
K8SPSMDB-1132: add spec.secrets.keyFile field #1639

Open
wants to merge 12 commits into base: main
Conversation

@pooknull (Contributor) commented Sep 4, 2024


https://perconadev.atlassian.net/browse/K8SPSMDB-1132

DESCRIPTION

Problem:
We can't specify a custom keyfile secret in the cr.yaml

Solution:
Add field .spec.secrets.keyFile to the cr.yaml

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?
  • Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported MongoDB version?
  • Does the change support oldest and newest supported Kubernetes version?

@pull-request-size pull-request-size bot added the size/M 30-99 lines label Sep 4, 2024
nmarukovich previously approved these changes Sep 9, 2024
inelpandzic previously approved these changes Sep 10, 2024
@hors (Collaborator) left a comment

@egegunes should operator automatically set

  tls:
    mode: allowTLS

When the user sets "keyFile: test-keyfile" via the CR? Because now, if the user specifies this option, the mongod will not use the key file.
And at the same time I see a problem with mongos right now. When I set "mode: allowTLS", mongos still uses x509 for clusterAuthMode, and it is a bug that should be fixed as well.

@pooknull don't forget to update helm charts with these new fields.

@inelpandzic (Contributor)

> @egegunes should operator automatically set
>
>   tls:
>     mode: allowTLS
>
> When the user sets "keyFile: test-keyfile" via CR? Because now, if the user specifies this option, the mongod will not use key file. And at the same time I see a problem with mongos right now. When I set "mode: allowTLS" mongos still use x509 for clusterAuthMode and it is a bug that should be fixed as well.
>
> @pooknull don't forget to update helm charts with these new fields.

If you ask me, I wouldn't touch user CR, rather than that we should probably prevent setting keyFile if proper tls.mode is not set.

@egegunes (Contributor)

@hors I agree with @inelpandzic, the operator shouldn't do this automatically but return an error if tls.mode is not compatible with keyFile

@egegunes (Contributor)

@pooknull we need to use keyFile authentication if a keyFile secret is specified in cr.yaml, no matter what tls.mode is

@pull-request-size pull-request-size bot added size/L 100-499 lines and removed size/M 30-99 lines labels Sep 19, 2024
args = append(args, "--clusterAuthMode=x509")
}
} else if cr.UnsafeTLSDisabled() {
if (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || cr.UnsafeTLSDisabled() || cr.Spec.Secrets.InternalKey != "" {
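Review bot: the last term of the new condition, `cr.Spec.Secrets.InternalKey != ""`, cannot tell a user-supplied spec.secrets.keyFile apart from the operator-generated default; if the defaulting code always populates InternalKey, the whole `||` chain is true and the x509 branch is never reached. Gate on the user's explicit keyFile setting instead (captured before defaults are applied, or by comparing against the default-generated secret name). Also, `cr.UnsafeTLSDisabled()` appears both in the enclosing `} else if cr.UnsafeTLSDisabled() {` and inside the new condition, so one of the two checks is redundant.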
Contributor (review comment on the lines above)

cr.Spec.Secrets.InternalKey != "" this will always be true because we set it by default in https://github.com/percona/percona-server-mongodb-operator/blob/dev/K8SPSMDB-1132/pkg/apis/psmdb/v1/psmdb_defaults.go#L77-L79

this is why all tests are failing

@egegunes (Contributor)

@pooknull we also need to use keyFile auth for mongos if the secret is specified
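To make the rule from the last two comments concrete (a user-specified keyFile secret selects keyFile auth for both mongod and mongos regardless of tls.mode, and the defaulted internal key must not be the discriminator), here is an added, self-contained Go example. It is not the operator's code: the `ClusterSpec` type, the `UserKeyFile` field and the `ClusterAuthArgs` function are assumptions for illustration.

```go
package main

import "fmt"

// TLSMode mirrors the spec.tls.mode values discussed in the thread (simplified; not the operator's own types).
type TLSMode string

const (
	TLSModeDisabled TLSMode = "disabled"
	TLSModeAllow    TLSMode = "allowTLS"
	TLSModePrefer   TLSMode = "preferTLS"
	TLSModeRequire  TLSMode = "requireTLS"
)

// ClusterSpec is a hypothetical slice of the CR relevant to cluster auth.
type ClusterSpec struct {
	TLSMode TLSMode
	// UserKeyFile is spec.secrets.keyFile as written by the user, captured
	// before defaults run. The defaulted secrets.internalKey is always
	// non-empty, so it must not be used to detect a user choice.
	UserKeyFile string
}

// ClusterAuthArgs returns the clusterAuthMode flags for mongod or mongos.
// A user-specified keyFile secret always selects keyFile auth; otherwise
// x509 is used unless tls.mode is allowTLS or TLS is disabled.
func ClusterAuthArgs(spec ClusterSpec, mountedKeyFile string) ([]string, error) {
	if spec.UserKeyFile != "" {
		return []string{"--clusterAuthMode=keyFile", "--keyFile=" + mountedKeyFile}, nil
	}
	switch spec.TLSMode {
	case TLSModeDisabled, TLSModeAllow:
		// the operator-managed internal key is mounted at mountedKeyFile
		return []string{"--clusterAuthMode=keyFile", "--keyFile=" + mountedKeyFile}, nil
	case TLSModePrefer, TLSModeRequire:
		return []string{"--clusterAuthMode=x509"}, nil
	}
	return nil, fmt.Errorf("unsupported tls.mode %q", spec.TLSMode)
}

func main() {
	for _, spec := range []ClusterSpec{
		{TLSMode: TLSModeRequire},
		{TLSMode: TLSModeRequire, UserKeyFile: "test-keyfile"},
		{TLSMode: TLSModeAllow},
	} {
		args, err := ClusterAuthArgs(spec, "/etc/mongodb-secrets/mongodb-key")
		fmt.Printf("%+v -> %v %v\n", spec, args, err)
	}
}
```

The same function is called when building both the mongod and the mongos argument lists, which is what keeps the two in agreement.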

inelpandzic previously approved these changes Sep 24, 2024

@inelpandzic (Contributor)

I still don't see we're using keyFile for mongos if secret is set

@JNKPercona (Collaborator)

| Test name | Status |
| --- | --- |
| arbiter | passed |
| balancer | passed |
| custom-replset-name | passed |
| custom-tls | passed |
| custom-users-roles | passed |
| custom-users-roles-sharded | passed |
| cross-site-sharded | passed |
| data-at-rest-encryption | passed |
| data-sharded | passed |
| demand-backup | passed |
| demand-backup-eks-credentials | passed |
| demand-backup-physical | passed |
| demand-backup-physical-sharded | passed |
| demand-backup-sharded | passed |
| expose-sharded | passed |
| ignore-labels-annotations | passed |
| init-deploy | passed |
| finalizer | passed |
| ldap | passed |
| ldap-tls | passed |
| limits | passed |
| liveness | passed |
| mongod-major-upgrade | passed |
| mongod-major-upgrade-sharded | passed |
| monitoring-2-0 | failure |
| multi-cluster-service | passed |
| non-voting | passed |
| one-pod | passed |
| operator-self-healing-chaos | passed |
| pitr | passed |
| pitr-sharded | passed |
| pitr-physical | passed |
| pvc-resize | passed |
| recover-no-primary | passed |
| replset-overrides | passed |
| rs-shard-migration | passed |
| scaling | passed |
| scheduled-backup | passed |
| security-context | passed |
| self-healing-chaos | passed |
| service-per-pod | passed |
| serviceless-external-nodes | failure |
| smart-update | passed |
| split-horizon | passed |
| storage | passed |
| tls-issue-cert-manager | passed |
| upgrade | passed |
| upgrade-consistency | passed |
| upgrade-consistency-sharded-tls | passed |
| upgrade-sharded | passed |
| users | passed |
| version-service | passed |

We run 52 out of 52

commit: 4e49c79
image: perconalab/percona-server-mongodb-operator:PR-1639-4e49c79c

@inelpandzic (Contributor) left a comment

@pooknull this looks good, but pls check serviceless-external-nodes test.
