mongo-charms-single-kernel 1.8.8__py3-none-any.whl → 1.8.10__py3-none-any.whl

single_kernel_mongo/state/charm_state.py

@@ -73,12 +73,12 @@ from single_kernel_mongo.utils.mongo_config import MongoConfiguration
 from single_kernel_mongo.utils.mongo_connection import MongoConnection
 from single_kernel_mongo.utils.mongo_error_codes import MongoErrorCodes
 from single_kernel_mongo.utils.mongodb_users import (
-    BackupUser,
+    CharmedBackupUser,
+    CharmedLogRotateUser,
+    CharmedOperatorUser,
+    CharmedStatsUser,
     InternalUsers,
-    LogRotateUser,
     MongoDBUser,
-    MonitorUser,
-    OperatorUser,
     RoleNames,
 )
 
@@ -212,9 +212,14 @@ class CharmState(Object, StatusesStateProtocol):
         return set(self.model.relations[RelationNames.CONFIG_SERVER.value])
 
     @property
-    def tls_relation(self) -> Relation | None:
-        """The TLS relation."""
-        return self.model.get_relation(ExternalRequirerRelations.TLS.value)
+    def client_tls_relation(self) -> Relation | None:
+        """The client TLS relation if it exists."""
+        return self.model.get_relation(ExternalRequirerRelations.CLIENT_TLS.value)
+
+    @property
+    def peer_tls_relation(self) -> Relation | None:
+        """The peer TLS relation if it exists."""
+        return self.model.get_relation(ExternalRequirerRelations.PEER_TLS.value)
 
     @property
     def s3_relation(self) -> Relation | None:
@@ -342,7 +347,11 @@ class CharmState(Object, StatusesStateProtocol):
     @property
     def tls(self) -> TLSState:
         """A view of the TLS status from the local unit databag."""
-        return TLSState(relation=self.peer_relation, secrets=self.secrets)
+        return TLSState(
+            peer_relation=self.peer_tls_relation,
+            client_relation=self.client_tls_relation,
+            secrets=self.secrets,
+        )
 
     @property
     def ldap(self) -> LdapState:
@@ -554,8 +563,8 @@ class CharmState(Object, StatusesStateProtocol):
         return f"{replica_set_name}/{','.join(hosts)}"
 
     # END: Helpers
-    def update_ca_secrets(self, new_ca: str | None) -> None:
-        """Updates the CA secret in the cluster and config-server relations."""
+    def _update_ca_secrets(self, new_ca: str | None, cluster_key: str, sharding_key: str) -> None:
+        """Updates the CA secret for the right values on the right fields."""
         # Only the leader can update the databag
         if not self.charm.unit.is_leader():
             return
@@ -564,22 +573,36 @@ class CharmState(Object, StatusesStateProtocol):
         for relation in self.cluster_relations:
             if new_ca is None:
                 self.cluster_provider_data_interface.delete_relation_data(
-                    relation.id, [ClusterStateKeys.INT_CA_SECRET.value]
+                    relation.id, [cluster_key]
                 )
             else:
                 self.cluster_provider_data_interface.update_relation_data(
-                    relation.id, {ClusterStateKeys.INT_CA_SECRET.value: new_ca}
+                    relation.id, {cluster_key: new_ca}
                 )
         for relation in self.config_server_relation:
             if new_ca is None:
-                self.config_server_data_interface.delete_relation_data(
-                    relation.id, [AppShardingComponentKeys.INT_CA_SECRET.value]
-                )
+                self.config_server_data_interface.delete_relation_data(relation.id, [sharding_key])
             else:
                 self.config_server_data_interface.update_relation_data(
-                    relation.id, {AppShardingComponentKeys.INT_CA_SECRET.value: new_ca}
+                    relation.id, {sharding_key: new_ca}
                 )
 
