canonical · Gu1nness · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 13, 2026
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -49,24 +49,24 @@ repos:
       - id: ruff-format
 
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.13.0
+    rev: v1.19.1
     hooks:
       - id: mypy
         language: system
-        args: ["--config-file=pyproject.toml","."]
+        args: ["--config-file=pyproject.toml", "."]
         pass_filenames: false
 
   - repo: https://github.com/codespell-project/codespell
     rev: v2.2.6
     hooks:
-    - id: codespell
-      additional_dependencies: [tomli]
-      args: ["--write-changes"]
+      - id: codespell
+        additional_dependencies: [tomli]
+        args: ["--write-changes"]
 
   - repo: https://github.com/rhysd/actionlint
     rev: v1.7.7
     hooks:
-    - id: actionlint
+      - id: actionlint
 
 exclude: |
   (?x)(

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -3,7 +3,7 @@
 
 [project]
 name = "mongo-charms-single-kernel"
-dynamic = ["version"]
+dynamic = []
 description = "Shared and reusable code for Mongo-related charms"
 readme = "README.md"
 license = "Apache-2.0"
@@ -40,8 +40,12 @@ dependencies = [
     "python-ldap",
     "charm-refresh (>=3.1.0.2,<4.0.0.0)",
     "google-cloud-storage (~=2.16.0)",
-    "google-api-core (~=2.17.0)"
+    "google-api-core (~=2.17.0)",
+    "pytest-interface-tester (>=3.4.1,<4.0.0)",
+    "hvac (>=2.4.0,<3.0.0)",
+    "python-hcl2"
 ]
+version = "1.8.32.post7.dev0+3ed1c6295.dirty"
 
 [project.urls]
 homepage = "https://github.com/canonical/mongo-single-kernel-library"
@@ -58,14 +62,13 @@ packages = [
 ]
 include = ["single_kernel_mongo/templates/"]
 exclude = ["single_kernel_mongo/charmcraft.yaml"]
-version = "0.0.0"
 
 [tool.poetry.requires-plugins]
 poetry-plugin-export = ">=1.8"
 poetry-dynamic-versioning = { version = ">=1.0.0,<2.0.0", extras = ["plugin"] }
 
 [tool.poetry-dynamic-versioning]
-enable = true
+enable = false
 vcs = "git"
 dirty = true
 strict = true
@@ -121,6 +124,7 @@ parameterized = "^0.9.0"
 factory_boy = "*"
 mongomock = "^4.2.0.post1"
 pytest-mock = "*"
+ops = {version = "*", extras = ["testing"]}
 
 [tool.poetry.group.integration.dependencies]
 coverage = {extras = ["toml"], version = "^7.5.0"}
@@ -141,6 +145,7 @@ boto3 = "^1.37.12"
 mypy-boto3-s3 = "^1.37.0"
 tomli = '*'
 tomli-w = '*'
+hvac = ">=2.4.0,<3.0.0"
 
 [tool.ruff]
 target-version = "py310"

diff --git a/single_kernel_mongo/config/literals.py b/single_kernel_mongo/config/literals.py
@@ -88,6 +88,14 @@ class VmUser(WorkloadUser[int]):
     group: int = 0
 
 
+@dataclass(frozen=True)
+class RootUser(WorkloadUser[str]):
+    """The system user for VM charms."""
+
+    user: str = "root"
+    group: str = "root"
+
+
 CRON_FILE = Path("/etc/cron.d/mongodb")
 
 SYSTEMD_MONGODB_OVERRIDE = Path("/etc/systemd/system/snap.charmed-mongodb.mongod.service.d")
@@ -116,3 +124,4 @@ class TrustStoreFiles(str, Enum):
 
     PBM = "pbm.crt"
     LDAP = "ldap.crt"
+    VAULT = "vault.crt"
diff --git a/single_kernel_mongo/config/models.py b/single_kernel_mongo/config/models.py
@@ -74,6 +74,9 @@ class THPConfig:
 THP_CONFIG = THPConfig()
 
