diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml
index e4134e27c3..ccd6678c6f 100644
--- a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml
+++ b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml
@@ -8370,6 +8370,8 @@ spec:
 properties:
 encryptionKey:
 type: string
+ keyFile:
+ type: string
 ldapSecret:
 type: string
 sse:
diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml
index 5648d78c9d..9e80fdeaf2 100644
--- a/deploy/bundle.yaml
+++ b/deploy/bundle.yaml
@@ -9052,6 +9052,8 @@ spec:
 properties:
 encryptionKey:
 type: string
+ keyFile:
+ type: string
 ldapSecret:
 type: string
 sse:
diff --git a/deploy/cr.yaml b/deploy/cr.yaml
index 377c71000b..c56f19be11 100644
--- a/deploy/cr.yaml
+++ b/deploy/cr.yaml
@@ -51,6 +51,7 @@ spec:
 secrets:
 users: my-cluster-name-secrets
 encryptionKey: my-cluster-name-mongodb-encryption-key
+# keyFile: my-cluster-name-mongodb-keyfile
 # vault: my-cluster-name-vault
 # ldapSecret: my-ldap-secret
 # sse: my-cluster-name-sse
diff --git a/deploy/crd.yaml b/deploy/crd.yaml
index dedef3c022..06cbe05c3a 100644
--- a/deploy/crd.yaml
+++ b/deploy/crd.yaml
@@ -9052,6 +9052,8 @@ spec:
 properties:
 encryptionKey:
 type: string
+ keyFile:
+ type: string
 ldapSecret:
 type: string
 sse:
diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml
index 7390b761ec..8083f7a9c7 100644
--- a/deploy/cw-bundle.yaml
+++ b/deploy/cw-bundle.yaml
@@ -9052,6 +9052,8 @@ spec:
 properties:
 encryptionKey:
 type: string
+ keyFile:
+ type: string
 ldapSecret:
 type: string
 sse:
diff --git a/e2e-tests/serviceless-external-nodes/compare/statefulset_mydb-rs0.yml b/e2e-tests/serviceless-external-nodes/compare/statefulset_mydb-rs0.yml
new file mode 100644
index 0000000000..f47d56cf95
--- /dev/null
+++ b/e2e-tests/serviceless-external-nodes/compare/statefulset_mydb-rs0.yml
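Review bot: The commented `keyFile` example added under `secrets:` in deploy/cr.yaml reads like a plain secret-name override, but in the `containerArgs` and `mongosContainerArgs` changes of this same commit a non-empty `keyFile` also forces `--clusterAuthMode=keyFile`, even under `tls.mode: requireTLS`, replacing x509 member authentication with a single shared secret. That consequence belongs in the sample, since deploy/cr.yaml is what users copy from. Suggested comment line above the field: `# keyFile: Secret holding the cluster key file (key "mongodb-key"); when set, members authenticate with keyFile instead of x509 for every tls.mode`.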
@@ -0,0 +1,219 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + generation: 1 + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: mydb + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + name: mydb-rs0 + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: mydb +spec: + podManagementPolicy: OrderedReady + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: mydb + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + serviceName: mydb-rs0 + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: mydb + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + spec: + containers: + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=rs0 + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=keyFile + - --keyFile=/etc/mongodb-secrets/mongodb-key + - --tlsMode=requireTLS + - --enableEncryption + - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerCacheSizeGB=0.25 + - --wiredTigerIndexPrefixCompression=true + - --config=/etc/mongodb-config/mongod.conf + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: mydb + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: rs0 + envFrom: + - secretRef: + name: internal-mydb-users + optional: false + imagePullPolicy: Always 
+ livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + failureThreshold: 8 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: + limits: + cpu: 300m + memory: 500M + requests: + cpu: 300m + memory: 500M + securityContext: + runAsNonRoot: true + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: mydb-custom-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /etc/mongodb-config + name: config + - mountPath: /opt/percona + name: bin + - mountPath: /etc/mongodb-encryption + name: mydb-custom-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: + limits: + cpu: 300m + memory: 500M + requests: + cpu: 300m + memory: 500M + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + fsGroup: 1001 + serviceAccount: default + serviceAccountName: default + 
terminationGracePeriodSeconds: 60 + volumes: + - name: mydb-custom-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: mydb-custom-mongodb-keyfile + - emptyDir: {} + name: bin + - configMap: + defaultMode: 420 + name: mydb-rs0-mongod + optional: true + name: config + - name: mydb-custom-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: mydb-custom-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: false + secretName: mydb-custom-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: mydb-custom-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-mydb-users + updateStrategy: + rollingUpdate: + partition: 0 + type: RollingUpdate + volumeClaimTemplates: + - metadata: + name: mongod-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 3Gi + status: + phase: Pending diff --git a/e2e-tests/serviceless-external-nodes/conf/external.yml b/e2e-tests/serviceless-external-nodes/conf/external.yml index 3ddd74c52c..74ca3b0473 100644 --- a/e2e-tests/serviceless-external-nodes/conf/external.yml +++ b/e2e-tests/serviceless-external-nodes/conf/external.yml @@ -11,10 +11,11 @@ spec: image: percona/percona-server-mongodb:6.0.4-3 imagePullPolicy: Always secrets: - users: mydb-users - ssl: mydb-ssl - sslInternal: mydb-ssl-internal - encryptionKey: mydb-encryption-key + users: mydb-custom-users + ssl: mydb-custom-ssl + sslInternal: mydb-custom-ssl-internal + encryptionKey: mydb-custom-encryption-key + keyFile: mydb-custom-mongodb-keyfile replsets: - name: rs0 diff --git a/e2e-tests/serviceless-external-nodes/conf/main.yml b/e2e-tests/serviceless-external-nodes/conf/main.yml index ca2b8c328e..171d366365 100644 --- a/e2e-tests/serviceless-external-nodes/conf/main.yml +++ b/e2e-tests/serviceless-external-nodes/conf/main.yml 
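Review bot: The expected mongod args in this new compare fixture pin `--clusterAuthMode=keyFile` and `--keyFile=/etc/mongodb-secrets/mongodb-key` together with `--tlsMode=requireTLS` and `--sslAllowInvalidCertificates`, so the fixture turns "custom keyFile under requireTLS means shared-secret member auth" into a tested contract. If that is the deliberate design for external, unmanaged nodes that can only share a key file, it should be stated in the test's `desc` so a later reader does not "fix" it back to x509; if it is not deliberate, this file is cementing a downgrade rather than catching it. Either way the fixture should not be the only place the decision is recorded.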
@@ -7,13 +7,16 @@ spec: replsetSize: true mongosSize: true clusterServiceDNSMode: "Internal" + tls: + mode: requireTLS image: percona/percona-server-mongodb:6.0.4-3 imagePullPolicy: Always secrets: - users: mydb-users - ssl: mydb-ssl - sslInternal: mydb-ssl-internal - encryptionKey: mydb-encryption-key + users: mydb-custom-users + ssl: mydb-custom-ssl + sslInternal: mydb-custom-ssl-internal + encryptionKey: mydb-custom-encryption-key + keyFile: mydb-custom-mongodb-keyfile replsets: - name: rs0 diff --git a/e2e-tests/serviceless-external-nodes/conf/secrets.yml b/e2e-tests/serviceless-external-nodes/conf/secrets.yml index 74417678f3..a77015b418 100644 --- a/e2e-tests/serviceless-external-nodes/conf/secrets.yml +++ b/e2e-tests/serviceless-external-nodes/conf/secrets.yml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Secret metadata: - name: mydb-users + name: mydb-custom-users type: Opaque stringData: MONGODB_BACKUP_USER: backup @@ -23,7 +23,7 @@ data: encryption-key: WnFlNS9NaXRoUWdFMEp3cTlteXJGR2kvT1p4akdnWWNMcmNidFlUUzVIMD0= kind: Secret metadata: - name: mydb-encryption-key + name: mydb-custom-encryption-key --- apiVersion: v1 data: 
@@ -32,7 +32,7 @@ data: tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBbGhWejBQbUFXTTRIUW1xQUtkUFExOC9oelV6aG0wVXdxVDdpUFBHTFpuaE9jVlRqCjlnOGFteGdGM0psSXJNV0d0QXhwM3ZwNnRzVFBLSGJYV3l2TDZXNkREa251MGNPNDYxYVoyVGE4alI4dUxHaGsKbHYzRm5DVUNnRW9xNHUyMDJvRm1qdkVLS1Y1NnNSZHZZZTMxWlJ1UDBCN3k4WnpXanhDcjcrYWVMeCtSQ3lGYwpLZ3d6VmdSeE14WlVEYkQ2VWpmOWZGVDFtS01FQTQ3UlQyblBFQ1UyVVpHeEI4dVh0VVNKY1ZlSTRUdWFiWWI3ClJwbkhtSENEQmpEOEE2WmhjUUtVbFA4dWowYUpHdndtR01CT2ExQ0x0eVJ2dWR3RXRoQXhQcEE1SHRNdHRJcW0KMlNjZjNvQWVnd1BxSm9KU1dWRlpUSlBMdnFzMlNnNlBVdDVzZ3dJREFRQUJBb0lCQUJiODFpNXQ2TUN4WGQ5SQpYTFVMWW5PTHZiUXFVR3Z0M3hRdE00M09HV0hxajJsQWJXSWswaGhyUjRxUVY5ZE9zZUVsL1psUG1EZ2lVUENMCnMxU2RrckFBWTBadkFJdFVoU0JXdFYzVnltOTdGU0ZzSSt3VWxvM2lCVTRORGlDUDlDRjdyRys4YjZnQ2RweGwKVUlRWlpIckdDL0wrcW90alVHRzlWZmg2eEVQSFArNDg2b2NYeHZSOUZmWHd2YlgrU1FPQVRHWDNZK3MwZ09zWAp6cEUzWk5NNnpFR3l1NEVYWGpGV0tLUjJQc1VPM2FQTFZCTkNNS1BtSFo1RXhFbFd2dVdtSVh0eXI1MVZINXRKClJjclREZi9VVitWWDVEZnJxOVpVQnQ5dkw2Uyt2cm8ra0dTMHBnN002VDh1NlNDa3h3aGtVNzhaMFQyU3o0RDQKdjU1d2grRUNnWUVBeEYzTlMzRVdvLzBPZVk0OHJOTzV6R0Fya1MraFZ1Zk5iZktZQ1NIaTluNzVySEdqckluWQp4M3JQV0srcWh1WjRiT0dZa0xaOXRTTFZpZVBXVzZTUnRxNWhrQXpXaFFJM21HVyswanU0QXMyTG90bkQzZmw4CnhtcWtkQkNJQ21ka0Z2M0dvMHd0bHZRUk9DbERPUkRJT2RWcVdKMk5HVndhS3o5MzlNQ0E4dXNDZ1lFQXc2bDcKTi9JdUxQTW14TkRNdE9DYVVwTEpXanlXemVoRWEySm5BUk1iUmR0KzVWRHZLUGRGR3NnS3ZiakhNWWo2R0FGUwpwWS9tSERNRjVQb1pybkpJb3VVdldOc1hNT3ZDRE0xS3hBWUZENXhJQUtSQmQzengxMTA1dU9pMmk0eXVUSUFOCjJzT3RoQ0tlQno5R3gyL2Jka2tvMlI0VDVoSGZuYjJkRVFkZWxza0NnWUVBaWxmN3R0YnB1SWNrbDRjYVFEaTYKZ2I2UGN5NDNZTjdXNEVzMXlkbFI2WS96bndaQTVlSUlGQ0gxeXVtWUhvcG85V3pLNjhsbUx5Tm5oa282VHo1VwpXbm5veW5BQkFweFpSc2tIODEyWGVvSU5pcUlaV0YzWkJvRkRjM0hpSmxKSk5kbDlCTGM2dDBza2hvaXJqNXkvCk05K2ptT01HOFlMdC9PSXVSUVVLMUJrQ2dZQmliSFB1VGFZS3VIbXRFYmVYMlUvbjc2elg5cGlKbGFndE9IL0cKRzUxaGc2dU9vU3JkT1oyS2ZreGc2WDFTSHF4bnZPcWRIQWpOOEtDcmNWL1B6KzlYK2QvYVc4T0x1VnlRNGdnVgpHVTRjYnlvTklKTktEeEQ4bkFtNFNWL2lUTzgwemttcDNUc0F1QVUwY2hFaHE5UUM2WVJoeTI2SkVqNmhjOHQ1CjBISTFlUUtCZ0ZMa2x
UTDNoZjNUOWFtZ3R1OFJIOWJ1alVYUHh3ajBtQ0N4RmVCVFYwMXBWSVpldHI1MThzNWMKQ2EzUUpwcTRVVUdLYUFyeW1hRUVLVjArVWdoVTV1bHZBMHR1VS9wSEZ5c0R1VUpDNDgwK3g5d1VOa0tNOHN3OQpENis0dkhKeURFS0xPNXIveTZFRDFKcHFnT3lKV1UwKzd3akp6K1kzaUZOU3NNUHVPVmpKCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== kind: Secret metadata: - name: mydb-ssl + name: mydb-custom-ssl type: kubernetes.io/tls --- apiVersion: v1 
@@ -42,7 +42,7 @@ data: tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBek1MYkJOdXR1NnM1d0VwOTVNNWhhaVBVNXFIckt2ZjA4Snh2V3dqSkVxblh1VUVrCi9wYXByNFRqL1RMQkRxN3dKTFRhNkJMZ3dhSGJlK2R0MFA2SnpWd0o0SHBhZFNqQ3QxNkhXMDJhVGQxcmJNeGoKMlhpOHpPc2szZUNSOExCb1pkRVRkUnZ5SGp2ZStpL0hqZkxNY2JLazdxYU5McUJTUS8vekdGMGNCTW9idTZRMwprMEdxL0xJSWs5dWp3S09KVTdtU1NQd3pBeU9YVitHMjBoS0dITGlyRDU5Nlpva1ordDEyYjJBMTM1OWpXVUUrCkFwekJMQ0dZQ2RkeElUQzRudFl6aDFEanAxYTNtbmw5bHZRWHV4Y2RmRGEzVlVaajg1eEdiMU5xdkR1UG5ENFIKcDBrS2JGSk1uc2JnMEFjSlEvMXdzZGJFdEUzRUdObGQ5dUpvandJREFRQUJBb0lCQUMyd0FLeVowNjcvS3BpawpSbWpxUDhRdUVKQVJhdWFnZ3UrNUNBTzQ5eHlKOXc5bjRMaEpwN3o1R3VIaEZFQ1JlaFhHb04yTmNNYmp0WlIwCjlBVGc5cUJ5dStWeGg0T0N2OGVvZU8wL2FJR2RPUjRDa1BqeVByWStkWEJvYmtmVkpNWXJHM3RTNi9naEJjU3YKS29pYXQxRmJPZi9oKzdoK256eDYvS1BnQ3FOcWl3OHZRMEE2bWd3bFd0YWNjMjJFNytMdG4xeGZwNHE5NXdkUwowcXBlSzJjZ3BaMHlzdHhta3RFNklzRThRaU01QUdpYVhuWjdtOEhDNXMwRko3RzR0eGVGTVp3M0tCTVQvcHM0ClE5Z0p1U045bnNqaE5wWHRYdTc1dU9TeGhibkcrUW9ZZTN3SFE2SFVZVG5zTExyZkc1QmJXMWdKMXFUVzA3SGkKN2VrKzlsRUNnWUVBNWxWSmM1NzBYVUcyMW8vN29yTmJaWVZjUXdLRmFSSWtrb3J2N0cycCtJaFZGZDRuWGhUcwpJOVZGSTFVOGNZR2N0djBDMCt4ZzdONnFuN3U0UVhkYzdqUUNCaC9peUFHSzh3VUt1WVpubVc5UTdKVTEzVkxmCjZJL2VKbWdBRHczWHpEaWtLYXJsSmVSS2lwUVJNdFU4dndqNUtlSW1FN21sUGtKbVl3OExONGtDZ1lFQTQ1UVQKaW1zMXQ2SDFDSVpoMVRjNHJLUDlURXlYVVZTOXl2MVY1TmRwbi8zUU10eHFrN0h0WGFaWEFlOUlmVkVXak1BTgpuMFpTd2tPbVExdU0ybHNGeXdJbXhZTWxzZ0lmK3dJWlRCWU5zSUJaMW1KV2ZHOE1KbWY4UGJad0FsdGczRDlSCmVKQ0V2YndsdnZTVEFVYUxYUVpKdXhWcWd6MW5LVHVCRTVaREFWY0NnWUVBMG00a3R1OEh6Wk5WMlZ5ZHhwMFoKNlB3WHVGaTdUYXozb0xJeVU4dzB0d3pHdnozQXRhRmp3N0Q2Z3pkQ0Mya2dwY1V0S2pRUXNSY1V4dTRYZmlmdwp6T2JTMm9tVEJLcjBLT1g0VUZyTWwwOHRuWmNNS1BHb0FxNDloTlVMQ0xYYTY0YnI0KzF2Z0ZpN0NUUVJLbUhLCko3V28vV3pRNE1DQWlRcmN3NjlnemhFQ2dZRUF0cFA3d1ZjVnQ0ZEZzRnN2YmdGcGhJZmtGU3gxVVppczA0ZS8KTzJMZXFLN1dNNWZHSVV2ajVQZ29ZYkw0OHlEMCtHSzBDdzQrSXdCbkNTOFBwN2JTeFBXcTZWYTREVUhMS25PYQpuQUl0WldienJCMGt5WnZGb2FKWEthT041VFl1VlVTdk5neXJraFM2SzZMSHRZUkZGcEtPNEhya0F2cG1JeHhNCkI4ekxZTzBDZ1lBdGk
wZEc2ODIyUjlaeHh6Uk51eDB5UlhMVSswbGNJUVNIR2YwL3pWY2NPTFlHRjRkZ1FGY2UKeGpRRlpnZ1Zzc3dtankrUUd0UFI1bVBjdmx0djEybnFINXZJRVpPVDhxY0pzaXJIdjFqSGpaMUYzZzlwVS9xTQp2cS9BTGVTSjl3S0pqMUNGdDZnZWp5SEI5bE9UYjVGWTVLM29hVFJHRm0rbWoxY3ZkNksrcUE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= kind: Secret metadata: - name: mydb-ssl-internal + name: mydb-custom-ssl-internal type: kubernetes.io/tls --- apiVersion: v1 @@ -50,5 +50,5 @@ data: mongodb-key: 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 kind: Secret metadata: - name: mydb-mongodb-keyfile + name: mydb-custom-mongodb-keyfile type: Opaque diff --git a/e2e-tests/serviceless-external-nodes/run b/e2e-tests/serviceless-external-nodes/run index a207ee4c25..2d87c765bf 100755 --- a/e2e-tests/serviceless-external-nodes/run +++ b/e2e-tests/serviceless-external-nodes/run @@ -20,6 +20,13 @@ kubectl_bin apply \ apply_cluster "$test_dir/conf/main.yml" wait_for_running "$cluster-rs0" 1 +compare_kubectl statefulset/mydb-rs0 + +secrets_count=$(kubectl_bin get secret -o yaml | yq '.items | length') +if [[ $secrets_count != 6 ]]; then + echo "It's expected to have 6 secrets. Currently have $secrets_count" + exit 1 +fi desc "Start External Cluster in unmanaged mode" kubectl_bin config set-context $(kubectl_bin config current-context) --namespace="$replica_namespace" @@ -34,6 +41,12 @@ apply_cluster "$test_dir/conf/external.yml" wait_pod ${cluster}-rs0-0 wait_pod ${cluster}-rs0-1 +secrets_count=$(kubectl_bin get secret -o yaml | yq '.items | length') +if [[ $secrets_count != 6 ]]; then + echo "It's expected to have 6 secrets. Currently have $secrets_count" + exit 1 +fi + kubectl_bin config set-context $(kubectl_bin config current-context) --namespace="$namespace" kubectl_bin get psmdb $cluster -o yaml >$tmp_dir/psmdb.yaml diff --git a/e2e-tests/version-service/conf/crd.yaml b/e2e-tests/version-service/conf/crd.yaml index dedef3c022..06cbe05c3a 100644 --- a/e2e-tests/version-service/conf/crd.yaml 
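Review bot: The two `secrets_count != 6` checks in the run script count every Secret in the namespace, which only indirectly tests what the change is about — that the operator mounted `mydb-custom-mongodb-keyfile` and did not also create the default `mydb-mongodb-keyfile`. Any unrelated Secret (a service-account token on older clusters, a future operator-managed Secret) makes the count flake, and an extra default keyfile could be masked by one fewer Secret elsewhere. Assert the property directly, e.g. `kubectl_bin get secret mydb-mongodb-keyfile >/dev/null 2>&1 && { echo "default keyfile secret must not be created"; exit 1; }` followed by `kubectl_bin get secret mydb-custom-mongodb-keyfile >/dev/null`, in both namespaces.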
+++ b/e2e-tests/version-service/conf/crd.yaml
@@ -9052,6 +9052,8 @@ spec:
 properties:
 encryptionKey:
 type: string
+ keyFile:
+ type: string
 ldapSecret:
 type: string
 sse:
diff --git a/pkg/apis/psmdb/v1/psmdb_defaults.go b/pkg/apis/psmdb/v1/psmdb_defaults.go
index b170a607dd..c55379b28b 100644
--- a/pkg/apis/psmdb/v1/psmdb_defaults.go
+++ b/pkg/apis/psmdb/v1/psmdb_defaults.go
@@ -27,6 +27,7 @@ const MultiClusterDefaultDNSSuffix = "svc.clusterset.local"
 
 const (
 MongodRESTencryptDir = "/etc/mongodb-encryption"
+ InternalKeyName = "mongodb-key"
 EncryptionKeyName = "encryption-key"
 )
 
diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go
index b505f04734..0f7d06ed42 100644
--- a/pkg/apis/psmdb/v1/psmdb_types.go
+++ b/pkg/apis/psmdb/v1/psmdb_types.go
@@ -736,15 +736,26 @@ type PVCSpec struct {
 }
 
 type SecretsSpec struct {
- Users string `json:"users,omitempty"`
- SSL string `json:"ssl,omitempty"`
- SSLInternal string `json:"sslInternal,omitempty"`
+ Users string `json:"users,omitempty"`
+ SSL string `json:"ssl,omitempty"`
+ SSLInternal string `json:"sslInternal,omitempty"`
+
+ // Use (*SecretsSpec) GetInternalKey() to get InternalKey
+ InternalKey string `json:"keyFile,omitempty"`
+
 EncryptionKey string `json:"encryptionKey,omitempty"`
 Vault string `json:"vault,omitempty"`
 SSE string `json:"sse,omitempty"`
 LDAPSecret string `json:"ldapSecret,omitempty"`
 }
 
+func (s *SecretsSpec) GetInternalKey(cr *PerconaServerMongoDB) string {
+ if s == nil || s.InternalKey == "" {
+ return cr.Name + "-mongodb-keyfile"
+ }
+ return s.InternalKey
+}
+
 func SSLSecretName(cr *PerconaServerMongoDB) string {
 return cr.Spec.Secrets.SSL
 }
diff --git a/pkg/controller/perconaservermongodb/psmdb_controller.go b/pkg/controller/perconaservermongodb/psmdb_controller.go
index f265883123..acd7c5239b 100644
--- a/pkg/controller/perconaservermongodb/psmdb_controller.go
+++ b/pkg/controller/perconaservermongodb/psmdb_controller.go
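Review bot: The new `InternalKey` field's comment only says to use the accessor; it omits the one fact a CR author must know, which is that a non-empty value switches cluster authentication from x509 to keyFile in `containerArgs`/`mongosContainerArgs` elsewhere in this commit. Suggested field doc: `// InternalKey names the Secret holding the cluster key file (key "mongodb-key"). When set, members authenticate with keyFile instead of x509 regardless of tls.mode. Resolve the default with GetInternalKey().` `GetInternalKey` also guards `s == nil` but dereferences `cr` unconditionally; since callers reach it as `cr.Spec.Secrets`, the receiver guard is effectively dead while a nil `cr` would panic, so either drop the guard or check both. Because the value is reused as a Volume name in `StatefulSpec` and `volumes()`, a `// +kubebuilder:validation:MaxLength=63` marker (and a DNS-label `Pattern`) would reject names the API server will otherwise refuse at StatefulSet creation time.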
@@ -396,15 +396,13 @@ func (r *ReconcilePerconaServerMongoDB) Reconcile(ctx context.Context, request r
 return reconcile.Result{}, err
 }
 
- internalKey := psmdb.InternalKey(cr)
- ikCreated, err := r.ensureSecurityKey(ctx, cr, internalKey, "mongodb-key", 768, true)
+ ikCreated, err := r.ensureSecurityKey(ctx, cr, cr.Spec.Secrets.GetInternalKey(cr), api.InternalKeyName, 768, true)
 if err != nil {
- err = errors.Wrapf(err, "ensure mongo Key %s", internalKey)
+ err = errors.Wrapf(err, "ensure mongo Key %s", cr.Spec.Secrets.GetInternalKey(cr))
 return reconcile.Result{}, err
 }
-
 if ikCreated {
- log.Info("Created a new mongo key", "KeyName", internalKey)
+ log.Info("Created a new mongo key", "KeyName", cr.Spec.Secrets.GetInternalKey(cr))
 }
 
 created, err := r.ensureSecurityKey(ctx, cr, cr.Spec.Secrets.EncryptionKey, api.EncryptionKeyName, 32, false)
diff --git a/pkg/psmdb/const.go b/pkg/psmdb/const.go
index ba9beb3f68..0c08ba8d18 100644
--- a/pkg/psmdb/const.go
+++ b/pkg/psmdb/const.go
@@ -5,7 +5,6 @@ import (
 "encoding/json"
 "fmt"
 
- api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1"
 "github.com/pkg/errors"
 corev1 "k8s.io/api/core/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -38,10 +37,6 @@ const (
 mongosPortName = "mongos"
 )
 
-func InternalKey(cr *api.PerconaServerMongoDB) string {
- return cr.Name + "-mongodb-keyfile"
-}
-
 type CustomConfig struct {
 Type VolumeSourceType
 HashHex string
diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go
index 88828822ec..1f80349b1b 100644
--- a/pkg/psmdb/container.go
+++ b/pkg/psmdb/container.go
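Review bot: `cr.Spec.Secrets.GetInternalKey(cr)` is now evaluated three times within a few lines (the `ensureSecurityKey` call, the `Wrapf`, and the `log.Info`) where the removed `internalKey` local did the job; keeping the local, `internalKey := cr.Spec.Secrets.GetInternalKey(cr)`, makes it evident that the Secret created, the name reported on error and the name logged are the same value, and keeps the call line readable. The blank line before `if ikCreated {` was also removed, which gofmt does not require and which joins two unrelated statements. Reconcile's body continues outside the hunk.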
@@ -192,20 +192,13 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a
 args = append(args, "--sslAllowInvalidCertificates")
 }
 
- if cr.TLSEnabled() {
- if cr.Spec.TLS.Mode == api.TLSModeAllow {
- args = append(args,
- "--clusterAuthMode=keyFile",
- "--keyFile="+mongodSecretsDir+"/mongodb-key",
- )
- } else {
- args = append(args, "--clusterAuthMode=x509")
- }
- } else if cr.UnsafeTLSDisabled() {
+ if (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || cr.UnsafeTLSDisabled() || cr.Spec.Secrets.InternalKey != "" {
 args = append(args,
 "--clusterAuthMode=keyFile",
 "--keyFile="+mongodSecretsDir+"/mongodb-key",
 )
+ } else if cr.TLSEnabled() {
+ args = append(args, "--clusterAuthMode=x509")
 }
 
 if cr.CompareVersion("1.16.0") >= 0 {
diff --git a/pkg/psmdb/mongos.go b/pkg/psmdb/mongos.go
index c4e3f89fbf..e91183573b 100644
--- a/pkg/psmdb/mongos.go
+++ b/pkg/psmdb/mongos.go
@@ -122,7 +122,7 @@ func mongosContainer(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgInstan
 MountPath: MongodContainerDataDir,
 },
 {
- Name: InternalKey(cr),
+ Name: cr.Spec.Secrets.GetInternalKey(cr),
 MountPath: mongodSecretsDir,
 ReadOnly: true,
 },
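Review bot: The new condition makes a non-empty `cr.Spec.Secrets.InternalKey` select `--clusterAuthMode=keyFile` ahead of the `else if cr.TLSEnabled()` x509 branch, so a user who only meant to point at a pre-existing key Secret under `tls.mode: requireTLS` silently downgrades member authentication from per-node certificates to one shared secret, with nothing logged or validated. If opting into keyFile auth is the intent (the serviceless-external-nodes test suggests so), that should be an explicit field or at least an emitted warning rather than a side effect of naming a Secret; otherwise keep `if (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || cr.UnsafeTLSDisabled() {` and let the custom name affect only the volume wiring. Independently, the path is still built from the literal `"/mongodb-key"` although this commit introduces `api.InternalKeyName` for exactly that file name; use `"--keyFile="+mongodSecretsDir+"/"+api.InternalKeyName,` so the mounted key and the one `ensureSecurityKey` writes cannot drift apart. containerArgs starts before and ends after this hunk.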
@@ -245,30 +245,25 @@ func mongosContainerArgs(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgIn "mongos", "--bind_ip_all", "--port=" + strconv.Itoa(int(msSpec.Port)), - "--sslAllowInvalidCertificates", - "--configdb", - configDB, } - if cr.CompareVersion("1.7.0") >= 0 { - args = append(args, - "--relaxPermChecks", - ) + if !cr.TLSEnabled() || *cr.Spec.TLS.AllowInvalidCertificates { + args = append(args, "--sslAllowInvalidCertificates") } + args = append(args, []string{ + "--configdb", + configDB, + "--relaxPermChecks", + }...) - if cr.TLSEnabled() { - if !*cr.Spec.TLS.AllowInvalidCertificates { - // remove --sslAllowInvalidCertificates - args = append(args[:3], args[3+1:]...) - } - - args = append(args, - "--clusterAuthMode=x509", - ) - } else if (cr.CompareVersion("1.16.0") >= 0 && cr.Spec.Unsafe.TLS) || (cr.CompareVersion("1.16.0") < 0 && cr.Spec.UnsafeConf) { + if (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || cr.UnsafeTLSDisabled() || cr.Spec.Secrets.InternalKey != "" { args = append(args, "--clusterAuthMode=keyFile", "--keyFile="+mongodSecretsDir+"/mongodb-key", ) + } else if cr.TLSEnabled() { + args = append(args, + "--clusterAuthMode=x509", + ) } if cr.CompareVersion("1.16.0") >= 0 { @@ -301,11 +296,11 @@ func volumes(cr *api.PerconaServerMongoDB, configSource VolumeSourceType) []core volumes := []corev1.Volume{ { - Name: InternalKey(cr), + Name: cr.Spec.Secrets.GetInternalKey(cr), VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ DefaultMode: &secretFileMode, - SecretName: InternalKey(cr), + SecretName: cr.Spec.Secrets.GetInternalKey(cr), Optional: &fvar, }, }, diff --git a/pkg/psmdb/statefulset.go b/pkg/psmdb/statefulset.go index 468c63238f..22ce549ebf 100644 --- a/pkg/psmdb/statefulset.go +++ b/pkg/psmdb/statefulset.go 
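Review bot: The cluster-auth selection in `mongosContainerArgs` is now a verbatim copy of the one in `containerArgs`, and with the added `cr.Spec.Secrets.InternalKey != ""` clause there are three inputs that must stay in sync across both functions; if they ever disagree, mongos and the config servers advertise different `--clusterAuthMode` values and the sharded cluster would very likely fail to authenticate internally. A single predicate on the CR, e.g. `func (cr *PerconaServerMongoDB) ClusterAuthKeyFile() bool` returning the combined condition, called from both places, removes that risk. The rewrite also drops the `CompareVersion("1.7.0")` gate so `--relaxPermChecks` is passed for every CR version — presumably intentional given how old 1.7.0 is, but it is a behaviour change that the commit message should mention. `*cr.Spec.TLS.AllowInvalidCertificates` is only dereferenced when `TLSEnabled()` holds, as before, so that remains safe as long as defaulting keeps the pointer set. mongosContainerArgs continues outside the hunk.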
@@ -82,11 +82,11 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap volumes := []corev1.Volume{ { - Name: InternalKey(cr), + Name: cr.Spec.Secrets.GetInternalKey(cr), VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ DefaultMode: &secretFileMode, - SecretName: InternalKey(cr), + SecretName: cr.Spec.Secrets.GetInternalKey(cr), Optional: &fvar, }, }, @@ -143,7 +143,7 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap } } - c, err := container(ctx, cr, replset, containerName, resources, InternalKey(cr), customConf.Type.IsUsable(), + c, err := container(ctx, cr, replset, containerName, resources, cr.Spec.Secrets.GetInternalKey(cr), customConf.Type.IsUsable(), livenessProbe, readinessProbe, containerSecurityContext) if err != nil { return appsv1.StatefulSetSpec{}, fmt.Errorf("failed to create container %v", err)
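Review bot: `Name: cr.Spec.Secrets.GetInternalKey(cr)` now uses a user-supplied Secret name as the Volume name, but the two have different validity rules: a Volume name must be a DNS-1123 label (at most 63 characters, no dots) while a Secret name may be a DNS-1123 subdomain of up to 253 characters with dots. The derived default `<cr>-mongodb-keyfile` satisfied both, whereas a custom `keyFile` such as `team.mongo-keyfile` or a long name makes the API server reject the whole StatefulSet and the replset never starts. Use a fixed volume name here, e.g. `Name: "mongodb-keyfile"`, keep `SecretName: cr.Spec.Secrets.GetInternalKey(cr)`, and pass that fixed name to `container(...)` in the second hunk (the mongos `volumes()`/`mongosContainer` mount in this commit need the same treatment). StatefulSpec starts before this hunk.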