patch(DPE-9750,6): allowConnectionsWithoutCertificates (#289)

Author: Gu1nness

single_kernel_mongo/events/tls.py

@@ -175,7 +175,6 @@ def _on_certificate_available(self, event: CertificateAvailableEvent) -> None:
                 event.certificate,
                 event.ca,
             )
-            self.dependent.state.update_ca_secrets(event.ca)
 
             # If we don't have both certificates, we early return, the next
             # certificate available event will enable certificates for this

single_kernel_mongo/managers/config.py

@@ -368,6 +368,7 @@ def tls_parameters(self) -> dict[str, Any]:
                         "certificateKeyFile": f"{self.workload.paths.ext_pem_file}",
                         "mode": "preferTLS",
                         "disabledProtocols": "TLS1_0,TLS1_1",
+                        "allowConnectionsWithoutCertificates": True,
                     }
                 },
             }

single_kernel_mongo/managers/tls.py

@@ -204,6 +204,7 @@ def disable_certificates_for_unit(self):
             self.state.tls.set_secret(internal, SECRET_CHAIN_LABEL, None)
 
         self.state.update_ca_secrets(new_ca=None)
+        self.state.update_client_ca_secrets(new_ca=None)
 
         self.delete_certificates_from_workload()
         self.dependent.restart_charm_services(force=True)
@@ -275,6 +276,11 @@ def set_certificates(
         if not self.certificate_and_private_key_match(certificate, internal):
             raise UnknownCertificateAvailableError
 
+        if internal:
+            self.dependent.state.update_ca_secrets(ca)
+        else:
+            self.dependent.state.update_client_ca_secrets(ca)
+
         self.state.tls.set_secret(
             internal,
             SECRET_CHAIN_LABEL,

single_kernel_mongo/state/charm_state.py

@@ -692,9 +692,8 @@ def update_ca_secrets(self, new_ca: str | None) -> None:
                 self.config_server_data_interface.update_relation_data(
                     relation.id, {AppShardingComponentKeys.INT_CA_SECRET.value: new_ca}
                 )
-        self._update_client_ca_secrets(new_ca)
 
-    def _update_client_ca_secrets(self, new_ca: str | None) -> None:
+    def update_client_ca_secrets(self, new_ca: str | None) -> None:
         """Updates the CA secret for the right values on the right fields."""
         if not self.charm.unit.is_leader():
             return

tests/integration/applications/continuous_write_charm/config.yaml

@@ -6,3 +6,11 @@ options:
     type: string
     description: |
       URI provided to connect to MongoDB cluster via mongos
+  tls-ca:
+    type: string
+    description: |
+      TLS CA certificate to use alongside mongos-uri
+  database-name:
+    type: string
+    description: |
+      Database name to request.

tests/integration/applications/continuous_write_charm/metadata.yaml

@@ -9,10 +9,14 @@ summary: |
   only for testing high availability of the MongoDB charm.
 
 requires:
-  database:
+  mongodb:
     interface: mongodb_client
     limit: 1
 
+provides:
+  mongos:
+    interface: mongos_client
+
 peers:
   application-peers:
     interface: application-peers

tests/integration/applications/continuous_write_charm/src/charm.py

@@ -13,12 +13,15 @@
 import signal
 import subprocess
 import sys
+from pathlib import Path
+from urllib.parse import quote_plus, urlencode
 
-from charms.data_platform_libs.v0.data_interfaces import DatabaseRequires
+from charms.data_platform_libs.v0.data_interfaces import DatabaseRequires, DatabaseCreatedEvent
 from ops.charm import ActionEvent, CharmBase
 from ops.main import main
 from ops.model import ActiveStatus, Relation, WaitingStatus
 from pymongo import MongoClient
+from pymongo.uri_parser import parse_uri
 from tenacity import RetryError, Retrying, stop_after_delay, wait_fixed
 
 logger = logging.getLogger(__name__)
@@ -30,6 +33,8 @@
 PROC_PID_KEY = "proc-pid"
 LAST_WRITTEN_FILE = "last_written_value"
 
+CA_PATH = Path("/tmp/ca.crt")
+
 
 class ContinuousWritesApplication(CharmBase):
     """Application charm that continuously writes to MongoDB."""
@@ -51,13 +56,35 @@ def __init__(self, *args):
         )
 
