From 66935c47583539f9409a07631b8ffd45e766131a Mon Sep 17 00:00:00 2001 From: Mikalai Radchuk <509198+m1kola@users.noreply.github.com> Date: Thu, 28 Aug 2025 09:54:56 +0200 Subject: [PATCH] Remove cert hash annotations --- controllers/om/deployment/testing_utils.go | 2 +- controllers/om/process/om_process.go | 11 +--- controllers/om/replicaset/om_replicaset.go | 8 +-- controllers/operator/certs/certificates.go | 1 - .../construct/database_construction.go | 13 ----- .../multicluster/multicluster_replicaset.go | 8 +-- .../mongodbmultireplicaset_controller.go | 55 +++++++++---------- .../operator/mongodbreplicaset_controller.go | 40 ++++++++------ .../mongodbreplicaset_controller_test.go | 8 +-- pkg/util/constants.go | 4 -- 10 files changed, 65 insertions(+), 85 deletions(-) diff --git a/controllers/om/deployment/testing_utils.go b/controllers/om/deployment/testing_utils.go index 922d25024..d62a1aca2 100644 --- a/controllers/om/deployment/testing_utils.go +++ b/controllers/om/deployment/testing_utils.go @@ -32,7 +32,7 @@ func CreateFromReplicaSet(mongoDBImage string, forceEnterprise bool, rs *mdb.Mon } d.MergeReplicaSet( - replicaset.BuildFromStatefulSet(mongoDBImage, forceEnterprise, sts, rs.GetSpec(), rs.Status.FeatureCompatibilityVersion), + replicaset.BuildFromStatefulSet(mongoDBImage, forceEnterprise, sts, rs.GetSpec(), rs.Status.FeatureCompatibilityVersion, ""), rs.Spec.AdditionalMongodConfig.ToMap(), lastConfig.ToMap(), zap.S(), diff --git a/controllers/om/process/om_process.go b/controllers/om/process/om_process.go index da02f70cf..20dc293ec 100644 --- a/controllers/om/process/om_process.go +++ b/controllers/om/process/om_process.go 
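Review bot: `CreateFromReplicaSet` now hard-codes `""` as the tlsCertPath argument of `BuildFromStatefulSet`, so every deployment built through this helper carries processes with no certificate path even when `rs` has TLS enabled. If this helper backs controller tests, the path plumbing introduced by this commit is never exercised through it; threading a `tlsCertPath string` parameter through `CreateFromReplicaSet` (existing callers passing `""` keep today's behaviour) would let a TLS test pin the expected path. The enclosing function starts before the hunk.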
@@ -8,22 +8,15 @@ import ( mdbv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdb" mdbmultiv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdbmulti" "github.com/mongodb/mongodb-kubernetes/controllers/om" - "github.com/mongodb/mongodb-kubernetes/controllers/operator/certs" "github.com/mongodb/mongodb-kubernetes/pkg/dns" - "github.com/mongodb/mongodb-kubernetes/pkg/util" ) -func CreateMongodProcessesWithLimit(mongoDBImage string, forceEnterprise bool, set appsv1.StatefulSet, dbSpec mdbv1.DbSpec, limit int, fcv string) []om.Process { +func CreateMongodProcessesWithLimit(mongoDBImage string, forceEnterprise bool, set appsv1.StatefulSet, dbSpec mdbv1.DbSpec, limit int, fcv string, tlsCertPath string) []om.Process { hostnames, names := dns.GetDnsForStatefulSetReplicasSpecified(set, dbSpec.GetClusterDomain(), limit, dbSpec.GetExternalDomain()) processes := make([]om.Process, len(hostnames)) - certificateFileName := "" - if certificateHash, ok := set.Annotations[certs.CertHashAnnotationKey]; ok { - certificateFileName = fmt.Sprintf("%s/%s", util.TLSCertMountPath, certificateHash) - } - for idx, hostname := range hostnames { - processes[idx] = om.NewMongodProcess(names[idx], hostname, mongoDBImage, forceEnterprise, dbSpec.GetAdditionalMongodConfig(), dbSpec, certificateFileName, set.Annotations, fcv) + processes[idx] = om.NewMongodProcess(names[idx], hostname, mongoDBImage, forceEnterprise, dbSpec.GetAdditionalMongodConfig(), dbSpec, tlsCertPath, set.Annotations, fcv) } return processes diff --git a/controllers/om/replicaset/om_replicaset.go b/controllers/om/replicaset/om_replicaset.go index 09ce05162..2e72d2c3e 100644 --- a/controllers/om/replicaset/om_replicaset.go +++ b/controllers/om/replicaset/om_replicaset.go 
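Review bot: `CreateMongodProcessesWithLimit` is exported and gains a `tlsCertPath` parameter, but it still has no doc comment and nothing states that an empty string leaves the processes without a certificate file. Suggest adding above the signature: `// CreateMongodProcessesWithLimit builds at most limit mongod processes for the given StatefulSet; tlsCertPath is handed to every process unchanged, and "" leaves the TLS certificate file unset.` With the annotation lookup gone, the caller is now the only place where that path is derived, which is worth saying here so nobody reintroduces a lookup on `set.Annotations`, which is still passed through.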
@@ -15,15 +15,15 @@ import ( // BuildFromStatefulSet returns a replica set that can be set in the Automation Config // based on the given StatefulSet and MongoDB resource. -func BuildFromStatefulSet(mongoDBImage string, forceEnterprise bool, set appsv1.StatefulSet, dbSpec mdbv1.DbSpec, fcv string) om.ReplicaSetWithProcesses { - return BuildFromStatefulSetWithReplicas(mongoDBImage, forceEnterprise, set, dbSpec, int(*set.Spec.Replicas), fcv) +func BuildFromStatefulSet(mongoDBImage string, forceEnterprise bool, set appsv1.StatefulSet, dbSpec mdbv1.DbSpec, fcv string, tlsCertPath string) om.ReplicaSetWithProcesses { + return BuildFromStatefulSetWithReplicas(mongoDBImage, forceEnterprise, set, dbSpec, int(*set.Spec.Replicas), fcv, tlsCertPath) } // BuildFromStatefulSetWithReplicas returns a replica set that can be set in the Automation Config // based on the given StatefulSet and MongoDB spec. The amount of members is set by the replicas // parameter. -func BuildFromStatefulSetWithReplicas(mongoDBImage string, forceEnterprise bool, set appsv1.StatefulSet, dbSpec mdbv1.DbSpec, replicas int, fcv string) om.ReplicaSetWithProcesses { - members := process.CreateMongodProcessesWithLimit(mongoDBImage, forceEnterprise, set, dbSpec, replicas, fcv) +func BuildFromStatefulSetWithReplicas(mongoDBImage string, forceEnterprise bool, set appsv1.StatefulSet, dbSpec mdbv1.DbSpec, replicas int, fcv string, tlsCertPath string) om.ReplicaSetWithProcesses { + members := process.CreateMongodProcessesWithLimit(mongoDBImage, forceEnterprise, set, dbSpec, replicas, fcv, tlsCertPath) replicaSet := om.NewReplicaSet(set.Name, dbSpec.GetMongoDBVersion()) rsWithProcesses := om.NewReplicaSetWithProcesses(replicaSet, members, dbSpec.GetMemberOptions()) rsWithProcesses.SetHorizons(dbSpec.GetHorizonConfig()) diff --git a/controllers/operator/certs/certificates.go b/controllers/operator/certs/certificates.go index f5948aea9..29f0bd6ba 100644 --- a/controllers/operator/certs/certificates.go 
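Review bot: The doc comments of `BuildFromStatefulSet` and `BuildFromStatefulSetWithReplicas` were not updated for the new `tlsCertPath` parameter, which both functions forward verbatim. Suggest appending to each: `// tlsCertPath is the certificate file path given to every mongod process of the replica set; pass "" when TLS is disabled.` Since the value is no longer derived from the StatefulSet, the comment is the only place a caller learns that the StatefulSet annotations play no part in it anymore.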
+++ b/controllers/operator/certs/certificates.go @@ -31,7 +31,6 @@ type certDestination string const ( OperatorGeneratedCertSuffix = "-pem" - CertHashAnnotationKey = "certHash" Unused = "unused" Database = "database" diff --git a/controllers/operator/construct/database_construction.go b/controllers/operator/construct/database_construction.go index 66d51dd72..d2076d7cc 100644 --- a/controllers/operator/construct/database_construction.go +++ b/controllers/operator/construct/database_construction.go @@ -466,14 +466,8 @@ func buildDatabaseStatefulSetConfigurationFunction(mdb databaseStatefulSetSource appLabelKey: opts.ServiceName, } - annotationFunc := statefulset.WithAnnotations(defaultStatefulSetAnnotations(opts.CertificateHash)) podTemplateAnnotationFunc := podtemplatespec.NOOP() - annotationFunc = statefulset.Apply( - annotationFunc, - statefulset.WithAnnotations(map[string]string{util.InternalCertAnnotationKey: opts.InternalClusterHash}), - ) - if vault.IsVaultSecretBackend() { podTemplateAnnotationFunc = podtemplatespec.Apply(podTemplateAnnotationFunc, podtemplatespec.WithAnnotations(secretsToInject.DatabaseAnnotations(mdb.GetNamespace()))) } @@ -530,7 +524,6 @@ func buildDatabaseStatefulSetConfigurationFunction(mdb databaseStatefulSetSource statefulset.WithServiceName(opts.ServiceName), statefulset.WithReplicas(opts.Replicas), statefulset.WithOwnerReference(opts.OwnerReference), - annotationFunc, volumeClaimFuncs, shareProcessNs, statefulset.WithPodSpecTemplate(podtemplatespec.Apply(podTemplateModifications...)), @@ -1057,12 +1050,6 @@ func DatabaseStartupProbe() probes.Modification { ) } -func defaultStatefulSetAnnotations(certHash string) map[string]string { - return map[string]string{ - certs.CertHashAnnotationKey: certHash, - } -} - // TODO: temprorary duplication to avoid circular imports func NewDefaultPodSpecWrapper(podSpec mdbv1.MongoDbPodSpec) *mdbv1.PodSpecWrapper { return &mdbv1.PodSpecWrapper{ 
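Review bot: With `annotationFunc` removed from `buildDatabaseStatefulSetConfigurationFunction`, `opts.CertificateHash` and `opts.InternalClusterHash` are no longer consumed anywhere visible in these hunks, yet the replica set controller still populates them through `CertificateHash(...)` and `InternalClusterHash(...)`. If nothing else in the function reads them (its body continues outside the hunks), both option setters and the two fields are dead and should go with this change; if they still feed something like the pod template or the secret volume, a one-line comment at that remaining use would stop the next reader from assuming they were only annotation inputs. The `certs` import must still have another use in this file, since no import hunk is shown, but that is worth confirming with `go vet` before merge.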
diff --git a/controllers/operator/construct/multicluster/multicluster_replicaset.go b/controllers/operator/construct/multicluster/multicluster_replicaset.go index 9bc0e4307..bb216592f 100644 --- a/controllers/operator/construct/multicluster/multicluster_replicaset.go +++ b/controllers/operator/construct/multicluster/multicluster_replicaset.go @@ -7,7 +7,6 @@ import ( mdbv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdb" mdbmultiv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdbmulti" - "github.com/mongodb/mongodb-kubernetes/controllers/operator/certs" "github.com/mongodb/mongodb-kubernetes/controllers/operator/construct" "github.com/mongodb/mongodb-kubernetes/mongodb-community-operator/pkg/util/merge" "github.com/mongodb/mongodb-kubernetes/pkg/handler" @@ -65,9 +64,9 @@ func WithStsOverride(stsOverride *appsv1.StatefulSetSpec) func(options *construc } } -func WithAnnotations(resourceName string, certHash string) func(options *construct.DatabaseStatefulSetOptions) { +func WithAnnotations(resourceName string) func(options *construct.DatabaseStatefulSetOptions) { return func(options *construct.DatabaseStatefulSetOptions) { - options.Annotations = statefulSetAnnotations(resourceName, certHash) + options.Annotations = statefulSetAnnotations(resourceName) } } @@ -75,10 +74,9 @@ func statefulSetName(mdbmName string, clusterNum int) string { return fmt.Sprintf("%s-%d", mdbmName, clusterNum) } -func statefulSetAnnotations(mdbmName string, certHash string) map[string]string { +func statefulSetAnnotations(mdbmName string) map[string]string { return map[string]string{ handler.MongoDBMultiResourceAnnotation: mdbmName, - certs.CertHashAnnotationKey: certHash, } } diff --git a/controllers/operator/mongodbmultireplicaset_controller.go b/controllers/operator/mongodbmultireplicaset_controller.go index 8b5274179..013844268 100644 --- a/controllers/operator/mongodbmultireplicaset_controller.go +++ b/controllers/operator/mongodbmultireplicaset_controller.go 
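Review bot: `WithAnnotations` is exported and its signature changes here, but it still carries no doc comment saying which annotations it sets. Suggest `// WithAnnotations sets the StatefulSet annotations to only the MongoDBMultiResourceAnnotation for resourceName.` above it. After this change `statefulSetAnnotations` builds a single-entry map, so either inline it into `WithAnnotations` or give it a one-line comment explaining why it stays a separate function.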
@@ -171,12 +171,32 @@ func (r *ReconcileMongoDbMultiReplicaSet) Reconcile(ctx context.Context, request return r.updateStatus(ctx, &mrs, workflow.Failed(err), log) } + // If tls is enabled we need to configure the "processes" array in opsManager/Cloud Manager with the + // correct tlsCertPath, with the new tls design, this path has the certHash in it(so that cert can be rotated + // without pod restart). + tlsCertPath := "" + internalClusterCertPath := "" + if mrs.Spec.Security.IsTLSEnabled() { + certSecretName := mrs.Spec.GetSecurity().MemberCertificateSecretName(mrs.Name) + internalClusterCertSecretName := mrs.Spec.GetSecurity().InternalClusterAuthSecretName(mrs.Name) + tlsCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, certSecretName, "", log) + internalClusterCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, internalClusterCertSecretName, "", log) + + if internalClusterCertHash != "" { + internalClusterCertPath = fmt.Sprintf("%s%s", util.InternalClusterAuthMountPath, internalClusterCertHash) + } + + if tlsCertHash != "" { + tlsCertPath = fmt.Sprintf("%s/%s", util.TLSCertMountPath, tlsCertHash) + } + } + // Recovery prevents some deadlocks that can occur during reconciliation, e.g. the setting of an incorrect automation // configuration and a subsequent attempt to overwrite it later, the operator would be stuck in Pending phase. // See CLOUDP-189433 and CLOUDP-229222 for more details. if recovery.ShouldTriggerRecovery(mrs.Status.Phase != mdbstatus.PhaseRunning, mrs.Status.LastTransition) { log.Warnf("Triggering Automatic Recovery. 
The MongoDB resource %s/%s is in %s state since %s", mrs.Namespace, mrs.Name, mrs.Status.Phase, mrs.Status.LastTransition) - automationConfigError := r.updateOmDeploymentRs(ctx, conn, mrs, true, log) + automationConfigError := r.updateOmDeploymentRs(ctx, conn, mrs, tlsCertPath, internalClusterCertPath, true, log) reconcileStatus := r.reconcileMemberResources(ctx, &mrs, log, conn, projectConfig) if !reconcileStatus.IsOK() { log.Errorf("Recovery failed because of reconcile errors, %v", reconcileStatus) @@ -188,7 +208,7 @@ func (r *ReconcileMongoDbMultiReplicaSet) Reconcile(ctx context.Context, request status := workflow.RunInGivenOrder(publishAutomationConfigFirst, func() workflow.Status { - if err := r.updateOmDeploymentRs(ctx, conn, mrs, false, log); err != nil { + if err := r.updateOmDeploymentRs(ctx, conn, mrs, tlsCertPath, internalClusterCertPath, false, log); err != nil { return workflow.Failed(err) } return workflow.OK() @@ -499,7 +519,7 @@ func (r *ReconcileMongoDbMultiReplicaSet) reconcileStatefulSets(ctx context.Cont mconstruct.WithClusterNum(clusterNum), Replicas(replicasThisReconciliation), mconstruct.WithStsOverride(&stsOverride), - mconstruct.WithAnnotations(mrs.Name, certHash), + mconstruct.WithAnnotations(mrs.Name), mconstruct.WithServiceName(mrs.MultiHeadlessServiceName(clusterNum)), PodEnvVars(newPodVars(conn, projectConfig, mrs.Spec.LogLevel)), CurrentAgentAuthMechanism(currentAgentAuthMode), 
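Review bot: The new block in `Reconcile` reads both hashes with an empty secret path (`ReadHashFromSecret(..., certSecretName, "", log)`), whereas the single-cluster controller passes `databaseSecretPath` for the same call, and an empty hash is then silently mapped to an empty `tlsCertPath` while TLS is enabled. If `ReadHashFromSecret` uses that path for the Vault backend (not visible from this hunk), a Vault-backed multi-cluster deployment would publish processes to Ops Manager with no certificate file although `IsTLSEnabled()` is true, and there is no failure path left here, whereas the removed `firstStatefulSet` lookup at least returned an error when the hash could not be obtained. Suggest failing the reconcile when TLS is enabled and the member hash is empty, e.g. `if tlsCertHash == "" { return r.updateStatus(ctx, &mrs, workflow.Failed(xerrors.Errorf("TLS is enabled but no certificate hash found for secret %s/%s", mrs.Namespace, certSecretName)), log) }`, and at least a warn-level log for an empty internal cluster hash. The hash is also read independently inside `reconcileStatefulSets` (the `certHash` still visible in the `@@ -499` hunk), so a secret rotation between the two reads could let the Ops Manager process path and the StatefulSet disagree for one reconcile; passing `tlsCertHash` down would close that window. The same silent-empty behaviour applies to the replica set controller's block at `@@ -233`.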
@@ -677,7 +697,7 @@ func (r *ReconcileMongoDbMultiReplicaSet) saveLastAchievedSpec(ctx context.Conte // updateOmDeploymentRs performs OM registration operation for the replicaset. So the changes will be finally propagated // to automation agents in containers -func (r *ReconcileMongoDbMultiReplicaSet) updateOmDeploymentRs(ctx context.Context, conn om.Connection, mrs mdbmultiv1.MongoDBMultiCluster, isRecovering bool, log *zap.SugaredLogger) error { +func (r *ReconcileMongoDbMultiReplicaSet) updateOmDeploymentRs(ctx context.Context, conn om.Connection, mrs mdbmultiv1.MongoDBMultiCluster, tlsCertPath, internalClusterCertPath string, isRecovering bool, log *zap.SugaredLogger) error { reachableHostnames := make([]string, 0) clusterSpecList, err := mrs.GetClusterSpecItems() 
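Review bot: The doc comment of `updateOmDeploymentRs` still only says it performs the OM registration; the two new string parameters are undocumented and, being adjacent strings, can be swapped at a call site without a compile error. Suggest extending the comment with `// tlsCertPath and internalClusterCertPath are the in-container file paths of the member TLS certificate and the internal cluster auth certificate; both are "" when TLS is disabled.` The function body continues past the hunk.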
@@ -725,28 +745,7 @@ func (r *ReconcileMongoDbMultiReplicaSet) updateOmDeploymentRs(ctx context.Conte } log.Debugf("Existing process Ids: %+v", processIds) - certificateFileName := "" - internalClusterPath := "" - - // If tls is enabled we need to configure the "processes" array in opsManager/Cloud Manager with the - // correct certFilePath, with the new tls design, this path has the certHash in it(so that cert can be rotated - // without pod restart), we can get the cert hash from any of the statefulset, here we pick the statefulset in the first cluster. - if mrs.Spec.Security.IsTLSEnabled() { - firstStatefulSet, err := r.firstStatefulSet(ctx, &mrs) - if err != nil { - return err - } - - if hash := firstStatefulSet.Annotations[util.InternalCertAnnotationKey]; hash != "" { - internalClusterPath = fmt.Sprintf("%s%s", util.InternalClusterAuthMountPath, hash) - } - - if certificateHash := firstStatefulSet.Annotations[certs.CertHashAnnotationKey]; certificateHash != "" { - certificateFileName = fmt.Sprintf("%s/%s", util.TLSCertMountPath, certificateHash) - } - } - - processes, err := process.CreateMongodProcessesWithLimitMulti(r.imageUrls[mcoConstruct.MongodbImageEnv], r.forceEnterprise, mrs, certificateFileName) + processes, err := process.CreateMongodProcessesWithLimitMulti(r.imageUrls[mcoConstruct.MongodbImageEnv], r.forceEnterprise, mrs, tlsCertPath) if err != nil && !isRecovering { return err } 
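Review bot: The removed block was the only caller of `r.firstStatefulSet` visible in this diff; if no other caller remains, that helper and its error path are now dead code and should be removed in the same change. The new line forwards `tlsCertPath` straight into `CreateMongodProcessesWithLimitMulti`, so a short comment at the call, `// tlsCertPath comes from the member certificate secret hash read in Reconcile`, would tell a reader where the value is validated now that nothing here derives it.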
@@ -759,7 +758,7 @@ func (r *ReconcileMongoDbMultiReplicaSet) updateOmDeploymentRs(ctx context.Conte caFilePath := fmt.Sprintf("%s/ca-pem", util.TLSCaMountPath) agentCertSecretName := mrs.GetSecurity().AgentClientCertificateSecretName(mrs.GetName()) - status, additionalReconciliationRequired := r.updateOmAuthentication(ctx, conn, rs.GetProcessNames(), &mrs, agentCertSecretName, caFilePath, internalClusterPath, isRecovering, log) + status, additionalReconciliationRequired := r.updateOmAuthentication(ctx, conn, rs.GetProcessNames(), &mrs, agentCertSecretName, caFilePath, internalClusterCertPath, isRecovering, log) if !status.IsOK() && !isRecovering { return xerrors.Errorf("failed to enable Authentication for MongoDB Multi Replicaset") } @@ -768,7 +767,7 @@ func (r *ReconcileMongoDbMultiReplicaSet) updateOmDeploymentRs(ctx context.Conte err = conn.ReadUpdateDeployment( func(d om.Deployment) error { - return ReconcileReplicaSetAC(ctx, d, mrs.Spec.DbCommonSpec, lastMongodbConfig, mrs.Name, rs, caFilePath, internalClusterPath, nil, log) + return ReconcileReplicaSetAC(ctx, d, mrs.Spec.DbCommonSpec, lastMongodbConfig, mrs.Name, rs, caFilePath, internalClusterCertPath, nil, log) }, log, ) diff --git a/controllers/operator/mongodbreplicaset_controller.go b/controllers/operator/mongodbreplicaset_controller.go index a7d2943aa..3b5473bc2 100644 --- a/controllers/operator/mongodbreplicaset_controller.go +++ b/controllers/operator/mongodbreplicaset_controller.go 
@@ -198,11 +198,14 @@ func (r *ReconcileMongoDbReplicaSet) Reconcile(ctx context.Context, request reco } } + tlsCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, rs.Namespace, rsCertsConfig.CertSecretName, databaseSecretPath, log) + internalClusterCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, rs.Namespace, rsCertsConfig.InternalClusterSecretName, databaseSecretPath, log) + rsConfig := construct.ReplicaSetOptions( PodEnvVars(newPodVars(conn, projectConfig, rs.Spec.LogLevel)), CurrentAgentAuthMechanism(currentAgentAuthMode), - CertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, rs.Namespace, rsCertsConfig.CertSecretName, databaseSecretPath, log)), - InternalClusterHash(enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, rs.Namespace, rsCertsConfig.InternalClusterSecretName, databaseSecretPath, log)), + CertificateHash(tlsCertHash), + InternalClusterHash(internalClusterCertHash), PrometheusTLSCertHash(prometheusCertHash), WithVaultConfig(vaultConfig), WithLabels(rs.Labels), 
@@ -233,12 +236,22 @@ func (r *ReconcileMongoDbReplicaSet) Reconcile(ctx context.Context, request reco agentCertSecretSelector := rs.GetSecurity().AgentClientCertificateSecretName(rs.Name) agentCertSecretSelector.Name += certs.OperatorGeneratedCertSuffix + internalClusterCertPath := "" + if internalClusterCertHash != "" { + internalClusterCertPath = fmt.Sprintf("%s%s", util.InternalClusterAuthMountPath, internalClusterCertHash) + } + + tlsCertPath := "" + if tlsCertHash != "" { + tlsCertPath = fmt.Sprintf("%s/%s", util.TLSCertMountPath, tlsCertHash) + } + // Recovery prevents some deadlocks that can occur during reconciliation, e.g. the setting of an incorrect automation // configuration and a subsequent attempt to overwrite it later, the operator would be stuck in Pending phase. // See CLOUDP-189433 and CLOUDP-229222 for more details. if recovery.ShouldTriggerRecovery(rs.Status.Phase != mdbstatus.PhaseRunning, rs.Status.LastTransition) { log.Warnf("Triggering Automatic Recovery. The MongoDB resource %s/%s is in %s state since %s", rs.Namespace, rs.Name, rs.Status.Phase, rs.Status.LastTransition) - automationConfigStatus := r.updateOmDeploymentRs(ctx, conn, rs.Status.Members, rs, sts, log, caFilePath, agentCertSecretSelector, prometheusCertHash, true).OnErrorPrepend("Failed to create/update (Ops Manager reconciliation phase):") + automationConfigStatus := r.updateOmDeploymentRs(ctx, conn, rs.Status.Members, rs, sts, log, caFilePath, tlsCertPath, internalClusterCertPath, agentCertSecretSelector, prometheusCertHash, true).OnErrorPrepend("Failed to create/update (Ops Manager reconciliation phase):") deploymentError := create.DatabaseInKubernetes(ctx, r.client, *rs, sts, rsConfig, log) if deploymentError != nil { log.Errorf("Recovery failed because of deployment errors, %w", deploymentError) 
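Review bot: The path-building block added here duplicates, line for line, the one added to the multi-cluster controller's `Reconcile` (`@@ -171` in `mongodbmultireplicaset_controller.go`), including the asymmetric separators (`"%s%s"` for the internal cluster mount, `"%s/%s"` for the TLS mount, the latter because `TLSCertMountPath` has no trailing slash per `constants.go`). Both controllers live in package `operator`, so one helper keeps the two from drifting and gives the separator asymmetry a single place to be explained. The call site in each controller then becomes `tlsCertPath, internalClusterCertPath := certPathsFromHashes(tlsCertHash, internalClusterCertHash)`.
```go
// certPathsFromHashes maps the certificate secret hashes to the file paths the
// agent expects under the TLS mounts. An empty hash yields an empty path, which
// leaves the corresponding certificate unset in the automation config.
func certPathsFromHashes(tlsCertHash, internalClusterCertHash string) (tlsCertPath, internalClusterCertPath string) {
	if tlsCertHash != "" {
		tlsCertPath = fmt.Sprintf("%s/%s", util.TLSCertMountPath, tlsCertHash)
	}
	if internalClusterCertHash != "" {
		// No separator here: InternalClusterAuthMountPath is expected to end with one — confirm against constants.go.
		internalClusterCertPath = fmt.Sprintf("%s%s", util.InternalClusterAuthMountPath, internalClusterCertHash)
	}
	return tlsCertPath, internalClusterCertPath
}
```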
@@ -254,7 +267,7 @@ func (r *ReconcileMongoDbReplicaSet) Reconcile(ctx context.Context, request reco } status = workflow.RunInGivenOrder(publishAutomationConfigFirst(ctx, r.client, *rs, lastSpec, rsConfig, log), func() workflow.Status { - return r.updateOmDeploymentRs(ctx, conn, rs.Status.Members, rs, sts, log, caFilePath, agentCertSecretSelector, prometheusCertHash, false).OnErrorPrepend("Failed to create/update (Ops Manager reconciliation phase):") + return r.updateOmDeploymentRs(ctx, conn, rs.Status.Members, rs, sts, log, caFilePath, tlsCertPath, internalClusterCertPath, agentCertSecretSelector, prometheusCertHash, false).OnErrorPrepend("Failed to create/update (Ops Manager reconciliation phase):") }, func() workflow.Status { workflowStatus := create.HandlePVCResize(ctx, r.client, &sts, log) @@ -415,7 +428,7 @@ func AddReplicaSetController(ctx context.Context, mgr manager.Manager, imageUrls // updateOmDeploymentRs performs OM registration operation for the replicaset. So the changes will be finally propagated // to automation agents in containers -func (r *ReconcileMongoDbReplicaSet) updateOmDeploymentRs(ctx context.Context, conn om.Connection, membersNumberBefore int, rs *mdbv1.MongoDB, set appsv1.StatefulSet, log *zap.SugaredLogger, caFilePath string, agentCertSecretSelector corev1.SecretKeySelector, prometheusCertHash string, isRecovering bool) workflow.Status { +func (r *ReconcileMongoDbReplicaSet) updateOmDeploymentRs(ctx context.Context, conn om.Connection, membersNumberBefore int, rs *mdbv1.MongoDB, set appsv1.StatefulSet, log *zap.SugaredLogger, caFilePath, tlsCertPath, internalClusterCertPath string, agentCertSecretSelector corev1.SecretKeySelector, prometheusCertHash string, isRecovering bool) workflow.Status { log.Debug("Entering UpdateOMDeployments") // Only "concrete" RS members should be observed // - if scaling down, let's observe only members that will remain after scale-down operation 
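Review bot: `updateOmDeploymentRs` now takes twelve parameters, three of them adjacent strings (`caFilePath, tlsCertPath, internalClusterCertPath`); a swapped argument at either call site compiles cleanly and would hand Ops Manager the wrong certificate path. A small struct such as `type omCertPaths struct { caFilePath, tlsCertPath, internalClusterCertPath string }` passed in place of the three strings makes the two call sites self-describing, and the doc comment above the signature should in any case name the two new parameters and state that both are `""` when TLS is disabled. The function body continues past the hunk.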
@@ -427,7 +440,7 @@ func (r *ReconcileMongoDbReplicaSet) updateOmDeploymentRs(ctx context.Context, c // If current operation is to Disable TLS, then we should the current members of the Replica Set, // this is, do not scale them up or down util TLS disabling has completed. - shouldLockMembers, err := updateOmDeploymentDisableTLSConfiguration(conn, r.imageUrls[mcoConstruct.MongodbImageEnv], r.forceEnterprise, membersNumberBefore, rs, set, log, caFilePath) + shouldLockMembers, err := updateOmDeploymentDisableTLSConfiguration(conn, r.imageUrls[mcoConstruct.MongodbImageEnv], r.forceEnterprise, membersNumberBefore, rs, set, log, caFilePath, tlsCertPath) if err != nil && !isRecovering { return workflow.Failed(err) } @@ -441,15 +454,10 @@ func (r *ReconcileMongoDbReplicaSet) updateOmDeploymentRs(ctx context.Context, c updatedMembers = int(*set.Spec.Replicas) } - replicaSet := replicaset.BuildFromStatefulSetWithReplicas(r.imageUrls[mcoConstruct.MongodbImageEnv], r.forceEnterprise, set, rs.GetSpec(), updatedMembers, rs.CalculateFeatureCompatibilityVersion()) + replicaSet := replicaset.BuildFromStatefulSetWithReplicas(r.imageUrls[mcoConstruct.MongodbImageEnv], r.forceEnterprise, set, rs.GetSpec(), updatedMembers, rs.CalculateFeatureCompatibilityVersion(), tlsCertPath) processNames := replicaSet.GetProcessNames() - internalClusterPath := "" - if hash := set.Annotations[util.InternalCertAnnotationKey]; hash != "" { - internalClusterPath = fmt.Sprintf("%s%s", util.InternalClusterAuthMountPath, hash) - } - - status, additionalReconciliationRequired := r.updateOmAuthentication(ctx, conn, processNames, rs, agentCertSecretSelector, caFilePath, internalClusterPath, isRecovering, log) + status, additionalReconciliationRequired := r.updateOmAuthentication(ctx, conn, processNames, rs, agentCertSecretSelector, caFilePath, internalClusterCertPath, isRecovering, log) if !status.IsOK() && !isRecovering { return status } 
@@ -469,7 +477,7 @@ func (r *ReconcileMongoDbReplicaSet) updateOmDeploymentRs(ctx context.Context, c err = conn.ReadUpdateDeployment( func(d om.Deployment) error { - return ReconcileReplicaSetAC(ctx, d, rs.Spec.DbCommonSpec, lastRsConfig.ToMap(), rs.Name, replicaSet, caFilePath, internalClusterPath, &p, log) + return ReconcileReplicaSetAC(ctx, d, rs.Spec.DbCommonSpec, lastRsConfig.ToMap(), rs.Name, replicaSet, caFilePath, internalClusterCertPath, &p, log) }, log, ) @@ -510,7 +518,7 @@ func (r *ReconcileMongoDbReplicaSet) updateOmDeploymentRs(ctx context.Context, c // updateOmDeploymentDisableTLSConfiguration checks if TLS configuration needs // to be disabled. In which case it will disable it and inform to the calling // function. -func updateOmDeploymentDisableTLSConfiguration(conn om.Connection, mongoDBImage string, forceEnterprise bool, membersNumberBefore int, rs *mdbv1.MongoDB, set appsv1.StatefulSet, log *zap.SugaredLogger, caFilePath string) (bool, error) { +func updateOmDeploymentDisableTLSConfiguration(conn om.Connection, mongoDBImage string, forceEnterprise bool, membersNumberBefore int, rs *mdbv1.MongoDB, set appsv1.StatefulSet, log *zap.SugaredLogger, caFilePath, tlsCertPath string) (bool, error) { tlsConfigWasDisabled := false err := conn.ReadUpdateDeployment( @@ -524,7 +532,7 @@ func updateOmDeploymentDisableTLSConfiguration(conn om.Connection, mongoDBImage // configure as many agents/Pods as we currently have, no more (in case // there's a scale up change at the same time). - replicaSet := replicaset.BuildFromStatefulSetWithReplicas(mongoDBImage, forceEnterprise, set, rs.GetSpec(), membersNumberBefore, rs.CalculateFeatureCompatibilityVersion()) + replicaSet := replicaset.BuildFromStatefulSetWithReplicas(mongoDBImage, forceEnterprise, set, rs.GetSpec(), membersNumberBefore, rs.CalculateFeatureCompatibilityVersion(), tlsCertPath) lastConfig, err := rs.GetLastAdditionalMongodConfigByType(mdbv1.ReplicaSetConfig) if err != nil { 
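Review bot: `updateOmDeploymentDisableTLSConfiguration` gains `tlsCertPath` but its doc comment still describes only the disable check and says nothing about the new argument, which the hunk shows is forwarded to `BuildFromStatefulSetWithReplicas`. Suggest appending `// tlsCertPath is the certificate file path given to the processes of the rebuilt replica set; "" when TLS is disabled.` to the comment. The function body continues past the hunk.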
diff --git a/controllers/operator/mongodbreplicaset_controller_test.go b/controllers/operator/mongodbreplicaset_controller_test.go index f6aea38c8..e85e7050d 100644 --- a/controllers/operator/mongodbreplicaset_controller_test.go +++ b/controllers/operator/mongodbreplicaset_controller_test.go 
@@ -400,22 +400,22 @@ func TestUpdateDeploymentTLSConfiguration(t *testing.T) { stsNoTLS := construct.DatabaseStatefulSet(*rsNoTLS, construct.ReplicaSetOptions(construct.GetPodEnvOptions()), zap.S()) // TLS Disabled -> TLS Disabled - shouldLockMembers, err := updateOmDeploymentDisableTLSConfiguration(om.NewMockedOmConnection(deploymentNoTLS), "fake-mongoDBImage", false, 3, rsNoTLS, stsNoTLS, zap.S(), util.CAFilePathInContainer) + shouldLockMembers, err := updateOmDeploymentDisableTLSConfiguration(om.NewMockedOmConnection(deploymentNoTLS), "fake-mongoDBImage", false, 3, rsNoTLS, stsNoTLS, zap.S(), util.CAFilePathInContainer, "") assert.NoError(t, err) assert.False(t, shouldLockMembers) // TLS Disabled -> TLS Enabled - shouldLockMembers, err = updateOmDeploymentDisableTLSConfiguration(om.NewMockedOmConnection(deploymentNoTLS), "fake-mongoDBImage", false, 3, rsWithTLS, stsWithTLS, zap.S(), util.CAFilePathInContainer) + shouldLockMembers, err = updateOmDeploymentDisableTLSConfiguration(om.NewMockedOmConnection(deploymentNoTLS), "fake-mongoDBImage", false, 3, rsWithTLS, stsWithTLS, zap.S(), util.CAFilePathInContainer, "") assert.NoError(t, err) assert.False(t, shouldLockMembers) // TLS Enabled -> TLS Enabled - shouldLockMembers, err = updateOmDeploymentDisableTLSConfiguration(om.NewMockedOmConnection(deploymentWithTLS), "fake-mongoDBImage", false, 3, rsWithTLS, stsWithTLS, zap.S(), util.CAFilePathInContainer) + shouldLockMembers, err = updateOmDeploymentDisableTLSConfiguration(om.NewMockedOmConnection(deploymentWithTLS), "fake-mongoDBImage", false, 3, rsWithTLS, stsWithTLS, zap.S(), util.CAFilePathInContainer, "") assert.NoError(t, err) assert.False(t, shouldLockMembers) // TLS Enabled -> TLS Disabled - shouldLockMembers, err = updateOmDeploymentDisableTLSConfiguration(om.NewMockedOmConnection(deploymentWithTLS), "fake-mongoDBImage", false, 3, rsNoTLS, stsNoTLS, zap.S(), util.CAFilePathInContainer) + shouldLockMembers, err = 
updateOmDeploymentDisableTLSConfiguration(om.NewMockedOmConnection(deploymentWithTLS), "fake-mongoDBImage", false, 3, rsNoTLS, stsNoTLS, zap.S(), util.CAFilePathInContainer, "") assert.NoError(t, err) assert.True(t, shouldLockMembers) } diff --git a/pkg/util/constants.go b/pkg/util/constants.go index c649eda4e..443ae925c 100644 --- a/pkg/util/constants.go +++ b/pkg/util/constants.go @@ -281,10 +281,6 @@ const ( TLSCertMountPath = PvcMmsHomeMountPath + "/tls" TLSCaMountPath = PvcMmsHomeMountPath + "/tls/ca" - // TODO: remove this from here and move it to the certs package - // This currently creates an import cycle - InternalCertAnnotationKey = "internalCertHash" - // Annotation keys used by the operator LastAchievedSpec = "mongodb.com/v1.lastSuccessfulConfiguration" LastAchievedRsMemberIds = "mongodb.com/v1.lastAchievedRsMemberIds"
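Review bot: All four cases in `TestUpdateDeploymentTLSConfiguration` pass `""` as the new `tlsCertPath`, including the two with TLS enabled, so no test on this page checks that a non-empty path reaches the processes written to the mocked deployment. Adding a TLS-enabled case that passes a constructed path such as `util.TLSCertMountPath + "/<constructed-hash>"` and asserts it on the resulting processes would pin the plumbing this commit moves from StatefulSet annotations to explicit parameters. Without it, a caller that forgets to compute the path still passes this test, exactly the silent-empty case the controllers now allow.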