+    def update_peer_ca_secrets(self, new_ca: str | None) -> None:
+        """Updates the peer CA secret in the cluster and config-server relations."""
+        self._update_ca_secrets(
+            new_ca=new_ca,
+            cluster_key=ClusterStateKeys.INT_CA_SECRET.value,
+            sharding_key=AppShardingComponentKeys.INT_CA_SECRET.value,
+        )
+
+    def update_client_ca_secrets(self, new_ca: str | None) -> None:
+        """Updates the client CA secret in the cluster and config-server relations."""
+        self._update_ca_secrets(
+            new_ca=new_ca,
+            cluster_key=ClusterStateKeys.EXT_CA_SECRET.value,
+            sharding_key=AppShardingComponentKeys.EXT_CA_SECRET.value,
+        )
+
     def is_scaling_down(self, rel_id: int) -> bool:
         """Returns True if the application is scaling down."""
         rel_departed_key = generate_relation_departed_key(rel_id)
@@ -606,7 +629,7 @@ class CharmState(Object, StatusesStateProtocol):
             return False
 
         # We can't check if we don't have a valid certificate
-        if self.shard_state.internal_ca_secret is not None and not self.tls.external_enabled:
+        if self.shard_state.external_ca_secret is not None and not self.tls.client_enabled:
             return False
 
         try:
@@ -665,7 +688,7 @@ class CharmState(Object, StatusesStateProtocol):
             hosts=hosts or user.hosts,
             port=MongoPorts.MONGODB_PORT.value,
             roles=user.roles,
-            tls_enabled=self.tls.external_enabled,
+            tls_enabled=self.tls.client_enabled,
             tls_external_keyfile=self.paths.ext_pem_file,
             tls_external_ca=self.paths.ext_ca_file,
             standalone=standalone,
@@ -695,42 +718,42 @@ class CharmState(Object, StatusesStateProtocol):
             hosts=hosts or user.hosts,
             port=MongoPorts.MONGOS_PORT.value,
             roles=user.roles,
-            tls_enabled=self.tls.external_enabled,
+            tls_enabled=self.tls.client_enabled,
             tls_external_keyfile=self.paths.ext_pem_file,
             tls_external_ca=self.paths.ext_ca_file,
         )
 
     @property
     def backup_config(self) -> MongoConfiguration:
-        """Mongo Configuration for the backup user."""
-        return self.mongodb_config_for_user(BackupUser, standalone=True)
+        """Mongo Configuration for the charmed-backup user."""
+        return self.mongodb_config_for_user(CharmedBackupUser, standalone=True)
 
     @property
-    def monitor_config(self) -> MongoConfiguration:
-        """Mongo Configuration for the monitoring user."""
-        return self.mongodb_config_for_user(MonitorUser, hosts=self.internal_hosts)
+    def stats_config(self) -> MongoConfiguration:
+        """Mongo Configuration for the charmed-stats user."""
+        return self.mongodb_config_for_user(CharmedStatsUser, hosts=self.internal_hosts)
 
     @property
     def logrotate_config(self) -> MongoConfiguration:
-        """Mongo Configuration for the logrotate user."""
-        return self.mongodb_config_for_user(LogRotateUser, standalone=True)
+        """Mongo Configuration for the charmed-logrotate user."""
+        return self.mongodb_config_for_user(CharmedLogRotateUser, standalone=True)
 
     @property
     def operator_config(self) -> MongoConfiguration:
-        """Mongo Configuration for the operator user."""
-        return self.mongodb_config_for_user(OperatorUser, hosts=self.internal_hosts)
+        """Mongo Configuration for the charmed-operator user."""
+        return self.mongodb_config_for_user(CharmedOperatorUser, hosts=self.internal_hosts)
 
     @property
     def remote_mongos_config(self) -> MongoConfiguration:
         """Mongos Configuration for the remote mongos server."""
         mongos_hosts = self.app_peer_data.mongos_hosts
-        return self.mongos_config_for_user(OperatorUser, set(mongos_hosts))
+        return self.mongos_config_for_user(CharmedOperatorUser, set(mongos_hosts))
 
     @property
     def mongos_config(self) -> MongoConfiguration:
         """Mongos Configuration for the admin mongos user."""
         if self.charm_role.name == CharmKind.MONGOD:
-            return self.mongos_config_for_user(OperatorUser, self.internal_hosts)
+            return self.mongos_config_for_user(CharmedOperatorUser, self.internal_hosts)
         username, password = self.get_user_credentials()
         database = self.app_peer_data.database
         port: int | None = MongoPorts.MONGOS_PORT.value
@@ -751,7 +774,7 @@ class CharmState(Object, StatusesStateProtocol):
             # unlike the vm mongos charm, the K8s charm does not communicate with the unix socket
             port=port,
             roles={RoleNames.ADMIN},
-            tls_enabled=self.tls.external_enabled,
+            tls_enabled=self.tls.client_enabled,
             tls_external_keyfile=self.paths.ext_pem_file,
             tls_external_ca=self.paths.ext_ca_file,
         )

