FILE}",
f"--tlsCertificateKeyFile={full_conf_dir}/{TLS_EXT_PEM_FILE}",
# allow non-TLS connections
"--tlsMode=preferTLS",
"--tlsMode=requireTLS",
"--tlsAllowConnectionsWithoutCertificates",
"--tlsDisabledProtocols=TLS1_0,TLS1_1",
]
)


# internal TLS can be enabled only in external is enabled
if config.tls_internal and config.tls_external:
cmd.extend(
[
"--clusterAuthMode=x509",
"--tlsAllowInvalidCertificates",
"--tlsAllowInvalidCertificates", #TODO remove this
f"--tlsClusterCAFile={full_conf_dir}/{TLS_INT_CA_FILE}",
f"--tlsClusterFile={full_conf_dir}/{TLS_INT_PEM_FILE}",
]
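Review bot: The comment `# allow non-TLS connections` directly above `"--tlsMode=requireTLS"` is now wrong — requireTLS is exactly the mode that rejects plaintext clients — and the next reader will trust the comment over the flag; replace it with `# require TLS on every client connection; clients may still connect without presenting a certificate`. In the second block, `"--tlsAllowInvalidCertificates"` next to `--clusterAuthMode=x509` means member certificates are accepted without chaining to `TLS_INT_CA_FILE`, so the inline `#TODO remove this` should say what has to be true before it can go, e.g. `# TODO(owner): remove --tlsAllowInvalidCertificates once member certs chain to the internal CA`, and per PEP 8 wants two spaces before `#` and one after. `get_mongod_args` begins before the hunk, so the surrounding `cmd.extend` calls are only partly visible here.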
12 changes: 9 additions & 3 deletions src/charm.py
Expand Up @@ -216,6 +216,12 @@ def mongodb_config(self) -> MongoDBConfiguration:
"""Generates a MongoDBConfiguration object for this deployment of MongoDB."""
return self._get_mongodb_config_for_user(OperatorUser, set(self._unit_ips))

@property
def local_mongodb_config(self) -> MongoDBConfiguration:
"""Generates a MongoDBConfiguration object for local unit"""
self_ip = self._unit_ip(self.unit)
return self._get_mongodb_config_for_user(OperatorUser, {self_ip})

@property
def monitor_config(self) -> MongoDBConfiguration:
"""Generates a MongoDBConfiguration object for monitoring."""
Expand Down Expand Up @@ -380,10 +386,10 @@ def _on_start(self, event: StartEvent) -> None:
return

# check if this unit's deployment of MongoDB is ready
with MongoDBConnection(self.mongodb_config, "localhost", direct=True) as direct_mongo:
with MongoDBConnection(self.local_mongodb_config, self._unit_ip(self.unit), direct=True) as direct_mongo:
if not direct_mongo.is_ready:
logger.debug("mongodb service is not ready yet.")
self.unit.status = WaitingStatus("waiting for MongoDB to start")
self.unit.status = WaitingStatus("Waiting for MongoDB to start")
event.defer()
return

Expand Down Expand Up @@ -543,7 +549,7 @@ def _on_update_status(self, event: UpdateStatusEvent):
return

# Cannot check more advanced MongoDB statuses if mongod hasn't started.
with MongoDBConnection(self.mongodb_config, "localhost", direct=True) as direct_mongo:
with MongoDBConnection(self.local_mongodb_config, self._unit_ip(self.unit), direct=True) as direct_mongo:
if not direct_mongo.is_ready:
self.unit.status = WaitingStatus("Waiting for MongoDB to start")
return
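Review bot: `local_mongodb_config` resolves `self._unit_ip(self.unit)` inside the property, and both call sites in `_on_start` and `_on_update_status` resolve it a second time to pass as the host argument, so the unit IP is looked up twice per connection and the two lookups can in principle disagree; binding it once at the call site, `unit_ip = self._unit_ip(self.unit)` followed by `with MongoDBConnection(self.local_mongodb_config, unit_ip, direct=True) as direct_mongo:`, at least makes the duplication visible, and having the property expose the host it used would remove it. The new docstring also lacks the trailing period its siblings `mongodb_config` and `monitor_config` have: `"""Generates a MongoDBConfiguration object for the local unit."""`. Since these readiness probes now connect to the unit IP instead of `localhost`, the server certificate presumably needs that IP in its SAN once client-side verification is enforced — worth confirming against how the external certificate is issued. Both `_on_start` and `_on_update_status` start before their hunks.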
