Diffstat (limited to 'ansible_collections/community/mongodb/roles/mongodb_mongos')
6 files changed, 44 insertions, 19 deletions
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/README.md b/ansible_collections/community/mongodb/roles/mongodb_mongos/README.md
index 414246781..de935f0b6 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongos/README.md
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/README.md
@@ -13,24 +13,26 @@ good idea to mention in this section that the boto package is required.
 Role Variables
 --------------
-* `mongos_port`: The port used by the mongos process. Default 27017.
-* `mongos_service`: The name of the mongos service. Default mongos.
-* `mongodb_user`: The Linux OS user for MongoDB. Default mongod.
-* `mongodb_group`: The Linux OS user group for MongoDB. Default mongod.
-* `pid_file`: The pid file for mongos. Default /run/mongodb/mongos.pid.
-* `bind_ip`: The IP address mongos will bind to. Default 0.0.0.0.
-* `bind_ip_all`: Have mongos bind to all IP addresses instead of specifying `bind_ip`. Default false.
-* `log_path`: Path of the log file. Default: /var/log/mongodb/mongos.log.
-* `mypy`: Python interpretor. Default python
-* `mongos_package`: The name of the mongos installation package. Default mongodb-org-mongos.
-* `config_repl_set_name`: The name of the config server replicaset. Default cfg.
+* `mongos_port`: The port used by the mongos process. Default `27017`.
+* `mongos_service`: The name of the mongos service. Default `mongos`.
+* `mongodb_user`: The Linux OS user for MongoDB. Default `mongod`.
+* `mongodb_group`: The Linux OS user group for MongoDB. Default `mongod`.
+* `pid_file`: The pid file for mongos. Default `/run/mongodb/mongos.pid`.
+* `bind_ip`: The IP address mongos will bind to. Default `0.0.0.0`.
+* `bind_ip_all`: Have mongos bind to all IP addresses instead of specifying `bind_ip`. Default `false`.
+* `log_path`: Path of the log file. Default: `/var/log/mongodb/mongos.log`.
+* `mypy`: Python interpretor. Default `python`.
+* `mongos_package`: The name of the mongos installation package. Default `mongodb-org-mongos`.
+* `config_repl_set_name`: The name of the config server replicaset. Default `cfg`.
 * `config_servers`: "config1:27019, config2:27019, config3:27019"
 * `openssl_keyfile_content`: The kexfile content that MongoDB uses to authenticate within a replicaset. Generate with cmd: openssl rand -base64 756. 
-* `openssl_keyfile_path`: Put the openssl_keyfile at this path. Default: /etc/keyfile
+* `openssl_keyfile_path`: Put the openssl_keyfile at this path. Default: `/etc/keyfile`.
 * `net_compressors`: If this is set, this sets `net.compression.compressors` in mongos.conf.
-* `mongos_config_template`: If defined allows to override path to mongod config template with custom configuration. Default "mongos.conf.j2"
+* `mongos_config_template`: If defined allows to override path to mongod config template with custom configuration. Default `mongos.conf.j2`.
 * `skip_restart`: If set to `true` will skip restarting mongos service when config file or the keyfile content changes. Default `true`.
-* `mongodb_use_tls`: Wether to use tls. Default false.
+* `mongodb_use_tls`: Whether to use tls. Default `false`.
+* `mongodb_disabled_tls_protocols`: The tls protocols to be disabled. Leave blank to let MongoDB decide which protocols to allow according to the ones available on the system; check the [official docs](https://www.mongodb.com/docs/v6.0/reference/configuration-options/#mongodb-setting-net.tls.disabledProtocols) for details. Default "".
+* `mongodb_allow_connections_without_certificates`: When enabled allows to bypass the certificate validation for clients that do not present a certificate, if a certificate is provided it _must_ be valid. Default `false`.
 * `mongodb_certificate_key_file`: Path to the PEM-file containing the certficate and private key.
 * `mongodb_certificate_ca_file`: Path to the CA-file.
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/defaults/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/defaults/main.yml
index 6d91e8814..0ca7f0371 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongos/defaults/main.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/defaults/main.yml
@@ -31,3 +31,5 @@ net_compressors: null
 mongos_config_template: "mongos.conf.j2"
 skip_restart: true
 mongodb_use_tls: false
+mongodb_disabled_tls_protocols: ""
+mongodb_allow_connections_without_certificates: false
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/molecule.yml
index b361e644c..f1e8d4999 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/molecule.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/molecule.yml
@@ -28,8 +28,8 @@ platforms:
 networks:
 - name: "mymongos"
 network_mode: "mymongos"
- - name: ubuntu_18
- image: ubuntu:18.04
+ - name: ubuntu_22_04
+ image: ubuntu:22.04
 command: /sbin/init
 privileged: True
 networks:
@@ -50,7 +50,7 @@ platforms:
 # - name: "mymongos"
 # network_mode: "mymongos"
 - name: config1
- image: ubuntu:18.04
+ image: ubuntu:22.04
 command: /sbin/init
 privileged: True
 networks:
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/playbook.yml
index de0e856ba..cee69734a 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/playbook.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/playbook.yml
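Review bot: The two new defaults carry no comment, and `mongodb_disabled_tls_protocols: ""` uses an empty string as its "unset" sentinel while `net_compressors: null` in the same hunk's context uses null, so a reader of this file cannot tell which form the template expects for "leave it to MongoDB". A one-line comment above each key would settle it, e.g. `# Comma-separated value for net.tls.disabledProtocols; "" lets MongoDB choose` and `# true admits clients that present no certificate; a presented certificate is still validated`. Both keys appear to matter only inside the TLS block of mongos.conf.j2 (the `{% if %}` that encloses the new template lines opens outside its hunk), which is worth stating here as well.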
@@ -26,9 +26,20 @@
 name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}"
 when: ansible_hostname == "config1"
+ - name: Determine openssl version
+ command: openssl version
+ changed_when: false
+ register: openssl
+
+ - name: Set mongosh package version
+ set_fact:
+ mongosh_package: "{{ 'mongodb-mongosh-shared-openssl3' if openssl.stdout.startswith('OpenSSL 3') else 'mongodb-mongosh-shared-openssl11' }}"
+ when: mongosh_package is not defined
+
 - name: Install MongoDB Shell
 package:
- name: mongodb-mongosh
+ name:
+ - "{{ mongosh_package }}"
 - name: Init config server replicaset
 community.mongodb.mongodb_replicaset:
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/prepare.yml
index 40efdd033..d9a4dd252 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/prepare.yml
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/prepare.yml
@@ -20,4 +20,8 @@
 ansible.builtin.package:
 name: "{{ redhat_packages }}"
 state: present
- when: ansible_os_family == "RedHat"
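Review bot: The `Set mongosh package version` task falls through to `mongodb-mongosh-shared-openssl11` for any `openssl version` output that does not start with `OpenSSL 3`, so an unexpected banner (a LibreSSL build, or a wrapper that prints something else) is silently treated as OpenSSL 1.1 and only surfaces later as a package-not-found failure in `Install MongoDB Shell`, far from the detection that caused it. Making the detection fail loudly keeps the test meaningful: add `failed_when: not openssl.stdout.startswith('OpenSSL ')` to the `Determine openssl version` task. The new tasks also use short module names (`command`, `set_fact`, `package`) while prepare.yml in this same commit uses `ansible.builtin.package`; writing `ansible.builtin.command`, `ansible.builtin.set_fact` and `ansible.builtin.package` here keeps the collection's playbooks consistent. The enclosing play and its host list start outside the hunk.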
\ No newline at end of file
+ when: ansible_os_family == "RedHat"
+
+ - name: Install openssl
+ package:
+ name: openssl
\ No newline at end of file
diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos.conf.j2 b/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos.conf.j2
index 6c61b8716..f9726f2f5 100644
--- a/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos.conf.j2
+++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos.conf.j2
@@ -19,6 +19,12 @@ net:
 mode: requireTLS
 certificateKeyFile: {{ mongodb_certificate_key_file }}
 CAFile: {{ mongodb_certificate_ca_file }}
+{% if mongodb_disabled_tls_protocols != "" %}
+ disabledProtocols: {{ mongodb_disabled_tls_protocols }}
+{% endif %}
+{% if mongodb_allow_connections_without_certificates %}
+ allowConnectionsWithoutCertificates: true
+{% endif %}
 {% endif %}
 sharding:
 configDB: "{{ config_repl_set_name }}/{{ config_servers }}" |
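Review bot: The new `Install openssl` task omits `state: present` and uses the short `package:` module name, whereas the `ansible.builtin.package` task directly above it in the same hunk sets both; the two tasks should match: `ansible.builtin.package:` / `name: openssl` / `state: present`. The file also still ends without a trailing newline on the new side (the `\ No newline at end of file` marker survives the change), which this commit could have fixed while it was touching the last line. The play header is outside the hunk.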
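Review bot: `{% if mongodb_disabled_tls_protocols != "" %}` only guards against the empty-string default; a caller that overrides the variable with `null` (the form this role's own defaults use for `net_compressors`) passes the test and the template renders `disabledProtocols: None`, which mongos will presumably reject at startup. A truthiness check covers both the empty and the null case: `{% if mongodb_disabled_tls_protocols %}`. Since `disabledProtocols` and `allowConnectionsWithoutCertificates` are TLS hardening knobs, a config that fails to load is at least fail-closed, but the failure would appear far from the variable that caused it, so a template comment naming the expected value shape (a comma-separated string such as `TLS1_0,TLS1_1`, given as an example) would help as well. The `{% if %}` that encloses this TLS block opens outside the hunk.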