mongo-charms-single-kernel 1.8.8__py3-none-any.whl → 1.8.9__py3-none-any.whl

{mongo_charms_single_kernel-1.8.8.dist-info → mongo_charms_single_kernel-1.8.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mongo-charms-single-kernel
-Version: 1.8.8
+Version: 1.8.9
 Summary: Shared and reusable code for Mongo-related charms
 License-Expression: Apache-2.0
 License-File: LICENSE

{mongo_charms_single_kernel-1.8.8.dist-info → mongo_charms_single_kernel-1.8.9.dist-info}/RECORD

@@ -1,31 +1,31 @@
 single_kernel_mongo/__init__.py,sha256=yTtXuLHbaXGJ5IgR7PhhNOzmqlpqywkTNI4bmkNECQ4,421
 single_kernel_mongo/abstract_charm.py,sha256=x8LnydlO2hoiJBp_ijRUNrfOH1YrvpcZy5SpuYR1jdg,5762
 single_kernel_mongo/config/__init__.py,sha256=OGTmp5MZXk2ZGgElT0A1yVyQz6FB4JzjG34mbeIWG2k,128
-single_kernel_mongo/config/literals.py,sha256=8e6s8L6ehDBeqgQ65pT96qFtLFlfXZaKFkPtrYUxCLY,2023
+single_kernel_mongo/config/literals.py,sha256=OH5vzTYdDaPtyZ-Qope-cYpsdxN_GEa43ElIn_98T3Q,2113
 single_kernel_mongo/config/models.py,sha256=MruFI2EJndfH3KaJ5iaNar1oyMrTfSZaTQ3yxTxllnc,6770
-single_kernel_mongo/config/relations.py,sha256=fV0_x46OV4nTxbqQx_TNRO3BAxGht9Q_3pej23MgiP0,1047
-single_kernel_mongo/config/statuses.py,sha256=sjXIWwlZu8RgCV2mrtn9J9eoGOFEpbqYa35flDy6wXs,21183
+single_kernel_mongo/config/relations.py,sha256=CisZvNUNEy27_oxEme_WpmZbN7DuDGfh4EUrAeoJprw,1096
+single_kernel_mongo/config/statuses.py,sha256=hJ-BB-o85DfnRwEU-_6SGzMzebmYbDZNSvcBmHvL2hc,25761
 single_kernel_mongo/core/__init__.py,sha256=K1XAyFSIkldkT-008Eeg_o7H_XveWaxRuXGJnwoB_DU,124
 single_kernel_mongo/core/abstract_upgrades_v3.py,sha256=AU_eiZ5PU76mcJWoXcZZRaVWCTAZqLyw0RXk3J3bxbQ,5744
 single_kernel_mongo/core/k8s_workload.py,sha256=wp3plDVg6h8vfG8Zpi_p2mq_TNP_2uBlPMt0kWlWrgk,5442
 single_kernel_mongo/core/kubernetes_upgrades_v3.py,sha256=OdzU2g2m2_QI9fAzxaJKnAek5dEc9ZxQ05bgqIT7GHw,339
 single_kernel_mongo/core/machine_upgrades_v3.py,sha256=ae_ehbL_dK778qhF3YYy4BB7ir9uekKp0HIdtf_S41o,1961
-single_kernel_mongo/core/operator.py,sha256=xgmDfMS_loqxsNtnyhSrRenaSulARIgTf8szA9p1at4,14551
+single_kernel_mongo/core/operator.py,sha256=3k5CNyvndaNMjkLYMGMajX1saVUEAxSJi98CAvzyitI,14760
 single_kernel_mongo/core/secrets.py,sha256=SOS19OhzpWdPur7JpggJ84u333tNyapTEgf_kjDjD6M,6755
