diff --git a/lib/charms/mongodb/v0/mongodb.py b/lib/charms/mongodb/v0/mongodb.py
index f482f7eec..9b74ca392 100644
--- a/lib/charms/mongodb/v0/mongodb.py
+++ b/lib/charms/mongodb/v0/mongodb.py
@@ -32,7 +32,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 8
+LIBPATCH = 9
 # path to store mongodb ketFile
 logger = logging.getLogger(__name__)
@@ -74,7 +74,7 @@ def uri(self):
         return (
             f"mongodb://{quote_plus(self.username)}:"
             f"{quote_plus(self.password)}@"
-            f"localhost:{Config.MONGODB_PORT}/?authSource=admin"
+            f"{hosts[0]}:{Config.MONGODB_PORT}/?authSource=admin"
         )
         return (
@@ -131,6 +131,10 @@ def __init__(self, config: MongoDBConfiguration, uri=None, direct=False):
             connect=False,
             serverSelectionTimeoutMS=1000,
             connectTimeoutMS=2000,
+            tlsCAFile="/var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt" if config.tls_external else None,
+            tlsDisableOCSPEndpointCheck=config.tls_external,
+            tlsAllowInvalidHostnames=config.tls_external,
+            tls=config.tls_external,
         )
         return
diff --git a/lib/charms/mongodb/v1/helpers.py b/lib/charms/mongodb/v1/helpers.py
index 9038198d1..6a2f8ea1e 100644
--- a/lib/charms/mongodb/v1/helpers.py
+++ b/lib/charms/mongodb/v1/helpers.py
@@ -175,18 +175,18 @@ def get_mongod_args(
             [
                 f"--tlsCAFile={full_conf_dir}/{TLS_EXT_CA_FILE}",
                 f"--tlsCertificateKeyFile={full_conf_dir}/{TLS_EXT_PEM_FILE}",
-                # allow non-TLS connections
-                "--tlsMode=preferTLS",
+                "--tlsMode=requireTLS",
+                "--tlsAllowConnectionsWithoutCertificates",
                 "--tlsDisabledProtocols=TLS1_0,TLS1_1",
             ]
         )
+    # internal TLS can be enabled only in external is enabled
     if config.tls_internal and config.tls_external:
         cmd.extend(
             [
                 "--clusterAuthMode=x509",
-                "--tlsAllowInvalidCertificates",
                 f"--tlsClusterCAFile={full_conf_dir}/{TLS_INT_CA_FILE}",
                 f"--tlsClusterFile={full_conf_dir}/{TLS_INT_PEM_FILE}",
             ]
diff --git a/src/charm.py b/src/charm.py
index ba86bae5a..a0e96be35 100755
--- a/src/charm.py
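Review bot: The new `f"{hosts[0]}:..."` in `uri` indexes a name that is not bound anywhere in this hunk, so its origin and ordering are invisible here; the body of `uri` begins before the hunk. If `hosts` is derived from the configuration's host set (the charm.py hunks pass `set(self._unit_ips)` and `{self_ip}` into `_get_mongodb_config_for_user`), then `hosts[0]` is only meaningful once that set has been turned into an ordered sequence, and for the multi-host `mongodb_config` the element chosen would vary between runs. Either document that this branch is only reached with a single-host configuration, or pick deterministically, e.g. `host = sorted(hosts)[0]` with a comment `# direct connections target exactly one host; sort so a multi-host config is still deterministic`.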
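Review bot: `tlsAllowInvalidHostnames=config.tls_external` in `MongoClient(...)` switches off hostname verification for every TLS client connection, so any certificate that chains to the pinned CA is accepted no matter which host it was issued for, and with `tlsDisableOCSPEndpointCheck` also set the server check reduces to "signed by external-ca.crt". If this was added because the charm now connects by unit IP (see the `_on_start` hunk in charm.py), the durable fix is to put the unit addresses in the server certificate's subject alternative names and drop the bypass; until then the reason should be stated next to the option, e.g. `# NOTE: hostname check disabled because units are addressed by IP, which is not in the cert's SANs — TODO(owner): add IPs to SANs and remove`. The CA path is also a hard-coded snap location inside a shared library, while helpers.py builds the same file from `full_conf_dir` and `TLS_EXT_CA_FILE`; reusing those constants keeps the two in step. I have not verified how pymongo treats `tlsCAFile=None` alongside `tls=False` when `tls_external` is off, so that combination is worth a quick check.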
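Review bot: The added comment in `get_mongod_args` reads "can be enabled only in external is enabled"; it should be `# internal TLS can be enabled only if external TLS is enabled`. The switch to `--tlsMode=requireTLS` plus `--tlsAllowConnectionsWithoutCertificates` deserves a one-line why-comment too, since the operator client in mongodb.py authenticates with a username and password in the URI and presents no client certificate, e.g. `# clients authenticate with credentials, not x509, so TLS is mandatory but a client cert is not`. Dropping `--tlsAllowInvalidCertificates` from the x509 cluster-auth branch presumably means peer certificates are now validated against `TLS_INT_CA_FILE`; a note to that effect in the changelog would help operators upgrading with self-issued internal certs. `get_mongod_args` starts before and continues after this hunk.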
+++ b/src/charm.py
@@ -216,6 +216,12 @@ def mongodb_config(self) -> MongoDBConfiguration:
         """Generates a MongoDBConfiguration object for this deployment of MongoDB."""
         return self._get_mongodb_config_for_user(OperatorUser, set(self._unit_ips))
+    @property
+    def local_mongodb_config(self) -> MongoDBConfiguration:
+        """Generates a MongoDBConfiguration object for local unit"""
+        self_ip = self._unit_ip(self.unit)
+        return self._get_mongodb_config_for_user(OperatorUser, {self_ip})
+
     @property
     def monitor_config(self) -> MongoDBConfiguration:
         """Generates a MongoDBConfiguration object for monitoring."""
@@ -380,10 +386,10 @@ def _on_start(self, event: StartEvent) -> None:
             return
         # check if this unit's deployment of MongoDB is ready
-        with MongoDBConnection(self.mongodb_config, "localhost", direct=True) as direct_mongo:
+        with MongoDBConnection(self.local_mongodb_config, self._unit_ip(self.unit), direct=True) as direct_mongo:
             if not direct_mongo.is_ready:
                 logger.debug("mongodb service is not ready yet.")
-                self.unit.status = WaitingStatus("waiting for MongoDB to start")
+                self.unit.status = WaitingStatus("Waiting for MongoDB to start")
                 event.defer()
                 return
@@ -543,7 +549,7 @@ def _on_update_status(self, event: UpdateStatusEvent):
             return
         # Cannot check more advanced MongoDB statuses if mongod hasn't started.
-        with MongoDBConnection(self.mongodb_config, "localhost", direct=True) as direct_mongo:
+        with MongoDBConnection(self.local_mongodb_config, self._unit_ip(self.unit), direct=True) as direct_mongo:
             if not direct_mongo.is_ready:
                 self.unit.status = WaitingStatus("Waiting for MongoDB to start")
                 return
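Review bot: The docstring of the new `local_mongodb_config` property, `"""Generates a MongoDBConfiguration object for local unit"""`, lacks the terminal period and the article that its sibling properties use (`"""Generates a MongoDBConfiguration object for monitoring."""`); make it `"""Generates a MongoDBConfiguration object for the local unit."""`. It would also help callers to state in that docstring that the returned configuration contains exactly one host, the unit's own IP, since `uri` in mongodb.py now indexes `hosts[0]`.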
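Review bot: In `_on_start` the new `with MongoDBConnection(self.local_mongodb_config, self._unit_ip(self.unit), direct=True)` resolves the unit IP twice per check, once inside `local_mongodb_config` and again as the explicit host argument, and the `_on_update_status` hunk does the same; if `_unit_ip` ever returns different values between the two calls the connection URI and the host argument silently disagree. Binding it once, or having the property expose the address it used, removes that divergence; given that `uri` now builds the host from `hosts[0]`, the second argument may even be redundant, though the `uri=` parameter of `MongoDBConnection.__init__` is not visible here so I cannot confirm. Note that addressing the unit by IP rather than `localhost` is what appears to require the `tlsAllowInvalidHostnames` bypass added in mongodb.py, so the comment above this line could say so: `# connect to our own IP (not localhost) so the external TLS certificate applies; see tlsAllowInvalidHostnames in lib mongodb.py`. Both `_on_start` and `_on_update_status` extend beyond their hunks.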