mongo-charms-single-kernel 1.8.7__tar.gz → 1.8.9__tar.gz

{mongo_charms_single_kernel-1.8.7 → mongo_charms_single_kernel-1.8.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mongo-charms-single-kernel
-Version: 1.8.7
+Version: 1.8.9
 Summary: Shared and reusable code for Mongo-related charms
 License-Expression: Apache-2.0
 License-File: LICENSE

{mongo_charms_single_kernel-1.8.7 → mongo_charms_single_kernel-1.8.9}/pyproject.toml

@@ -38,9 +38,9 @@ dependencies = [
     "boto3 (~=1.37.12)",
     "mypy-boto3-s3 (~=1.37.0)",
     "python-ldap",
-    "charm-refresh (>=3.1.0.2,<4.0.0.0)",
+    "charm-refresh (>=3.1.0.2,<4.0.0.0)"
 ]
-version = "1.8.7"
+version = "1.8.9"
 
 [project.urls]
 homepage = "https://github.com/canonical/mongo-single-kernel-library"
@@ -137,12 +137,6 @@ httpx = "*"
 boto3 = "^1.37.12"
 mypy-boto3-s3 = "^1.37.0"
 
-[tool.poetry.group.build-refresh-version]
-optional = true
-
-[tool.poetry.group.build-refresh-version.dependencies]
-charm-refresh-build-version = "^0.4.0"
-
 [tool.ruff]
 target-version = "py310"
 line-length = 100

{mongo_charms_single_kernel-1.8.7 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/config/literals.py

@@ -34,6 +34,13 @@ class Scope(str, Enum):
     UNIT = "unit"
 
 
+class TLSType(str, Enum):
+    """TLS types."""
+
+    PEER = "peer"
+    CLIENT = "client"
+
+
 class MongoPorts(IntEnum):
     """The default Mongo ports."""
 
@@ -93,9 +100,7 @@ PBM_RESTART_DELAY = 5
 FEATURE_VERSION = "8.0"
 
 
-OS_REQUIREMENTS = {
-    "vm.max_map_count": "262144",
-}
+OS_REQUIREMENTS = {"vm.max_map_count": "262144", "vm.overcommit_memory": "1"}
 
 TRUST_STORE_PATH = Path("/usr/local/share/ca-certificates")
 

{mongo_charms_single_kernel-1.8.7 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/config/models.py

@@ -62,6 +62,18 @@ class LdapConfig:
 LDAP_CONFIG = LdapConfig()
 
 
+@dataclass(frozen=True)
+class THPConfig:
+    """Configuration for transparent huge tables."""
+
+    service_template: Traversable = TEMPLATE_DIRECTORY / "enable-transparent-huge-pages.service.j2"
+    service_file_path: Path = Path("/etc/systemd/system/enable-transparent-huge-pages.service")
+    service_name = "enable-transparent-huge-pages"
+
+
+THP_CONFIG = THPConfig()
+
+
 @dataclass(frozen=True)
 class AuditLogConfig:
     """Audit log related configuration."""

{mongo_charms_single_kernel-1.8.7 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/config/relations.py

@@ -35,7 +35,8 @@ class Scopes(str, Enum):
 class ExternalRequirerRelations(str, Enum):
     """The relations we require externally."""
 
-    TLS = "certificates"
+    CLIENT_TLS = "client-certificates"
+    PEER_TLS = "peer-certificates"
     S3_CREDENTIALS = "s3-credentials"
     LDAP = "ldap"
     LDAP_CERT = "ldap-certificate-transfer"

{mongo_charms_single_kernel-1.8.7 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/config/statuses.py