-single_kernel_mongo/core/structured_config.py,sha256=wUC6RyzvnL7L7lKmf0cD0V1h0YN5e20Hc0uZAMCD0K4,4246
+single_kernel_mongo/core/structured_config.py,sha256=5M2za_9Kh7_8tLLS16BcIBxU6EmtlmMqVHF-AczPDYc,4434
 single_kernel_mongo/core/version_checker.py,sha256=q8HZZUvy-h3CKxcaCtBss6UvwoexD92OaLmru6ikuJ0,3711
 single_kernel_mongo/core/vm_workload.py,sha256=7KUgc82DaWVaxx3UEypuLZ3AIR_dlnqDnB6sorhbArw,7043
-single_kernel_mongo/core/workload.py,sha256=l0AqhnvgcXfrm0c-mKcGUf3-hoo5Gzc8EhQh01RfQKU,10107
+single_kernel_mongo/core/workload.py,sha256=EHQdsL9uLb4zREChobxa9QvlzT1a1efMLkV2wAjaBBI,10239
 single_kernel_mongo/events/__init__.py,sha256=xatr1vi0ZKdqF1X-L2vaRuz1vJHwxschJu0XYxd_zoM,126
 single_kernel_mongo/events/backups.py,sha256=01yq8bk5n2YlbNA0XcBT5ENSK1EsT8WmtDPh-M_zmEM,13168
-single_kernel_mongo/events/cluster.py,sha256=oEKrdB6UCdUnSV12Kh1Nm3k2fTHxGQ9rLLW8lbRu0cY,7802
+single_kernel_mongo/events/cluster.py,sha256=503SETbcmbkML98uDOnECdDSyaxmGPhrsXC50gaByLo,8185
 single_kernel_mongo/events/database.py,sha256=xcmeLnEnYyaL2Y7e-peHEVRZUKuM8w0w9Eh-9f8t7U4,6046
 single_kernel_mongo/events/ldap.py,sha256=XyU-2BD7hqqQ6EvEZvVXaHTtFX-4Nu2w5fdBhEB3oRk,6510
 single_kernel_mongo/events/lifecycle.py,sha256=huLQemAFfqNlCOu1AxsYHz9tCMBCvS1Ps2DvEXYcCuY,10927
 single_kernel_mongo/events/primary_action.py,sha256=S7BE2BPnqZwXMuAZbn-OjfsZtTR-pe7Pdo69nimSCG4,1304
-single_kernel_mongo/events/sharding.py,sha256=A5T7n7P36u_7_7QoTfRy4TWUsPT-rYan7ZWxWmTnYxQ,7259
-single_kernel_mongo/events/tls.py,sha256=SN43SWlpsfCe9V3f__eJGWnj0q72ne6MqnEsvTucSmU,8891
-single_kernel_mongo/exceptions.py,sha256=frF-vmLwSQH9BxgRgnZTfkkihnyf3epv1pHz31RkOaY,7416
+single_kernel_mongo/events/sharding.py,sha256=8bwt7vdF1EZNrSamie6L78LKfnWzi30I0eKAbdXZh9k,7414
+single_kernel_mongo/events/tls.py,sha256=W5uglBFU17iWYs47jw5rDolqUcYp5TntyeVY9c6rP74,10036
+single_kernel_mongo/exceptions.py,sha256=pOkJJfdN2EWiWPFrTmFnk_T4USc3zHnGtjCwLpE3hs4,7194
 single_kernel_mongo/lib/charms/certificate_transfer_interface/v0/certificate_transfer.py,sha256=KnvPKlHwkUSn1ND5fJ6ddAiBussfITBw5dMGKPqy8-8,17999
 single_kernel_mongo/lib/charms/data_platform_libs/v0/data_interfaces.py,sha256=BOabAUHQ2KeHHWA_BpB45sFEUz_RdGcf3YWUAAw6gXw,202649
 single_kernel_mongo/lib/charms/data_platform_libs/v0/s3.py,sha256=INOhfzcJWr7eXxVgvVqtenVeoODnSxjgFne6AbL_3bY,28557
