patch(DPE-9339): MongoDB Encryption At Rest #258

Open
Gu1nness wants to merge 35 commits into 8/edge from DPE-9339-mongo-db-encryption-at-rest-implement-encryption-at-rest-according-to-approved-design


@Gu1nness Gu1nness commented Mar 19, 2026

🏷️ Type of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Tooling and CI
  • Dependencies upgrade or change
  • Chores / refactoring

📝 Description

This is the implementation of MongoDB encryption at rest.
It uses Vault (Vault-k8s on Kubernetes) as a backend to store the encryption keys.
It uses a config option to enable encryption at rest at boot time.
It uses an action to rotate the master key.

🧪 Manual testing steps

🌞 Sunny test

1. `juju deploy <my-app> --config enable-encryption-at-rest=true`
2. Follow [the tutorial](https://canonical-vault-charms.readthedocs-hosted.com/en/latest/tutorial/getting_started_k8s/) to deploy and unseal vault/vault-k8s
3. `juju integrate <my-app>:vault-kv vault:vault-kv`
4. Profit (you can check the startup options of MongoDB to ensure that they contain `enableEncryption: True`)
5. `juju run <my-app>/<a-unit> rotate-encryption-master-key`
6. Check that the log file contains `Rotated master encryption key`.

🌧️ Rainy test:

1. `juju deploy <my-app> --config enable-encryption-at-rest=false` (the default)
2. Follow [the tutorial](https://canonical-vault-charms.readthedocs-hosted.com/en/latest/tutorial/getting_started_k8s/) to deploy and unseal vault/vault-k8s
3. `juju integrate <my-app>:vault-kv vault:vault-kv`
4. It goes to blocked BUT does not prevent the charm from operating.

🔬 Automated testing steps

Positive checks that:

  • Deployment goes to blocked until integrated with vault
  • Integration restarts with correct options
  • Rotation works
  • Removing the relation goes to blocked.

Negative checks that:

  • Deploying with encryption disabled and integrating with vault goes to blocked
  • Trying to rotate master key in that scenario fails.

✅ Checklist

  • My code follows the code style of this project.
  • I have added or updated any relevant documentation.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.


@patriciareinoso patriciareinoso left a comment


extremely quick pass over the code

@Gu1nness Gu1nness requested a review from patriciareinoso April 1, 2026 12:08
@Gu1nness Gu1nness force-pushed the DPE-9339-mongo-db-encryption-at-rest-implement-encryption-at-rest-according-to-approved-design branch from 783989d to 19fd804 Compare April 1, 2026 15:33
Gu1nness and others added 5 commits April 2, 2026 12:36
Co-authored-by: Patricia Reinoso <patricia.reinoso@canonical.com>
Signed-off-by: Neha Oudin <17551419+Gu1nness@users.noreply.github.com>
Co-authored-by: Patricia Reinoso <patricia.reinoso@canonical.com>
Signed-off-by: Neha Oudin <17551419+Gu1nness@users.noreply.github.com>
Co-authored-by: Patricia Reinoso <patricia.reinoso@canonical.com>
Signed-off-by: Neha Oudin <17551419+Gu1nness@users.noreply.github.com>
@Gu1nness Gu1nness requested a review from patriciareinoso April 2, 2026 12:49
…ment-encryption-at-rest-according-to-approved-design
patriciareinoso previously approved these changes Apr 3, 2026
…ncryption-at-rest-implement-encryption-at-rest-according-to-approved-design