single_kernel_mongo/state/cluster_state.py

@@ -23,6 +23,7 @@ class ClusterStateKeys(str, Enum):
     CONFIG_SERVER_DB = "config-server-db"
     KEYFILE = "key-file"
     INT_CA_SECRET = "int-ca-secret"
+    EXT_CA_SECRET = "ext-ca-secret"
     LDAP_USER_TO_DN_MAPPING = "ldap-user-to-dn-mapping"
     LDAP_HASH = "ldap-hash"
 
@@ -74,6 +75,13 @@ class ClusterState(AbstractRelationState[Data]):
             return None
         return self.relation_data.get(ClusterStateKeys.INT_CA_SECRET.value, None)
 
+    @property
+    def external_ca_secret(self) -> str | None:
+        """Returns the external CA secret."""
+        if not self.relation:
+            return None
+        return self.relation_data.get(ClusterStateKeys.EXT_CA_SECRET.value, None)
+
     @property
     def ldap_user_to_dn_mapping(self) -> str | None:
         """Returns the userToDNMapping config option shared by the config-server."""

single_kernel_mongo/state/config_server_state.py

@@ -18,11 +18,12 @@ class AppShardingComponentKeys(str, Enum):
     """Config Server State Model for the application."""
 
     DATABASE = "database"
-    OPERATOR_PASSWORD = "operator-password"
-    BACKUP_PASSWORD = "backup-password"
+    OPERATOR_PASSWORD = "charmed-operator-password"
+    BACKUP_PASSWORD = "charmed-backup-password"
     HOST = "host"
     KEY_FILE = "key-file"
     INT_CA_SECRET = "int-ca-secret"
+    EXT_CA_SECRET = "ext-ca-secret"
     BACKUP_CA_SECRET = "backup-ca-secret"
 
     # We don't use those except to check if we've received credentials
@@ -31,10 +32,11 @@ class AppShardingComponentKeys(str, Enum):
 
 
 SECRETS_FIELDS = [
-    "operator-password",
-    "backup-password",
+    "charmed-operator-password",
+    "charmed-backup-password",
     "key-file",
     "int-ca-secret",
+    "ext-ca-secret",
     "backup-ca-secret",
 ]
 
@@ -75,6 +77,13 @@ class AppShardingComponentState(AbstractRelationState[Data]):
             return None
         return self.relation_data.get(AppShardingComponentKeys.INT_CA_SECRET.value, None)
 
+    @property
+    def external_ca_secret(self) -> str | None:
+        """Returns the external CA secret."""
+        if not self.relation:
+            return None
+        return self.relation_data.get(AppShardingComponentKeys.EXT_CA_SECRET.value, None)
+
     @property
     def keyfile(self) -> str | None:
         """Returns the keyfile."""
@@ -84,14 +93,14 @@ class AppShardingComponentState(AbstractRelationState[Data]):
 
     @property
     def operator_password(self) -> str | None:
-        """Returns the operator password."""
+        """Returns the charmed-operator password."""
         if not self.relation:
             return None
         return self.relation_data.get(AppShardingComponentKeys.OPERATOR_PASSWORD.value, None)
 
     @property
     def backup_password(self) -> str | None:
-        """Returns the operator password."""
+        """Returns the charmed-backup password."""
         if not self.relation:
             return None
         return self.relation_data.get(AppShardingComponentKeys.BACKUP_PASSWORD.value, None)

single_kernel_mongo/state/models.py

@@ -20,7 +20,7 @@ class ConfigServerData(ProviderData, RequirerData):  # type: ignore[misc]
         "tls-ca",
         "uris",
         "key-file",
-        "operator-password",
-        "backup-password",
+        "charmed-operator-password",
+        "charmed-backup-password",
         "int-ca-secret",
     ]

single_kernel_mongo/state/tls_state.py

@@ -4,44 +4,59 @@
 
 """The TLS state."""
 