@@ -37,19 +37,19 @@ single_kernel_mongo/lib/charms/operator_libs_linux/v0/sysctl.py,sha256=FwLyNGlNV
 single_kernel_mongo/lib/charms/operator_libs_linux/v1/systemd.py,sha256=eyexodlMtvlcX7yUl5PBeJyOVAr8QapuyB0aGi8upno,8505
 single_kernel_mongo/lib/charms/operator_libs_linux/v2/snap.py,sha256=9vycyj8zDYqBRpNiSlR28DX1f7ZEw2zJbJwxfj_eIUM,48916
 single_kernel_mongo/lib/charms/prometheus_k8s/v0/prometheus_scrape.py,sha256=Wrq14k-KwYRAK7sfF3ycy4Agb7Ez7qKzjfjUFD3z7vw,99121
-single_kernel_mongo/lib/charms/tls_certificates_interface/v3/tls_certificates.py,sha256=N0Z9vZsySy1L4UyPCfFFFs5COIQMjnNa5X-1ALSWltI,94254
+single_kernel_mongo/lib/charms/tls_certificates_interface/v4/tls_certificates.py,sha256=Y6nI8mtF-IQP8g2DvRr9Y3J10GJ8CTOejnfEHvRgEjo,82104
 single_kernel_mongo/managers/__init__.py,sha256=EUhvtK85skMEcT3yacYwezyIW4ajsoC5SwxpZcmPZnM,145
 single_kernel_mongo/managers/backups.py,sha256=L5UrxCSoYEJI8dtWA4tikNvTo71IQJqtMamvgKxsTGQ,40176
-single_kernel_mongo/managers/cluster.py,sha256=IjifWuqa7cUDnLCKUDDL0KiBEnQvkp0nSN2LepJ3gGU,20672
-single_kernel_mongo/managers/config.py,sha256=wHMs6XLuWKGOxDCKh_L66HJKP6y1OAepKv21_CuijRI,18332
+single_kernel_mongo/managers/cluster.py,sha256=FhqbWFuozstdXMB1cO7QYMDMguhCrGSQY-uISuZaNaM,22557
+single_kernel_mongo/managers/config.py,sha256=F4qszxKV5A8ZPlpRXFWm5xXnjRFEqM5eouSCnLP4hqQ,18609
 single_kernel_mongo/managers/k8s.py,sha256=I9NNaUKYlOGt6JoTa3gicqzPdO9yPWgO4tPgGBac1uQ,11036
 single_kernel_mongo/managers/ldap.py,sha256=xDyfWZWdrku1WY1phAJELPZAwynBM1Q2bXRA2gOyQto,15823
-single_kernel_mongo/managers/mongo.py,sha256=_ffIIsDsR59v9SJN9sZ1Fg_QEGLM4XRCziyENSBG7eg,24325
-single_kernel_mongo/managers/mongodb_operator.py,sha256=stS2-IXS1SRHMM6q-H0wAxuJ5U-HRsqh0vfsYDlXOQU,55989
-single_kernel_mongo/managers/mongos_operator.py,sha256=8MFM5HpxllG4_CJBh5VfuqK-dYDlqa03WNsDoqnKGOA,25487
+single_kernel_mongo/managers/mongo.py,sha256=SMGion-lciKU9REzI7HTHs_R8rMafngbZzS7BfAWybc,24326
+single_kernel_mongo/managers/mongodb_operator.py,sha256=fcBSmV3ELs5x3NYhBAVN_iIYk1cwS7snP7-0mmOm8oY,56703
+single_kernel_mongo/managers/mongos_operator.py,sha256=ZVW7eIsQo0DmK4VzYruDlMsQkKL_ju4TtJkU4FXGIJo,25475
 single_kernel_mongo/managers/observability.py,sha256=j5Nt5Wv43HaYVcr2f6Y_DqHJaP5XhUMjjh7Gg8JwsZI,3584
-single_kernel_mongo/managers/sharding.py,sha256=0CYPFHZiwqsQGSaTY40r3FYnhtW4ftQkeZxLqqWDOHg,46045
-single_kernel_mongo/managers/tls.py,sha256=7WRR8nV2Tq3LCyxZmvRqteUxbbi1_ITIunfxYQi9Mpg,15481
+single_kernel_mongo/managers/sharding.py,sha256=l2HYRdziu3yHq9mS8xuH5EwQHNG9Bz4HnVwHKPw2gqs,47461
+single_kernel_mongo/managers/tls.py,sha256=-r0hj2b5LuHh-2Md1ask3CdICC09A5yiYzC6OjGuTpY,15834
 single_kernel_mongo/managers/upgrade_v3.py,sha256=Wci00SC1Ey599T0VefWHbfsl3nnqUVNru7RU3qJnCbY,19673
 single_kernel_mongo/managers/upgrade_v3_status.py,sha256=IRo4Geyv3mUmqy8QgnD4qWzQaTHLiGkMkKD1dC4ZZq4,5770
 single_kernel_mongo/observability_rules/__init__.py,sha256=VuClFh0iGrw64cP4JppbSotFRyGpNVGmT8oD8pAbJoM,146
@@ -61,12 +61,12 @@ single_kernel_mongo/observability_rules/vm_prometheus_alert_rules/percona-mongod
 single_kernel_mongo/state/__init__.py,sha256=V5TWoUtibFiyVO0BqPHnZOZrLNTIIgiVm3vmrhw8tS4,145
 single_kernel_mongo/state/abstract_state.py,sha256=2bSGXu0KehBw_XIu7THWZEVzrX6C8-73_9mlUrfEMXg,2471
 single_kernel_mongo/state/app_peer_state.py,sha256=ul2Z4EBFBm2HW58UaDFrR0mgj6cE8O5zWPzlTPRl8Cs,7501
-single_kernel_mongo/state/charm_state.py,sha256=yiYsRuUuP-7uIenxAKK531QZSLeqpmt2KTEYVU9CqbY,29359
-single_kernel_mongo/state/cluster_state.py,sha256=KI2Ful1H-ChkUC5kJfp0nUfe8m3SGFW5rx9to-sNKSQ,2947
-single_kernel_mongo/state/config_server_state.py,sha256=L-UZv3S1mBzgQJu23dnwNFvBq9Gc4AUD4Q2c9IEYCbw,3799
+single_kernel_mongo/state/charm_state.py,sha256=-g-Ag5zbfmyM9-caXsE_j2xWeNb2s3P_FwUbdqNZHUY,30279
+single_kernel_mongo/state/cluster_state.py,sha256=CmtC2ztAl02K_UEzix-jnObHri72m1pplzUbO7HKLB8,3228
+single_kernel_mongo/state/config_server_state.py,sha256=u9mr_-OCuIgbadHDLNxVkzL23qigVAn84GbnSemg-yo,4109
 single_kernel_mongo/state/ldap_state.py,sha256=7XxjYoFMI8vujlqbCj5JyqigIlmYc-ebL9e0MEDW23Q,7915
 single_kernel_mongo/state/models.py,sha256=Ipfy2OdCekL1bIBr22Cb-pJiYhQdNvLIZYR4wPmc30g,592
-single_kernel_mongo/state/tls_state.py,sha256=pCdMBxCXdJaYiDKqTyNz1D7yDX0WwaiBfC6NZdscg7c,2300
+single_kernel_mongo/state/tls_state.py,sha256=CVNvMHmsX83wgStOHwWTOqqApv9LTm4lJLQFDqoNFSQ,3413
 single_kernel_mongo/state/unit_peer_state.py,sha256=99Qn6DkKXO_y5isuLXICfrQeVg3uqy0uW_48g7WqGK0,4080
