How to reproduce (e.g Puppet code you use)

When trying to set up mTLS authentication in mongod there will be issues. I did not hit it directly, but when configuring SSL/TLS for mongod I was misled by a CA validation issue, and reading the code I found a big confusion between mongod (server) and mongo (client) in the provider command setup.

What are you seeing

At lines 30-31 the mongo_conf (client configuration) function loads the mongod_conf_file (server configuration file):

puppet-mongodb/lib/puppet/provider/mongodb.rb, lines 30 to 31 in 7cd4c06

Then at line 85 (puppet-mongodb/lib/puppet/provider/mongodb.rb, line 85 in 7cd4c06) the argument to mongo (client) for mTLS authentication (--sslPEMKeyFile) is set up using the sslcert value from the hash. This entry in the hash is the sslPEMKeyFile parameter from the server configuration file. This means that the client will perform mTLS authentication using the server certificate. In the general case mTLS will be disabled on the server side, but if it is enabled this will most likely make the client fail to connect every single time.

What behaviour did you expect instead

The client configuration should be set separately from the server configuration in the Puppet module, for the following reasons:

- the sslCAFile (or tlsCAFile) parameter of the server (used to validate client certificates during mTLS) is not expected to be the same as the sslCAFile (or tlsCAFile) parameter of the client (used to validate the server certificate)
- the sslPEMKeyFile (or tlsPEMKeyFile) of the server (used to allow SSL/TLS connections to the server) is not the same as the sslPEMKeyFile (or tlsPEMKeyFile) of the client (used to enable mTLS authentication)

Output log

Any additional information you'd like to impart
dabelenda changed the title from "provider mongo.rb has confusion between client and server configurations/arguments" to "provider mongodb.rb has confusion between client and server configurations/arguments" on Jan 15, 2024
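The separation the report asks for, as an added example in Ruby that is not the puppet-mongodb module's own code: it parses a constructed mongod.conf, builds the mongo shell's TLS arguments once the way the issue describes (taking the certificate from the server's own certificateKeyFile) and once from separate client-side settings, and includes a check that flags a client command line presenting the server's certificate. The file paths, the CLIENT_TLS key names and the function names are assumptions made for the example; the mongod.conf keys (net.tls.mode, net.tls.certificateKeyFile, net.tls.CAFile and their legacy net.ssl equivalents) and the mongo shell flags (--tls, --tlsCAFile, --tlsCertificateKeyFile) are the real ones.

```ruby
require 'yaml'

# Constructed sample mongod.conf in the YAML form mongod reads (not taken from
# the puppet-mongodb module). net.tls.* is the current spelling; older
# deployments use net.ssl.* with PEMKeyFile instead of certificateKeyFile.
MONGOD_CONF = <<~YAML
  net:
    port: 27017
    tls:
      mode: requireTLS
      certificateKeyFile: /etc/mongodb/server.pem
      CAFile: /etc/mongodb/client-issuing-ca.pem
YAML

# Constructed client-side settings: the separate knobs the issue asks the
# module to expose. The key names here are hypothetical.
CLIENT_TLS = {
  'ca_file' => '/etc/mongodb/server-issuing-ca.pem',
  'certificate_key_file' => '/etc/mongodb/client.pem',
}.freeze

def load_mongod_conf(text)
  YAML.safe_load(text) || {}
end

# Extract the server's TLS settings, accepting both the tls and legacy ssl spellings.
def server_tls_settings(conf)
  tls = conf.dig('net', 'tls') || conf.dig('net', 'ssl') || {}
  {
    mode: tls['mode'],
    pem: tls['certificateKeyFile'] || tls['PEMKeyFile'],
    ca: tls['CAFile'],
  }
end

def tls_enabled?(settings)
  !settings[:mode].nil? && settings[:mode] != 'disabled'
end

# The pattern the issue describes: client arguments derived from the server's
# own certificate and CA, so the shell presents the server cert as its client
# cert and trusts the CA meant for validating clients.
def client_args_from_server_conf(server_conf_text)
  s = server_tls_settings(load_mongod_conf(server_conf_text))
  return [] unless tls_enabled?(s)
  args = ['--tls']
  args += ['--tlsCAFile', s[:ca]] if s[:ca]
  args += ['--tlsCertificateKeyFile', s[:pem]] if s[:pem]
  args
end

# Separated: the server config only decides whether the client must speak TLS;
# which CA to trust and which certificate to present come from client settings.
def client_args_separated(server_conf_text, client_tls)
  s = server_tls_settings(load_mongod_conf(server_conf_text))
  return [] unless tls_enabled?(s)
  args = ['--tls']
  args += ['--tlsCAFile', client_tls['ca_file']] if client_tls['ca_file']
  if client_tls['certificate_key_file']
    args += ['--tlsCertificateKeyFile', client_tls['certificate_key_file']]
  end
  args
end

# Check: does a client command line present the server's own certificateKeyFile?
def presents_server_certificate?(server_conf_text, client_args)
  s = server_tls_settings(load_mongod_conf(server_conf_text))
  idx = client_args.index('--tlsCertificateKeyFile')
  !idx.nil? && !s[:pem].nil? && client_args[idx + 1] == s[:pem]
end

if $PROGRAM_NAME == __FILE__
  naive = client_args_from_server_conf(MONGOD_CONF)
  fixed = client_args_separated(MONGOD_CONF, CLIENT_TLS)
  puts "from server conf: mongo #{naive.join(' ')}"
  puts "separated:        mongo #{fixed.join(' ')}"
  puts "server cert reused as client cert: #{presents_server_certificate?(MONGOD_CONF, naive)}"
end
```

With the sample config, the first builder hands the shell /etc/mongodb/server.pem as its client certificate and the client-validation CA as its trust anchor, which is exactly the mismatch the report describes; the second builder keeps the two roles apart and yields nothing when the server has TLS disabled.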