Update file paths and rock tag (#121)

* update file paths

* update lib

* update code + tests

* update int tests to use new paths

* save tls files to correct dir

* update rock tag

* PR comments

lib/charms/mongodb/v0/helpers.py

@@ -19,22 +19,29 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 3
+LIBPATCH = 4
 
 
 # path to store mongodb ketFile
-KEY_FILE = "/etc/mongodb/keyFile"
-TLS_EXT_PEM_FILE = "/etc/mongodb/external-cert.pem"
-TLS_EXT_CA_FILE = "/etc/mongodb/external-ca.crt"
-TLS_INT_PEM_FILE = "/etc/mongodb/internal-cert.pem"
-TLS_INT_CA_FILE = "/etc/mongodb/internal-ca.crt"
+KEY_FILE = "keyFile"
+TLS_EXT_PEM_FILE = "external-cert.pem"
+TLS_EXT_CA_FILE = "external-ca.crt"
+TLS_INT_PEM_FILE = "internal-cert.pem"
+TLS_INT_CA_FILE = "internal-ca.crt"
 
+MONGODB_COMMON_DIR = "/var/snap/charmed-mongodb/common"
+MONGODB_SNAP_DATA_DIR = "/var/snap/charmed-mongodb/current"
 
+
+DATA_DIR = "/var/lib/mongodb"
+CONF_DIR = "/etc/mongod"
 logger = logging.getLogger(__name__)
 
 
 # noinspection GrazieInspection
-def get_create_user_cmd(config: MongoDBConfiguration, mongo_path="mongo") -> List[str]:
+def get_create_user_cmd(
+    config: MongoDBConfiguration, mongo_path="charmed-mongodb.mongo"
+) -> List[str]:
     """Creates initial admin user for MongoDB.
 
     Initial admin user can be created only through localhost connection.
@@ -64,26 +71,44 @@ def get_create_user_cmd(config: MongoDBConfiguration, mongo_path="mongo") -> Lis
     ]
 
 
-def get_mongod_cmd(config: MongoDBConfiguration) -> str:
+def get_mongod_args(
+    config: MongoDBConfiguration,
+    auth: bool = True,
+    snap_install: bool = False,
+) -> str:
     """Construct the MongoDB startup command line.
 
     Returns:
         A string representing the command used to start MongoDB.
     """
+    #
+    full_data_dir = f"{MONGODB_COMMON_DIR}{DATA_DIR}" if snap_install else DATA_DIR
+    full_conf_dir = f"{MONGODB_SNAP_DATA_DIR}{CONF_DIR}" if snap_install else CONF_DIR
     cmd = [
-        "mongod",
         # bind to localhost and external interfaces
         "--bind_ip_all",
-        # enable auth
-        "--auth",
         # part of replicaset
         f"--replSet={config.replset}",
+        # db must be located within the snap common directory since the snap is strictly confined
+        f"--dbpath={full_data_dir}",
     ]
+    if auth:
+        cmd.extend(["--auth"])
+
+    if auth and not config.tls_internal:
+        # keyFile cannot be used without auth and cannot be used in tandem with internal TLS
+        cmd.extend(
+            [
+                "--clusterAuthMode=keyFile",
+                f"--keyFile={full_conf_dir}/{KEY_FILE}",
+            ]
+        )
+
     if config.tls_external:
         cmd.extend(
             [
-                f"--tlsCAFile={TLS_EXT_CA_FILE}",
-                f"--tlsCertificateKeyFile={TLS_EXT_PEM_FILE}",
+                f"--tlsCAFile={full_conf_dir}/{TLS_EXT_CA_FILE}",
+                f"--tlsCertificateKeyFile={full_conf_dir}/{TLS_EXT_PEM_FILE}",
                 # allow non-TLS connections
                 "--tlsMode=preferTLS",
             ]
@@ -95,18 +120,12 @@ def get_mongod_cmd(config: MongoDBConfiguration) -> str:
             [
                 "--clusterAuthMode=x509",
                 "--tlsAllowInvalidCertificates",
-                f"--tlsClusterCAFile={TLS_INT_CA_FILE}",
-                f"--tlsClusterFile={TLS_INT_PEM_FILE}",
-            ]
-        )
-    else:
-        # keyFile used for authentication replica set peers if no internal tls configured.
-        cmd.extend(
-            [
-                "--clusterAuthMode=keyFile",
-                f"--keyFile={KEY_FILE}",
+                f"--tlsClusterCAFile={full_conf_dir}/{TLS_INT_CA_FILE}",
+                f"--tlsClusterFile={full_conf_dir}/{TLS_INT_PEM_FILE}",
             ]
         )
+
+    cmd.append("\n")
     return " ".join(cmd)
 