 single_kernel_mongo/templates/__init__.py,sha256=8-zJnYHONfuTjeihx1ZL34URMW6c_MwJaIMBJgoPGTc,141
 single_kernel_mongo/templates/enable-transparent-huge-pages.service.j2,sha256=hHYGtnZq9pVsx4jqNxiyuvnqK5rDf-WM6OsktfhJzBk,511
@@ -74,7 +74,7 @@ single_kernel_mongo/templates/ldap.conf.j2,sha256=aPTzSu42jheL1i3RXAp6P7SQRIdmPf
 single_kernel_mongo/templates/logrotate.j2,sha256=iemZzi9hHjA9ANzP7QxW63mdM7fJRUzqkqgsR2qpPQU,753
 single_kernel_mongo/utils/__init__.py,sha256=JH9SDM2bQq7R5hb1nRTeUKQVHbdqg6RbQu5-qAJ0Xpg,116
 single_kernel_mongo/utils/event_helpers.py,sha256=_rVQZKjs0osHGtjA5LEdV5LTnxCVXGPe2UY8wmRazBE,981
-single_kernel_mongo/utils/helpers.py,sha256=VdDERCFkUxMZ2SzLEl76BBrzcEjkFVmz509e0_e-Uac,4006
+single_kernel_mongo/utils/helpers.py,sha256=N99hZq9USaWdi87XU9JR2W8SP9KfdAOaJy5f85xQ2ZE,3584
 single_kernel_mongo/utils/mongo_config.py,sha256=tU7dGUZPSWdfttUn868vi_q5y6EWvGN2SREfexM8pxU,4134
 single_kernel_mongo/utils/mongo_connection.py,sha256=330gz1Ha5WdfdfxYmci1jVRnrRswtomoukn3AASSXCU,28540
 single_kernel_mongo/utils/mongo_error_codes.py,sha256=mM_KHTR3b9UA4BaxmzSlCVrFUNhRAc458ndBvJ4fg_8,479
@@ -85,7 +85,7 @@ single_kernel_mongo/workload/log_rotate_workload.py,sha256=VmWUJ_mqxN4v_IAFHw6lL
 single_kernel_mongo/workload/mongodb_workload.py,sha256=UHXVUQI1FyAhnP2TTLKiTFWWrUUaX-On4wDIsT5DXvQ,1527
 single_kernel_mongo/workload/mongos_workload.py,sha256=p1ZjqbGTokcxNnqKCvCIUQvmDvkOcN8pRvkPfA7Rgeg,1815
 single_kernel_mongo/workload/monitor_workload.py,sha256=dw-F3Y11_jpqI30Hg30-y6kxFFXGnHcSbgdAAJE8C8Q,1793
-mongo_charms_single_kernel-1.8.8.dist-info/METADATA,sha256=dY1Trv07HoAiqp6LaI8bZgc2JzNjfh37l4NVRzGVhD4,5310
-mongo_charms_single_kernel-1.8.8.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
-mongo_charms_single_kernel-1.8.8.dist-info/licenses/LICENSE,sha256=xx0jnfkXJvxRnG63LTGOxlggYnIysveWIZ6H3PNdCrQ,11357
-mongo_charms_single_kernel-1.8.8.dist-info/RECORD,,
+mongo_charms_single_kernel-1.8.9.dist-info/METADATA,sha256=Nh_SFhIekPoSscT6kfdNC-Ui8vdQ9TeUF47jeAebrr0,5310
+mongo_charms_single_kernel-1.8.9.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+mongo_charms_single_kernel-1.8.9.dist-info/licenses/LICENSE,sha256=xx0jnfkXJvxRnG63LTGOxlggYnIysveWIZ6H3PNdCrQ,11357
+mongo_charms_single_kernel-1.8.9.dist-info/RECORD,,

