mongo-charms-single-kernel 1.8.8__py3-none-any.whl → 1.8.10__py3-none-any.whl

single_kernel_mongo/managers/cluster.py

@@ -105,6 +105,9 @@ class ClusterProvider(Object):
         if int_tls_ca := self.state.tls.get_secret(label_name=SECRET_CA_LABEL, internal=True):
             relation_data[ClusterStateKeys.INT_CA_SECRET.value] = int_tls_ca
 
+        if ext_tls_ca := self.state.tls.get_secret(label_name=SECRET_CA_LABEL, internal=False):
+            relation_data[ClusterStateKeys.EXT_CA_SECRET.value] = ext_tls_ca
+
         if hashed_data := self.dependent.ldap_manager.get_hash():
             relation_data[ClusterStateKeys.LDAP_HASH.value] = hashed_data
 
@@ -253,19 +256,19 @@ class ClusterRequirer(Object):
 
     def assert_pass_hook_checks(self) -> None:
         """Runs pre-hook checks, raises if one fails."""
-        mongos_has_tls, config_server_has_tls = self.tls_status()
-        match (mongos_has_tls, config_server_has_tls):
+        mongos_peer_tls, config_server_peer_tls = self.mongos_and_config_server_peer_tls_status()
+        match (mongos_peer_tls, config_server_peer_tls):
             case False, True:
                 raise DeferrableFailedHookChecksError(
-                    "Config-Server uses TLS but mongos does not. Please synchronise encryption method."
+                    "Config-Server uses peer TLS but mongos does not. Please synchronise encryption method."
                 )
             case True, False:
                 raise DeferrableFailedHookChecksError(
-                    "Mongos uses TLS but config-server does not. Please synchronise encryption method."
+                    "Mongos uses peer TLS but config-server does not. Please synchronise encryption method."
                 )
             case _:
                 pass
-        if self.is_waiting_to_request_certs():
+        if self.dependent.tls_manager.is_waiting_for_a_cert():
             raise DeferrableFailedHookChecksError(
                 "Mongos was waiting for config-server to enable TLS. Wait for TLS to be enabled until starting mongos."
             )
@@ -431,10 +434,10 @@ class ClusterRequirer(Object):
         with MongoConnection(self.state.mongo_config) as mongo:
             mongo.drop_user(mongo.config.username)
 
-    def is_ca_compatible(self) -> bool:
-        """Returns true if both the mongos and the config-server use the same CA.
+    def is_peer_ca_compatible(self) -> bool:
+        """Returns true if both the mongos and the config-server use the same peer CA.
 
-        Using the same CA is a requirement for sharded clusters.
+        Using the same peer CA is a requirement for sharded clusters.
         """
         if not self.state.mongos_cluster_relation:
             return True
@@ -445,38 +448,77 @@ class ClusterRequirer(Object):
 
         return config_server_tls_ca == mongos_tls_ca
 
-    def is_waiting_to_request_certs(self) -> bool:
-        """Returns True if mongos has been waiting for config server in order to request certs."""
-        if not self.state.tls_relation:
-            return False
-        mongos_tls_ca = self.state.tls.get_secret(internal=True, label_name=SECRET_CA_LABEL)
+    def is_client_ca_compatible(self) -> bool:
+        """Returns true if both the mongos and the config-server use the same client CA.
 
-        # our CA is none until certs have been requested. We cannot request certs until integrated
-        # to config-server.
-        return not mongos_tls_ca
+        Using the same client CA is a requirement for sharded clusters.
+        """
+        if not self.state.mongos_cluster_relation:
+            return True
+        config_server_tls_ca = self.state.cluster.external_ca_secret
+        mongos_tls_ca = self.state.tls.get_secret(internal=False, label_name=SECRET_CA_LABEL)
+        if not config_server_tls_ca or not mongos_tls_ca:
+            return True
 
