authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-18 05:52:27 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-18 05:52:27 +0000
commit3b0807ad7b283c46c21862eb826dcbb4ad04e5e2 (patch)
tree6461ea75f03eca87a5a90c86c3c9a787a6ad037e /ansible_collections/community/mongodb/roles/mongodb_mongod
parentAdding debian version 7.7.0+dfsg-3. (diff)
Merging upstream version 9.4.0+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/community/mongodb/roles/mongodb_mongod')
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/README.md39
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/defaults/main.yml12
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/handlers/main.yml5
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/molecule.yml4
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/playbook.yml15
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/tests/test_default.py2
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/molecule.yml4
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/playbook.yml15
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/tests/test_default.py2
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/molecule.yml4
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/playbook.yml15
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/tests/test_default.py2
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/logrotate.yml9
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/main.yml33
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongod.conf.j29
-rw-r--r--ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongodb.logrotate.j214
16 files changed, 152 insertions, 32 deletions
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/README.md b/ansible_collections/community/mongodb/roles/mongodb_mongod/README.md
index 51a801296..f2bf1d935 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/README.md
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/README.md
@@ -6,29 +6,34 @@ A simple role to aid in the setup of a MongoDB replicaset.
Role Variables
--------------
-* `mongod_port`: The port used by the mongod process. Default 27017.
-* `mongod_service`: The name of the mongod service. Default mongod.
-* `mongodb_user`: The Linux OS user for MongoDB. Default mongod.
-* `mongodb_group`: The Linux OS user group for MongoDB. Default mongod.
-* `bind_ip`: The IP address mongod will bind to. Default 0.0.0.0.
-* `bind_ip_all`: Have mongod bind to all IP addresses instead of specifying `bind_ip`. Default false.
-* `log_path`: Path of the log file. Default: /var/log/mongodb/mongod.log.
-* `repl_set_name`: The name of the replicaset the member will participate in. Default rs0.
-* `authorization`: Enable authorization. Default enabled.
+* `mongod_port`: The port used by the mongod process. Default `27017`.
+* `mongod_service`: The name of the mongod service. Default `mongod`.
+* `mongodb_user`: The Linux OS user for MongoDB. Default `mongod`.
+* `mongodb_group`: The Linux OS user group for MongoDB. Default `mongod`.
+* `bind_ip`: The IP address mongod will bind to. Default `0.0.0.0`.
+* `bind_ip_all`: Have mongod bind to all IP addresses instead of specifying `bind_ip`. Default `false`.
+* `log_path`: Path of the log file. Default: `/var/log/mongodb/mongod.log`.
+* `repl_set_name`: The name of the replicaset the member will participate in. Default `rs0`.
+* `authorization`: Enable authorization. Default `enabled`.
* `openssl_keyfile_content`: The keyfile content that MongoDB uses to authenticate within a replicaset. Generate with cmd: openssl rand -base64 756.
-* `openssl_keyfile_path`: Put the openssl_keyfile at this path. Default: /etc/keyfile
-* `mongodb_admin_user`: MongoDB admin username. Default admin.
-* `mongodb_admin_pwd`: MongoDB admin password. Default admin.
-* `mongod_package`: The mongod package to install. Default mongodb-org-server.
-* `replicaset`: When enabled add a replication section to the configuration. Default true.
-* `sharding`: If this replicaset member will form part of a sharded cluster. Default false.
+* `openssl_keyfile_path`: Put the openssl_keyfile at this path. Default: `/etc/keyfile`.
+* `mongodb_admin_user`: MongoDB admin username. Default `admin`.
+* `mongodb_admin_pwd`: MongoDB admin password. Default `admin`.
+* `mongod_package`: The mongod package to install. Default `mongodb-org-server`.
+* `replicaset`: When enabled add a replication section to the configuration. Default `true`.
+* `sharding`: If this replicaset member will form part of a sharded cluster. Default `false`.
* `net_compressors`: If this is set, this sets `net.compression.compressors` in mongod.conf.
-* `mongod_config_template`: If defined allows to override path to mongod config template with custom configuration. Default "mongod.conf.j2"
+* `mongod_config_template`: If defined allows to override path to mongod config template with custom configuration. Default `mongod.conf.j2`.
* `skip_restart`: If set to `true` will skip restarting mongod service when config file or the keyfile content changes. Default `true`.
* `db_path`: Path to database data location. Default `/var/lib/mongodb` on Debian based distributions, `/var/lib/mongo` for others.
-* `mongodb_use_tls`: Wether to use tls. Default false.
+* `mongodb_use_tls`: Whether to use tls. Default `false`.
+* `mongodb_disabled_tls_protocols`: The tls protocols to be disabled. Leave blank to let MongoDB decide which protocols to allow according to the ones available on the system; check the [official docs](https://www.mongodb.com/docs/v6.0/reference/configuration-options/#mongodb-setting-net.tls.disabledProtocols) for details. Default "".
+* `mongodb_allow_connections_without_certificates`: When enabled allows to bypass the certificate validation for clients that do not present a certificate, if a certificate is provided it _must_ be valid. Default `false`.
* `mongodb_certificate_key_file`: Path to the PEM-file containing the certficate and private key.
* `mongodb_certificate_ca_file`: Path to the CA-file.
+* `mongodb_logrotate_enabled`: Add logrotate configuration. Default: `false`.
+* `mongodb_logrotate_template`: Jinja template for the logrotate configuration. Default `mongodb.logrotate.j2`.
+* `mongodb_systemd_service_override`: Content of a file to override systemd configuration.
IMPORTANT NOTE: It is expected that `mongodb_admin_user` & `mongodb_admin_pwd` values be overridden in your own file protected by Ansible Vault. These values are primary included here for Molecule/Travis CI integration. Any production environments should protect these values. For more information see [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html)
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/defaults/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/defaults/main.yml
index b0d9da221..3fd788ec2 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/defaults/main.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/defaults/main.yml
@@ -34,3 +34,15 @@ mongod_config_template: "mongod.conf.j2"
skip_restart: true
db_path: "{{ '/var/lib/mongodb' if ansible_os_family == 'Debian' else '/var/lib/mongo' if ansible_os_family == 'RedHat' else '/var/lib/mongo' }}"
mongodb_use_tls: false
+mongodb_disabled_tls_protocols: ""
+mongodb_allow_connections_without_certificates: false
+mongodb_logrotate_enabled: false
+mongodb_logrotate_template: "mongodb.logrotate.j2"
+
+# Override systemd default configuration
+# Some properties are not overridden: https://askubuntu.com/questions/659267/how-do-i-override-or-configure-systemd-services
+# Examples:
+# mongodb_systemd_service_override: |
+# [Service]
+# Restart=on-failure # Mongod will restart on-failure (by default mongod don't restart)
+mongodb_systemd_service_override: ""
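Review bot: The commented example puts a trailing comment on the `Restart=` line, but systemd only treats `#` as a comment at the start of a line. A user who copies the example as written ends up with the rest of the line inside the value, and the setting is likely to be rejected. Move the explanation to its own line, e.g. `#   # Restart mongod on failure (not the default)` followed by `#   Restart=on-failure`.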
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/handlers/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/handlers/main.yml
index 026817530..6653f9651 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/handlers/main.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/handlers/main.yml
@@ -12,3 +12,8 @@
host: "{{ bind_ip | split(',') | first }}"
port: "{{ mongod_port }}"
when: not skip_restart
+
+- name: Reload systemd configuration
+ listen: daemon-reload
+ systemd:
+ daemon_reload: true
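Review bot: The new `daemon-reload` handler is appended at the end of the file, and Ansible runs handlers in the order they are defined, not the order they are notified. If the handlers above this hunk (not visible here) restart mongod, a run that changes both the config and the systemd override would restart the service before systemd has re-read the drop-in. Consider defining this handler before the restart handler. For consistency with the new `logrotate.yml`, also spell the module as `ansible.builtin.systemd:`. Separately, the reload alone does not apply the override to an already running mongod, which is worth stating in a comment: `# daemon-reload only re-reads unit files; the override takes effect on the next mongod restart`.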
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/molecule.yml
index e98e993dc..e3b8a0288 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/molecule.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/molecule.yml
@@ -18,8 +18,8 @@ platforms:
networks:
- name: "mongod"
network_mode: "mongod"
- - name: ubuntu_18
- image: ubuntu:18.04
+ - name: ubuntu_22_04
+ image: ubuntu:22.04
command: /sbin/init
privileged: True
networks:
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/playbook.yml
index e0bee962e..6e7f5cbc7 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/playbook.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/playbook.yml
@@ -15,9 +15,20 @@
name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}"
when: ansible_hostname == "fedora"
+ - name: Determine openssl version
+ command: openssl version
+ changed_when: false
+ register: openssl
+
+ - name: Set mongosh package version
+ set_fact:
+ mongosh_package: "{{ 'mongodb-mongosh-shared-openssl3' if openssl.stdout.startswith('OpenSSL 3') else 'mongodb-mongosh-shared-openssl11' }}"
+ when: mongosh_package is not defined
+
- name: Install MongoDB Shell
package:
- name: mongodb-mongosh
+ name:
+ - "{{ mongosh_package }}"
- name: Initialise replicaset
community.mongodb.mongodb_replicaset:
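Review bot: The `else` branch of the `mongosh_package` expression picks `mongodb-mongosh-shared-openssl11` for every `openssl version` output that does not start with `OpenSSL 3`, so any unexpected output silently selects the 1.1 build instead of failing. The `Determine openssl version` task also runs when `mongosh_package` is already defined, and it fails the play on a host without the `openssl` binary. Giving it the same condition, `when: mongosh_package is not defined`, avoids both the needless command and that failure. The same two tasks are added unchanged in `molecule/default/playbook.yml` and `molecule/multiple_bind_ip/playbook.yml`, so the remark applies there too.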
@@ -27,7 +38,7 @@
members:
- almalinux_8:27017
- fedora:27017
- - ubuntu_18:27017
+ - ubuntu_22_04:27017
- debian_bullseye:27017
- ubuntu_22:27017
when: ansible_hostname == "fedora"
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/tests/test_default.py
index 9aca8518e..4376de40c 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/tests/test_default.py
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/tests/test_default.py
@@ -64,7 +64,7 @@ def test_mongod_replicaset(host):
assert "rs0" in r.stdout
assert "almalinux_8:{0}".format(port) in r.stdout
assert "fedora:{0}".format(port) in r.stdout
- assert "ubuntu_18:{0}".format(port) in r.stdout
+ assert "ubuntu_22_04:{0}".format(port) in r.stdout
assert "ubuntu_22:{0}".format(port) in r.stdout
assert "debian_bullseye:{0}".format(port) in r.stdout
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/molecule.yml
index 2cbd158c4..deb681763 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/molecule.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/molecule.yml
@@ -18,8 +18,8 @@ platforms:
networks:
- name: "mongod"
network_mode: "mongod"
- - name: ubuntu_18
- image: ubuntu:18.04
+ - name: ubuntu_22_04
+ image: ubuntu:22.04
command: /sbin/init
privileged: True
networks:
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/playbook.yml
index 54b4def97..0ef97010b 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/playbook.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/playbook.yml
@@ -13,9 +13,20 @@
name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}"
when: ansible_hostname == "fedora"
+ - name: Determine openssl version
+ command: openssl version
+ changed_when: false
+ register: openssl
+
+ - name: Set mongosh package version
+ set_fact:
+ mongosh_package: "{{ 'mongodb-mongosh-shared-openssl3' if openssl.stdout.startswith('OpenSSL 3') else 'mongodb-mongosh-shared-openssl11' }}"
+ when: mongosh_package is not defined
+
- name: Install MongoDB Shell
package:
- name: mongodb-mongosh
+ name:
+ - "{{ mongosh_package }}"
- name: Initialise replicaset
community.mongodb.mongodb_replicaset:
@@ -25,7 +36,7 @@
members:
- almalinux_8:27017
- fedora:27017
- - ubuntu_18:27017
+ - ubuntu_22_04:27017
- debian_bullseye:27017
- ubuntu_22:27017
when: ansible_hostname == "fedora"
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/tests/test_default.py
index 896f0ee58..6a68ce52c 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/tests/test_default.py
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/tests/test_default.py
@@ -64,7 +64,7 @@ def test_mongod_replicaset(host):
assert "rs0" in r.stdout
assert "almalinux_8:{0}".format(port) in r.stdout
assert "fedora:{0}".format(port) in r.stdout
- assert "ubuntu_18:{0}".format(port) in r.stdout
+ assert "ubuntu_22_04:{0}".format(port) in r.stdout
assert "ubuntu_22:{0}".format(port) in r.stdout
assert "debian_bullseye:{0}".format(port) in r.stdout
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/molecule.yml
index b3f2e1199..20a80cfc7 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/molecule.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/molecule.yml
@@ -18,8 +18,8 @@ platforms:
networks:
- name: "mongod"
network_mode: "mongod"
- - name: ubuntu_18
- image: ubuntu:18.04
+ - name: ubuntu_22_04
+ image: ubuntu:22.04
command: /sbin/init
privileged: True
networks:
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/playbook.yml
index ba1a7f28a..7593d0781 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/playbook.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/playbook.yml
@@ -16,9 +16,20 @@
name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}"
when: ansible_hostname == "fedora"
+ - name: Determine openssl version
+ command: openssl version
+ changed_when: false
+ register: openssl
+
+ - name: Set mongosh package version
+ set_fact:
+ mongosh_package: "{{ 'mongodb-mongosh-shared-openssl3' if openssl.stdout.startswith('OpenSSL 3') else 'mongodb-mongosh-shared-openssl11' }}"
+ when: mongosh_package is not defined
+
- name: Install MongoDB Shell
package:
- name: mongodb-mongosh
+ name:
+ - "{{ mongosh_package }}"
- name: Initialise replicaset
community.mongodb.mongodb_replicaset:
@@ -28,7 +39,7 @@
members:
- almalinux_8:27017
- fedora:27017
- - ubuntu_18:27017
+ - ubuntu_22_04:27017
- debian_bullseye:27017
- ubuntu_22:27017
when: ansible_hostname == "fedora"
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/tests/test_default.py
index 6f54d5aad..adc23cda5 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/tests/test_default.py
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/tests/test_default.py
@@ -64,7 +64,7 @@ def test_mongod_replicaset(host):
assert "rs0" in r.stdout
assert "almalinux_8:{0}".format(port) in r.stdout
assert "fedora:{0}".format(port) in r.stdout
- assert "ubuntu_18:{0}".format(port) in r.stdout
+ assert "ubuntu_22_04:{0}".format(port) in r.stdout
assert "ubuntu_22:{0}".format(port) in r.stdout
assert "debian_bullseye:{0}".format(port) in r.stdout
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/logrotate.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/logrotate.yml
new file mode 100644
index 000000000..e72fa33d2
--- /dev/null
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/logrotate.yml
@@ -0,0 +1,9 @@
+---
+- name: Install logrotate configuration
+ ansible.builtin.template:
+ src: "{{ mongodb_logrotate_template }}"
+ dest: /etc/logrotate.d/mongod
+ tags:
+ - "mongodb"
+ - "setup"
+ - "service"
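Review bot: The template task writes `/etc/logrotate.d/mongod` without `owner`, `group` or `mode`, so the resulting permissions depend on the umask and user of the play. logrotate is known to skip configuration files with permissions it considers unsafe, and a file under `/etc/logrotate.d` that is writable by a non-root user lets that user influence commands run as root at rotation time. Pin the permissions on the task: `owner: root`, `group: root`, `mode: "0644"`.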
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/main.yml
index bd1eb944d..1f1072a63 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/main.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/main.yml
@@ -64,6 +64,30 @@
- "mongodb"
- "setup"
+- name: Override mongod service
+ when: mongodb_systemd_service_override | length > 0
+ tags:
+ - "mongodb"
+ - "setup"
+ - "service"
+ block:
+ - name: "Create {{ mongod_service }}.service.d directory"
+ file:
+ path: "/etc/systemd/system/{{ mongod_service }}.service.d/"
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+ - name: Override mongod service from provided content
+ copy:
+ content: "{{ mongodb_systemd_service_override }}"
+ dest: "/etc/systemd/system/{{ mongod_service }}.service.d/override.conf"
+ owner: root
+ group: root
+ mode: 0644
+ notify: daemon-reload
+
- name: Check for github override
set_fact:
x_github_override: "{{ lookup('env', 'X_GITHUB_OVERRIDE') | default('0', True) }}"
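Review bot: The override block is skipped entirely when `mongodb_systemd_service_override` is empty, so an `override.conf` written by an earlier run stays in place and keeps modifying the unit after the variable is cleared. If the role is meant to own that path, a companion task that removes the file and notifies `daemon-reload` closes the gap. The two `mode:` values would also be safer quoted (`mode: "0755"`, `mode: "0644"`), so they never depend on how the YAML loader reads a leading zero. The `Check for github override` task that follows continues outside this hunk.

```yaml
# … unchanged: "Override mongod service" block …

- name: Remove mongod service override when no content is provided
  file:
    path: "/etc/systemd/system/{{ mongod_service }}.service.d/override.conf"
    state: absent
  when: mongodb_systemd_service_override | length == 0
  notify: daemon-reload
```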
@@ -79,6 +103,15 @@
- "mongodb"
- "setup"
- "service"
+
+- name: Configure logrotate if enabled
+ when: mongodb_logrotate_enabled
+ ansible.builtin.include_tasks: logrotate.yml
+ tags:
+ - "mongodb"
+ - "setup"
+ - "service"
+
# debug section
- pause:
seconds: 5
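Review bot: `when: mongodb_logrotate_enabled` tests the variable bare, so a value that arrives as a string (for example `-e mongodb_logrotate_enabled=false`) is a non-empty string and may be treated as true. Writing `when: mongodb_logrotate_enabled | bool` makes the intent explicit. The same applies to `{% if mongodb_logrotate_enabled %}` in `templates/mongod.conf.j2`, which should use the same filter so the config and the logrotate file cannot disagree. The `pause` task after the comment continues outside this hunk.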
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongod.conf.j2 b/ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongod.conf.j2
index 9ff5a5dec..cd2d1f0fc 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongod.conf.j2
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongod.conf.j2
@@ -8,6 +8,9 @@ systemLog:
destination: file
logAppend: true
path: {{ log_path }}
+{% if mongodb_logrotate_enabled %}
+ logRotate: reopen
+{% endif %}
# Where and how to store data.
storage:
@@ -41,6 +44,12 @@ net:
mode: requireTLS
certificateKeyFile: {{ mongodb_certificate_key_file }}
CAFile: {{ mongodb_certificate_ca_file }}
+{% if mongodb_disabled_tls_protocols != "" %}
+ disabledProtocols: {{ mongodb_disabled_tls_protocols }}
+{% endif %}
+{% if mongodb_allow_connections_without_certificates %}
+ allowConnectionsWithoutCertificates: true
+{% endif %}
{% endif %}
{% if authorization == "enabled" %}
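Review bot: Nothing in the added lines ties `allowConnectionsWithoutCertificates: true` to the `authorization` setting tested on the next context line. A host that sets `mongodb_allow_connections_without_certificates: true` while authorization is not `enabled` will therefore accept any client that can reach the port, with no client identity at all. A template comment would document the dependency, e.g. `{# Clients without a certificate are accepted when this is set; keep authorization enabled #}`, and an `assert` in the tasks could enforce it. `disabledProtocols` is rendered from the variable unquoted, so it relies on the value being a plain comma-separated list as in the MongoDB docs linked from the README. The enclosing TLS conditional opens outside this hunk.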
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongodb.logrotate.j2 b/ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongodb.logrotate.j2
new file mode 100644
index 000000000..4cecbcadd
--- /dev/null
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongodb.logrotate.j2
@@ -0,0 +1,14 @@
+{{ log_path }} {
+ daily
+ size 100M
+ rotate 5
+ missingok
+ compress
+ delaycompress
+ notifempty
+ create 640 {{ mongodb_user }} {{ mongodb_group }}
+ sharedscripts
+ postrotate
+ /bin/kill -SIGUSR1 `pidof {{ mongod_service }} 2>/dev/null` >/dev/null 2>&1
+ endscript
+}
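Review bot: The `postrotate` line looks up the process with `pidof {{ mongod_service }}`, but `mongod_service` is the systemd unit name and only matches the binary name with the default value. With a renamed service `pidof` returns nothing, and because all output is discarded mongod keeps writing to the rotated file without any error. `pidof` would also signal every mongod on a host that runs more than one. Since the role already manages the service through systemd, `systemctl kill --signal=SIGUSR1 {{ mongod_service }}` targets exactly that unit. Separately, `size 100M` placed after `daily` takes precedence over the time interval in logrotate; if the intent is daily rotation or earlier once 100M is reached, `maxsize 100M` expresses that.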