Merge remote-tracking branch 'origin/main' into dev/refactor

percona · Mar 26, 2024 · 636aa82 · 636aa82
2 parents 9268e0e + 08e1672
commit 636aa82
Show file tree

Hide file tree

Showing 50 changed files with 1,296 additions and 70 deletions.
diff --git a/Makefile b/Makefile
@@ -67,7 +67,7 @@ endef
 
 CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
-	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.11.1)
+	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.14.0)
 
 KUSTOMIZE = $(shell pwd)/bin/kustomize
 kustomize: ## Download kustomize locally if necessary.

diff --git a/build/ps-entry.sh b/build/ps-entry.sh
@@ -430,6 +430,10 @@ if [[ $originalArgOne == mongo* ]]; then
 	if [ -f "${MONGO_SSL_DIR}/ca.crt" ]; then
 		CA="${MONGO_SSL_DIR}/ca.crt"
 	fi
+	LDAP_SSL_DIR=${LDAP_SSL_DIR:-/etc/openldap/certs}
+	if [ -f "${LDAP_SSL_DIR}/ca.crt" ]; then
+		echo "TLS_CACERT ${LDAP_SSL_DIR}/ca.crt" >/etc/openldap/ldap.conf
+	fi
 	if [ -f "${MONGO_SSL_DIR}/tls.key" ] && [ -f "${MONGO_SSL_DIR}/tls.crt" ]; then
 		cat "${MONGO_SSL_DIR}/tls.key" "${MONGO_SSL_DIR}/tls.crt" >/tmp/tls.pem
 		_mongod_hack_ensure_arg_val --sslPEMKeyFile /tmp/tls.pem "${mongodHackedArgs[@]}"

diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbbackups.psmdb.percona.com
 spec:
   group: psmdb.percona.com

diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbrestores.psmdb.percona.com
 spec:
   group: psmdb.percona.com

diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbs.psmdb.percona.com
 spec:
   group: psmdb.percona.com
@@ -7636,6 +7635,8 @@ spec:
                 properties:
                   encryptionKey:
                     type: string
+                  ldapSecret:
+                    type: string
                   ssl:
                     type: string
                   sslInternal:
@@ -17234,6 +17235,17 @@ spec:
                 properties:
                   certValidityDuration:
                     type: string
+                  issuerConf:
+                    properties:
+                      group:
+                        type: string
+                      kind:
+                        type: string
+                      name:
+                        type: string
+                    required:
+                    - name
+                    type: object
                 type: object
               unmanaged:
                 type: boolean

diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbbackups.psmdb.percona.com
 spec:
   group: psmdb.percona.com
@@ -160,8 +159,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbrestores.psmdb.percona.com
 spec:
   group: psmdb.percona.com
@@ -319,8 +317,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbs.psmdb.percona.com
 spec:
   group: psmdb.percona.com
@@ -8271,6 +8268,8 @@ spec:
                 properties:
                   encryptionKey:
                     type: string
+                  ldapSecret:
+                    type: string
                   ssl:
                     type: string
                   sslInternal:
@@ -17869,6 +17868,17 @@ spec:
                 properties:
                   certValidityDuration:
                     type: string
+                  issuerConf:
+                    properties:
+                      group:
+                        type: string
+                      kind:
+                        type: string
+                      name:
+                        type: string
+                    required:
+                    - name
+                    type: object
                 type: object
               unmanaged:
                 type: boolean

diff --git a/deploy/cr.yaml b/deploy/cr.yaml
@@ -17,6 +17,10 @@ spec:
 #  tls:
 #    # 90 days in hours
 #    certValidityDuration: 2160h
+#    issuerConf:
+#      name: special-selfsigned-issuer
+#      kind: ClusterIssuer
+#      group: cert-manager.io
 #  imagePullSecrets:
 #    - name: private-registry-credentials
 #  initImage: perconalab/percona-server-mongodb-operator:main
@@ -39,6 +43,7 @@ spec:
     users: my-cluster-name-secrets
     encryptionKey: my-cluster-name-mongodb-encryption-key
 #    vault: my-cluster-name-vault
+#    ldapSecret: my-ldap-secret
   pmm:
     enabled: false
     image: perconalab/pmm-client:dev-latest

diff --git a/deploy/crd.yaml b/deploy/crd.yaml
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbbackups.psmdb.percona.com
 spec:
   group: psmdb.percona.com
@@ -160,8 +159,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbrestores.psmdb.percona.com
 spec:
   group: psmdb.percona.com
@@ -319,8 +317,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbs.psmdb.percona.com
 spec:
   group: psmdb.percona.com
@@ -8271,6 +8268,8 @@ spec:
                 properties:
                   encryptionKey:
                     type: string
+                  ldapSecret:
+                    type: string
                   ssl:
                     type: string
                   sslInternal:
@@ -17869,6 +17868,17 @@ spec:
                 properties:
                   certValidityDuration:
                     type: string
+                  issuerConf:
+                    properties:
+                      group:
+                        type: string
+                      kind:
+                        type: string
+                      name:
+                        type: string
+                    required:
+                    - name
+                    type: object
                 type: object
               unmanaged:
                 type: boolean

diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbbackups.psmdb.percona.com
 spec:
   group: psmdb.percona.com
@@ -160,8 +159,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbrestores.psmdb.percona.com
 spec:
   group: psmdb.percona.com
@@ -319,8 +317,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: perconaservermongodbs.psmdb.percona.com
 spec:
   group: psmdb.percona.com
@@ -8271,6 +8268,8 @@ spec:
                 properties:
                   encryptionKey:
                     type: string
+                  ldapSecret:
+                    type: string
                   ssl:
                     type: string
                   sslInternal:
@@ -17869,6 +17868,17 @@ spec:
                 properties:
                   certValidityDuration:
                     type: string
+                  issuerConf:
+                    properties:
+                      group:
+                        type: string
+                      kind:
+                        type: string
+                      name:
+                        type: string
+                    required:
+                    - name
+                    type: object
                 type: object
               unmanaged:
                 type: boolean

diff --git a/e2e-tests/arbiter/run b/e2e-tests/arbiter/run
@@ -70,8 +70,8 @@ check_cr_config() {
 }
 
 main() {
-	deploy_cert_manager
 	create_infra $namespace
+	deploy_cert_manager
 
 	desc 'create secrets and start client'
 	kubectl_bin apply \

diff --git a/e2e-tests/data-sharded/run b/e2e-tests/data-sharded/run
@@ -35,8 +35,8 @@ main() {
 		MONGO_VER=$(echo -n "${IMAGE_MONGOD}" | $sed -r 's/.*:([0-9]+\.[0-9]+).*$/\1/')
 	fi
 
-	deploy_cert_manager
 	create_infra "$namespace"
+	deploy_cert_manager
 
 	desc 'create secrets and start client'
 	kubectl_bin apply -f "$conf_dir/secrets.yml"

diff --git a/e2e-tests/init-deploy/compare/clusterMonitor-50.json b/e2e-tests/init-deploy/compare/clusterMonitor-50.json
@@ -50,6 +50,15 @@
           "indexStats"
         ]
       },
+      {
+        "resource": {
+          "db": "admin",
+          "collection": "system.version"
+        },
+        "actions": [
+          "find"
+        ]
+      },
       {
         "resource": {
           "db": "config",

diff --git a/e2e-tests/init-deploy/compare/clusterMonitor-60.json b/e2e-tests/init-deploy/compare/clusterMonitor-60.json
@@ -50,6 +50,15 @@
           "indexStats"
         ]
       },
+      {
+        "resource": {
+          "db": "admin",
+          "collection": "system.version"
+        },
+        "actions": [
+          "find"
+        ]
+      },
       {
         "resource": {
           "db": "config",

diff --git a/e2e-tests/init-deploy/compare/clusterMonitor.json b/e2e-tests/init-deploy/compare/clusterMonitor.json
@@ -34,6 +34,15 @@
           "find"
         ]
       },
+      {
+        "resource": {
+          "db": "admin",
+          "collection": "system.version"
+        },
+        "actions": [
+          "find"
+        ]
+      },
       {
         "resource": {
           "db": "config",

diff --git a/e2e-tests/ldap-tls/compare/authInfo.json b/e2e-tests/ldap-tls/compare/authInfo.json
@@ -0,0 +1,38 @@
+{
+  "authenticatedUsers": [
+    {
+      "user": "percona",
+      "db": "$external"
+    }
+  ],
+  "authenticatedUserRoles": [
+    {
+      "role": "backup",
+      "db": "admin"
+    },
+    {
+      "role": "clusterMonitor",
+      "db": "admin"
+    },
+    {
+      "role": "cn=admin,ou=perconadba,dc=ldap,dc=local",
+      "db": "admin"
+    },
+    {
+      "role": "dbAdminAnyDatabase",
+      "db": "admin"
+    },
+    {
+      "role": "readAnyDatabase",
+      "db": "admin"
+    },
+    {
+      "role": "readWriteAnyDatabase",
+      "db": "admin"
+    },
+    {
+      "role": "restore",
+      "db": "admin"
+    }
+  ]
+}
diff --git a/e2e-tests/ldap-tls/conf/mongod.conf b/e2e-tests/ldap-tls/conf/mongod.conf
@@ -0,0 +1,13 @@
+security:
+  authorization: enabled
+  ldap:
+    authz:
+      queryTemplate: dc=ldap,dc=local??sub?(&(objectClass=groupOfUniqueNames)(uniqueMember={USER}))
+    bind:
+      queryUser: "cn=readonly,dc=ldap,dc=local"
+      queryPassword: "readonlypass"
+    servers: servers
+    transportSecurity: tls
+    userToDNMapping: '[{"match":"(.+)","ldapQuery":"OU=perconadba,DC=ldap,DC=local??sub?(uid={0})"}]'
+setParameter:
+  authenticationMechanisms: PLAIN,SCRAM-SHA-1
diff --git a/e2e-tests/ldap-tls/conf/mongos.conf b/e2e-tests/ldap-tls/conf/mongos.conf
@@ -0,0 +1,10 @@
+security:
+  ldap:
+    bind:
+      queryUser: "cn=readonly,dc=ldap,dc=local"
+      queryPassword: "readonlypass"
+    servers: servers
+    transportSecurity: tls
+    userToDNMapping: '[{"match":"(.+)","ldapQuery":"OU=perconadba,DC=ldap,DC=local??sub?(uid={0})"}]'
+setParameter:
+  authenticationMechanisms: PLAIN,SCRAM-SHA-1