K8SPSMDB-813: Fail TLS configuration if provided certificates do not exist

[t-yrka]

CHANGE DESCRIPTION

Problem:
Short explanation of the problem.

Healthcheck runs without TLS appropriately configured (when it is enabled).

Cause:
Short explanation of the root cause of the issue if applicable.

Invalid TLS configuration is silently dropped.

Solution:
Short explanation of the solution we are providing with this PR.

Fail the healthcheck when TLS configuration is provided, but is invalid.

CHECKLIST

Jira

• Is the Jira ticket created and referenced properly?
• Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
• Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

• Is an E2E test/test case added for the new feature/change?
• Are unit tests added where appropriate?
• Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

• Are all needed new/changed options added to default YAML files?
• Are the manifests (crd/bundle) regenerated if needed?
• Did we add proper logging messages for operator actions?
• Did we ensure compatibility with the previous version or cluster upgrade process?
• Does the change support oldest and newest supported MongoDB version?
• Does the change support oldest and newest supported Kubernetes version?

[CLAassistant]

All committers have signed the CLA.

[hors]

@egegunes, maybe we need to do it only for cr >= 1.15?

[egegunes]

is it correct? before we were adding ssl flags if UnsafeConf is false but with these changes we'll add flags if crVersion is < 1.15 no matter unsafe flag value

[pooknull]

Before the PR, we had this code without any checks:

 Command: []string{
				"/data/db/mongodb-healthcheck",
				"k8s",
				"liveness",
				"--ssl", "--sslInsecure",
				"--sslCAFile", "/etc/mongodb-ssl/ca.crt",
				"--sslPEMKeyFile", "/tmp/tls.pem",
			},

We should add these flags to crs with < 1.15.0 versions to maintain the old behavior

[egegunes]

we seem to changed the behavior, with these we'll add these flags to probe command for all clusters <1.15

[pooknull]

We should check for unsafe option only for clusters with >=1.15.0 version to maintain the old behavior for older cluster versions.

It seems that you checked the diff of only my changes, and not those of the entire pull request.

[JNKPercona]

Test name	Status
arbiter	passed
balancer	passed
custom-replset-name	passed
cross-site-sharded	passed
data-at-rest-encryption	passed
data-sharded	passed
demand-backup	passed
demand-backup-eks-credentials	passed
demand-backup-physical	passed
demand-backup-physical-sharded	passed
demand-backup-sharded	passed
expose-sharded	passed
ignore-labels-annotations	passed
init-deploy	passed
finalizer	passed
limits	passed
liveness	passed
mongod-major-upgrade	passed
mongod-major-upgrade-sharded	passed
monitoring-2-0	passed
multi-cluster-service	passed
non-voting	passed
one-pod	passed
operator-self-healing-chaos	passed
pitr	passed
pitr-sharded	passed
pitr-physical	passed
recover-no-primary	passed
rs-shard-migration	passed
scaling	passed
scheduled-backup	passed
security-context	passed
self-healing-chaos	passed
service-per-pod	passed
serviceless-external-nodes	passed
smart-update	passed
split-horizon	passed
storage	passed
tls-issue-cert-manager	passed
upgrade	passed
upgrade-consistency	passed
upgrade-consistency-sharded	passed
upgrade-sharded	passed
users	passed
version-service	passed
We run 45 out of 45

commit: 7d8974c
image: perconalab/percona-server-mongodb-operator:PR-1254-7d8974c6

[hors]

@t-yrka Thank you for your contribution