 
+VAULT_AGENT_TEMPLATE: Traversable = TEMPLATE_DIRECTORY / "vault-agent.hcl.j2"
+
+
 @dataclass(frozen=True)
 class OverrideFile:
     """Dataclass for the systemd override."""
@@ -194,6 +197,19 @@ class PasswordManagementState(Enum):
     NEED_PASSWORD_UPDATE = auto()
 
 
+class VaultConfigurationState(Enum):
+    """State that can be mapped to a status."""
+
+    INVALID_CONFIG = auto()
+    DISABLED = auto()
+    VAULT_INTEGRATED = auto()
+    VAULT_NOT_INTEGRATED = auto()
+    MISSING_DATA = auto()
+    VAULT_UNREACHABLE = auto()
+    VAULT_AGENT_FAILED = auto()
+    ACTIVE = auto()
+
+
 @dataclass
 class PasswordManagementContext:
     """Represents the current context of password management for internal users.

diff --git a/single_kernel_mongo/config/relations.py b/single_kernel_mongo/config/relations.py
@@ -41,6 +41,7 @@ class ExternalRequirerRelations(str, Enum):
     GCS_CREDENTIALS = "gcs-credentials"
     LDAP = "ldap"
     LDAP_CERT = "ldap-certificate-transfer"
+    VAULT = "vault-kv"
 
 
 class ExternalProviderRelations(str, Enum):

diff --git a/single_kernel_mongo/config/statuses.py b/single_kernel_mongo/config/statuses.py
@@ -722,3 +722,59 @@ class PasswordManagementStatuses(Enum):
         message="Failed to update user passwords.",
         action="Check logs.",
     )
+
+
+class VaultStatuses(Enum):
+    """Vault statuses for encryption at rest."""
+
+    INVALID_CONFIG = StatusObject(
+        status="blocked",
+        message="The enable-encryption-at-rest config option is invalid.",
+        short_message="Wrong enable-encryption-at-rest config.",
+        check="Config validation failed.",
+        action="Revert config option enable-encryption-at-rest value.",
+        approved_critical_component=True,
+    )
+    VAULT_INTEGRATED = StatusObject(
+        status="blocked",
+        message="The vault-kv interface cannot be used with encryption at rest disabled.",
+        short_message="Invalid vault-kv relation.",
+        check="Encryption at rest is disabled.",
+        action="Remove vault integration",
+    )
+    VAULT_NOT_INTEGRATED = StatusObject(
+        status="blocked",
+        message="Must be integrated with vault to enable encryption at rest.",
+        short_message="Integrate with vault.",
+        check="Missing vault relation.",
+        action="Integrate with vault charm.",
+        approved_critical_component=True,
+    )
+    MISSING_DATA = StatusObject(
+        status="waiting",
+        message="Still waiting data from vault.",
+        check="Missing vault relation.",
+    )
+    VAULT_UNREACHABLE = StatusObject(
+        status="blocked",
+        message="Vault is unreachable.",
+        check="Approle login failed.",
+        action="Ensure vault is running and reachable.",
+    )
+    VAULT_AGENT_FAILED = StatusObject(
+        status="blocked",
+        message="Vault agent failed to start.",
+        check="Vault agent is not running.",
+        action="Check configuration of vault agent.",
+    )
+    ACTIVE = StatusObject(
+        status="active",
+        message="",
+    )
+
+    ### Running status
+    VAULT_ROTATE_MASTER_KEY = StatusObject(
+        status="maintenance",
+        message="Master key rotation in progress.",
+        running="blocking",
+    )
diff --git a/single_kernel_mongo/core/k8s_workload.py b/single_kernel_mongo/core/k8s_workload.py
@@ -27,6 +27,7 @@ class KubernetesWorkload(WorkloadBase):
     substrate = "k8s"
     container: Container  # We always have a container in a Kubernetes Workload
     users = KubernetesUser()
+    command_user = KubernetesUser()
 
     def __init__(self, role: CharmSpec, container: Container | None) -> None:
         if not container:
@@ -139,6 +140,8 @@ def exec(
         env: dict[str, str] | None = None,
         working_dir: str | None = None,
         input: str | None = None,
+        user: str | None = None,
+        group: str | None = None,
     ) -> str:
         masked_cmd = mask_sensitive_information(command)
         try:
@@ -148,6 +151,8 @@ def exec(
                 working_dir=working_dir,
                 combine_stderr=True,
                 stdin=input,
+                user=user,
+                group=group,
             )
             output, _ = process.wait_output()
             return output