         # Database related events
-        self.database = DatabaseRequires(self, "database", DATABASE_NAME)
+        self.database = DatabaseRequires(self, "mongodb", self.database_name)
+        # Database related events
+        self.mongos_database = DatabaseRequires(self, "mongos", self.database_name, external_node_connectivity=True)
+
         self.framework.observe(self.database.on.database_created, self._on_database_created)
+        self.framework.observe(self.mongos_database.on.database_created, self._on_database_created)
+
+        if (data:= list(self.database.fetch_relation_data().values())):
+            if (tls_ca := data[0].get("tls-ca")):
+                CA_PATH.write_text(tls_ca)
+                return
+
+        if (data:= list(self.mongos_database.fetch_relation_data().values())):
+            if (tls_ca := data[0].get("tls-ca")):
+                CA_PATH.write_text(tls_ca)
+                return
+
+        if tls_ca := self.model.config.get("tls-ca", None):
+            CA_PATH.write_text(tls_ca)
+            return
 
     # ==============
     # Properties
     # ==============
 
+    @property
+    def database_name(self) -> str:
+        return self.model.config.get("database-name", DATABASE_NAME)
+
     @property
     def _peers(self) -> Relation | None:
         """Retrieve the peer relation (`ops.model.Relation`)."""
@@ -76,33 +103,60 @@ def _database_config(self) -> dict[str, str]:
         """Returns the database config to use to connect to the MongoDB cluster."""
         # In some tests we want to write directly to mongos, but the config-server does not
         # support integrations to client applications, so the data to connect is set via config.
-        if not (data := list(self.database.fetch_relation_data().values())):
-            return {"uris": self.model.config.get("mongos-uri", None)}
+        if not self.database.relations and not self.mongos_database.relations:
+            uri = self.model.config.get("mongos-uri", "")
+            if self.model.config.get("tls-ca"):
+                uri = self._build_tls_uri(uri)
+
+            return {"uris": uri}
+
+        if self.database.relations:
+            data =list(self.database.fetch_relation_data().values())[0]
+        elif self.mongos_database.relations:
+            data =list(self.mongos_database.fetch_relation_data().values())[0]
+        else:
+            return {}
 
-        data = data[0]
-        username, password, endpoints, replset, uris = (
+        username, password, endpoints, replset, uris, tls = (
             data.get("username"),
             data.get("password"),
             data.get("endpoints"),
             data.get("replset"),
             data.get("uris"),
+            data.get("tls")
         )
 
-        if None in [username, password, endpoints, replset, uris]:
+        if None in [username, password, endpoints, uris]:
             return {}
 
+        if tls:
+            uris = self._build_tls_uri(uris)
+
         return {
             "user": username,
             "password": password,
             "endpoints": endpoints,
-            "replset": replset,
+            "replset": replset or "",
             "uris": uris,
         }
 
     # ==============
     # Helpers
     # ==============
 
+    def _build_tls_uri(self, uris: str) -> str:
+            parsed_uri = parse_uri(uris)
+            params = parsed_uri["options"]
+            params["tls"] = "true"
+            params["tlsCaFile"] = f"{CA_PATH}"
+            hosts = ",".join(f"{host}:{port}" for host, port in parsed_uri["nodelist"])
+            return (
+                    f"mongodb://{quote_plus(parsed_uri['username'])}:"
+                        f"{quote_plus(parsed_uri['password'])}@"
+                        f"{hosts}/{quote_plus(parsed_uri['database'])}?"
+                        f"{urlencode(params)}"
+                )
+
     def _start_continuous_writes(
         self, starting_number: int, db_name: str, collection_name: str
     ) -> None:
@@ -148,8 +202,9 @@ def _stop_continuous_writes(self, db_name: str, collection_name: str) -> int | N
             logger.info(
                 f"Process {self.proc_id_key(db_name, collection_name)} was killed already (or never existed)"
             )
-
-        del self.app_peer_data[self.proc_id_key(db_name, collection_name)]
+            return -1
+        finally:
+            del self.app_peer_data[self.proc_id_key(db_name, collection_name)]
 
         # read the last written_value
         try:
@@ -170,7 +225,7 @@ def proc_id_key(self, db_name: str, collection_name: str) -> str:
         return f"{PROC_PID_KEY}-{db_name}-{collection_name}"
 
     def last_written_filename(self, db_name: str, collection_name: str) -> str:
-        """Returns a process id key for the continuous writes process to a given db and coll."""
+        """Returns the filename for the written data for a given db and coll."""
         return f"{LAST_WRITTEN_FILE}-{db_name}-{collection_name}"
 
     # ==============
@@ -210,7 +265,7 @@ def _on_start_continuous_writes_action(self, event) -> None:
         if not self._database_config:
             return
 