single_kernel_mongo/config/literals.py

@@ -34,6 +34,13 @@ class Scope(str, Enum):
     UNIT = "unit"
 
 
+class TLSType(str, Enum):
+    """TLS types."""
+
+    PEER = "peer"
+    CLIENT = "client"
+
+
 class MongoPorts(IntEnum):
     """The default Mongo ports."""
 

single_kernel_mongo/config/relations.py

@@ -35,7 +35,8 @@ class Scopes(str, Enum):
 class ExternalRequirerRelations(str, Enum):
     """The relations we require externally."""
 
-    TLS = "certificates"
+    CLIENT_TLS = "client-certificates"
+    PEER_TLS = "peer-certificates"
     S3_CREDENTIALS = "s3-credentials"
     LDAP = "ldap"
     LDAP_CERT = "ldap-certificate-transfer"

single_kernel_mongo/config/statuses.py

@@ -118,24 +118,45 @@ class MongosStatuses(Enum):
         check="Config validation failed.",
         action="Set the expose-external config to a valid value: `nodeport` or `none`.",
     )
-    MISSING_TLS_REL = StatusObject(
+    MISSING_PEER_TLS_REL = StatusObject(
         status="blocked",
-        message="TLS must be enabled in mongos, since it is enabled on the config-server in the cluster relation.",
-        short_message="Missing certificates relation.",
+        message="Peer TLS must be enabled in mongos, since it is enabled on the config-server in the cluster relation.",
+        short_message="Missing peer-certificates relation.",
         check="Relation validation failed.",
-        action="Add the certificates relation (tls-certificates interface) to mongos.",
+        action="Add the peer-certificates relation to mongos.",
     )
-    INVALID_TLS_REL = StatusObject(
+    INVALID_PEER_TLS_REL = StatusObject(
         status="blocked",
-        message="TLS must be disabled in mongos, since it is disabled on the config-server in the cluster relation.",
-        short_message="Invalid certificates relation.",
+        message="Peer TLS must be disabled in mongos, since it is disabled on the config-server in the cluster relation.",
+        short_message="Invalid peer-certificates relation.",
         check="Relation validation failed.",
-        action="Remove the certificates relation (tls-certificates interface) from this application.",
+        action="Remove the peer-certificates relation from this application.",
     )
-    CA_MISMATCH = StatusObject(
+    MISSING_CLIENT_TLS_REL = StatusObject(
         status="blocked",
-        message="The mongos CA and Config-Server CA don't match.",
-        short_message="CA mismatch.",
+        message="Client TLS must be enabled in mongos, since it is enabled on the config-server in the cluster relation.",
+        short_message="Missing client-certificates relation.",
+        check="Relation validation failed.",
+        action="Add the client-certificates relation to mongos.",
+    )
+    INVALID_CLIENT_TLS_REL = StatusObject(
+        status="blocked",
+        message="Client TLS must be disabled in mongos, since it is disabled on the config-server in the cluster relation.",
+        short_message="Invalid client-certificates relation.",
+        check="Relation validation failed.",
+        action="Remove the client-certificates relation from this application.",
+    )
+    PEER_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="The mongos peer CA and Config-Server peer CA don't match.",
+        short_message="Peer CA mismatch.",
+        check="Relation validation failed.",
+        action="Verify the certificates relations. Use the same CA for all cluster components.",
+    )
+    CLIENT_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="The mongos client CA and Config-Server client CA don't match.",
+        short_message="Client CA mismatch.",
         check="Relation validation failed.",
         action="Verify the certificates relations. Use the same CA for all cluster components.",
     )
@@ -153,6 +174,27 @@ class MongosStatuses(Enum):
         status="maintenance", message="Starting mongos.", running="blocking"
     )
 
+    @classmethod
+    def missing_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.MISSING_PEER_TLS_REL.value
+        return cls.MISSING_CLIENT_TLS_REL.value
+
+    @classmethod
+    def invalid_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.INVALID_PEER_TLS_REL.value
+        return cls.INVALID_CLIENT_TLS_REL.value
+
+    @classmethod
+    def incompatible_ca(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.PEER_CA_MISMATCH.value
+        return cls.CLIENT_CA_MISMATCH.value
+
 
 class CharmStatuses(Enum):
     """Charm Statuses."""
@@ -182,11 +224,28 @@ class CharmStatuses(Enum):
 class TLSStatuses(Enum):
     """TLS statuses."""
 