-    def tls_status(self) -> tuple[bool, bool]:
-        """Returns the TLS integration status for mongos and config-server."""
+        return config_server_tls_ca == mongos_tls_ca
+
+    def mongos_and_config_server_peer_tls_status(self) -> tuple[bool, bool]:
+        """Returns the peer TLS integration status for mongos and config-server."""
         if self.state.mongos_cluster_relation:
-            mongos_has_tls = self.state.tls_relation is not None
+            mongos_has_tls = self.state.peer_tls_relation is not None
             config_server_has_tls = self.state.cluster.internal_ca_secret is not None
             return mongos_has_tls, config_server_has_tls
 
         return False, False
 
-    def get_tls_statuses(self) -> StatusObject | None:
-        """Return statuses relevant to TLS."""
-        mongos_has_tls, config_server_has_tls = self.tls_status()
-        match (mongos_has_tls, config_server_has_tls):
+    def mongos_and_config_server_client_tls_status(self) -> tuple[bool, bool]:
+        """Returns the client TLS integration status for mongos and config-server."""
+        if self.state.mongos_cluster_relation:
+            mongos_has_tls = self.state.client_tls_relation is not None
+            config_server_has_tls = self.state.cluster.external_ca_secret is not None
+            return mongos_has_tls, config_server_has_tls
+
+        return False, False
+
+    def get_tls_status(self, internal: bool):
+        """Computes the TLS status for the scope.
+
+        Args:
+            internal: (bool) if true, represents the internal TLS, otherwise external TLS.
+        """
+        if internal:
+            shard_tls, config_server_tls = self.mongos_and_config_server_peer_tls_status()
+            is_ca_compatible = self.is_peer_ca_compatible()
+        else:
+            shard_tls, config_server_tls = self.mongos_and_config_server_client_tls_status()
+            is_ca_compatible = self.is_client_ca_compatible()
+
+        match (shard_tls, config_server_tls):
             case False, True:
-                return MongosStatuses.MISSING_TLS_REL.value
+                logger.warning(
+                    "Config-Server uses peer TLS but mongos does not. Please synchronise encryption method."
+                )
+                return MongosStatuses.missing_tls(internal=internal)
             case True, False:
-                return MongosStatuses.INVALID_TLS_REL.value
+                logger.warning(
+                    "Mongos uses peer TLS but config-server does not. Please synchronise encryption method."
+                )
+                return MongosStatuses.invalid_tls(internal=internal)
             case _:
                 pass
-        if not self.is_ca_compatible():
+
+        if not is_ca_compatible:
             logger.error(
-                "mongos is integrated to a different CA than the config server. Please use the same CA for all cluster components."
+                "Mongos is integrated to a different CA than the config server. Please use the same CA for all cluster components."
             )
-            return MongosStatuses.CA_MISMATCH.value
+            return MongosStatuses.incompatible_ca(internal=internal)
+
         return None
+
+    def tls_statuses(self) -> list[StatusObject]:
+        """Return statuses relevant to TLS."""
+        statuses = []
+        for internal in True, False:
+            if status := self.get_tls_status(internal=internal):
+                statuses.append(status)
+        return statuses

single_kernel_mongo/managers/config.py

@@ -28,7 +28,11 @@ from single_kernel_mongo.core.structured_config import MongoConfigModel, MongoDB
 from single_kernel_mongo.core.workload import WorkloadBase
 from single_kernel_mongo.exceptions import WorkloadServiceError
 from single_kernel_mongo.state.charm_state import CharmState
-from single_kernel_mongo.utils.mongodb_users import BackupUser, LogRotateUser, MonitorUser
+from single_kernel_mongo.utils.mongodb_users import (
+    CharmedBackupUser,
+    CharmedLogRotateUser,
+    CharmedStatsUser,
+)
 from single_kernel_mongo.workload import (
     get_logrotate_workload_for_substrate,
     get_mongodb_exporter_workload_for_substrate,
@@ -135,7 +139,7 @@ class BackupConfigManager(CommonConfigManager):
             logger.info("Not starting PBM yet. Shard not added to config-server")
             return
 
