K8SPSMDB-1132: add spec.secrets.keyFile field
#1639
base: main
Conversation
@egegunes should the operator automatically set
  tls:
    mode: allowTLS
when the user sets "keyFile: test-keyfile" via the CR? Because now, if the user specifies this option, mongod will not use the key file.
And at the same time I see a problem with mongos right now. When I set "mode: allowTLS", mongos still uses x509 for clusterAuthMode, and that is a bug that should be fixed as well.
@pooknull don't forget to update helm charts with these new fields.
If you ask me, I wouldn't touch the user CR, rather than that we should probably prevent setting …
@hors I agree with @inelpandzic, the operator shouldn't do this automatically but return an error if …
@pooknull we need to use keyFile authentication if the keyFile secret is specified in cr.yaml, no matter what …
0e53564
args = append(args, "--clusterAuthMode=x509") | ||
} | ||
} else if cr.UnsafeTLSDisabled() { | ||
if (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || cr.UnsafeTLSDisabled() || cr.Spec.Secrets.InternalKey != "" { |
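Review bot: the last term of the new condition, `cr.Spec.Secrets.InternalKey != ""`, is always true once defaults are applied (the thread points to the operator setting it in psmdb_defaults.go), so the whole `if` is always taken and the `--clusterAuthMode=x509` path above can never be reached; clusters that should run x509 cluster auth silently fall back to keyFile. Test the user-facing field this PR introduces (`spec.secrets.keyFile`, i.e. whether the user actually set a key file secret) rather than the defaulted internal name, and add a test case with `requireTLS` and no keyFile that asserts `--clusterAuthMode=x509` so this regression is caught.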
`cr.Spec.Secrets.InternalKey != ""`: this will always be true because we set it by default in https://github.com/percona/percona-server-mongodb-operator/blob/dev/K8SPSMDB-1132/pkg/apis/psmdb/v1/psmdb_defaults.go#L77-L79
This is why all tests are failing.
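As an added illustration (not code from the PR or the operator), here is the decision the thread converges on, written against a constructed stand-in for the CR: a user-specified keyFile secret always selects keyFile cluster auth, while checking the defaulted InternalKey name instead makes the x509 path unreachable, which is the failure egegunes describes. Type and field names below are assumptions for the example only.

```go
package main

import "fmt"

// Constructed stand-in for the CR fields the thread discusses; not the operator's type.
type TLSMode string

const (
	TLSModeAllow   TLSMode = "allowTLS"
	TLSModeRequire TLSMode = "requireTLS"
)
type Secrets struct {
	InternalKey string // filled by defaulting, so never "" at reconcile time
	KeyFile     string // new spec.secrets.keyFile field; "" unless set in cr.yaml
}
type CR struct {
	TLSMode     TLSMode
	TLSDisabled bool // "unsafe" TLS disabled
	Secrets     Secrets
}

// applyDefaults mimics the operator generating an InternalKey secret name.
func applyDefaults(cr *CR) {
	if cr.Secrets.InternalKey == "" {
		cr.Secrets.InternalKey = "my-cluster-mongodb-keyfile" // constructed default
	}
}

// ClusterAuthMode picks --clusterAuthMode for mongod and mongos. Rule from the
// thread: a user-set keyFile secret wins; allowTLS or TLS disabled also means
// keyFile; otherwise x509.
func ClusterAuthMode(cr CR) string {
	if cr.Secrets.KeyFile != "" || cr.TLSDisabled || cr.TLSMode == TLSModeAllow {
		return "keyFile"
	}
	return "x509"
}

// BuggyClusterAuthMode checks the defaulted InternalKey instead, the mistake
// flagged in review: after defaulting it is always true, so x509 is unreachable.
func BuggyClusterAuthMode(cr CR) string {
	if cr.Secrets.InternalKey != "" || cr.TLSDisabled || cr.TLSMode == TLSModeAllow {
		return "keyFile"
	}
	return "x509"
}
func main() {
	cr := CR{TLSMode: TLSModeRequire}
	applyDefaults(&cr)
	fmt.Println(ClusterAuthMode(cr), BuggyClusterAuthMode(cr)) // x509 keyFile
}
```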
@pooknull we also need to use keyFile auth for mongos if the secret is specified …
pkg/psmdb/mongos.go
Outdated
I still don't see we're using keyFile for mongos if secret is set
commit: 4e49c79
@pooknull this looks good, but please check the serviceless-external-nodes test.
https://perconadev.atlassian.net/browse/K8SPSMDB-1132
DESCRIPTION
Problem: We can't specify a custom keyfile secret in the cr.yaml.
Solution: Add the field .spec.secrets.keyFile to the cr.yaml.