From 4b2e669011ddee0e04cc8a641a067bfd2eef9ba1 Mon Sep 17 00:00:00 2001
From: Mia Altieri
Date: Wed, 3 Jan 2024 16:52:38 +0000
Subject: [PATCH 1/4] set libpatch
---
 lib/charms/mongodb/v0/config_server_interface.py | 2 +-
 lib/charms/mongodb/v1/shards_interface.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/charms/mongodb/v0/config_server_interface.py b/lib/charms/mongodb/v0/config_server_interface.py
index b1dbb145b..eeb1ee299 100644
--- a/lib/charms/mongodb/v0/config_server_interface.py
+++ b/lib/charms/mongodb/v0/config_server_interface.py
@@ -35,7 +35,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 6
+LIBPATCH = 1
 class ClusterProvider(Object):
diff --git a/lib/charms/mongodb/v1/shards_interface.py b/lib/charms/mongodb/v1/shards_interface.py
index 8f1244fed..da7cc8320 100644
--- a/lib/charms/mongodb/v1/shards_interface.py
+++ b/lib/charms/mongodb/v1/shards_interface.py
@@ -51,7 +51,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 4
+LIBPATCH = 2
 KEYFILE_KEY = "key-file"
 HOSTS_KEY = "host"
 OPERATOR_PASSWORD_KEY = MongoDBUser.get_password_key_name_for_user(OperatorUser.get_username())
From 64edd1893024ea4bdb38cfe9622073f0c9487c88 Mon Sep 17 00:00:00 2001
From: Mia Altieri
Date: Thu, 4 Jan 2024 17:46:43 +0000
Subject: [PATCH 2/4] remove tlsAllowInvalidCertificates option
---
 lib/charms/mongodb/v1/helpers.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/charms/mongodb/v1/helpers.py b/lib/charms/mongodb/v1/helpers.py
index ea2dd7363..8f9e6ff98 100644
--- a/lib/charms/mongodb/v1/helpers.py
+++ b/lib/charms/mongodb/v1/helpers.py
@@ -29,7 +29,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 1
+LIBPATCH = 2
 # path to store mongodb ketFile
 KEY_FILE = "keyFile"
@@ -172,7 +172,6 @@ def get_mongod_args(
 cmd.extend(
 [
 "--clusterAuthMode=x509",
- "--tlsAllowInvalidCertificates",
 f"--tlsClusterCAFile={full_conf_dir}/{TLS_INT_CA_FILE}",
 f"--tlsClusterFile={full_conf_dir}/{TLS_INT_PEM_FILE}",
 ]
From e2468ff204074b614c5eac8d781c6b2fbe411368 Mon Sep 17 00:00:00 2001
From: Mia Altieri
Date: Fri, 5 Jan 2024 23:53:50 +0000
Subject: [PATCH 3/4] set to require TLS
---
 lib/charms/mongodb/v1/helpers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/charms/mongodb/v1/helpers.py b/lib/charms/mongodb/v1/helpers.py
index 8f9e6ff98..7f66faad1 100644
--- a/lib/charms/mongodb/v1/helpers.py
+++ b/lib/charms/mongodb/v1/helpers.py
@@ -163,7 +163,7 @@ def get_mongod_args(
 f"--tlsCAFile={full_conf_dir}/{TLS_EXT_CA_FILE}",
 f"--tlsCertificateKeyFile={full_conf_dir}/{TLS_EXT_PEM_FILE}",
 # allow non-TLS connections
- "--tlsMode=preferTLS",
+ "--tlsMode=requireTLS",
 ]
 )
From 83b1263419332289f9ea3026c45a14349aee13ea Mon Sep 17 00:00:00 2001
From: Mia Altieri
Date: Thu, 18 Jan 2024 22:54:05 +0000
Subject: [PATCH 4/4] restrict tls modes
---
 lib/charms/mongodb/v1/helpers.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/charms/mongodb/v1/helpers.py b/lib/charms/mongodb/v1/helpers.py
index e3668718e..967c397ce 100644
--- a/lib/charms/mongodb/v1/helpers.py
+++ b/lib/charms/mongodb/v1/helpers.py
@@ -175,6 +175,7 @@ def get_mongod_args(
 f"--tlsCertificateKeyFile={full_conf_dir}/{TLS_EXT_PEM_FILE}",
 # allow non-TLS connections
 "--tlsMode=requireTLS",
+ "--tlsDisabledProtocols=TLS1_0,TLS1_1",
 ]
 )
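Review bot: The context comment `# allow non-TLS connections` directly above the changed line in the PATCH 3/4 hunk (`@@ -163,7 +163,7 @@`) now contradicts the code, because with `--tlsMode=requireTLS` mongod accepts only TLS connections. I would replace it with `# reject non-TLS connections; every client must connect over TLS`. The same stale comment is still carried as context in the PATCH 4/4 hunk (`@@ -175,6 +175,7 @@`). A deployment that was running with preferTLS may still have plaintext clients, which would presumably be refused after this change, so the upgrade path deserves a sentence in the commit description. get_mongod_args starts and ends outside the hunk, so the condition guarding this option list is not visible here.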
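Review bot: The added `"--tlsDisabledProtocols=TLS1_0,TLS1_1",` line in the PATCH 4/4 hunk (`@@ -175,6 +175,7 @@`) has no comment explaining it, and the commit subject says "tls modes" although the option restricts protocol versions rather than the TLS mode. I would add `# refuse TLS 1.0 and TLS 1.1 handshakes; only TLS 1.2 and newer are accepted` on the line above it. The option sits in the same list as `--tlsMode`, so it appears to be passed only when that branch of get_mongod_args runs. The function body extends beyond the hunk, so it is worth confirming that the branch building the `--clusterAuthMode=x509` arguments cannot be taken without this one.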