From b53695db74949bf08120b496a8ef31172d451324 Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Wed, 4 Sep 2024 09:33:51 +0300 Subject: [PATCH 1/6] K8SPSMDB-1132: add `spec.secrets.keyFile` field https://perconadev.atlassian.net/browse/K8SPSMDB-1132 --- .../bases/psmdb.percona.com_perconaservermongodbs.yaml | 2 ++ deploy/bundle.yaml | 2 ++ deploy/cr.yaml | 1 + deploy/crd.yaml | 2 ++ deploy/cw-bundle.yaml | 2 ++ e2e-tests/version-service/conf/crd.yaml | 2 ++ pkg/apis/psmdb/v1/psmdb_defaults.go | 9 +++++++-- pkg/apis/psmdb/v1/psmdb_types.go | 1 + pkg/controller/perconaservermongodb/psmdb_controller.go | 8 +++----- pkg/psmdb/const.go | 5 ----- pkg/psmdb/mongos.go | 6 +++--- pkg/psmdb/statefulset.go | 6 +++--- 12 files changed, 28 insertions(+), 18 deletions(-) diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml index 09f89e40eb..42518f7807 100644 --- a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml +++ b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml @@ -8187,6 +8187,8 @@ spec: properties: encryptionKey: type: string + keyFile: + type: string ldapSecret: type: string sse: diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml index e57ad5044b..e59a8940f7 100644 --- a/deploy/bundle.yaml +++ b/deploy/bundle.yaml @@ -8860,6 +8860,8 @@ spec: properties: encryptionKey: type: string + keyFile: + type: string ldapSecret: type: string sse: diff --git a/deploy/cr.yaml b/deploy/cr.yaml index 7c6f71fcd7..96bb4b4509 100644 --- a/deploy/cr.yaml +++ b/deploy/cr.yaml @@ -49,6 +49,7 @@ spec: secrets: users: my-cluster-name-secrets encryptionKey: my-cluster-name-mongodb-encryption-key +# keyFile: my-cluster-name-mongodb-keyfile # vault: my-cluster-name-vault # ldapSecret: my-ldap-secret # sse: my-cluster-name-sse diff --git a/deploy/crd.yaml b/deploy/crd.yaml index 6c2ee036bd..2168bc0772 100644 --- a/deploy/crd.yaml +++ b/deploy/crd.yaml 
@@ -8860,6 +8860,8 @@ spec: properties: encryptionKey: type: string + keyFile: + type: string ldapSecret: type: string sse: diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml index db45f99da1..d27da3d49d 100644 --- a/deploy/cw-bundle.yaml +++ b/deploy/cw-bundle.yaml @@ -8860,6 +8860,8 @@ spec: properties: encryptionKey: type: string + keyFile: + type: string ldapSecret: type: string sse: diff --git a/e2e-tests/version-service/conf/crd.yaml b/e2e-tests/version-service/conf/crd.yaml index 6c2ee036bd..2168bc0772 100644 --- a/e2e-tests/version-service/conf/crd.yaml +++ b/e2e-tests/version-service/conf/crd.yaml @@ -8860,6 +8860,8 @@ spec: properties: encryptionKey: type: string + keyFile: + type: string ldapSecret: type: string sse: diff --git a/pkg/apis/psmdb/v1/psmdb_defaults.go b/pkg/apis/psmdb/v1/psmdb_defaults.go index 44d8c5d27d..a4777d61cb 100644 --- a/pkg/apis/psmdb/v1/psmdb_defaults.go +++ b/pkg/apis/psmdb/v1/psmdb_defaults.go @@ -6,12 +6,13 @@ import ( "time" "github.com/go-logr/logr" - "github.com/percona/percona-backup-mongodb/pbm/compress" "github.com/pkg/errors" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + "github.com/percona/percona-backup-mongodb/pbm/compress" + "github.com/percona/percona-server-mongodb-operator/pkg/mcs" "github.com/percona/percona-server-mongodb-operator/pkg/util/numstr" "github.com/percona/percona-server-mongodb-operator/version" @@ -25,6 +26,7 @@ const MultiClusterDefaultDNSSuffix = "svc.clusterset.local" const ( MongodRESTencryptDir = "/etc/mongodb-encryption" + InternalKeyName = "mongodb-key" EncryptionKeyName = "encryption-key" ) 
@@ -72,6 +74,10 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log cr.Spec.Secrets.Users = defaultUsersSecretName } + if cr.Spec.Secrets.InternalKey == "" { + cr.Spec.Secrets.InternalKey = cr.Name + "-mongodb-keyfile" + } + if cr.Spec.Secrets.EncryptionKey == "" { cr.Spec.Secrets.EncryptionKey = cr.Name + "-mongodb-encryption-key" } @@ -889,7 +895,6 @@ const AffinityOff = "none" // - if topology key set to valuse of `AffinityOff` - disable the affinity at all // - if `Advanced` affinity is set - leave everything as it is and set topology key to nil (Advanced options has a higher priority) func (m *MultiAZ) reconcileAffinityOpts(cr *PerconaServerMongoDB) { - if cr.CompareVersion("1.16.0") < 0 { affinityValidTopologyKeys = map[string]struct{}{ AffinityOff: {}, diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go index debbf2b795..a4545d4f29 100644 --- a/pkg/apis/psmdb/v1/psmdb_types.go +++ b/pkg/apis/psmdb/v1/psmdb_types.go @@ -685,6 +685,7 @@ type SecretsSpec struct { Users string `json:"users,omitempty"` SSL string `json:"ssl,omitempty"` SSLInternal string `json:"sslInternal,omitempty"` + InternalKey string `json:"keyFile,omitempty"` EncryptionKey string `json:"encryptionKey,omitempty"` Vault string `json:"vault,omitempty"` SSE string `json:"sse,omitempty"` diff --git a/pkg/controller/perconaservermongodb/psmdb_controller.go b/pkg/controller/perconaservermongodb/psmdb_controller.go index e9f157cd50..90bce59d71 100644 --- a/pkg/controller/perconaservermongodb/psmdb_controller.go +++ b/pkg/controller/perconaservermongodb/psmdb_controller.go 
@@ -395,15 +395,13 @@ func (r *ReconcilePerconaServerMongoDB) Reconcile(ctx context.Context, request r return reconcile.Result{}, err } - internalKey := psmdb.InternalKey(cr) - ikCreated, err := r.ensureSecurityKey(ctx, cr, internalKey, "mongodb-key", 768, true) + ikCreated, err := r.ensureSecurityKey(ctx, cr, cr.Spec.Secrets.InternalKey, api.InternalKeyName, 768, true) if err != nil { - err = errors.Wrapf(err, "ensure mongo Key %s", internalKey) + err = errors.Wrapf(err, "ensure mongo Key %s", cr.Spec.Secrets.InternalKey) return reconcile.Result{}, err } - if ikCreated { - log.Info("Created a new mongo key", "KeyName", internalKey) + log.Info("Created a new mongo key", "KeyName", cr.Spec.Secrets.InternalKey) } created, err := r.ensureSecurityKey(ctx, cr, cr.Spec.Secrets.EncryptionKey, api.EncryptionKeyName, 32, false) diff --git a/pkg/psmdb/const.go b/pkg/psmdb/const.go index ba9beb3f68..0c08ba8d18 100644 --- a/pkg/psmdb/const.go +++ b/pkg/psmdb/const.go @@ -5,7 +5,6 @@ import ( "encoding/json" "fmt" - api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1" "github.com/pkg/errors" corev1 "k8s.io/api/core/v1" "sigs.k8s.io/controller-runtime/pkg/client" @@ -38,10 +37,6 @@ const ( mongosPortName = "mongos" ) -func InternalKey(cr *api.PerconaServerMongoDB) string { - return cr.Name + "-mongodb-keyfile" -} - type CustomConfig struct { Type VolumeSourceType HashHex string diff --git a/pkg/psmdb/mongos.go b/pkg/psmdb/mongos.go index 246b647538..e9e57bf539 100644 --- a/pkg/psmdb/mongos.go +++ b/pkg/psmdb/mongos.go @@ -122,7 +122,7 @@ func mongosContainer(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgInstan MountPath: MongodContainerDataDir, }, { - Name: InternalKey(cr), + Name: cr.Spec.Secrets.InternalKey, MountPath: mongodSecretsDir, ReadOnly: true, }, 
@@ -301,11 +301,11 @@ func volumes(cr *api.PerconaServerMongoDB, configSource VolumeSourceType) []core volumes := []corev1.Volume{ { - Name: InternalKey(cr), + Name: cr.Spec.Secrets.InternalKey, VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ DefaultMode: &secretFileMode, - SecretName: InternalKey(cr), + SecretName: cr.Spec.Secrets.InternalKey, Optional: &fvar, }, }, diff --git a/pkg/psmdb/statefulset.go b/pkg/psmdb/statefulset.go index 468c63238f..8dd9568bec 100644 --- a/pkg/psmdb/statefulset.go +++ b/pkg/psmdb/statefulset.go @@ -82,11 +82,11 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap volumes := []corev1.Volume{ { - Name: InternalKey(cr), + Name: cr.Spec.Secrets.InternalKey, VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ DefaultMode: &secretFileMode, - SecretName: InternalKey(cr), + SecretName: cr.Spec.Secrets.InternalKey, Optional: &fvar, }, }, @@ -143,7 +143,7 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap } } - c, err := container(ctx, cr, replset, containerName, resources, InternalKey(cr), customConf.Type.IsUsable(), + c, err := container(ctx, cr, replset, containerName, resources, cr.Spec.Secrets.InternalKey, customConf.Type.IsUsable(), livenessProbe, readinessProbe, containerSecurityContext) if err != nil { return appsv1.StatefulSetSpec{}, fmt.Errorf("failed to create container %v", err) From 24a97ea1334ff454d1abd98a6fbc06d955e37ad8 Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Mon, 9 Sep 2024 08:49:56 +0300 Subject: [PATCH 2/6] add test --- .../serviceless-external-nodes/conf/external.yml | 9 +++++---- e2e-tests/serviceless-external-nodes/conf/main.yml | 9 +++++---- .../serviceless-external-nodes/conf/secrets.yml | 10 +++++----- e2e-tests/serviceless-external-nodes/run | 12 ++++++++++++ 4 files changed, 27 insertions(+), 13 deletions(-) 
diff --git a/e2e-tests/serviceless-external-nodes/conf/external.yml b/e2e-tests/serviceless-external-nodes/conf/external.yml index d010398c6f..6958854392 100644 --- a/e2e-tests/serviceless-external-nodes/conf/external.yml +++ b/e2e-tests/serviceless-external-nodes/conf/external.yml @@ -11,10 +11,11 @@ spec: image: percona/percona-server-mongodb:6.0.4-3 imagePullPolicy: Always secrets: - users: mydb-users - ssl: mydb-ssl - sslInternal: mydb-ssl-internal - encryptionKey: mydb-encryption-key + users: mydb-custom-users + ssl: mydb-custom-ssl + sslInternal: mydb-custom-ssl-internal + encryptionKey: mydb-custom-encryption-key + keyFile: mydb-custom-mongodb-keyfile replsets: - name: rs0 diff --git a/e2e-tests/serviceless-external-nodes/conf/main.yml b/e2e-tests/serviceless-external-nodes/conf/main.yml index 6b07bdc59e..6c2275c4b0 100644 --- a/e2e-tests/serviceless-external-nodes/conf/main.yml +++ b/e2e-tests/serviceless-external-nodes/conf/main.yml @@ -10,10 +10,11 @@ spec: image: percona/percona-server-mongodb:6.0.4-3 imagePullPolicy: Always secrets: - users: mydb-users - ssl: mydb-ssl - sslInternal: mydb-ssl-internal - encryptionKey: mydb-encryption-key + users: mydb-custom-users + ssl: mydb-custom-ssl + sslInternal: mydb-custom-ssl-internal + encryptionKey: mydb-custom-encryption-key + keyFile: mydb-custom-mongodb-keyfile replsets: - name: rs0 diff --git a/e2e-tests/serviceless-external-nodes/conf/secrets.yml b/e2e-tests/serviceless-external-nodes/conf/secrets.yml index 74417678f3..a77015b418 100644 --- a/e2e-tests/serviceless-external-nodes/conf/secrets.yml +++ b/e2e-tests/serviceless-external-nodes/conf/secrets.yml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Secret metadata: - name: mydb-users + name: mydb-custom-users type: Opaque stringData: MONGODB_BACKUP_USER: backup 
@@ -23,7 +23,7 @@ data: encryption-key: WnFlNS9NaXRoUWdFMEp3cTlteXJGR2kvT1p4akdnWWNMcmNidFlUUzVIMD0= kind: Secret metadata: - name: mydb-encryption-key + name: mydb-custom-encryption-key --- apiVersion: v1 data: @@ -32,7 +32,7 @@ data: tls.key: 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 kind: Secret metadata: - name: mydb-ssl + name: mydb-custom-ssl type: kubernetes.io/tls --- apiVersion: v1 @@ -42,7 +42,7 @@ data: tls.key: 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 kind: Secret metadata: - name: mydb-ssl-internal + name: mydb-custom-ssl-internal type: kubernetes.io/tls --- apiVersion: v1 
@@ -50,5 +50,5 @@ data: mongodb-key: bm5ydmNaYVJobW9IV0Nob3I1RWE5d1RxamMvWDhwRkJ5MW5BNVBsRklkQmI4NnN2M0czRFNOeVcwNm5McTZBcEFkeFhHUW9uRnEzWjNIVHNQSUNLaGE3aVVuYUZ1Y1ozK2pJSEY2aVErRTJqUUMzenI0aDg0eGtnWnlNMEVleFBVbGF3UndwbkZNbnl5MktyY25NaHpzQ2d4Q21VS3h1Mko1cktucFJNL3Npdm1INXhIQkFJUkRRaUY3UVFlYXYyQnEwcGhqeit5Z2kxYjlwVnk1M3VQbkUxK3h3d2JPdU9NaVBIZGl2aFZOZTFMK0lRMnY5amlpd09PUWtXRW1WWm13UGlScFFVUml2QXRPVWpocVk3ZDFoT085SHVtUFU1dFlxQXFvaHZnUFUxL0tpSC9uSjRJL2x5dFFJVm5BdmVHcmdib254a2d3V0o3QnEybWVUZHZuMFpOUWx4b0poaStTTThmTWtpREo5bXRKYWZ0QkVuMDBGYlpkR3pNb3RoSjZLZFlhRGFlaTZ0TlIrZEh1Z0xsaTZwRVdEOVRNNy84YVVGdkdEZ1ovbHVBb09rZDJUVWhKSklMWEpYdlpoajFnOEhMK0VNUnZaVDFMSmZVc2czdkphb0xEczVLM1V0YU9RejYvOTZGRXhOQUJnSU1LWEhPWEhaeC9tYlhtYzZJd2R0RjZ1Q1I0L2loTVJEY1BBZmtXb2ZwWi9ucDBNTnZpU2VPWktldHFmbEdXYVpRMExoYlRJRGJXZE00VlRnMHgzYWJQNlozdHJyejhva1FubEw1VUg1cVZBREQ5UXBtTTVqMkZuc3FuRFJ3V2xBNk9YWXhXQytVTjhmZGlyM0tvZDVYNWEvSFY4a1Yyd1B1NG9YTWR3Q2lKTklCUisvWEQycUdQREJMeVZsVXorMjdURTg2M3J5ZCtlSGFTQVl0RUJhaWZxdDc1YWh2aHJPTkVjRGRIQitDMkNaa29Pd002VXVNUGl3NU0yQm9QMW1HTTdML3cyc2VFTjZFaGFWYjVWL3FEbTlZZiszQUpOR0VtZlNWN1hUVDMyVWdFYzg0bjFTMkRULzhxRWNGNGN2dFFrWGFBNWZLTWZNUWR6ZWtNdDV6RFR5RlVCV1MralFnZEx0NHBIOXZMNFA0UGxsS1dkZ2t2TVRCNFpMejZJcjZxbE5uVGJWNXRoNkkvbGZTNzRpVTlFdGl0Ri9BN2xpWHMrTkoyTnphZUtTUVFmK0VwWlNKbU1rSWtyQUNEdnFUcWZRQ0tmNEphc3BucnQ2cEUrU1phMXo4c29DTmd0d0dUVklpdzFwdG1oWmtybFQ5bDVVb1ZzenNBQmxWYWJXQmh3SUU1ZFVnNFB0STcrVg== kind: Secret metadata: - name: mydb-mongodb-keyfile + name: mydb-custom-mongodb-keyfile type: Opaque diff --git a/e2e-tests/serviceless-external-nodes/run b/e2e-tests/serviceless-external-nodes/run index a207ee4c25..96d0668e94 100755 --- a/e2e-tests/serviceless-external-nodes/run +++ b/e2e-tests/serviceless-external-nodes/run 
@@ -21,6 +21,12 @@ kubectl_bin apply \ apply_cluster "$test_dir/conf/main.yml" wait_for_running "$cluster-rs0" 1 +secrets_count=$(kubectl_bin get secret -o yaml | yq '.items | length') +if [[ $secrets_count != 6 ]]; then + echo "It's expected to have 6 secrets. Currently have $secrets_count" + exit 1 +fi + desc "Start External Cluster in unmanaged mode" kubectl_bin config set-context $(kubectl_bin config current-context) --namespace="$replica_namespace" create_namespace $replica_namespace 0 @@ -34,6 +40,12 @@ apply_cluster "$test_dir/conf/external.yml" wait_pod ${cluster}-rs0-0 wait_pod ${cluster}-rs0-1 +secrets_count=$(kubectl_bin get secret -o yaml | yq '.items | length') +if [[ $secrets_count != 6 ]]; then + echo "It's expected to have 6 secrets. Currently have $secrets_count" + exit 1 +fi + kubectl_bin config set-context $(kubectl_bin config current-context) --namespace="$namespace" kubectl_bin get psmdb $cluster -o yaml >$tmp_dir/psmdb.yaml From 0e53564b15b5990879a10c82ec14a0f5e0beffa2 Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Thu, 19 Sep 2024 14:31:44 +0300 Subject: [PATCH 3/6] use keyfile auth when secret is specified --- .../compare/statefulset_mydb-rs0.yml | 219 ++++++++++++++++++ .../serviceless-external-nodes/conf/main.yml | 2 + e2e-tests/serviceless-external-nodes/run | 1 + pkg/psmdb/container.go | 13 +- 4 files changed, 225 insertions(+), 10 deletions(-) create mode 100644 e2e-tests/serviceless-external-nodes/compare/statefulset_mydb-rs0.yml diff --git a/e2e-tests/serviceless-external-nodes/compare/statefulset_mydb-rs0.yml b/e2e-tests/serviceless-external-nodes/compare/statefulset_mydb-rs0.yml new file mode 100644 index 0000000000..f47d56cf95 --- /dev/null +++ b/e2e-tests/serviceless-external-nodes/compare/statefulset_mydb-rs0.yml 
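Review bot: The six-line secret-count guard is pasted twice in `run` (after `wait_for_running` and again after the second `wait_pod`), so the expected count and the message will drift the next time one copy is edited; a small helper keeps them in one place. `[[ $secrets_count != 6 ]]` is a string comparison — `-ne` states the numeric intent, and the failure text belongs on stderr. The guard also counts every Secret in the namespace rather than the ones the test created, so any unrelated Secret present in the namespace fails the test; whether to filter by name is a judgement call for the test's authors, but it is worth a comment either way.
```shell
check_secrets_count() {
	local expected=$1
	local count
	count=$(kubectl_bin get secret -o yaml | yq '.items | length')
	if [[ $count -ne $expected ]]; then
		echo "It's expected to have $expected secrets. Currently have $count" >&2
		exit 1
	fi
}
# … unchanged: apply_cluster / wait_for_running …
check_secrets_count 6
```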
@@ -0,0 +1,219 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + generation: 1 + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: mydb + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + name: mydb-rs0 + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: mydb +spec: + podManagementPolicy: OrderedReady + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: mydb + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + serviceName: mydb-rs0 + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: mydb + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + spec: + containers: + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=rs0 + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=keyFile + - --keyFile=/etc/mongodb-secrets/mongodb-key + - --tlsMode=requireTLS + - --enableEncryption + - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerCacheSizeGB=0.25 + - --wiredTigerIndexPrefixCompression=true + - --config=/etc/mongodb-config/mongod.conf + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: mydb + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: rs0 + envFrom: + - secretRef: + name: internal-mydb-users + optional: false + imagePullPolicy: Always 
+ livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + failureThreshold: 8 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: + limits: + cpu: 300m + memory: 500M + requests: + cpu: 300m + memory: 500M + securityContext: + runAsNonRoot: true + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: mydb-custom-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /etc/mongodb-config + name: config + - mountPath: /opt/percona + name: bin + - mountPath: /etc/mongodb-encryption + name: mydb-custom-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: + limits: + cpu: 300m + memory: 500M + requests: + cpu: 300m + memory: 500M + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + fsGroup: 1001 + serviceAccount: default + serviceAccountName: default + 
terminationGracePeriodSeconds: 60 + volumes: + - name: mydb-custom-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: mydb-custom-mongodb-keyfile + - emptyDir: {} + name: bin + - configMap: + defaultMode: 420 + name: mydb-rs0-mongod + optional: true + name: config + - name: mydb-custom-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: mydb-custom-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: false + secretName: mydb-custom-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: mydb-custom-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-mydb-users + updateStrategy: + rollingUpdate: + partition: 0 + type: RollingUpdate + volumeClaimTemplates: + - metadata: + name: mongod-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 3Gi + status: + phase: Pending diff --git a/e2e-tests/serviceless-external-nodes/conf/main.yml b/e2e-tests/serviceless-external-nodes/conf/main.yml index 6c2275c4b0..f354bf3c13 100644 --- a/e2e-tests/serviceless-external-nodes/conf/main.yml +++ b/e2e-tests/serviceless-external-nodes/conf/main.yml @@ -7,6 +7,8 @@ spec: replsetSize: true mongosSize: true clusterServiceDNSMode: "Internal" + tls: + mode: requireTLS image: percona/percona-server-mongodb:6.0.4-3 imagePullPolicy: Always secrets: diff --git a/e2e-tests/serviceless-external-nodes/run b/e2e-tests/serviceless-external-nodes/run index 96d0668e94..2d87c765bf 100755 --- a/e2e-tests/serviceless-external-nodes/run +++ b/e2e-tests/serviceless-external-nodes/run @@ -20,6 +20,7 @@ kubectl_bin apply \ apply_cluster "$test_dir/conf/main.yml" wait_for_running "$cluster-rs0" 1 +compare_kubectl statefulset/mydb-rs0 secrets_count=$(kubectl_bin get secret -o yaml | yq '.items | length') if [[ $secrets_count != 6 ]]; then diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go index 88828822ec..1f80349b1b 100644 
--- a/pkg/psmdb/container.go +++ b/pkg/psmdb/container.go @@ -192,20 +192,13 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a args = append(args, "--sslAllowInvalidCertificates") } - if cr.TLSEnabled() { - if cr.Spec.TLS.Mode == api.TLSModeAllow { - args = append(args, - "--clusterAuthMode=keyFile", - "--keyFile="+mongodSecretsDir+"/mongodb-key", - ) - } else { - args = append(args, "--clusterAuthMode=x509") - } - } else if cr.UnsafeTLSDisabled() { + if (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || cr.UnsafeTLSDisabled() || cr.Spec.Secrets.InternalKey != "" { args = append(args, "--clusterAuthMode=keyFile", "--keyFile="+mongodSecretsDir+"/mongodb-key", ) + } else if cr.TLSEnabled() { + args = append(args, "--clusterAuthMode=x509") } if cr.CompareVersion("1.16.0") >= 0 { From 226b74f47315e916a96fabac427c60aa154844b4 Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Mon, 23 Sep 2024 10:58:51 +0300 Subject: [PATCH 4/6] fix --- pkg/apis/psmdb/v1/psmdb_defaults.go | 4 ---- pkg/apis/psmdb/v1/psmdb_types.go | 18 ++++++++++++++---- .../perconaservermongodb/psmdb_controller.go | 6 +++--- pkg/psmdb/mongos.go | 6 +++--- pkg/psmdb/statefulset.go | 6 +++--- 5 files changed, 23 insertions(+), 17 deletions(-) diff --git a/pkg/apis/psmdb/v1/psmdb_defaults.go b/pkg/apis/psmdb/v1/psmdb_defaults.go index ce37a70f48..c55379b28b 100644 --- a/pkg/apis/psmdb/v1/psmdb_defaults.go +++ b/pkg/apis/psmdb/v1/psmdb_defaults.go @@ -75,10 +75,6 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log cr.Spec.Secrets.Users = defaultUsersSecretName } - if cr.Spec.Secrets.InternalKey == "" { - cr.Spec.Secrets.InternalKey = cr.Name + "-mongodb-keyfile" - } - if cr.Spec.Secrets.EncryptionKey == "" { cr.Spec.Secrets.EncryptionKey = cr.Name + "-mongodb-encryption-key" } diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go index 44b46aa043..c256bb5c3a 100644 --- a/pkg/apis/psmdb/v1/psmdb_types.go 
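Review bot: In the new condition, `cr.Spec.Secrets.InternalKey != ""` moves mongod from `--clusterAuthMode=x509` to `--clusterAuthMode=keyFile` whenever a keyFile Secret name is given, even with `tls.mode: requireTLS`; since the operator appears to create and mount that Secret regardless of the field (`ensureSecurityKey` in psmdb_controller.go and the `volumes` list in statefulset.go run unconditionally), a user who sets `keyFile:` only to rename the Secret silently changes intra-cluster authentication from certificate-based to shared-secret auth. If that coupling is intended it should be stated on the `SecretsSpec.InternalKey` field and beside the commented `keyFile:` example in deploy/cr.yaml, e.g. `// Setting keyFile switches cluster authentication from x509 to keyFile.`; otherwise a separate explicit switch would keep naming and auth mode apart. The path is still built from the literal `"/mongodb-key"` although patch 1 added `api.InternalKeyName` for exactly this value — `"--keyFile="+mongodSecretsDir+"/"+api.InternalKeyName` keeps the mounted key name and the flag in sync. The same predicate and literal are repeated in `mongosContainerArgs` (patch 5); a single helper on the CR used by both would keep them in step. containerArgs starts and ends outside the hunk.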
+++ b/pkg/apis/psmdb/v1/psmdb_types.go @@ -686,16 +686,26 @@ type PVCSpec struct { } type SecretsSpec struct { - Users string `json:"users,omitempty"` - SSL string `json:"ssl,omitempty"` - SSLInternal string `json:"sslInternal,omitempty"` - InternalKey string `json:"keyFile,omitempty"` + Users string `json:"users,omitempty"` + SSL string `json:"ssl,omitempty"` + SSLInternal string `json:"sslInternal,omitempty"` + + // Use (*SecretsSpec) GetInternalKey() to get InternalKey + InternalKey string `json:"keyFile,omitempty"` + EncryptionKey string `json:"encryptionKey,omitempty"` Vault string `json:"vault,omitempty"` SSE string `json:"sse,omitempty"` LDAPSecret string `json:"ldapSecret,omitempty"` } +func (s *SecretsSpec) GetInternalKey(cr *PerconaServerMongoDB) string { + if s == nil || s.InternalKey == "" { + return cr.Name + "-mongodb-keyfile" + } + return s.InternalKey +} + func SSLSecretName(cr *PerconaServerMongoDB) string { return cr.Spec.Secrets.SSL } diff --git a/pkg/controller/perconaservermongodb/psmdb_controller.go b/pkg/controller/perconaservermongodb/psmdb_controller.go index 90bce59d71..bbb90d766a 100644 --- a/pkg/controller/perconaservermongodb/psmdb_controller.go +++ b/pkg/controller/perconaservermongodb/psmdb_controller.go 
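Review bot: With the default moved into `GetInternalKey`, `InternalKey` becomes the one secret name that `CheckNSetDefaults` no longer materialises (the `Users` and `EncryptionKey` defaults around the removed lines in psmdb_defaults.go stay), so the persisted CR keeps an empty field and every consumer must remember to go through the getter; the field comment should say why — presumably that an empty value is what lets `containerArgs` tell "user named the Secret" apart from the default. A comment such as `// InternalKey is the name of the Secret holding the mongodb keyfile. Left empty, the operator uses <cluster>-mongodb-keyfile; read it through GetInternalKey.` would carry that, and the `Get` prefix is unidiomatic Go — a free function mirroring the neighbouring `SSLSecretName(cr)` would be consistent (note `InternalKeyName` is already taken by the constant in this package). The `s == nil` guard looks unreachable from the call sites in this series, which all go through `cr.Spec.Secrets`; if `Secrets` is a value field (its declaration is outside the diff) the guard can go.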
@@ -395,13 +395,13 @@ func (r *ReconcilePerconaServerMongoDB) Reconcile(ctx context.Context, request r return reconcile.Result{}, err } - ikCreated, err := r.ensureSecurityKey(ctx, cr, cr.Spec.Secrets.InternalKey, api.InternalKeyName, 768, true) + ikCreated, err := r.ensureSecurityKey(ctx, cr, cr.Spec.Secrets.GetInternalKey(cr), api.InternalKeyName, 768, true) if err != nil { - err = errors.Wrapf(err, "ensure mongo Key %s", cr.Spec.Secrets.InternalKey) + err = errors.Wrapf(err, "ensure mongo Key %s", cr.Spec.Secrets.GetInternalKey(cr)) return reconcile.Result{}, err } if ikCreated { - log.Info("Created a new mongo key", "KeyName", cr.Spec.Secrets.InternalKey) + log.Info("Created a new mongo key", "KeyName", cr.Spec.Secrets.GetInternalKey(cr)) } created, err := r.ensureSecurityKey(ctx, cr, cr.Spec.Secrets.EncryptionKey, api.EncryptionKeyName, 32, false) diff --git a/pkg/psmdb/mongos.go b/pkg/psmdb/mongos.go index 80ae4e6074..ecf52f9171 100644 --- a/pkg/psmdb/mongos.go +++ b/pkg/psmdb/mongos.go @@ -122,7 +122,7 @@ func mongosContainer(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgInstan MountPath: MongodContainerDataDir, }, { - Name: cr.Spec.Secrets.InternalKey, + Name: cr.Spec.Secrets.GetInternalKey(cr), MountPath: mongodSecretsDir, ReadOnly: true, }, @@ -301,11 +301,11 @@ func volumes(cr *api.PerconaServerMongoDB, configSource VolumeSourceType) []core volumes := []corev1.Volume{ { - Name: cr.Spec.Secrets.InternalKey, + Name: cr.Spec.Secrets.GetInternalKey(cr), VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ DefaultMode: &secretFileMode, - SecretName: cr.Spec.Secrets.InternalKey, + SecretName: cr.Spec.Secrets.GetInternalKey(cr), Optional: &fvar, }, }, diff --git a/pkg/psmdb/statefulset.go b/pkg/psmdb/statefulset.go index 8dd9568bec..22ce549ebf 100644 --- a/pkg/psmdb/statefulset.go +++ b/pkg/psmdb/statefulset.go 
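Review bot: `cr.Spec.Secrets.GetInternalKey(cr)` is now evaluated three times in a row in `Reconcile` (the `ensureSecurityKey` call, the `errors.Wrapf` and the `log.Info`), where patch 1 had removed the `internalKey` local that held the value; restoring `internalKey := cr.Spec.Secrets.GetInternalKey(cr)` before the call and using it in the other two lines keeps the three in sync and reads as the code did before. The paired `Name`/`SecretName` fields in the `volumes` hunks of mongos.go and statefulset.go would benefit from the same local. Reconcile continues outside the hunk.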
@@ -82,11 +82,11 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap volumes := []corev1.Volume{ { - Name: cr.Spec.Secrets.InternalKey, + Name: cr.Spec.Secrets.GetInternalKey(cr), VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ DefaultMode: &secretFileMode, - SecretName: cr.Spec.Secrets.InternalKey, + SecretName: cr.Spec.Secrets.GetInternalKey(cr), Optional: &fvar, }, }, @@ -143,7 +143,7 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap } } - c, err := container(ctx, cr, replset, containerName, resources, cr.Spec.Secrets.InternalKey, customConf.Type.IsUsable(), + c, err := container(ctx, cr, replset, containerName, resources, cr.Spec.Secrets.GetInternalKey(cr), customConf.Type.IsUsable(), livenessProbe, readinessProbe, containerSecurityContext) if err != nil { return appsv1.StatefulSetSpec{}, fmt.Errorf("failed to create container %v", err) From cf4e799cc5ab17ceade48eeda9145db0effc5b09 Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Thu, 26 Sep 2024 21:56:50 +0300 Subject: [PATCH 5/6] fix mongos --- pkg/psmdb/mongos.go | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/pkg/psmdb/mongos.go b/pkg/psmdb/mongos.go index ecf52f9171..e91183573b 100644 --- a/pkg/psmdb/mongos.go +++ b/pkg/psmdb/mongos.go 
@@ -245,30 +245,25 @@ func mongosContainerArgs(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgIn "mongos", "--bind_ip_all", "--port=" + strconv.Itoa(int(msSpec.Port)), - "--sslAllowInvalidCertificates", - "--configdb", - configDB, } - if cr.CompareVersion("1.7.0") >= 0 { - args = append(args, - "--relaxPermChecks", - ) + if !cr.TLSEnabled() || *cr.Spec.TLS.AllowInvalidCertificates { + args = append(args, "--sslAllowInvalidCertificates") } + args = append(args, []string{ + "--configdb", + configDB, + "--relaxPermChecks", + }...) - if cr.TLSEnabled() { - if !*cr.Spec.TLS.AllowInvalidCertificates { - // remove --sslAllowInvalidCertificates - args = append(args[:3], args[3+1:]...) - } - - args = append(args, - "--clusterAuthMode=x509", - ) - } else if (cr.CompareVersion("1.16.0") >= 0 && cr.Spec.Unsafe.TLS) || (cr.CompareVersion("1.16.0") < 0 && cr.Spec.UnsafeConf) { + if (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || cr.UnsafeTLSDisabled() || cr.Spec.Secrets.InternalKey != "" { args = append(args, "--clusterAuthMode=keyFile", "--keyFile="+mongodSecretsDir+"/mongodb-key", ) + } else if cr.TLSEnabled() { + args = append(args, + "--clusterAuthMode=x509", + ) } if cr.CompareVersion("1.16.0") >= 0 { From 7728af520613aff326757f0d5b8ca612fe7ac976 Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Wed, 2 Oct 2024 16:34:54 +0300 Subject: [PATCH 6/6] fix test --- .../serviceless-external-nodes/compare/statefulset_mydb-rs0.yml | 2 +- e2e-tests/serviceless-external-nodes/conf/external.yml | 2 ++ e2e-tests/serviceless-external-nodes/conf/main.yml | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/e2e-tests/serviceless-external-nodes/compare/statefulset_mydb-rs0.yml b/e2e-tests/serviceless-external-nodes/compare/statefulset_mydb-rs0.yml index f47d56cf95..6399c342ba 100644 --- a/e2e-tests/serviceless-external-nodes/compare/statefulset_mydb-rs0.yml +++ b/e2e-tests/serviceless-external-nodes/compare/statefulset_mydb-rs0.yml 
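Review bot: `--relaxPermChecks` is now appended unconditionally, dropping the `cr.CompareVersion("1.7.0") >= 0` gate on the removed lines; if CRs below 1.7.0 are still accepted this is a behaviour change beyond the commit's "fix mongos" scope, and if they are not, a one-line comment saying the gate is obsolete spares the next reader the same question. The cluster-auth branch repeats the predicate and the `"/mongodb-key"` literal from `containerArgs` in container.go (patch 3); a single helper on the CR used by both, with the path built from `api.InternalKeyName`, avoids the two drifting apart. `*cr.Spec.TLS.AllowInvalidCertificates` is dereferenced only when `cr.TLSEnabled()` is true thanks to the `||` short-circuit, which matches the removed code's assumption that the pointer is set whenever TLS is enabled, but the guard is now implicit and deserves a comment such as `// AllowInvalidCertificates is only dereferenced when TLS is enabled`. mongosContainerArgs continues outside the hunk.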
@@ -51,7 +51,7 @@ spec: - --sslAllowInvalidCertificates - --clusterAuthMode=keyFile - --keyFile=/etc/mongodb-secrets/mongodb-key - - --tlsMode=requireTLS + - --tlsMode=allowTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/serviceless-external-nodes/conf/external.yml b/e2e-tests/serviceless-external-nodes/conf/external.yml index 74ca3b0473..96f7840e55 100644 --- a/e2e-tests/serviceless-external-nodes/conf/external.yml +++ b/e2e-tests/serviceless-external-nodes/conf/external.yml @@ -3,6 +3,8 @@ kind: PerconaServerMongoDB metadata: name: mydb spec: + tls: + mode: allowTLS unmanaged: true unsafeFlags: replsetSize: true diff --git a/e2e-tests/serviceless-external-nodes/conf/main.yml b/e2e-tests/serviceless-external-nodes/conf/main.yml index 171d366365..4a9b7e3942 100644 --- a/e2e-tests/serviceless-external-nodes/conf/main.yml +++ b/e2e-tests/serviceless-external-nodes/conf/main.yml @@ -8,7 +8,7 @@ spec: mongosSize: true clusterServiceDNSMode: "Internal" tls: - mode: requireTLS + mode: allowTLS image: percona/percona-server-mongodb:6.0.4-3 imagePullPolicy: Always secrets: