patch(DPE-9339): MongoDB Encryption At Rest #258

Open
Gu1nness wants to merge 35 commits into 8/edge from DPE-9339-mongo-db-encryption-at-rest-implement-encryption-at-rest-according-to-approved-design

@Gu1nness Gu1nness commented Mar 19, 2026

🏷️ Type of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Tooling and CI
  • Dependencies upgrade or change
  • Chores / refactoring

📝 Description

This is the implementation of MongoDB encryption at rest.
It uses Vault (Vault-k8s on Kubernetes) as a backend to store the encryption keys.
It uses a config option to enable encryption at rest at boot time.
It uses an action to rotate the master key.

🧪 Manual testing steps

🌞 Sunny test

1. `juju deploy <my-app> --config enable-encryption-at-rest=true`
2. Follow [the tutorial](https://canonical-vault-charms.readthedocs-hosted.com/en/latest/tutorial/getting_started_k8s/) to deploy and unseal vault/vault-k8s
3. `juju integrate <my-app>:vault-kv vault:vault-kv`
4. Profit (you can check the startup options of mongodb to ensure that it contains `enableEncryption: True`)
5. `juju run <my-app>/<a-unit> rotate-encryption-master-key`
6. Check in the log file that it contains `Rotated master encryption key`.

🌧️ Rainy test:

1. `juju deploy <my-app> --config enable-encryption-at-rest=false` (the default)
2. Follow [the tutorial](https://canonical-vault-charms.readthedocs-hosted.com/en/latest/tutorial/getting_started_k8s/) to deploy and unseal vault/vault-k8s
3. `juju integrate <my-app>:vault-kv vault:vault-kv`
4. It goes to blocked BUT does not prevent the charm from operating.

🔬 Automated testing steps

Positive checks that:

  • Deployment goes to blocked until integrated with vault
  • Integration restarts with correct options
  • Rotation works
  • Removing the relation goes to blocked.

Negative checks that:

  • Deploying with encryption disabled and integrating with vault goes to blocked
  • Trying to rotate master key in that scenario fails.

✅ Checklist

  • My code follows the code style of this project.
  • I have added or updated any relevant documentation.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
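
A way to automate the checks in steps 4 and 6 of the sunny test, as an added example (not code from this PR or the charm). It assumes the startup options are available in the shape returned by MongoDB's `getCmdLineOpts` command and that the log is either JSON lines with a `msg` field or plain text; the function names and sample data are constructed for illustration.

```python
import json

ROTATION_MSG = "Rotated master encryption key"  # message quoted in step 6

def encryption_enabled(cmdline_opts: dict) -> bool:
    """True only when parsed.security.enableEncryption is a true value."""
    security = (cmdline_opts.get("parsed") or {}).get("security") or {}
    value = security.get("enableEncryption", False)
    if isinstance(value, str):  # tolerate "true"/"True" coming from a config file
        return value.strip().lower() == "true"
    return value is True

def rotation_events(log_lines) -> list:
    """Return the log lines that report a master key rotation."""
    hits = []
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)  # structured (JSON) log line
            msg = str(entry.get("msg", "")) if isinstance(entry, dict) else line
        except json.JSONDecodeError:
            msg = line  # plain-text log line
        if ROTATION_MSG in msg:
            hits.append(line)
    return hits

def sunny_test_passed(cmdline_opts: dict, log_lines) -> bool:
    """Steps 4 and 6 together: flag active at startup and a rotation logged."""
    return encryption_enabled(cmdline_opts) and bool(rotation_events(log_lines))

# Constructed sample data (not taken from a real deployment).
SAMPLE_OPTS = {"parsed": {"security": {"enableEncryption": True},
                          "storage": {"dbPath": "/data/db"}}}
SAMPLE_LOG = [
    '{"t":{"$date":"2026-04-01T12:00:00.000+00:00"},"s":"I","c":"CONTROL","msg":"Options set by command line"}',
    '{"t":{"$date":"2026-04-01T12:05:00.000+00:00"},"s":"I","c":"STORAGE","msg":"Rotated master encryption key"}',
    "not json: truncated line",
]

if __name__ == "__main__":
    print("encryption enabled:", encryption_enabled(SAMPLE_OPTS))
    print("rotation entries:", len(rotation_events(SAMPLE_LOG)))
    print("sunny test passed:", sunny_test_passed(SAMPLE_OPTS, SAMPLE_LOG))
```

A missing `security` section or a `false` value fails the check, which is the expected result for the rainy test's default configuration.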

@patriciareinoso patriciareinoso left a comment

extremely quick pass over the code

@Gu1nness Gu1nness requested a review from patriciareinoso April 1, 2026 12:08
@Gu1nness Gu1nness force-pushed the DPE-9339-mongo-db-encryption-at-rest-implement-encryption-at-rest-according-to-approved-design branch from 783989d to 19fd804 Compare April 1, 2026 15:33
Gu1nness and others added 5 commits April 2, 2026 12:36
Co-authored-by: Patricia Reinoso <patricia.reinoso@canonical.com>
Signed-off-by: Neha Oudin <17551419+Gu1nness@users.noreply.github.com>
@Gu1nness Gu1nness requested a review from patriciareinoso April 2, 2026 12:49
patriciareinoso previously approved these changes Apr 3, 2026

@Mehdi-Bendriss Mehdi-Bendriss left a comment

Thanks Neha, great work! :)
I left a few comments, but my main concern is upgrades, and seeing how it all behaves if, for example, the token expired (we'll need to follow up with another PR for an integration test about it)

self.relation_name = ExternalRequirerRelations.VAULT.value

super().__init__(parent=dependent, key=self.relation_name)
self.interface = vault_kv.VaultKvRequires(self.charm, self.relation_name, self.charm.name)

nit

Suggested change
self.interface = vault_kv.VaultKvRequires(self.charm, self.relation_name, self.charm.name)
self.kv_interface = vault_kv.VaultKvRequires(self.charm, self.relation_name, self.charm.name)
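
Review bot: if the rename to `self.kv_interface` is taken, it has to reach every use of the attribute, including the call `self.interface.request_credentials(` shown in a later excerpt of this PR; otherwise that call raises `AttributeError` at runtime. Worth applying the rename across the class in one commit rather than accepting the single-line suggestion on its own.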

self.manager.set_status(VaultStatuses.INVALID_CONFIG.value, scope="both")
return

def _on_gone_away(self, event: vault_kv.VaultKvGoneAwayEvent) -> None:

I have 2 questions here,

  1. Did we test the flow when the Vault relation is removed and then re-established?
  2. What are the mongodb and vault agent behaviors regarding the expiration of the token?

self.manager.set_status(VaultStatuses.VAULT_INTEGRATED.value, scope="both")
return
self.manager.clear_statuses(scope="both")
egress_subnets = self.manager.get_subnets()

probably worth renaming get_subnets to get_egress_subnets for clarity

return
egress_subnets = self.manager.get_subnets()
nonce = self.manager.get_nonce()
self.interface.request_credentials(
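
Review bot: `nonce = self.manager.get_nonce()` and the `egress_subnets` lookup feed `request_credentials(` with no comment on what either value is for or where the nonce is kept between hooks. A short comment above the call, or a docstring on `get_nonce`, stating how the nonce is generated and stored would settle that for readers, since it is part of how this unit obtains its Vault credentials.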

Could you explain this?

return template.render(**new_content)

@override
def set_environment(self):

missing return type hint and in configure_and_restart

missing docstrings in tests, and could you add more inline comments to document the flow and expectations?

missing docstrings in some helpers - and could you add more inline comments to explain some of the flows?

Missing docstrings and some explanatory inline comments here and there


@pytest.mark.abort_on_fail
async def test_integration_goes_to_active(
ops_test: OpsTest, substrate: Substrate, vault_charm_name: str

can we add continuous writes on all tests from this one on? I'd like to see the write/read side of things and expectations on the data side for every Vault related operation.

app_name,
status="blocked",
message="Must be integrated with vault to enable encryption at rest.",
)

Can we add 2 more tests about the restoring of the relation:

  1. after just a quick time while the token is still alive
  2. after the token expiration time

and assert that the health is restored and data can be read / written