 

lib/charms/mongodb/v0/mongodb_tls.py

@@ -32,7 +32,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 3
+LIBPATCH = 4
 
 
 logger = logging.getLogger(__name__)
@@ -79,7 +79,6 @@ def _on_set_tls_private_key(self, event: ActionEvent) -> None:
             event.fail(str(e))
 
     def _request_certificate(self, scope: str, param: Optional[str]):
-
         if param is None:
             key = generate_private_key()
         else:
@@ -90,6 +89,7 @@ def _request_certificate(self, scope: str, param: Optional[str]):
             subject=self.get_host(self.charm.unit),
             organization=self.charm.app.name,
             sans=self._get_sans(),
+            sans_ip=[str(self.charm.model.get_binding(self.peer_relation).network.bind_address)],
         )
 
         self.charm.set_secret(scope, "key", key.decode("utf-8"))
@@ -227,6 +227,7 @@ def _on_certificate_expiring(self, event: CertificateExpiringEvent) -> None:
             subject=self.get_host(self.charm.unit),
             organization=self.charm.app.name,
             sans=self._get_sans(),
+            sans_ip=[str(self.charm.model.get_binding(self.peer_relation).network.bind_address)],
         )
         logger.debug("Requesting a certificate renewal.")
 

metadata.yaml

@@ -3,11 +3,11 @@
 
 name: mongodb-k8s
 display-name: |
-    Charmed Operator for MongoDB
+  Charmed Operator for MongoDB
 description: |
-    MongoDB is a general purpose distributed document database.  This
-    charm deploys and operates MongoDB on kubernetes Clusters. It
-    supports replicated MongoDB databases.
+  MongoDB is a general purpose distributed document database.  This
+  charm deploys and operates MongoDB on kubernetes Clusters. It
+  supports replicated MongoDB databases.
 summary: A MongoDB operator charm for Kubernetes
 peers:
   database-peers:
@@ -26,13 +26,13 @@ containers:
     resource: mongodb-image
     mounts:
       - storage: db
-        location: /data/db
+        location: /var/lib/mongodb
 resources:
   mongodb-image:
     type: oci-image
     description: OCI image for mongodb
-    upstream-source: 'dataplatformoci/mongodb:5.0'
+    upstream-source: "ghcr.io/canonical/charmed-mongodb:5.0.14-22.04_edge"
 storage:
   db:
     type: filesystem
-    location: /data/db
+    location: /var/lib/mongodb