+from enum import Enum
+
 from ops import Relation
 from ops.model import Unit
 
 from single_kernel_mongo.config.literals import Scope
 from single_kernel_mongo.core.secrets import SecretCache
+from single_kernel_mongo.lib.charms.tls_certificates_interface.v4.tls_certificates import PrivateKey
 
 SECRET_KEY_LABEL = "key-secret"
 SECRET_CA_LABEL = "ca-secret"
-SECRET_CERT_LABEL = "cert-secret"
 SECRET_CSR_LABEL = "csr-secret"
+SECRET_CERT_LABEL = "cert-secret"
 SECRET_CHAIN_LABEL = "chain-secret"
-WAIT_CERT_UPDATE = "wait-cert-updated"
 INT_CERT_SECRET_KEY = "int-cert-secret"
 EXT_CERT_SECRET_KEY = "ext-cert-secret"
 
 
+class TlsManagementState(Enum):
+    """TLS management state that can be mapped to a status."""
+
+    EMPTY = ""
+    UPGRADE_IN_PROGRESS = "Upgrade in progress."
+    DB_NOT_INTIALIZED = "DB is not initialized."
+    MONGOS_MISSING_CONFIG_SERVER = "mongos is not running (not integrated to config-server)."
+    MONGOS_DB_NOT_INITIALIZED = "mongos DB is not initialized."
+
+
 class TLSState:
     """The stored state for the TLS relation."""
 
     component: Unit
 
-    def __init__(self, relation: Relation | None, secrets: SecretCache):
-        self.relation = relation
+    def __init__(
+        self, peer_relation: Relation | None, client_relation: Relation | None, secrets: SecretCache
+    ):
+        self.peer_relation = peer_relation
+        self.client_relation = client_relation
         self.secrets = secrets
 
     @property
-    def internal_enabled(self) -> bool:
-        """Is internal TLS enabled."""
+    def peer_enabled(self) -> bool:
+        """Is peer TLS enabled."""
         return (
-            self.relation is not None
+            self.peer_relation is not None
             and self.secrets.get_for_key(Scope.UNIT, INT_CERT_SECRET_KEY) is not None
         )
 
     @property
-    def external_enabled(self) -> bool:
-        """Is external TLS enabled."""
+    def client_enabled(self) -> bool:
+        """Is client TLS enabled."""
         return (
-            self.relation is not None
+            self.client_relation is not None
             and self.secrets.get_for_key(Scope.UNIT, EXT_CERT_SECRET_KEY) is not None
         )
 
@@ -49,9 +64,9 @@ class TLSState:
         """Is TLS enabled for ::internal."""
         match internal:
             case True:
-                return self.internal_enabled
+                return self.peer_enabled
             case False:
-                return self.external_enabled
+                return self.client_enabled
 
     def set_secret(self, internal: bool, label_name: str, contents: str | None) -> None:
         """Sets TLS secret, based on whether or not it is related to internal connections."""
@@ -67,3 +82,15 @@ class TLSState:
         scope = "int" if internal else "ext"
         label_name = f"{scope}-{label_name}"
         return self.secrets.get_for_key(Scope.UNIT, label_name)
+
+    @property
+    def client_private_key(self) -> PrivateKey | None:
+        """Private key for the client relation."""
+        private_key_str = self.get_secret(internal=False, label_name=SECRET_KEY_LABEL)
+        return PrivateKey(private_key_str) if private_key_str else None
+
+    @property
+    def peer_private_key(self) -> PrivateKey | None:
+        """Private key for the peer relation."""
+        private_key_str = self.get_secret(internal=True, label_name=SECRET_KEY_LABEL)
+        return PrivateKey(private_key_str) if private_key_str else None

single_kernel_mongo/utils/helpers.py

@@ -4,8 +4,6 @@
 
 """Some helpers functions that doesn't belong anywhere else."""
 