-        if not self.state.get_user_password(BackupUser):
+        if not self.state.get_user_password(CharmedBackupUser):
             logger.info("No password found.")
             return
 
@@ -184,7 +188,7 @@ class LogRotateConfigManager(CommonConfigManager):
             logger.info("DB is not initialised.")
             return
 
-        if not self.state.get_user_password(LogRotateUser):
+        if not self.state.get_user_password(CharmedLogRotateUser):
             logger.info("No password found.")
             return
 
@@ -224,17 +228,17 @@ class MongoDBExporterConfigManager(CommonConfigManager):
 
     @override
     def build_parameters(self) -> list[list[str]]:
-        return [[self.state.monitor_config.uri]]
+        return [[self.state.stats_config.uri]]
 
     def configure_and_restart(self):
         """Exposes the endpoint to mongodb_exporter."""
         if not self.state.db_initialised:
             return
 
-        if not self.state.get_user_password(MonitorUser):
+        if not self.state.get_user_password(CharmedStatsUser):
             return
 
-        if not self.workload.active() or self.get_environment() != self.state.monitor_config.uri:
+        if not self.workload.active() or self.get_environment() != self.state.stats_config.uri:
             try:
                 # Always enable the service
                 self.workload.stop()
@@ -269,7 +273,7 @@ class MongoConfigManager(FileBasedConfigManager, ABC):
                 self.binding_ips,
                 self.port_parameter,
                 self.auth_parameter,
-                self.tls_parameters,
+                self.client_tls_parameters,
                 self.log_options,
                 self.audit_options,
                 self.ldap_parameters,
@@ -332,16 +336,20 @@ class MongoConfigManager(FileBasedConfigManager, ABC):
     def auth_parameter(self) -> dict[str, Any]:
         """The auth mode."""
         cmd = {"security": {"authorization": "enabled"}} if self.auth else {}
-        if self.state.tls.internal_enabled and self.state.tls.external_enabled:
+        if self.state.tls.peer_enabled:
             return always_merger.merge(
                 cmd,
                 {
                     "security": {"clusterAuthMode": "x509"},
                     "net": {
                         "tls": {
+                            "mode": "preferTLS",
                             "allowInvalidCertificates": True,
-                            "clusterCAFile": f"{self.workload.paths.int_ca_file}",
+                            "certificateKeyFile": f"{self.workload.paths.int_pem_file}",
+                            "CAFile": f"{self.workload.paths.int_ca_file}",
+                            "disabledProtocols": "TLS1_0,TLS1_1",
                             "clusterFile": f"{self.workload.paths.int_pem_file}",
+                            "clusterCAFile": f"{self.workload.paths.int_ca_file}",
                             "clusterAuthX509": {
                                 "attributes": f"O={self.state.get_subject_name()}",
                             },
@@ -360,10 +368,11 @@ class MongoConfigManager(FileBasedConfigManager, ABC):
         )
 
     @property
-    def tls_parameters(self) -> dict[str, Any]:
-        """The TLS external parameters."""
-        if self.state.tls.external_enabled:
-            return {
+    def client_tls_parameters(self) -> dict[str, Any]:
+        """The client TLS parameters."""
+        params = {}
+        if self.state.tls.client_enabled:
+            params = {
                 "net": {
                     "tls": {
                         "CAFile": f"{self.workload.paths.ext_ca_file}",
@@ -373,7 +382,8 @@ class MongoConfigManager(FileBasedConfigManager, ABC):
                     }
                 },
             }
-        return {}
+
+        return params
 
