From 58ee3c3a9c0ab41fc1592f74e13031fb8169ba19 Mon Sep 17 00:00:00 2001
From: Dmitry Ratushnyy
Date: Thu, 29 Feb 2024 15:02:46 +0000
Subject: [PATCH] [WIP] Switch to requireTLS
---
 lib/charms/mongodb/v0/mongodb.py | 4 +++-
 lib/charms/mongodb/v1/helpers.py | 7 ++++---
 src/charm.py | 12 +++++++++---
 3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/lib/charms/mongodb/v0/mongodb.py b/lib/charms/mongodb/v0/mongodb.py
index f482f7eec..5c62de9e8 100644
--- a/lib/charms/mongodb/v0/mongodb.py
+++ b/lib/charms/mongodb/v0/mongodb.py
@@ -74,7 +74,7 @@ def uri(self):
 return (
 f"mongodb://{quote_plus(self.username)}:"
 f"{quote_plus(self.password)}@"
- f"localhost:{Config.MONGODB_PORT}/?authSource=admin"
+ f"{hosts[0]}:{Config.MONGODB_PORT}/?authSource=admin"
 )
 return (
@@ -131,6 +131,8 @@ def __init__(self, config: MongoDBConfiguration, uri=None, direct=False):
 connect=False,
 serverSelectionTimeoutMS=1000,
 connectTimeoutMS=2000,
+ tlsCAFile="/var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt" if config.tls_external else None,
+ tlsAllowInvalidCertificates=True,
 )
 return
diff --git a/lib/charms/mongodb/v1/helpers.py b/lib/charms/mongodb/v1/helpers.py
index 9038198d1..576ef2d48 100644
--- a/lib/charms/mongodb/v1/helpers.py
+++ b/lib/charms/mongodb/v1/helpers.py
@@ -175,18 +175,19 @@ def get_mongod_args(
 [
 f"--tlsCAFile={full_conf_dir}/{TLS_EXT_CA_FILE}",
 f"--tlsCertificateKeyFile={full_conf_dir}/{TLS_EXT_PEM_FILE}",
- # allow non-TLS connections
- "--tlsMode=preferTLS",
+ "--tlsMode=requireTLS",
+ "--tlsAllowConnectionsWithoutCertificates",
 "--tlsDisabledProtocols=TLS1_0,TLS1_1",
 ]
 )
+ # internal TLS can be enabled only in external is enabled
 if config.tls_internal and config.tls_external:
 cmd.extend(
 [
 "--clusterAuthMode=x509",
- "--tlsAllowInvalidCertificates",
+ "--tlsAllowInvalidCertificates", #TODO remove this
 f"--tlsClusterCAFile={full_conf_dir}/{TLS_INT_CA_FILE}",
 f"--tlsClusterFile={full_conf_dir}/{TLS_INT_PEM_FILE}",
 ]
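Review bot: `hosts[0]` on the added line of the `uri` hunk indexes a name bound above the hunk, and the property's body starts outside it, so I cannot see whether `hosts` is a list or the configuration's `hosts` set (charm.py now builds that set as `{self_ip}`). If it is the set, indexing raises `TypeError` at the first connection attempt; `next(iter(hosts))`, or building an explicitly sorted list before this line, would be safe for either type. Worth confirming against the lines above the hunk before this lands.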
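Review bot: `tlsAllowInvalidCertificates=True` on the second added line of the `__init__` hunk is unconditional and disables server-certificate verification for every client the charm opens, so the move to requireTLS on the server gives these connections encryption but not server authentication — any certificate presented by the peer is accepted. The CA is already supplied on the line above via `tlsCAFile`, which is all verification needs; drop the line, or if it must stay while this is WIP, gate it on the configuration and add a comment naming the exact failure it works around. Two smaller points: the CA path is hard-coded here while helpers.py derives the same file from `full_conf_dir`/`TLS_EXT_CA_FILE`, and as far as I recall pymongo treats any `tls*` keyword as enabling TLS, so passing this option when `config.tls_external` is False may make the client attempt TLS against a non-TLS mongod — worth checking, e.g. with an explicit `tls=config.tls_external`. The constructor continues outside the hunk.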
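Review bot: `"--tlsAllowInvalidCertificates", #TODO remove this` keeps mongod accepting any certificate on the cluster channel even though the same branch enables `--clusterAuthMode=x509` and points at `TLS_INT_CA_FILE`; as far as I understand mongod's option semantics, that leaves a member's x509 identity unverified, so the TODO should say what currently fails without it and who owns the follow-up, e.g. `# TODO(owner): drop once member certificates validate against the internal CA`. The new comment above the `if` has a typo; suggest `# internal TLS can be enabled only if external TLS is enabled`. `--tlsAllowConnectionsWithoutCertificates` is consistent with clients authenticating by password rather than by certificate, and a one-line comment saying so would spare the next reader a lookup. get_mongod_args starts outside the hunk.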
diff --git a/src/charm.py b/src/charm.py
index ba86bae5a..a0e96be35 100755
--- a/src/charm.py
+++ b/src/charm.py
@@ -216,6 +216,12 @@ def mongodb_config(self) -> MongoDBConfiguration:
 """Generates a MongoDBConfiguration object for this deployment of MongoDB."""
 return self._get_mongodb_config_for_user(OperatorUser, set(self._unit_ips))
+ @property
+ def local_mongodb_config(self) -> MongoDBConfiguration:
+ """Generates a MongoDBConfiguration object for local unit"""
+ self_ip = self._unit_ip(self.unit)
+ return self._get_mongodb_config_for_user(OperatorUser, {self_ip})
+
 @property
 def monitor_config(self) -> MongoDBConfiguration:
 """Generates a MongoDBConfiguration object for monitoring."""
@@ -380,10 +386,10 @@ def _on_start(self, event: StartEvent) -> None:
 return
 # check if this unit's deployment of MongoDB is ready
- with MongoDBConnection(self.mongodb_config, "localhost", direct=True) as direct_mongo:
+ with MongoDBConnection(self.local_mongodb_config, self._unit_ip(self.unit), direct=True) as direct_mongo:
 if not direct_mongo.is_ready:
 logger.debug("mongodb service is not ready yet.")
- self.unit.status = WaitingStatus("waiting for MongoDB to start")
+ self.unit.status = WaitingStatus("Waiting for MongoDB to start")
 event.defer()
 return
@@ -543,7 +549,7 @@ def _on_update_status(self, event: UpdateStatusEvent):
 return
 # Cannot check more advanced MongoDB statuses if mongod hasn't started.
- with MongoDBConnection(self.mongodb_config, "localhost", direct=True) as direct_mongo:
+ with MongoDBConnection(self.local_mongodb_config, self._unit_ip(self.unit), direct=True) as direct_mongo:
 if not direct_mongo.is_ready:
 self.unit.status = WaitingStatus("Waiting for MongoDB to start")
 return
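Review bot: The docstring of the added `local_mongodb_config` property does not match its neighbours — it lacks the terminal period and does not say how it differs from `mongodb_config`; suggest `"""Generates a MongoDBConfiguration object whose only host is this unit's IP."""`. The hosts argument is the one-element set `{self_ip}`; if `MongoDBConfiguration.hosts` is consumed by indexing anywhere (the `uri` change in mongodb.py uses `hosts[0]`), that is worth checking, though I cannot see the configuration class from here.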
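Review bot: `self._unit_ip(self.unit)` is now evaluated twice on the changed `with` line of `_on_start` — once inside `local_mongodb_config` and once as the explicit host argument — and the `_on_update_status` hunk below repeats the same pattern; binding it once, `host = self._unit_ip(self.unit)`, keeps the two from diverging. Replacing `"localhost"` with the unit IP also means that once the client verifies the server certificate, the external certificate must cover that IP as a subject alternative name; a short comment on this line noting that dependency would save the next person a debugging session. Both enclosing methods start and end outside their hunks.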