-import base64
-import re
 from functools import partial
 from logging import getLogger
 
@@ -18,21 +16,6 @@ from single_kernel_mongo.exceptions import InvalidCharmKindError
 logger = getLogger(__name__)
 
 
-def parse_tls_file(raw_content: str) -> bytes:
-    """Parse TLS files from both plain text or base64 format."""
-    if re.match(r"(-+(BEGIN|END) [A-Z ]+-+)", raw_content):
-        return (
-            re.sub(
-                r"(-+(BEGIN|END) [A-Z ]+-+)",
-                "\\1",
-                raw_content,
-            )
-            .rstrip()
-            .encode("utf-8")
-        )
-    return base64.b64decode(raw_content)
-
-
 def generate_relation_departed_key(rel_id: int) -> str:  # noqa
     return f"relation_{rel_id}_departed"
 
@@ -61,7 +44,7 @@ def hostname_from_shardname(host: str) -> str:
     return host.split("/")[0]
 
 
-def is_valid_ldapusertodnmapping(ldap_user_to_dn_mapping: str) -> bool:
+def is_valid_ldapusertodnmapping(ldap_user_to_dn_mapping: str | None) -> bool:
     """Validates the mapping, returning a boolean."""
     if not ldap_user_to_dn_mapping:
         return True
@@ -73,7 +56,9 @@ def is_valid_ldapusertodnmapping(ldap_user_to_dn_mapping: str) -> bool:
         return False
 
 
-def is_valid_ldap_options(ldap_user_to_dn_mapping: str, ldap_query_template: str) -> bool:
+def is_valid_ldap_options(
+    ldap_user_to_dn_mapping: str | None, ldap_query_template: str | None
+) -> bool:
     """Validates the combination of the two LDAP options.
 
     Rules are the following:

single_kernel_mongo/utils/mongodb_users.py

@@ -129,14 +129,14 @@ class MongoDBUser(BaseModel):
         return self.hosts
 
 
-OperatorUser = MongoDBUser(
-    username=InternalUsernames.OPERATOR,
+CharmedOperatorUser = MongoDBUser(
+    username=InternalUsernames.CHARMED_OPERATOR,
     database_name=SystemDBS.ADMIN,
     roles={RoleNames.DEFAULT},
 )
 
-MonitorUser = MongoDBUser(
-    username=InternalUsernames.MONITOR,
+CharmedStatsUser = MongoDBUser(
+    username=InternalUsernames.CHARMED_STATS,
     database_name=SystemDBS.ADMIN,
     roles={RoleNames.MONITOR},
     privileges={
@@ -154,16 +154,16 @@ MonitorUser = MongoDBUser(
     hosts={LOCALHOST},  # MongoDB Exporter can only connect to one replica.
 )
 
-BackupUser = MongoDBUser(
-    username=InternalUsernames.BACKUP,
+CharmedBackupUser = MongoDBUser(
+    username=InternalUsernames.CHARMED_BACKUP,
     roles={RoleNames.BACKUP},
     privileges={"resource": {"anyResource": True}, "actions": ["anyAction"]},
     mongodb_role="pbmAnyAction",
     hosts={LOCALHOST},  # pbm cannot make a direct connection if multiple hosts are used
 )
 
-LogRotateUser = MongoDBUser(
-    username=InternalUsernames.LOGROTATE,
+CharmedLogRotateUser = MongoDBUser(
+    username=InternalUsernames.CHARMED_LOGROTATE,
     database_name=SystemDBS.ADMIN,
     roles={RoleNames.LOGROTATE},
     privileges={"resource": {"cluster": True}, "actions": ["logRotate"]},
@@ -172,10 +172,10 @@ LogRotateUser = MongoDBUser(
 )
 
 InternalUsers = (
-    OperatorUser,
-    BackupUser,
-    MonitorUser,
-    LogRotateUser,
+    CharmedOperatorUser,
+    CharmedBackupUser,
+    CharmedStatsUser,
+    CharmedLogRotateUser,
 )
 
 
@@ -185,14 +185,14 @@ def get_user_from_username(username: str) -> MongoDBUser:
     Raises:
         ValueError: If the username is not one of the known users.
     """
-    if username == OperatorUser.username:
-        return OperatorUser
-    if username == MonitorUser.username:
-        return MonitorUser
-    if username == BackupUser.username:
-        return BackupUser
-    if username == LogRotateUser.username:
-        return LogRotateUser
+    if username == CharmedOperatorUser.username:
+        return CharmedOperatorUser
+    if username == CharmedStatsUser.username:
+        return CharmedStatsUser
+    if username == CharmedBackupUser.username:
+        return CharmedBackupUser
+    if username == CharmedLogRotateUser.username:
+        return CharmedLogRotateUser
     raise ValueError(f"Unknown user: {username}")