     @property
     @abstractmethod

single_kernel_mongo/managers/mongo.py

@@ -52,11 +52,11 @@ from single_kernel_mongo.utils.mongo_config import (
 from single_kernel_mongo.utils.mongo_connection import MongoConnection, NotReadyError
 from single_kernel_mongo.utils.mongodb_users import (
     OPERATOR_ROLE,
-    BackupUser,
-    LogRotateUser,
+    CharmedBackupUser,
+    CharmedLogRotateUser,
+    CharmedOperatorUser,
+    CharmedStatsUser,
     MongoDBUser,
-    MonitorUser,
-    OperatorUser,
 )
 
 if TYPE_CHECKING:
@@ -138,12 +138,12 @@ class MongoManager(Object, ManagerStatusProtocol):
 
     def initialise_charm_admin_users(self) -> None:
         """First initialisation of each user."""
-        self.initialise_operator_user()
-        self.initialise_user(MonitorUser)
-        self.initialise_user(BackupUser)
-        self.initialise_user(LogRotateUser)
+        self.initialise_charmed_operator_user()
+        self.initialise_user(CharmedStatsUser)
+        self.initialise_user(CharmedBackupUser)
+        self.initialise_user(CharmedLogRotateUser)
 
-    def initialise_operator_user(self):
+    def initialise_charmed_operator_user(self):
         """Creates initial admin user for MongoDB.
 
         Initial admin user can be created only through localhost connection.
@@ -154,7 +154,7 @@ class MongoManager(Object, ManagerStatusProtocol):
         It is needed to install mongodb-clients inside charm container to make
         this function work correctly.
         """
-        if self.state.app_peer_data.is_user_created(OperatorUser.username):
+        if self.state.app_peer_data.is_user_created(CharmedOperatorUser.username):
             return
         config = self.state.mongo_config
         cmd = [
@@ -169,7 +169,7 @@ class MongoManager(Object, ManagerStatusProtocol):
             '})"',
         ]
         self.workload.run_bin_command("mongodb://localhost/admin", cmd, input=config.password)
-        self.state.app_peer_data.set_user_created(OperatorUser.username)
+        self.state.app_peer_data.set_user_created(CharmedOperatorUser.username)
 
     def initialise_user(self, user: MongoDBUser):
         """Creates a user and sets its role on the MongoDB database."""
@@ -530,7 +530,7 @@ class MongoManager(Object, ManagerStatusProtocol):
             return charm_statuses
 
         except ServerSelectionTimeoutError as e:
-            # Usually it is du to ReplicaSetNoPrimary
+            # Usually it is due to ReplicaSetNoPrimary
             logger.debug(f"Got error {e} while checking replica set status")
             return [MongodStatuses.WAITING_ELECTION.value]
         except AutoReconnect as e:

single_kernel_mongo/managers/mongodb_operator.py

@@ -33,7 +33,10 @@ from single_kernel_mongo.config.models import (
     PasswordManagementContext,
     PasswordManagementState,
 )
-from single_kernel_mongo.config.relations import ExternalRequirerRelations, RelationNames
+from single_kernel_mongo.config.relations import (
+    ExternalRequirerRelations,
+    RelationNames,
+)
 from single_kernel_mongo.config.statuses import (
     BackupStatuses,
     CharmStatuses,
@@ -47,7 +50,7 @@ from single_kernel_mongo.core.kubernetes_upgrades_v3 import KubernetesMongoDBRef
 from single_kernel_mongo.core.machine_upgrades_v3 import MachineMongoDBRefresh
 from single_kernel_mongo.core.operator import OperatorProtocol
 from single_kernel_mongo.core.secrets import generate_secret_label
-from single_kernel_mongo.core.structured_config import MongoDBRoles
+from single_kernel_mongo.core.structured_config import MongoDBCharmConfig, MongoDBRoles
 from single_kernel_mongo.core.version_checker import VersionChecker
 from single_kernel_mongo.events.backups import BackupEventsHandler
 from single_kernel_mongo.events.cluster import ClusterConfigServerEventHandler
@@ -97,12 +100,12 @@ from single_kernel_mongo.state.charm_state import CharmState
 from single_kernel_mongo.utils.helpers import is_valid_ldap_options, is_valid_ldapusertodnmapping
 from single_kernel_mongo.utils.mongo_connection import MongoConnection, NotReadyError
 from single_kernel_mongo.utils.mongodb_users import (
-    BackupUser,
+    CharmedBackupUser,
+    CharmedLogRotateUser,
+    CharmedOperatorUser,
+    CharmedStatsUser,
     InternalUsers,
-    LogRotateUser,
     MongoDBUser,
-    MonitorUser,
-    OperatorUser,
     get_user_from_username,
     validate_charm_user_password_config,
 )
@@ -167,12 +170,7 @@ class MongoDBOperator(OperatorProtocol, Object):
             self.state,
             container,
         )
-        self.tls_manager = TLSManager(
-            self,
-            self.workload,
-            self.state,
-            self.substrate,
-        )
+        self.tls_manager = TLSManager(self, self.workload, self.state)
         self.mongo_manager = MongoManager(
             self,
             self.workload,
@@ -345,7 +343,8 @@ class MongoDBOperator(OperatorProtocol, Object):
                 return
 