diff --git a/single_kernel_mongo/core/structured_config.py b/single_kernel_mongo/core/structured_config.py
@@ -120,6 +120,7 @@ class MongoDBCharmConfig(MongoConfigModel):
     system_users: str | None = Field(default=None, alias="system-users")
 
     role: SerializeLiteralAsStr[MongoDBRoles] = Field(default=MongoDBRoles.REPLICATION)
+    enable_encryption_at_rest: bool = Field(default=False, alias="enable-encryption-at-rest")
 
     @field_validator("role", mode="before")
     @classmethod

diff --git a/single_kernel_mongo/core/vm_workload.py b/single_kernel_mongo/core/vm_workload.py
@@ -18,6 +18,7 @@
 
 from single_kernel_mongo.config.literals import (
     CRON_FILE,
+    RootUser,
     VmUser,
 )
 from single_kernel_mongo.config.models import SNAP_NAME, CharmSpec
@@ -39,6 +40,7 @@ class VMWorkload(WorkloadBase):
     substrate = "vm"
     container: None
     users = VmUser()
+    command_user = RootUser()
 
     def __init__(self, role: CharmSpec, container: Container | None) -> None:
         super().__init__(role, container)
@@ -131,6 +133,8 @@ def exec(
         env: Mapping[str, str] | None = None,
         working_dir: str | None = None,
         input: str | None = None,
+        user: str | None = None,
+        group: str | None = None,
     ) -> str:
         try:
             output = subprocess.check_output(
@@ -141,6 +145,8 @@ def exec(
                 env=env,
                 cwd=working_dir,
                 input=input,
+                user=user,
+                group=group,
             )
             logger.debug(f"{output=}")
             return output

diff --git a/single_kernel_mongo/core/workload.py b/single_kernel_mongo/core/workload.py
@@ -129,6 +129,16 @@ def ldap_certificates_file(self) -> Path:
         """The LDAP certificates file path."""
         return Path(f"{self.ldap_certificates_dir}/ldap.crt")
 
+    @property
+    def vault_cert(self) -> Path:
+        """Vault configuration file path."""
+        return Path(f"{self.etc_path}/vault/vault_cert.pem")
+
+    @property
+    def vault_token_file_path(self) -> Path:
+        """Vault configuration file path."""
+        return Path(f"{self.etc_path}/vault/vaultTokenFile")
+
 
 class WorkloadBase(ABC):  # pragma: nocover
     """The protocol for workloads.
@@ -147,6 +157,9 @@ class WorkloadBase(ABC):  # pragma: nocover
     layer_name: ClassVar[str]
     container: Container | None
     users: ClassVar[WorkloadUser]
+    # Used as a command runner for all the cases where we need the user that runs the mongodb calls
+    # This is root:root on VM and mongodb:mongodb on kubernetes
+    command_user: ClassVar[WorkloadUser]
     bin_cmd: ClassVar[str]
     env_var: ClassVar[str]
     snap_param: ClassVar[str]
@@ -246,6 +259,8 @@ def exec(
         env: dict[str, str] | None = None,
         working_dir: str | None = None,
         input: str | None = None,
+        user: str | None = None,
+        group: str | None = None,
     ) -> str:
         """Runs a command on the workload substrate."""
         ...

diff --git a/single_kernel_mongo/events/lifecycle.py b/single_kernel_mongo/events/lifecycle.py
@@ -61,6 +61,7 @@
     SetPasswordError,
     UpgradeInProgressError,
     WaitingForLeaderError,
+    WaitingForVaultError,
     WorkloadNotReadyError,
     WorkloadServiceError,
 )
@@ -156,6 +157,10 @@ def on_start(self, event: StartEvent):
             )
             event.defer()
             return
+        except WaitingForVaultError:
+            logger.info("Waiting for vault to be integrated.")
+            event.defer()
+            return
         except Exception as e:
             logger.error(f"Deferring because of {e.__class__.__name__} {e}")
             self.dependent.state.statuses.add(