-    # RUNNING statuses:
-    DISABLING_TLS = StatusObject(
+    INVALID_PEER_PRIVATE_KEY = StatusObject(
+        status="blocked",
+        message="Invalid peer private key",
+        check="Peer private key format validation failed",
+        action="Update the peer private key secret.",
+    )
+    INVALID_CLIENT_PRIVATE_KEY = StatusObject(
+        status="blocked",
+        message="Invalid client private key",
+        check="Client private key format validation failed.",
+        action="Update the client privatekey secret.",
+    )
+    DISABLING_PEER_TLS = StatusObject(
         status="maintenance",
-        message="Disabling TLS...",
-        check="Certificates relation (tls-certificates interface) removed.",
+        message="Disabling peer TLS...",
+        check="Peer certificates relation (tls-certificates interface) removed.",
+        running="blocking",
+    )
+    DISABLING_CLIENT_TLS = StatusObject(
+        status="maintenance",
+        message="Disabling client TLS...",
+        check="Client certificates relation (tls-certificates interface) removed.",
         running="blocking",
     )
     # Enabling TLS takes a while because we wait for multiple certs so it's
@@ -343,12 +402,39 @@ class ConfigServerStatuses(Enum):
 class ShardStatuses(Enum):
     """Shard statuses."""
 
-    REQUIRES_TLS = StatusObject(status="blocked", message="Shard requires TLS to be enabled.")
-    REQUIRES_NO_TLS = StatusObject(
-        status="blocked", message="Shard has TLS enabled, but config-server does not."
+    MISSING_PEER_TLS_REL = StatusObject(
+        status="blocked", message="Shard requires peer TLS to be enabled."
     )
-    CA_MISMATCH = StatusObject(
-        status="blocked", message="Shard CA and Config-Server CA don't match."
+    INVALID_PEER_TLS_REL = StatusObject(
+        status="blocked",
+        message="Peer TLS must be disabled in shard, since it is disabled in the related config-server.",
+        short_message="Invalid peer-certificates relation.",
+        check="Relation validation failed.",
+        action="Align the peer TLS configuration in all the cluster components: remove the peer-certificates relation from the shard.",
+    )
+    MISSING_CLIENT_TLS_REL = StatusObject(
+        status="blocked", message="Shard requires client TLS to be enabled."
+    )
+    INVALID_CLIENT_TLS_REL = StatusObject(
+        status="blocked",
+        message="Peer TLS must be disabled in shard, since it is disabled in the related config-server.",
+        short_message="Invalid client-certificates relation.",
+        check="Relation validation failed.",
+        action="Align the peer TLS configuration in all the cluster components: remove the client-certificates relation from the shard.",
+    )
+    PEER_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="Shard internal CA and Config-Server internal CA don't match.",
+        short_message="Peer CA mismatch.",
+        check="Relation validation failed.",
+        action="Verify the peer-certificates relations. Use the same CA for all cluster components.",
+    )
+    CLIENT_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="Shard client CA and Config-Server client CA don't match.",
+        short_message="Client CA mismatch.",
+        check="Relation validation failed.",
+        action="Verify the client-certificates relations. Use the same CA for all cluster components.",
     )
 
     MISSING_CONF_SERVER_REL = StatusObject(
@@ -399,6 +485,27 @@ class ShardStatuses(Enum):
             message=f"Charm revision ({current_charms_version}{local_identifier}) is not up-to date with config-server.",
         )
 
+    @classmethod
+    def missing_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.MISSING_PEER_TLS_REL.value
+        return cls.MISSING_CLIENT_TLS_REL.value
+
+    @classmethod
+    def invalid_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.INVALID_PEER_TLS_REL.value
+        return cls.INVALID_CLIENT_TLS_REL.value
+
+    @classmethod
+    def incompatible_ca(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.PEER_CA_MISMATCH.value
+        return cls.CLIENT_CA_MISMATCH.value
+
 
 class MongodStatuses(Enum):
     """MongoD statuses."""