-        db_name = event.params.get("db-name") or DATABASE_NAME
+        db_name = event.params.get("db-name") or self.database_name
         collection_name = event.params.get("collection-name") or COLLECTION_NAME
         self._start_continuous_writes(1, db_name, collection_name)
 
@@ -225,10 +280,12 @@ def _on_stop_continuous_writes_action(self, event: ActionEvent) -> None:
         event.set_results({"writes": writes or -1})
         return None
 
-    def _on_database_created(self, _) -> None:
+    def _on_database_created(self, event: DatabaseCreatedEvent) -> None:
         """Handle the database created event."""
-        self.unit.status = ActiveStatus()
+        if event.tls == "True":
+            CA_PATH.write_text(event.tls_ca)
 
+        self.unit.status = ActiveStatus()
 
 if __name__ == "__main__":
     main(ContinuousWritesApplication)

tests/integration/helpers/common.py

@@ -88,6 +88,10 @@ class ProcessError(Exception):
     """Raised when a process fails."""
 
 
+class SecretNotFoundError(Exception):
+    """Raised when a secret is not found."""
+
+
 async def deploy_charm(
     ops_test: OpsTest,
     charm: str,
@@ -127,6 +131,7 @@ async def deploy_application(
     ops_test: OpsTest,
     application_path: str,
     app_name: str,
+    database_name: str = DEFAULT_DATABASE_NAME,
 ):
     """Deploys the helpers applications with one unit and waits for idle."""
     application_name = await get_app_name(ops_test, app_name)
@@ -137,6 +142,7 @@ async def deploy_application(
         application_name=app_name,
         num_units=1,
         series="jammy",
+        config={"database-name": database_name},
     )
     # TODO: remove raise_on_error when we move to juju 3.5 (DPE-4996)
     await ops_test.model.wait_for_idle(
@@ -157,13 +163,13 @@ async def relate_mongodb_and_application(
         mongodb_application_name: The mongodb charm application name
         application_name: The continuous writes test charm application name
     """
-    if is_relation_joined(ops_test, "database", "database"):
+    if is_relation_joined(ops_test, "mongodb", "database"):
         return
 
     await ops_test.model.integrate(
-        f"{application_name}:database", f"{mongodb_application_name}:database"
+        f"{application_name}:mongodb", f"{mongodb_application_name}:database"
     )
-    await ops_test.model.block_until(lambda: is_relation_joined(ops_test, "database", "database"))
+    await ops_test.model.block_until(lambda: is_relation_joined(ops_test, "mongodb", "database"))
 
     await ops_test.model.wait_for_idle(
         apps=[mongodb_application_name, application_name],
@@ -365,6 +371,24 @@ async def get_password(
         return None
 
 
+async def get_secret_by_label(ops_test: OpsTest, label: str) -> dict[str, str]:
+    secrets_raw = await ops_test.juju("list-secrets")
+    secret_ids = [
+        secret_line.split()[0] for secret_line in secrets_raw[1].split("\n")[1:] if secret_line
+    ]
+
+    for secret_id in secret_ids:
+        secret_data_raw = await ops_test.juju(
+            "show-secret", "--format", "json", "--reveal", secret_id
+        )
+        secret_data = json.loads(secret_data_raw[1])
+
+        if label == secret_data[secret_id].get("label"):
+            return secret_data[secret_id]["content"]["Data"]
+
+    raise SecretNotFoundError(f"Secret with label {label} not found.")
+
+
 @retry(
     retry=retry_if_result(lambda x: x == 0),
     stop=stop_after_attempt(5),
@@ -982,7 +1006,12 @@ async def clear_continous_writes(
 
 
 async def count_writes(
-    ops_test: OpsTest, substrate: Substrate, app_name: str, unit: JujuUnit
+    ops_test: OpsTest,
+    substrate: Substrate,
+    app_name: str,
+    unit: JujuUnit,
+    db_name: str = DEFAULT_DATABASE_NAME,
+    coll_name: str = DEFAULT_COLLECTION_NAME,
 ) -> int:
     """New versions of pymongo no longer support the count operation, instead find is used."""
     host = await get_address_of_unit(ops_test, substrate, get_unit_id(unit.name), app_name=app_name)
@@ -991,8 +1020,8 @@ async def count_writes(
     )
 
     client = MongoClient(uri, directConnection=True)
-    db = client[DEFAULT_DATABASE_NAME]
-    test_collection = db[DEFAULT_COLLECTION_NAME]
+    db = client[db_name]
+    test_collection = db[coll_name]
     count = test_collection.count_documents({})
     client.close()
     return count