     @property
-    def config(self):
+    @override
+    def config(self) -> MongoDBCharmConfig:
         """Returns the actual config."""
         return self.charm.parsed_config
 
@@ -393,6 +392,7 @@ class MongoDBOperator(OperatorProtocol, Object):
         return (
             self,
             self.mongo_manager,
+            self.tls_manager,
             self.shard_manager,
             self.config_server_manager,
             self.backup_manager,
@@ -487,7 +487,9 @@ class MongoDBOperator(OperatorProtocol, Object):
         except (NotReadyError, PyMongoError, WorkloadExecError) as e:
             logger.error(f"Deferring on start: error={e}")
             self.state.statuses.add(
-                MongodStatuses.WAITING_REPL_SET_INIT.value, scope="unit", component=self.name
+                MongodStatuses.WAITING_REPL_SET_INIT.value,
+                scope="unit",
+                component=self.name,
             )
             raise
 
@@ -717,10 +719,10 @@ class MongoDBOperator(OperatorProtocol, Object):
 
         Adds the unit as a replica to the MongoDB replica set.
         """
-        # Changing the monitor or the backup password will lead to non-leader
-        # units receiving a relation changed event. We must update the monitor
-        # and pbm URI if the password changes so that COS/pbm can continue to
-        # work.
+        # Changing the charmed-stats or the charmed-backup password will lead
+        # to non-leader units receiving a relation changed event. We must update
+        # the monitor and pbm URI if the password changes so that COS/pbm can
+        # continue to work.
         if self.state.db_initialised and self.workload.active():
             self.mongodb_exporter_config_manager.configure_and_restart()
             self.backup_manager.configure_and_restart()
@@ -879,22 +881,17 @@ class MongoDBOperator(OperatorProtocol, Object):
     @override
     def update_status(self) -> None:
         """Status update Handler."""
-        # TODO update the usage of this once the spec is approved and we have a consistent way of
-        # handling statuses
         if self.basic_statuses():
             logger.info("Early return invalid statuses.")
             return
 
+        if self.state.is_role(MongoDBRoles.SHARD) and self._should_skip_because_of_incomplete_tls():
+            return
+
         if self.cluster_version_checker.get_cluster_mismatched_revision_status():
             logger.info("Early return, cluster mismatch version.")
             return
 