src/charm.py

@@ -14,6 +14,7 @@
 from typing import Dict, Optional
 
 from charms.mongodb.v0.helpers import (
+    CONF_DIR,
     KEY_FILE,
     TLS_EXT_CA_FILE,
     TLS_EXT_PEM_FILE,
@@ -22,7 +23,7 @@
     generate_keyfile,
     generate_password,
     get_create_user_cmd,
-    get_mongod_cmd,
+    get_mongod_args,
 )
 from charms.mongodb.v0.mongodb import (
     CHARM_USERS,
@@ -82,6 +83,7 @@ def on_mongod_pebble_ready(self, event) -> None:
         # Get a reference the container attribute
         container = self.unit.get_container("mongod")
         # mongod needs keyFile and TLS certificates on filesystem
+
         if not container.can_connect():
             logger.debug("mongod container is not ready yet.")
             event.defer()
@@ -97,12 +99,12 @@ def on_mongod_pebble_ready(self, event) -> None:
         # This function can be run in two cases:
         # 1) during regular charm start.
         # 2) if we forcefully want to apply new
-        # mongod cmd line arguments (returned from get_mongod_cmd).
+        # mongod cmd line arguments (returned from get_mongod_args).
         # In the second case, we should restart mongod
         # service only if arguments changed.
         services = container.get_services("mongod")
         if services and services["mongod"].is_running():
-            new_command = get_mongod_cmd(self.mongodb_config)
+            new_command = "mongod " + get_mongod_args(self.mongodb_config)
             cur_command = container.get_plan().services["mongod"].command
             if new_command != cur_command:
                 logger.debug("restart MongoDB due to arguments change: %s", new_command)
@@ -236,7 +238,7 @@ def _mongod_layer(self) -> Layer:
                 "mongod": {
                     "override": "replace",
                     "summary": "mongod",
-                    "command": get_mongod_cmd(self.mongodb_config),
+                    "command": "mongod " + get_mongod_args(self.mongodb_config),
                     "startup": "enabled",
                     "user": "mongodb",
                     "group": "mongodb",
@@ -317,7 +319,7 @@ def mongodb_config(self) -> MongoDBConfiguration:
     def _push_keyfile_to_workload(self, container: Container) -> None:
         """Upload the keyFile to a workload container."""
         container.push(
-            KEY_FILE,
+            CONF_DIR + "/" + KEY_FILE,
             self.get_secret("app", "keyfile"),
             make_dirs=True,
             permissions=0o400,
@@ -331,7 +333,7 @@ def _push_certificate_to_workload(self, container: Container) -> None:
         if external_ca is not None:
             logger.debug("Uploading external ca to workload container")
             container.push(
-                TLS_EXT_CA_FILE,
+                CONF_DIR + "/" + TLS_EXT_CA_FILE,
                 external_ca,
                 make_dirs=True,
                 permissions=0o400,
@@ -341,7 +343,7 @@ def _push_certificate_to_workload(self, container: Container) -> None:
         if external_pem is not None:
             logger.debug("Uploading external pem to workload container")
             container.push(
-                TLS_EXT_PEM_FILE,
+                CONF_DIR + "/" + TLS_EXT_PEM_FILE,
                 external_pem,
                 make_dirs=True,
                 permissions=0o400,
@@ -353,7 +355,7 @@ def _push_certificate_to_workload(self, container: Container) -> None:
         if internal_ca is not None:
             logger.debug("Uploading internal ca to workload container")
             container.push(
-                TLS_INT_CA_FILE,
+                CONF_DIR + "/" + TLS_INT_CA_FILE,
                 internal_ca,
                 make_dirs=True,
                 permissions=0o400,
@@ -363,7 +365,7 @@ def _push_certificate_to_workload(self, container: Container) -> None:
         if internal_pem is not None:
             logger.debug("Uploading internal pem to workload container")
             container.push(
-                TLS_INT_PEM_FILE,
+                CONF_DIR + "/" + TLS_INT_PEM_FILE,
                 internal_pem,
                 make_dirs=True,
                 permissions=0o400,

tests/integration/tls_tests/helpers.py

@@ -66,8 +66,8 @@ async def run_tls_check(ops_test: OpsTest, unit: ops.model.Unit) -> int:
 
     mongo_cmd += (
         f" {mongo_uri} --eval 'rs.status()'"
-        f" --tls --tlsCAFile /etc/mongodb/external-ca.crt"
-        f" --tlsCertificateKeyFile /etc/mongodb/external-cert.pem"
+        f" --tls --tlsCAFile /etc/mongod/external-ca.crt"
+        f" --tlsCertificateKeyFile /etc/mongod/external-cert.pem"
     )
 
     complete_command = f"ssh --container mongod {unit.name} {mongo_cmd}"

tests/integration/tls_tests/test_tls.py

@@ -11,8 +11,8 @@
 TLS_CERTIFICATES_APP_NAME = "tls-certificates-operator"
 DATABASE_APP_NAME = "mongodb-k8s"
 TLS_TEST_DATA = "tests/integration/tls_tests/data"
-EXTERNAL_CERT_PATH = "/etc/mongodb/external-ca.crt"
-INTERNAL_CERT_PATH = "/etc/mongodb/internal-ca.crt"
+EXTERNAL_CERT_PATH = "/etc/mongod/external-ca.crt"
+INTERNAL_CERT_PATH = "/etc/mongod/internal-ca.crt"
 DB_SERVICE = "mongod.service"
 
 

tests/unit/test_charm.py

@@ -54,10 +54,11 @@ def test_mongod_pebble_ready(self, defer):
                     "override": "replace",
                     "summary": "mongod",
                     "command": (
-                        "mongod --bind_ip_all --auth "
+                        "mongod --bind_ip_all "
                         "--replSet=mongodb-k8s "
+                        "--dbpath=/var/lib/mongodb --auth "
                         "--clusterAuthMode=keyFile "
-                        "--keyFile=/etc/mongodb/keyFile"
+                        "--keyFile=/etc/mongod/keyFile \n"
                     ),
                     "startup": "enabled",
                 }