single_kernel_mongo/core/operator.py

@@ -37,6 +37,7 @@ from single_kernel_mongo.config.literals import (
     TrustStoreFiles,
 )
 from single_kernel_mongo.config.models import SNAP_NAME, THP_CONFIG, CharmSpec, LogRotateConfig
+from single_kernel_mongo.core.structured_config import MongoConfigModel
 from single_kernel_mongo.events.ldap import LDAPEventHandler
 from single_kernel_mongo.exceptions import (
     DeferrableFailedHookChecksError,
@@ -106,6 +107,12 @@ class OperatorProtocol(ABC, Object, ManagerStatusProtocol):
 
         def __init__(self, dependent: AbstractMongoCharm): ...
 
+    @property
+    @abstractmethod
+    def config(self) -> MongoConfigModel:
+        """The pydantic model of the config."""
+        ...
+
     @property
     @abstractmethod
     def components(self) -> tuple[ManagerStatusProtocol, ...]:

single_kernel_mongo/core/structured_config.py

@@ -100,6 +100,8 @@ class MongoConfigModel(BaseConfigModel):
     role: SerializeLiteralAsStr[MongoDBRoles]
     ldap_user_to_dn_mapping: str | None = Field(default=None, alias="ldap-user-to-dn-mapping")
     ldap_query_template: str | None = Field(default=None, alias="ldap-query-template")
+    tls_peer_private_key_id: str | None = Field(default=None, alias="tls-peer-private-key")
+    tls_client_private_key_id: str | None = Field(default=None, alias="tls-client-private-key")
 
     @field_validator("expose_external", mode="before")
     @classmethod

single_kernel_mongo/core/workload.py

@@ -93,15 +93,21 @@ class MongoPaths:
         return Path(f"{self.conf_path}/internal-ca.crt")
 
     @property
-    def tls_files(self) -> set[Path]:
-        """Set of all TLS files."""
+    def tls_peer_files(self) -> set[Path]:
+        """Set of peer TLS files."""
         return {
-            self.ext_pem_file,
-            self.ext_ca_file,
             self.int_pem_file,
             self.int_ca_file,
         }
 
+    @property
+    def tls_client_files(self) -> set[Path]:
+        """Set of client TLS files."""
+        return {
+            self.ext_pem_file,
+            self.ext_ca_file,
+        }
+
     @property
     def ldap_path(self) -> Path:
         """The LDAP conf path."""

single_kernel_mongo/events/cluster.py

@@ -136,6 +136,11 @@ class ClusterMongosEventHandler(Object):
     def _on_relation_created(self, event: RelationCreatedEvent) -> None:
         """Relation created event handler."""
         self.manager.set_relation_created_status()
+        # Edge condition: mongos was integrated with the certificates provider
+        # before being integrated with the config-server. We trigger the refresh
+        # of the certificates to use the config-server as CSR subject.
+        if self.manager.state.peer_tls_relation or self.manager.state.client_tls_relation:
+            self.dependent.tls_events.refresh_certificates()
 
     def _on_database_created(self, event: DatabaseCreatedEvent) -> None:
         """Database Created event handler.

single_kernel_mongo/events/sharding.py

@@ -162,8 +162,10 @@ class ShardEventHandler(Object):
         """SecretChanged event handler, which is used to propagate the updated passwords."""
         try:
             self.manager.handle_secret_changed(event.secret.label or "")
-        except (NotReadyError, FailedToUpdateCredentialsError):
+        except (NotReadyError, FailedToUpdateCredentialsError, DeferrableFailedHookChecksError):
             event.defer()
+        except NonDeferrableFailedHookChecksError as e:
+            logger.info(f"Skipping {str(type(event))}: {str(e)}")
         except WaitingForSecretsError:
             logger.info("Missing secrets, ignoring")