@@ -118,24 +118,45 @@ class MongosStatuses(Enum):
         check="Config validation failed.",
         action="Set the expose-external config to a valid value: `nodeport` or `none`.",
     )
-    MISSING_TLS_REL = StatusObject(
+    MISSING_PEER_TLS_REL = StatusObject(
         status="blocked",
-        message="TLS must be enabled in mongos, since it is enabled on the config-server in the cluster relation.",
-        short_message="Missing certificates relation.",
+        message="Peer TLS must be enabled in mongos, since it is enabled on the config-server in the cluster relation.",
+        short_message="Missing peer-certificates relation.",
         check="Relation validation failed.",
-        action="Add the certificates relation (tls-certificates interface) to mongos.",
+        action="Add the peer-certificates relation to mongos.",
     )
-    INVALID_TLS_REL = StatusObject(
+    INVALID_PEER_TLS_REL = StatusObject(
         status="blocked",
-        message="TLS must be disabled in mongos, since it is disabled on the config-server in the cluster relation.",
-        short_message="Invalid certificates relation.",
+        message="Peer TLS must be disabled in mongos, since it is disabled on the config-server in the cluster relation.",
+        short_message="Invalid peer-certificates relation.",
         check="Relation validation failed.",
-        action="Remove the certificates relation (tls-certificates interface) from this application.",
+        action="Remove the peer-certificates relation from this application.",
     )
-    CA_MISMATCH = StatusObject(
+    MISSING_CLIENT_TLS_REL = StatusObject(
         status="blocked",
-        message="The mongos CA and Config-Server CA don't match.",
-        short_message="CA mismatch.",
+        message="Client TLS must be enabled in mongos, since it is enabled on the config-server in the cluster relation.",
+        short_message="Missing client-certificates relation.",
+        check="Relation validation failed.",
+        action="Add the client-certificates relation to mongos.",
+    )
+    INVALID_CLIENT_TLS_REL = StatusObject(
+        status="blocked",
+        message="Client TLS must be disabled in mongos, since it is disabled on the config-server in the cluster relation.",
+        short_message="Invalid client-certificates relation.",
+        check="Relation validation failed.",
+        action="Remove the client-certificates relation from this application.",
+    )
+    PEER_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="The mongos peer CA and Config-Server peer CA don't match.",
+        short_message="Peer CA mismatch.",
+        check="Relation validation failed.",
+        action="Verify the certificates relations. Use the same CA for all cluster components.",
+    )
+    CLIENT_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="The mongos client CA and Config-Server client CA don't match.",
+        short_message="Client CA mismatch.",
         check="Relation validation failed.",
         action="Verify the certificates relations. Use the same CA for all cluster components.",
     )
@@ -153,6 +174,27 @@ class MongosStatuses(Enum):
         status="maintenance", message="Starting mongos.", running="blocking"
     )
 
+    @classmethod
+    def missing_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.MISSING_PEER_TLS_REL.value
+        return cls.MISSING_CLIENT_TLS_REL.value
+
+    @classmethod
+    def invalid_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.INVALID_PEER_TLS_REL.value
+        return cls.INVALID_CLIENT_TLS_REL.value
+
+    @classmethod
+    def incompatible_ca(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.PEER_CA_MISMATCH.value
+        return cls.CLIENT_CA_MISMATCH.value
+
 
 class CharmStatuses(Enum):
     """Charm Statuses."""
@@ -182,11 +224,28 @@ class CharmStatuses(Enum):
 class TLSStatuses(Enum):
     """TLS statuses."""
 
-    # RUNNING statuses:
-    DISABLING_TLS = StatusObject(
+    INVALID_PEER_PRIVATE_KEY = StatusObject(
+        status="blocked",
+        message="Invalid peer private key",
+        check="Peer private key format validation failed",
+        action="Update the peer private key secret.",
+    )
+    INVALID_CLIENT_PRIVATE_KEY = StatusObject(
+        status="blocked",
+        message="Invalid client private key",
+        check="Client private key format validation failed.",
+        action="Update the client privatekey secret.",
+    )
+    DISABLING_PEER_TLS = StatusObject(
         status="maintenance",
-        message="Disabling TLS...",
-        check="Certificates relation (tls-certificates interface) removed.",
+        message="Disabling peer TLS...",
+        check="Peer certificates relation (tls-certificates interface) removed.",
+        running="blocking",
+    )
+    DISABLING_CLIENT_TLS = StatusObject(
+        status="maintenance",
+        message="Disabling client TLS...",
+        check="Client certificates relation (tls-certificates interface) removed.",
         running="blocking",
     )
     # Enabling TLS takes a while because we wait for multiple certs so it's
@@ -343,12 +402,39 @@ class ConfigServerStatuses(Enum):
 class ShardStatuses(Enum):
     """Shard statuses."""
 
-    REQUIRES_TLS = StatusObject(status="blocked", message="Shard requires TLS to be enabled.")
-    REQUIRES_NO_TLS = StatusObject(
-        status="blocked", message="Shard has TLS enabled, but config-server does not."
+    MISSING_PEER_TLS_REL = StatusObject(
+        status="blocked", message="Shard requires peer TLS to be enabled."
     )
-    CA_MISMATCH = StatusObject(
-        status="blocked", message="Shard CA and Config-Server CA don't match."
+    INVALID_PEER_TLS_REL = StatusObject(
+        status="blocked",
+        message="Peer TLS must be disabled in shard, since it is disabled in the related config-server.",
+        short_message="Invalid peer-certificates relation.",
+        check="Relation validation failed.",
+        action="Align the peer TLS configuration in all the cluster components: remove the peer-certificates relation from the shard.",
+    )
+    MISSING_CLIENT_TLS_REL = StatusObject(
+        status="blocked", message="Shard requires client TLS to be enabled."
+    )
+    INVALID_CLIENT_TLS_REL = StatusObject(
+        status="blocked",
+        message="Peer TLS must be disabled in shard, since it is disabled in the related config-server.",
+        short_message="Invalid client-certificates relation.",
+        check="Relation validation failed.",
+        action="Align the peer TLS configuration in all the cluster components: remove the client-certificates relation from the shard.",
+    )
+    PEER_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="Shard internal CA and Config-Server internal CA don't match.",
+        short_message="Peer CA mismatch.",
+        check="Relation validation failed.",
+        action="Verify the peer-certificates relations. Use the same CA for all cluster components.",
+    )
+    CLIENT_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="Shard client CA and Config-Server client CA don't match.",
+        short_message="Client CA mismatch.",
+        check="Relation validation failed.",
+        action="Verify the client-certificates relations. Use the same CA for all cluster components.",
     )
 
     MISSING_CONF_SERVER_REL = StatusObject(
@@ -399,6 +485,27 @@ class ShardStatuses(Enum):
             message=f"Charm revision ({current_charms_version}{local_identifier}) is not up-to date with config-server.",
         )
 
+    @classmethod
+    def missing_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.MISSING_PEER_TLS_REL.value
+        return cls.MISSING_CLIENT_TLS_REL.value
+
+    @classmethod
+    def invalid_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.INVALID_PEER_TLS_REL.value
+        return cls.INVALID_CLIENT_TLS_REL.value
+
+    @classmethod
+    def incompatible_ca(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.PEER_CA_MISMATCH.value
+        return cls.CLIENT_CA_MISMATCH.value
+
 
 class MongodStatuses(Enum):
     """MongoD statuses."""

{mongo_charms_single_kernel-1.8.7 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/core/operator.py

@@ -22,6 +22,7 @@ from pathlib import Path
 from typing import TYPE_CHECKING, ClassVar, TypeAlias
 
 import charm_refresh
+import jinja2
 from data_platform_helpers.advanced_statuses.models import StatusObject
 from data_platform_helpers.advanced_statuses.protocol import ManagerStatusProtocol
 from ops.charm import RelationDepartedEvent
@@ -29,17 +30,27 @@ from ops.framework import Object
 from ops.model import Relation, Unit
 
 from single_kernel_mongo.config.literals import (
+    OS_REQUIREMENTS,
     TRUST_STORE_PATH,
     Scope,
     Substrates,
     TrustStoreFiles,
 )
-from single_kernel_mongo.config.models import CharmSpec, LogRotateConfig
+from single_kernel_mongo.config.models import SNAP_NAME, THP_CONFIG, CharmSpec, LogRotateConfig
+from single_kernel_mongo.core.structured_config import MongoConfigModel
 from single_kernel_mongo.events.ldap import LDAPEventHandler
 from single_kernel_mongo.exceptions import (
     DeferrableFailedHookChecksError,
     NonDeferrableFailedHookChecksError,
 )
+from single_kernel_mongo.lib.charms.operator_libs_linux.v0 import sysctl
+from single_kernel_mongo.lib.charms.operator_libs_linux.v1.systemd import (
+    SystemdError,
+    daemon_reload,
+    service_disable,
+    service_enable,
+    service_start,
+)
 from single_kernel_mongo.managers.config import FileBasedConfigManager
 from single_kernel_mongo.managers.mongo import MongoManager
 from single_kernel_mongo.state.charm_state import CharmState
@@ -50,6 +61,7 @@ if TYPE_CHECKING:
     from single_kernel_mongo.abstract_charm import AbstractMongoCharm
     from single_kernel_mongo.events.database import DatabaseEventsHandler
     from single_kernel_mongo.events.tls import TLSEventsHandler
+    from single_kernel_mongo.lib.charms.operator_libs_linux.v0.sysctl import Config
     from single_kernel_mongo.managers.ldap import LDAPManager
     from single_kernel_mongo.managers.tls import TLSManager
     from single_kernel_mongo.managers.upgrade_v3 import MongoDBUpgradesManager
@@ -89,11 +101,18 @@ class OperatorProtocol(ABC, Object, ManagerStatusProtocol):
     client_events: DatabaseEventsHandler
     tls_events: TLSEventsHandler
     ldap_events: LDAPEventHandler
+    sysctl_config: Config
 
     if TYPE_CHECKING:
 
         def __init__(self, dependent: AbstractMongoCharm): ...
 
+    @property
+    @abstractmethod
+    def config(self) -> MongoConfigModel:
+        """The pydantic model of the config."""
+        ...
+
     @property
     @abstractmethod
     def components(self) -> tuple[ManagerStatusProtocol, ...]:
@@ -280,6 +299,17 @@ class OperatorProtocol(ABC, Object, ManagerStatusProtocol):
                     f"{path}",
                 ]
             )
+
+        if self.substrate == Substrates.VM:
+            self.workload.exec(
+                [
+                    "chown",
+                    "-R",
+                    f"{self.workload.users.user}:{self.workload.users.group}",
+                    f"{self.workload.paths.common_path}",
+                ]
+            )
+
         for path in (
             self.workload.paths.config_file,
             self.workload.paths.mongos_config_file,
@@ -315,6 +345,43 @@ class OperatorProtocol(ABC, Object, ManagerStatusProtocol):
         # Restart the service
         self.restart_charm_services(force=True)
 
+    def write_thp_config_file(self):
+        """Writes the unit file to enable Transparent Huge Pages."""
+        data = THP_CONFIG.service_template.read_text()
+        template = jinja2.Template(data)
+
+        rendered_template = template.render(
+            service_file=f"snap.{SNAP_NAME}.{self.workload.service}.service"
+        )
+        self.workload.write(path=THP_CONFIG.service_file_path, content=rendered_template)
+        daemon_reload()
+        service_enable(THP_CONFIG.service_name)
+        service_start(THP_CONFIG.service_name)
+
+    def _set_os_config(self) -> None:
+        """Sets sysctl config for mongodb."""
+        try:
+            self.sysctl_config.configure(OS_REQUIREMENTS)
+        except (sysctl.ApplyError, sysctl.ValidationError, sysctl.CommandError) as e:
+            # we allow events to continue in the case that we are not able to correctly configure
+            # sysctl config, since we can  still run the workload with wrong sysctl parameters
+            # even if it is not optimal.
+            logger.error(f"Error setting values on sysctl parameters: {e.message}")
+            # containers share the kernel with the host system, and some sysctl parameters are
+            # set at kernel level.
+            logger.warning("sysctl params cannot be set. Is the machine running on a container?")
+        try:
+            self.write_thp_config_file()
+        except SystemdError as e:
+            # we allow events to continue in the case that we are not able to correctly configure
+            # sysctl config, since we can  still run the workload with wrong kernel parameters
+            # even if it is not optimal.
+            logger.error(f"Error setting values on kernel parameters: {e.args}")
+            # containers share the kernel with the host system, and some sysctl parameters are
+            # set at kernel level.
+            logger.warning("kernel params cannot be set. Is the machine running on a container?")
+            service_disable(THP_CONFIG.service_name)
+
     def build_local_tls_directory(self) -> None:
         """On Kubernetes, we need the local configuration directory.
 

{mongo_charms_single_kernel-1.8.7 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/core/structured_config.py

@@ -100,6 +100,8 @@ class MongoConfigModel(BaseConfigModel):
     role: SerializeLiteralAsStr[MongoDBRoles]
     ldap_user_to_dn_mapping: str | None = Field(default=None, alias="ldap-user-to-dn-mapping")
     ldap_query_template: str | None = Field(default=None, alias="ldap-query-template")
+    tls_peer_private_key_id: str | None = Field(default=None, alias="tls-peer-private-key")
+    tls_client_private_key_id: str | None = Field(default=None, alias="tls-client-private-key")
 
     @field_validator("expose_external", mode="before")
     @classmethod

{mongo_charms_single_kernel-1.8.7 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/core/workload.py

@@ -93,15 +93,21 @@ class MongoPaths:
         return Path(f"{self.conf_path}/internal-ca.crt")
 
     @property
-    def tls_files(self) -> set[Path]:
-        """Set of all TLS files."""
+    def tls_peer_files(self) -> set[Path]:
+        """Set of peer TLS files."""
         return {
-            self.ext_pem_file,
-            self.ext_ca_file,
             self.int_pem_file,
             self.int_ca_file,
         }
 
+    @property
+    def tls_client_files(self) -> set[Path]:
+        """Set of client TLS files."""
+        return {
+            self.ext_pem_file,
+            self.ext_ca_file,
+        }
+
     @property
     def ldap_path(self) -> Path:
         """The LDAP conf path."""

{mongo_charms_single_kernel-1.8.7 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/events/cluster.py

@@ -136,6 +136,11 @@ class ClusterMongosEventHandler(Object):
     def _on_relation_created(self, event: RelationCreatedEvent) -> None:
         """Relation created event handler."""
         self.manager.set_relation_created_status()
+        # Edge condition: mongos was integrated with the certificates provider
+        # before being integrated with the config-server. We trigger the refresh
+        # of the certificates to use the config-server as CSR subject.
+        if self.manager.state.peer_tls_relation or self.manager.state.client_tls_relation:
+            self.dependent.tls_events.refresh_certificates()
 
     def _on_database_created(self, event: DatabaseCreatedEvent) -> None:
         """Database Created event handler.

{mongo_charms_single_kernel-1.8.7 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/events/sharding.py

@@ -162,8 +162,10 @@ class ShardEventHandler(Object):
         """SecretChanged event handler, which is used to propagate the updated passwords."""
         try:
             self.manager.handle_secret_changed(event.secret.label or "")
-        except (NotReadyError, FailedToUpdateCredentialsError):
+        except (NotReadyError, FailedToUpdateCredentialsError, DeferrableFailedHookChecksError):
             event.defer()
+        except NonDeferrableFailedHookChecksError as e:
+            logger.info(f"Skipping {str(type(event))}: {str(e)}")
         except WaitingForSecretsError:
             logger.info("Missing secrets, ignoring")