-        if self.state.is_role(MongoDBRoles.SHARD):
-            shard_has_tls, config_server_has_tls = self.shard_manager.tls_status()
-            if config_server_has_tls and not shard_has_tls:
-                logger.info("Shard is missing TLS.")
-                return
-
         if not self.mongo_manager.mongod_ready():
             logger.info("Mongod not ready.")
             return
@@ -915,16 +912,18 @@ class MongoDBOperator(OperatorProtocol, Object):
     def update_single_user_password(self, user: MongoDBUser, new_password: str) -> None:
         """Set password in Mongod and restart the appropriate services."""
         self.mongo_manager.set_user_password(user, new_password)
-        if user == BackupUser:
+        if user == CharmedBackupUser:
             # Update and restart PBM Agent.
             self.backup_manager.configure_and_restart()
-        if user == MonitorUser:
+        if user == CharmedStatsUser:
             # Update and restart mongodb exporter.
             self.mongodb_exporter_config_manager.configure_and_restart()
-        if user == LogRotateUser:
+        if user == CharmedLogRotateUser:
             # Update and restart logrotate.
             self.logrotate_config_manager.configure_and_restart()
-        if user in (OperatorUser, BackupUser) and self.state.is_role(MongoDBRoles.CONFIG_SERVER):
+        if user in (CharmedOperatorUser, CharmedBackupUser) and self.state.is_role(
+            MongoDBRoles.CONFIG_SERVER
+        ):
             self.config_server_manager.update_credentials(
                 user.password_key_name,
                 new_password,
@@ -1055,7 +1054,9 @@ class MongoDBOperator(OperatorProtocol, Object):
         except WorkloadServiceError as e:
             logger.error("An exception occurred when starting mongod agent, error: %s.", str(e))
             self.charm.state.statuses.add(
-                MongoDBStatuses.WAITING_FOR_MONGODB_START.value, scope="unit", component=self.name
+                MongoDBStatuses.WAITING_FOR_MONGODB_START.value,
+                scope="unit",
+                component=self.name,
             )
             raise
 
@@ -1075,7 +1076,9 @@ class MongoDBOperator(OperatorProtocol, Object):
             self.backup_manager.configure_and_restart()
         except WorkloadServiceError:
             self.state.statuses.add(
-                BackupStatuses.WAITING_FOR_PBM_START.value, scope="unit", component=self.name
+                BackupStatuses.WAITING_FOR_PBM_START.value,
+                scope="unit",
+                component=self.name,
             )
             raise
 
@@ -1116,7 +1119,10 @@ class MongoDBOperator(OperatorProtocol, Object):
             logger.error("Charm is in sharding mode. Does not support %s interface.", rel_name)
             return MongoDBStatuses.INVALID_CFG_SRV_ON_SHARD_REL.value
         if self.state.is_role(MongoDBRoles.CONFIG_SERVER) and rel_name == RelationNames.SHARDING:
-            logger.error("Charm is in config-server mode. Does not support %s interface.", rel_name)
+            logger.error(
+                "Charm is in config-server mode. Does not support %s interface.",
+                rel_name,
+            )
             return MongoDBStatuses.INVALID_SHARD_ON_CFG_SRV_REL.value
         if not self.state.is_role(MongoDBRoles.CONFIG_SERVER) and rel_name == RelationNames.CLUSTER:
             logger.error("Charm is not a config-server, cannot integrate mongos")
@@ -1136,7 +1142,9 @@ class MongoDBOperator(OperatorProtocol, Object):
         self.build_local_tls_directory()
 
         # Push TLS files if necessary
-        self.tls_manager.push_tls_files_to_workload()
+        for internal in [True, False]:
+            self.tls_manager.push_tls_files_to_workload(internal)
+
         self.ldap_manager.save_certificates(self.state.ldap.chain)
 
         # Update licenses
@@ -1354,3 +1362,19 @@ class MongoDBOperator(OperatorProtocol, Object):
                 scope="app",
                 component=self.name,
             )
+
+    def _should_skip_because_of_incomplete_tls(self) -> bool:
+        """Checks if the update status hook needs skipping due to an incomplete TLS integration."""
+        shard_has_peer_tls, config_server_has_peer_tls = (
+            self.shard_manager.shard_and_config_server_peer_tls_status()
+        )
+        if config_server_has_peer_tls and not shard_has_peer_tls:
+            logger.info("Shard is missing peer TLS.")
+            return True
+        shard_has_client_tls, config_server_has_client_tls = (
+            self.shard_manager.shard_and_config_server_client_tls_status()
+        )
+        if config_server_has_client_tls and not shard_has_client_tls:
+            logger.info("Shard is missing client TLS.")
+            return True
+        return False

single_kernel_mongo/managers/mongos_operator.py

@@ -104,12 +104,7 @@ class MongosOperator(OperatorProtocol, Object):
             self.state,
             self.substrate,
         )
-        self.tls_manager = TLSManager(
-            self,
-            self.workload,
-            self.state,
-            self.substrate,
-        )
+        self.tls_manager = TLSManager(self, self.workload, self.state)
         self.cluster_manager = ClusterRequirer(
             self, self.workload, self.state, self.substrate, RelationNames.CLUSTER
         )
@@ -201,9 +196,10 @@ class MongosOperator(OperatorProtocol, Object):
     @property
     def components(self) -> tuple[ManagerStatusProtocol, ...]:
         """The ordered list of components for this operator."""
-        return (self, self.ldap_manager, self.upgrades_status_manager)
+        return (self, self.tls_manager, self.ldap_manager, self.upgrades_status_manager)
 
     @property
+    @override
     def config(self) -> MongosCharmConfig:
         """Returns the actual config."""
         return self.charm.parsed_config
@@ -222,8 +218,8 @@ class MongosOperator(OperatorProtocol, Object):
         # Instantiate the local directory for k8s
         self.build_local_tls_directory()
 
-        # Push certificates
-        self.tls_manager.push_tls_files_to_workload()
+        for internal in [True, False]:
+            self.tls_manager.push_tls_files_to_workload(internal)
 
         # Save LDAP certificates
         self.ldap_manager.save_certificates(self.state.ldap.chain)
@@ -301,8 +297,7 @@ class MongosOperator(OperatorProtocol, Object):
                 component=self.name,
             )
             self.update_k8s_external_services()
-
-            self.tls_manager.update_tls_sans()
+            self.tls_events.refresh_certificates()
             self.share_connection_info()
 
     @override
@@ -345,7 +340,7 @@ class MongosOperator(OperatorProtocol, Object):
             # our SANS as necessary.
             # The connection info will be updated when we receive the new certificates.
             if self.substrate == Substrates.K8S:
-                self.tls_manager.update_tls_sans()
+                self.tls_events.refresh_certificates()
 
     @override
     def new_peer(self) -> None:
@@ -390,11 +385,10 @@ class MongosOperator(OperatorProtocol, Object):
             self.mongos_config_manager.configure_and_restart(force=force)
         except WorkloadServiceError as e:
             logger.error("An exception occurred when starting mongos agent, error: %s.", str(e))
-            self.charm.status_handler.set_running_status(
+            self.charm.state.statuses.add(
                 MongosStatuses.WAITING_FOR_MONGOS_START.value,
                 scope="unit",
-                statuses_state=self.state.statuses,
-                component_name=self.name,
+                component=self.name,
             )
             raise
 
@@ -579,8 +573,9 @@ class MongosOperator(OperatorProtocol, Object):
             )
             return False
 
-        if status := self.cluster_manager.get_tls_statuses():
-            logger.info(f"Invalid TLS integration: {status.message}")
+        if statuses := self.cluster_manager.tls_statuses():
+            for status in statuses:
+                logger.info(f"Invalid TLS integration: {status.message}")
             return False
 
         if not self.is_mongos_running():
@@ -618,10 +613,11 @@ class MongosOperator(OperatorProtocol, Object):
             # don't bother checking remaining statuses if no config-server is present
             return charm_statuses
 
-        if status := self.cluster_manager.get_tls_statuses():
-            logger.info(f"Invalid TLS integration: {status.message}")
+        if statuses := self.cluster_manager.tls_statuses():
+            for status in statuses:
+                logger.info(f"Invalid TLS integration: {status.message}")
             # if TLS is misconfigured we will get redherrings on the remaining messages
-            charm_statuses.append(status)
+            charm_statuses += statuses
             return charm_statuses
 
         if self.state.mongos_cluster_relation and not self.state.cluster.config_server_uri: