From c325d88a5eb60fab8960513c83ba16340fefc733 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ege=20G=C3=BCne=C5=9F?= Date: Wed, 17 Apr 2024 18:49:52 +0300 Subject: [PATCH] K8SPSMDB-780: Unsafe improvements (#1504) * K8SPSMDB-780: Unsafe flags These changes attempt to fix the overloaded `allowUnsafeConfigurations` flag. In the previous implementation, `allowUnsafeConfigurations` didn't just allow unsafe configurations but made everything unsafe by disabling TLS, allowing backups in unhealthy clusters, etc. without the user's explicit intent. With these changes, we decouple those things from the unsafe flag and remove all implicit behaviors. We introduce a new section called `unsafeFlags`: ``` unsafeFlags: tls: false replsetSize: false mongosSize: false terminationGracePeriod: false backupIfUnhealthy: false ``` Starting from `v1.16.0`, `allowUnsafeConfigurations` is deprecated and won't have any effect. **TLS Mode** This decoupling required special attention to the TLS configuration. Before these changes, the only way to disable TLS was setting `allowUnsafeConfigurations` to true. Now, we introduce a new field: ``` spec: tls: mode: disabled ``` This field accepts the following values: `disabled`, `allowTLS`, `preferTLS` and `requireTLS`. If the user sets the mode to `disabled`, the operator will throw an error: `TLS must be enabled. Set spec.unsafeFlags.tls to true to disable this check.` Since the use of TLS flags and reconciling TLS secrets depends on the `tls.mode` field, we need to block users from setting `net.tls.mode` in custom MongoDB configuration. If the user sets a custom configuration like: ``` spec: replsets: - name: rs0 size: 3 configuration: | net: tls: mode: allowTLS ``` the operator will throw an error: `tlsMode must be set using spec.tls.mode`. 
* fix tests * fix tests * fix tests * fix tests * fix tests * fix pvc-resize * fix custom-replset-name * address review comments * fix cluster deletion * comment unsafe flags --- build/pbm-entry.sh | 10 +- build/ps-entry.sh | 177 +++++------ ...mdb.percona.com_perconaservermongodbs.yaml | 15 + deploy/bundle.yaml | 15 + deploy/cr-minimal.yaml | 4 +- deploy/cr.yaml | 11 +- deploy/crd.yaml | 15 + deploy/cw-bundle.yaml | 15 + ...ulset_arbiter-clusterip-rs0-arbiter-oc.yml | 1 + ...tefulset_arbiter-clusterip-rs0-arbiter.yml | 289 +++++++++--------- .../statefulset_arbiter-rs0-arbiter-oc.yml | 1 + .../statefulset_arbiter-rs0-arbiter.yml | 1 + .../arbiter/conf/arbiter-clusterip-rs0.yml | 2 +- e2e-tests/arbiter/conf/arbiter-rs0.yml | 2 +- .../custom-replset-name/conf/some-name.yml | 23 +- .../compare/statefulset_some-name-cfg-oc.yml | 3 + .../compare/statefulset_some-name-cfg.yml | 3 + .../compare/statefulset_some-name-rs0-oc.yml | 3 + .../compare/statefulset_some-name-rs0.yml | 3 + e2e-tests/data-sharded/conf/some-name.yml | 20 +- .../statefulset_my-cluster-name-cfg-oc.yml | 3 + .../statefulset_my-cluster-name-cfg.yml | 3 + .../statefulset_my-cluster-name-rs0-oc.yml | 3 + .../statefulset_my-cluster-name-rs0.yml | 3 + .../compare/statefulset_some-name-rs0.yml | 3 + ...ulset_some-name-rs0_restore_sharded-oc.yml | 1 + ...tefulset_some-name-rs0_restore_sharded.yml | 1 + ...et_some-name-rs0_restore-arbiter-nv-oc.yml | 1 + ...ulset_some-name-rs0_restore-arbiter-nv.yml | 1 + .../statefulset_some-name-rs0_restore-oc.yml | 1 + .../statefulset_some-name-rs0_restore.yml | 1 + .../statefulset_some-name-cfg-4-oc.yml | 3 + .../compare/statefulset_some-name-cfg-oc.yml | 3 + .../compare/statefulset_some-name-cfg.yml | 3 + .../statefulset_some-name-mongos-4-oc.yml | 1 + .../statefulset_some-name-mongos-oc.yml | 1 + ...statefulset_some-name-mongos-secret-oc.yml | 1 + .../statefulset_some-name-mongos-secret.yml | 1 + .../compare/statefulset_some-name-mongos.yml | 1 + 
.../statefulset_some-name-rs0-4-oc.yml | 3 + .../compare/statefulset_some-name-rs0-oc.yml | 3 + .../compare/statefulset_some-name-rs0.yml | 3 + .../compare/statefulset_some-name-rs1-oc.yml | 3 + .../compare/statefulset_some-name-rs1.yml | 3 + .../compare/statefulset_some-name-rs2-oc.yml | 3 + .../compare/statefulset_some-name-rs2.yml | 3 + .../compare/statefulset_some-name-rs0-oc.yml | 3 + .../compare/statefulset_some-name-rs0.yml | 3 + .../statefulset_some-name-cfg-4-oc.yml | 1 + .../compare/statefulset_some-name-cfg-oc.yml | 1 + .../compare/statefulset_some-name-cfg.yml | 1 + .../statefulset_some-name-mongos-4-oc.yml | 1 + .../statefulset_some-name-mongos-oc.yml | 1 + .../compare/statefulset_some-name-mongos.yml | 1 + .../statefulset_some-name-rs0-4-oc.yml | 1 + .../compare/statefulset_some-name-rs0-oc.yml | 1 + .../compare/statefulset_some-name-rs0.yml | 1 + .../statefulset_another-name-rs0-4-oc.yml | 2 +- .../statefulset_another-name-rs0-oc.yml | 2 +- .../compare/statefulset_another-name-rs0.yml | 2 +- .../compare/statefulset_some-name-rs0-oc.yml | 1 + .../compare/statefulset_some-name-rs0.yml | 1 + .../init-deploy/conf/another-name-rs0.yml | 5 +- ...statefulset_no-limits-rs0-increased-oc.yml | 1 + .../statefulset_no-limits-rs0-increased.yml | 1 + .../compare/statefulset_no-limits-rs0-oc.yml | 1 + .../compare/statefulset_no-limits-rs0.yml | 1 + ...no-requests-no-limits-rs0-increased-oc.yml | 1 + ...et_no-requests-no-limits-rs0-increased.yml | 1 + ...atefulset_no-requests-no-limits-rs0-oc.yml | 1 + .../statefulset_no-requests-no-limits-rs0.yml | 1 + ...atefulset_no-requests-rs0-increased-oc.yml | 1 + .../statefulset_no-requests-rs0-increased.yml | 1 + .../statefulset_no-requests-rs0-oc.yml | 1 + .../compare/statefulset_no-requests-rs0.yml | 1 + .../statefulset_liveness-rs0-changed-oc.yml | 3 + .../statefulset_liveness-rs0-changed.yml | 3 + .../compare/statefulset_liveness-rs0-oc.yml | 1 + .../compare/statefulset_liveness-rs0.yml | 1 + 
.../compare/statefulset_monitoring-cfg-oc.yml | 9 +- .../compare/statefulset_monitoring-cfg.yml | 9 +- .../statefulset_monitoring-mongos-oc.yml | 9 +- .../compare/statefulset_monitoring-mongos.yml | 9 +- .../statefulset_monitoring-rs0-no-pmm-oc.yml | 1 + .../statefulset_monitoring-rs0-no-pmm.yml | 1 + .../compare/statefulset_monitoring-rs0-oc.yml | 1 + .../compare/statefulset_monitoring-rs0.yml | 1 + .../monitoring-2-0/conf/monitoring-rs0.yml | 13 +- .../statefulset_nonvoting-rs0-nv-oc.yml | 1 + .../compare/statefulset_nonvoting-rs0-nv.yml | 1 + .../compare/statefulset_one-pod-rs0-oc.yml | 14 +- .../statefulset_one-pod-rs0-secret-oc.yml | 14 +- .../statefulset_one-pod-rs0-secret.yml | 14 +- .../compare/statefulset_one-pod-rs0.yml | 14 +- e2e-tests/one-pod/conf/one-pod-rs0.yml | 3 +- .../statefulset_some-name-cfg-4-oc.yml | 3 + .../compare/statefulset_some-name-cfg-oc.yml | 3 + .../compare/statefulset_some-name-cfg.yml | 3 + .../compare/statefulset_some-name-mongos.yml | 1 + .../statefulset_some-name-rs0-4-oc.yml | 3 + .../compare/statefulset_some-name-rs0-oc.yml | 3 + .../compare/statefulset_some-name-rs0.yml | 3 + .../statefulset_some-name-rs1-4-oc.yml | 3 + .../compare/statefulset_some-name-rs1-oc.yml | 3 + .../compare/statefulset_some-name-rs1.yml | 3 + .../statefulset_some-name-rs2-4-oc.yml | 3 + .../compare/statefulset_some-name-rs2-oc.yml | 3 + .../compare/statefulset_some-name-rs2.yml | 3 + .../statefulset_some-name-cfg-4-oc.yml | 3 + .../compare/statefulset_some-name-cfg-oc.yml | 3 + .../compare/statefulset_some-name-cfg.yml | 3 + .../statefulset_some-name-mongos-oc.yml | 1 + .../compare/statefulset_some-name-mongos.yml | 1 + .../statefulset_some-name-rs0-4-oc.yml | 3 + .../compare/statefulset_some-name-rs0-oc.yml | 3 + .../compare/statefulset_some-name-rs0.yml | 3 + .../statefulset_some-name-rs1-4-oc.yml | 3 + .../compare/statefulset_some-name-rs1-oc.yml | 3 + .../compare/statefulset_some-name-rs1.yml | 3 + .../statefulset_some-name-rs2-4-oc.yml | 3 + 
.../compare/statefulset_some-name-rs2-oc.yml | 3 + .../compare/statefulset_some-name-rs2.yml | 3 + .../compare/statefulset_some-name-rs0-oc.yml | 3 + .../compare/statefulset_some-name-rs0.yml | 3 + .../compare/statefulset_some-name-rs0.yml | 1 + .../conf/some-name-exposed.yml | 1 - .../recover-no-primary/conf/some-name.yml | 1 - .../compare/statefulset_some-name-rs0-oc.yml | 1 + .../compare/statefulset_some-name-rs0.yml | 1 + e2e-tests/scaling/run | 16 +- .../compare/statefulset_some-name-rs0-oc.yml | 3 + .../compare/statefulset_some-name-rs0.yml | 3 + .../statefulset_sec-context-rs0-changed.yml | 3 + .../compare/statefulset_sec-context-rs0.yml | 1 + .../compare/statefulset_cluster-ip-rs0-oc.yml | 3 + .../compare/statefulset_cluster-ip-rs0.yml | 3 + .../statefulset_local-balancer-rs0-oc.yml | 3 + .../statefulset_local-balancer-rs0.yml | 3 + .../compare/statefulset_node-port-rs0-oc.yml | 3 + .../compare/statefulset_node-port-rs0.yml | 3 + .../conf/external.yml | 4 +- .../serviceless-external-nodes/conf/main.yml | 10 +- ...tatefulset_smart-update-rs0-arbiter-oc.yml | 1 + .../statefulset_smart-update-rs0-arbiter.yml | 1 + .../statefulset_smart-update-rs0-oc.yml | 1 + .../compare/statefulset_smart-update-rs0.yml | 1 + .../smart-update/conf/smart-update-rs0.yml | 2 +- .../conf/some-name-3horizons.yml | 1 - .../conf/some-name-5horizons.yml | 1 - e2e-tests/split-horizon/conf/some-name.yml | 1 - .../compare/statefulset_emptydir-rs0-oc.yml | 1 + .../compare/statefulset_emptydir-rs0.yml | 1 + .../compare/statefulset_hostpath-rs0-oc.yml | 1 + .../compare/statefulset_hostpath-rs0.yml | 1 + .../statefulset_some-name-cfg-1160-oc.yml | 1 + .../statefulset_some-name-cfg-1160.yml | 1 + .../statefulset_some-name-rs0-1160-oc.yml | 1 + .../statefulset_some-name-rs0-1160.yml | 1 + .../statefulset_some-name-rs0-1140-oc.yml | 1 + .../statefulset_some-name-rs0-1160-oc.yml | 1 + .../statefulset_some-name-rs0-1160.yml | 1 + ...atefulset_version-service-exact-rs0-oc.yml | 1 + 
.../statefulset_version-service-exact-rs0.yml | 1 + ...tefulset_version-service-latest-rs0-oc.yml | 1 + ...statefulset_version-service-latest-rs0.yml | 1 + ...atefulset_version-service-major-rs0-oc.yml | 1 + .../statefulset_version-service-major-rs0.yml | 1 + ...set_version-service-recommended-rs0-oc.yml | 1 + ...fulset_version-service-recommended-rs0.yml | 1 + ...set_version-service-unreachable-rs0-oc.yml | 1 + ...fulset_version-service-unreachable-rs0.yml | 1 + e2e-tests/version-service/conf/crd.yaml | 15 + pkg/apis/psmdb/v1/psmdb_defaults.go | 115 +++++-- pkg/apis/psmdb/v1/psmdb_defaults_test.go | 2 +- pkg/apis/psmdb/v1/psmdb_types.go | 73 ++++- pkg/apis/psmdb/v1/zz_generated.deepcopy.go | 16 + .../perconaservermongodb/connections.go | 8 +- .../perconaservermongodb/connections_test.go | 2 +- pkg/controller/perconaservermongodb/mgo.go | 10 +- .../perconaservermongodb/psmdb_controller.go | 33 +- pkg/controller/perconaservermongodb/ssl.go | 6 +- .../perconaservermongodb/statefulset.go | 14 +- .../reconcile-statefulset/cfg-arbiter.yaml | 3 + .../reconcile-statefulset/cfg-mongod.yaml | 3 + .../reconcile-statefulset/cfg-nv.yaml | 3 + .../reconcile-statefulset/rs0-arbiter.yaml | 2 + .../reconcile-statefulset/rs0-mongod.yaml | 3 + .../reconcile-statefulset/rs0-nv.yaml | 3 + pkg/psmdb/backup/backup.go | 8 + pkg/psmdb/backup/pbm.go | 6 +- pkg/psmdb/client.go | 8 +- pkg/psmdb/container.go | 22 +- pkg/psmdb/mongos.go | 62 ++-- pkg/psmdb/pmm.go | 8 +- pkg/psmdb/statefulset.go | 36 ++- 195 files changed, 980 insertions(+), 486 deletions(-) diff --git a/build/pbm-entry.sh b/build/pbm-entry.sh index f4f7bd737a..e85e3eaef2 100755 --- a/build/pbm-entry.sh +++ b/build/pbm-entry.sh 
@@ -2,10 +2,12 @@ PBM_MONGODB_URI="mongodb://${PBM_AGENT_MONGODB_USERNAME}:${PBM_AGENT_MONGODB_PASSWORD}@localhost:${PBM_MONGODB_PORT}/?replicaSet=${PBM_MONGODB_REPLSET}" -MONGO_SSL_DIR=/etc/mongodb-ssl -if [[ -f "${MONGO_SSL_DIR}/tls.crt" ]] && [[ -f "${MONGO_SSL_DIR}/tls.key" ]]; then - PBM_MONGODB_URI="${PBM_MONGODB_URI}&tls=true&tlsCertificateKeyFile=%2Ftmp%2Ftls.pem&tlsCAFile=${MONGO_SSL_DIR}%2Fca.crt&tlsInsecure=true" - cat "${MONGO_SSL_DIR}/tls.key" "${MONGO_SSL_DIR}/tls.crt" > /tmp/tls.pem +if [[ -z ${PBM_AGENT_TLS_ENABLED} ]] || [[ ${PBM_AGENT_TLS_ENABLED} == "true" ]]; then + MONGO_SSL_DIR=/etc/mongodb-ssl + if [[ -f "${MONGO_SSL_DIR}/tls.crt" ]] && [[ -f "${MONGO_SSL_DIR}/tls.key" ]]; then + PBM_MONGODB_URI="${PBM_MONGODB_URI}&tls=true&tlsCertificateKeyFile=%2Ftmp%2Ftls.pem&tlsCAFile=${MONGO_SSL_DIR}%2Fca.crt&tlsInsecure=true" + cat "${MONGO_SSL_DIR}/tls.key" "${MONGO_SSL_DIR}/tls.crt" >/tmp/tls.pem + fi fi export PBM_MONGODB_URI diff --git a/build/ps-entry.sh b/build/ps-entry.sh index 142e619faf..0e1f187505 100755 --- a/build/ps-entry.sh +++ b/build/ps-entry.sh @@ -1,5 +1,6 @@ #!/bin/bash set -Eeuo pipefail +set -o xtrace if [ "${1:0:1}" = '-' ]; then set -- mongod "$@" @@ -68,9 +69,9 @@ _mongod_hack_have_arg() { local arg for arg; do case "$arg" in - "$checkArg" | "$checkArg"=*) - return 0 - ;; + "$checkArg" | "$checkArg"=*) + return 0 + ;; esac done return 1 @@ -83,14 +84,14 @@ _mongod_hack_get_arg_val() { local arg="$1" shift case "$arg" in - "$checkArg") - echo "$1" - return 0 - ;; - "$checkArg"=*) - echo "${arg#"$checkArg"=}" - return 0 - ;; + "$checkArg") + echo "$1" + return 0 + ;; + "$checkArg"=*) + echo "${arg#"$checkArg"=}" + return 0 + ;; esac done return 1 
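Review bot: The new guard in pbm-entry.sh treats any value of `PBM_AGENT_TLS_ENABLED` other than the literal `true` as a request to disable TLS, so a value such as `True`, `1` or `yes` silently falls through to a plaintext URI; comparing against `false` instead, `if [[ ${PBM_AGENT_TLS_ENABLED:-true} != "false" ]]; then`, keeps TLS on unless it is explicitly switched off and also tolerates an unset variable should the script ever run under `set -u`. The relocated URI still carries `tlsInsecure=true`, which disables certificate and hostname validation even though a `tlsCAFile` is supplied; that predates this change, but since this hunk now owns the TLS branch it deserves a comment such as `# tlsInsecure=true disables certificate and hostname validation; tlsCAFile is passed but not enforced` so the trade-off is visible to the next reader.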
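Review bot: `set -o xtrace` is added unconditionally right after `set -Eeuo pipefail` in ps-entry.sh, so every command the entrypoint runs is echoed with its fully expanded arguments to the container's stderr for the lifetime of the script. Later in this file the expanded `mongodHackedArgs` and whatever `${mongo[@]}` carries when it runs the initdb scripts are among the values that would be traced; if any of them ever include credentials, they end up in pod logs. This reads like a debugging aid, so either drop the line or gate it on an opt-in variable, e.g. `if [[ -n ${PS_ENTRY_DEBUG:-} ]]; then set -o xtrace; fi` (variable name constructed here).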
@@ -131,14 +132,14 @@ _mongod_hack_ensure_no_arg_val() { local arg="$1" shift case "$arg" in - "$ensureNoArg") - shift # also skip the value - continue - ;; - "$ensureNoArg"=*) - # value is already included - continue - ;; + "$ensureNoArg") + shift # also skip the value + continue + ;; + "$ensureNoArg"=*) + # value is already included + continue + ;; esac mongodHackedArgs+=("$arg") done @@ -282,10 +283,10 @@ if [ "$originalArgOne" = 'mongod' ]; then # if we've got any /docker-entrypoint-initdb.d/* files to parse later, we should initdb for f in /docker-entrypoint-initdb.d/*; do case "$f" in - *.sh | *.js) # this should match the set of files we check for below - shouldPerformInitdb="$f" - break - ;; + *.sh | *.js) # this should match the set of files we check for below + shouldPerformInitdb="$f" + break + ;; esac done fi @@ -321,20 +322,6 @@ if [ "$originalArgOne" = 'mongod' ]; then _mongod_hack_ensure_no_arg_val --replSet "${mongodHackedArgs[@]}" fi - # "BadValue: need sslPEMKeyFile when SSL is enabled" vs "BadValue: need to enable SSL via the sslMode flag when using SSL configuration parameters" - tlsMode='disabled' - if _mongod_hack_have_arg '--tlsCertificateKeyFile' "${mongodHackedArgs[@]}"; then - tlsMode='preferTLS' - elif _mongod_hack_have_arg '--sslPEMKeyFile' "${mongodHackedArgs[@]}"; then - tlsMode='preferSSL' - fi - # 4.2 switched all configuration/flag names from "SSL" to "TLS" - if [ "$tlsMode" = 'preferTLS' ] || mongod --help 2>&1 | grep -q -- ' --tlsMode '; then - _mongod_hack_ensure_arg_val --tlsMode "$tlsMode" "${mongodHackedArgs[@]}" - else - _mongod_hack_ensure_arg_val --sslMode "$tlsMode" "${mongodHackedArgs[@]}" - fi - if stat "/proc/$$/fd/1" >/dev/null && [ -w "/proc/$$/fd/1" ]; then # https://github.com/mongodb/mongo/blob/38c0eb538d0fd390c6cb9ce9ae9894153f6e8ef5/src/mongo/db/initialize_server_global_state.cpp#L237-L251 # https://github.com/docker-library/mongo/issues/164#issuecomment-293965668 
@@ -396,17 +383,17 @@ if [ "$originalArgOne" = 'mongod' ]; then echo for f in /docker-entrypoint-initdb.d/*; do case "$f" in - *.sh) - echo "$0: running $f" - # shellcheck source=/dev/null - . "$f" - ;; - *.js) - echo "$0: running $f" - "${mongo[@]}" "$MONGO_INITDB_DATABASE" "$f" - echo - ;; - *) echo "$0: ignoring $f" ;; + *.sh) + echo "$0: running $f" + # shellcheck source=/dev/null + . "$f" + ;; + *.js) + echo "$0: running $f" + "${mongo[@]}" "$MONGO_INITDB_DATABASE" "$f" + echo + ;; + *) echo "$0: ignoring $f" ;; esac echo done 
@@ -422,76 +409,64 @@ fi if [[ $originalArgOne == mongo* ]]; then mongodHackedArgs=("$@") - MONGO_SSL_DIR=${MONGO_SSL_DIR:-/etc/mongodb-ssl} - CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - if [ -f /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt ]; then - CA=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - fi - if [ -f "${MONGO_SSL_DIR}/ca.crt" ]; then - CA="${MONGO_SSL_DIR}/ca.crt" - fi - LDAP_SSL_DIR=${LDAP_SSL_DIR:-/etc/openldap/certs} - if [ -f "${LDAP_SSL_DIR}/ca.crt" ]; then - echo "TLS_CACERT ${LDAP_SSL_DIR}/ca.crt" >/etc/openldap/ldap.conf - fi - if [ -f "${MONGO_SSL_DIR}/tls.key" ] && [ -f "${MONGO_SSL_DIR}/tls.crt" ]; then - cat "${MONGO_SSL_DIR}/tls.key" "${MONGO_SSL_DIR}/tls.crt" >/tmp/tls.pem - _mongod_hack_ensure_arg_val --sslPEMKeyFile /tmp/tls.pem "${mongodHackedArgs[@]}" - if [ -f "${CA}" ]; then - _mongod_hack_ensure_arg_val --sslCAFile "${CA}" "${mongodHackedArgs[@]}" - fi + + tlsMode="" + # if --tlsMode arg is present, get it + if _mongod_hack_have_arg --tlsMode "${mongodHackedArgs[@]}"; then + tlsMode="$(_mongod_hack_get_arg_val --tlsMode "${mongodHackedArgs[@]}")" fi - MONGO_SSL_INTERNAL_DIR=${MONGO_SSL_INTERNAL_DIR:-/etc/mongodb-ssl-internal} - if [ -f "${MONGO_SSL_INTERNAL_DIR}/tls.key" ] && [ -f "${MONGO_SSL_INTERNAL_DIR}/tls.crt" ]; then - cat "${MONGO_SSL_INTERNAL_DIR}/tls.key" "${MONGO_SSL_INTERNAL_DIR}/tls.crt" >/tmp/tls-internal.pem - _mongod_hack_ensure_arg_val --sslClusterFile /tmp/tls-internal.pem "${mongodHackedArgs[@]}" - if [ -f "${MONGO_SSL_INTERNAL_DIR}/ca.crt" ]; then - _mongod_hack_ensure_arg_val --sslClusterCAFile "${MONGO_SSL_INTERNAL_DIR}/ca.crt" "${mongodHackedArgs[@]}" - fi + + if [[ -z ${tlsMode} ]]; then + # if neither --tlsMode arg or net.tls.mode is present, set it to preferTLS + tlsMode="preferTLS" fi - # don't add --tlsMode if allowUnsafeConfigurations is true + # don't add --tlsMode if TLS is disabled if clusterAuthMode="$(_mongod_hack_get_arg_val --clusterAuthMode 
"${mongodHackedArgs[@]}")"; then if [[ ${clusterAuthMode} != "keyFile" ]]; then - tlsMode="preferSSL" - # if --config arg is present, try to get tlsMode from it - if _parse_config "${mongodHackedArgs[@]}"; then - tlsMode=$(jq -r '.net.tls.mode // "preferSSL"' "${jsonConfigFile}") - fi - _mongod_hack_ensure_arg_val --sslMode "${tlsMode}" "${mongodHackedArgs[@]}" + _mongod_hack_ensure_arg_val --tlsMode "${tlsMode}" "${mongodHackedArgs[@]}" + else + _mongod_hack_ensure_no_arg --sslAllowInvalidCertificates "${mongodHackedArgs[@]}" fi fi - if [ "$MONGODB_VERSION" != 'v4.0' ]; then - - _mongod_hack_rename_arg_save_val --sslMode --tlsMode "${mongodHackedArgs[@]}" - - if _mongod_hack_have_arg '--tlsMode' "${mongodHackedArgs[@]}"; then - tlsMode="none" - if _mongod_hack_have_arg 'allowSSL' "${mongodHackedArgs[@]}"; then - tlsMode='allowTLS' - elif _mongod_hack_have_arg 'preferSSL' "${mongodHackedArgs[@]}"; then - tlsMode='preferTLS' - elif _mongod_hack_have_arg 'requireSSL' "${mongodHackedArgs[@]}"; then - tlsMode='requireTLS' + if [[ ${tlsMode} != "disabled" ]]; then + MONGO_SSL_DIR=${MONGO_SSL_DIR:-/etc/mongodb-ssl} + CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt + if [ -f /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt ]; then + CA=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + fi + if [ -f "${MONGO_SSL_DIR}/ca.crt" ]; then + CA="${MONGO_SSL_DIR}/ca.crt" + fi + if [ -f "${MONGO_SSL_DIR}/tls.key" ] && [ -f "${MONGO_SSL_DIR}/tls.crt" ]; then + cat "${MONGO_SSL_DIR}/tls.key" "${MONGO_SSL_DIR}/tls.crt" >/tmp/tls.pem + _mongod_hack_ensure_arg_val --sslPEMKeyFile /tmp/tls.pem "${mongodHackedArgs[@]}" + if [ -f "${CA}" ]; then + _mongod_hack_ensure_arg_val --sslCAFile "${CA}" "${mongodHackedArgs[@]}" fi - - if [ "$tlsMode" != "none" ]; then - _mongod_hack_ensure_no_arg_val --tlsMode "${mongodHackedArgs[@]}" - _mongod_hack_ensure_arg_val --tlsMode "$tlsMode" "${mongodHackedArgs[@]}" + fi + 
MONGO_SSL_INTERNAL_DIR=${MONGO_SSL_INTERNAL_DIR:-/etc/mongodb-ssl-internal} + if [ -f "${MONGO_SSL_INTERNAL_DIR}/tls.key" ] && [ -f "${MONGO_SSL_INTERNAL_DIR}/tls.crt" ]; then + cat "${MONGO_SSL_INTERNAL_DIR}/tls.key" "${MONGO_SSL_INTERNAL_DIR}/tls.crt" >/tmp/tls-internal.pem + _mongod_hack_ensure_arg_val --sslClusterFile /tmp/tls-internal.pem "${mongodHackedArgs[@]}" + if [ -f "${MONGO_SSL_INTERNAL_DIR}/ca.crt" ]; then + _mongod_hack_ensure_arg_val --sslClusterCAFile "${MONGO_SSL_INTERNAL_DIR}/ca.crt" "${mongodHackedArgs[@]}" fi fi - _mongod_hack_rename_arg_save_val --sslPEMKeyFile --tlsCertificateKeyFile "${mongodHackedArgs[@]}" - if ! _mongod_hack_have_arg '--tlsMode' "${mongodHackedArgs[@]}"; then - if _mongod_hack_have_arg '--tlsCertificateKeyFile' "${mongodHackedArgs[@]}"; then - _mongod_hack_ensure_arg_val --tlsMode "preferTLS" "${mongodHackedArgs[@]}" - fi + LDAP_SSL_DIR=${LDAP_SSL_DIR:-/etc/openldap/certs} + if [ -f "${LDAP_SSL_DIR}/ca.crt" ]; then + echo "TLS_CACERT ${LDAP_SSL_DIR}/ca.crt" >/etc/openldap/ldap.conf fi + fi + + if [ "$MONGODB_VERSION" != 'v4.0' ]; then _mongod_hack_rename_arg '--sslAllowInvalidCertificates' '--tlsAllowInvalidCertificates' "${mongodHackedArgs[@]}" _mongod_hack_rename_arg '--sslAllowInvalidHostnames' '--tlsAllowInvalidHostnames' "${mongodHackedArgs[@]}" _mongod_hack_rename_arg '--sslAllowConnectionsWithoutCertificates' '--tlsAllowConnectionsWithoutCertificates' "${mongodHackedArgs[@]}" _mongod_hack_rename_arg '--sslFIPSMode' '--tlsFIPSMode' "${mongodHackedArgs[@]}" + _mongod_hack_rename_arg '--sslMode' '--tlsMode' "${mongodHackedArgs[@]}" _mongod_hack_rename_arg_save_val --sslPEMKeyPassword --tlsCertificateKeyFilePassword "${mongodHackedArgs[@]}" _mongod_hack_rename_arg_save_val --sslClusterFile --tlsClusterFile "${mongodHackedArgs[@]}" diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml index dcebb01630..257b51b4a2 100644 
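Review bot: The comment `# if neither --tlsMode arg or net.tls.mode is present, set it to preferTLS` no longer describes the code beneath it: the rewritten block reads only the `--tlsMode` argument, the `_parse_config`/`jq` lookup of `net.tls.mode` is removed in this same hunk, and the operator now rejects `net.tls.mode` in custom configuration, so `# default to preferTLS when no --tlsMode argument is given (net.tls.mode in the config file is rejected by the operator)` would be accurate. `# don't add --tlsMode if TLS is disabled` is similarly misleading, since the branch it guards is keyed on `clusterAuthMode` and does pass `--tlsMode disabled` when that is the mode; `# with keyFile cluster auth mongod gets no --tlsMode and the invalid-cert override is stripped` states what actually happens. More substantively, the removed fallback that set `--tlsMode preferTLS` whenever a `--tlsCertificateKeyFile` was present has no replacement, so when `--clusterAuthMode` is absent or `keyFile` the daemon still receives `--sslPEMKeyFile`/`--sslClusterFile` from the `tlsMode != "disabled"` block but no `--tlsMode`, which the comment deleted earlier in this patch ("need to enable SSL via the sslMode flag when using SSL configuration parameters") says mongod rejects; if the operator always supplies `--clusterAuthMode=x509` this is unreachable, otherwise the `_mongod_hack_ensure_arg_val --tlsMode` call belongs outside the `clusterAuthMode` check. The enclosing `if [[ $originalArgOne == mongo* ]]` block and the `MONGODB_VERSION` branch continue past the end of the hunk.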
--- a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml +++ b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml @@ -17309,9 +17309,24 @@ spec: required: - name type: object + mode: + type: string type: object unmanaged: type: boolean + unsafeFlags: + properties: + backupIfUnhealthy: + type: boolean + mongosSize: + type: boolean + replsetSize: + type: boolean + terminationGracePeriod: + type: boolean + tls: + type: boolean + type: object updateStrategy: type: string upgradeOptions: diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml index c7cff63b0b..ac9c00ba27 100644 --- a/deploy/bundle.yaml +++ b/deploy/bundle.yaml @@ -17982,9 +17982,24 @@ spec: required: - name type: object + mode: + type: string type: object unmanaged: type: boolean + unsafeFlags: + properties: + backupIfUnhealthy: + type: boolean + mongosSize: + type: boolean + replsetSize: + type: boolean + terminationGracePeriod: + type: boolean + tls: + type: boolean + type: object updateStrategy: type: string upgradeOptions: diff --git a/deploy/cr-minimal.yaml b/deploy/cr-minimal.yaml index 2545026a9a..a3f9f617da 100644 --- a/deploy/cr-minimal.yaml +++ b/deploy/cr-minimal.yaml @@ -5,7 +5,9 @@ metadata: spec: crVersion: 1.16.0 image: perconalab/percona-server-mongodb-operator:main-mongod6.0 - allowUnsafeConfigurations: true + unsafeFlags: + replsetSize: true + mongosSize: true upgradeOptions: apply: disabled schedule: "0 2 * * *" diff --git a/deploy/cr.yaml b/deploy/cr.yaml index 58379803b9..561d61926a 100644 --- a/deploy/cr.yaml +++ b/deploy/cr.yaml @@ -15,6 +15,7 @@ spec: image: perconalab/percona-server-mongodb-operator:main-mongod7.0 imagePullPolicy: Always # tls: +# mode: preferTLS # # 90 days in hours # certValidityDuration: 2160h # issuerConf: 
@@ -25,7 +26,12 @@ spec: # - name: private-registry-credentials # initImage: perconalab/percona-server-mongodb-operator:main # initContainerSecurityContext: {} - allowUnsafeConfigurations: false +# unsafeFlags: +# tls: false +# replsetSize: false +# mongosSize: false +# terminationGracePeriod: false +# backupIfUnhealthy: false updateStrategy: SmartUpdate # ignoreAnnotations: # - service.beta.kubernetes.io/aws-load-balancer-backend-protocol @@ -71,9 +77,6 @@ spec: # - host: 34.124.76.92 # # for more configuration fields refer to https://docs.mongodb.com/manual/reference/configuration-options/ # configuration: | -# net: -# tls: -# mode: preferTLS # operationProfiling: # mode: slowOp # systemLog: diff --git a/deploy/crd.yaml b/deploy/crd.yaml index 8b7c6f9421..d2f6b5b233 100644 --- a/deploy/crd.yaml +++ b/deploy/crd.yaml @@ -17982,9 +17982,24 @@ spec: required: - name type: object + mode: + type: string type: object unmanaged: type: boolean + unsafeFlags: + properties: + backupIfUnhealthy: + type: boolean + mongosSize: + type: boolean + replsetSize: + type: boolean + terminationGracePeriod: + type: boolean + tls: + type: boolean + type: object updateStrategy: type: string upgradeOptions: diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml index fd866997cb..611df1567a 100644 --- a/deploy/cw-bundle.yaml +++ b/deploy/cw-bundle.yaml @@ -17982,9 +17982,24 @@ spec: required: - name type: object + mode: + type: string type: object unmanaged: type: boolean + unsafeFlags: + properties: + backupIfUnhealthy: + type: boolean + mongosSize: + type: boolean + replsetSize: + type: boolean + terminationGracePeriod: + type: boolean + tls: + type: boolean + type: object updateStrategy: type: string upgradeOptions: diff --git a/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter-oc.yml b/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter-oc.yml index 676337503a..49a02584c1 100644 
--- a/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter-oc.yml +++ b/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter-oc.yml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter.yml b/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter.yml index 962ffddb17..cdc63e0df8 100644 --- a/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter.yml +++ b/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter.yml @@ -12,9 +12,9 @@ metadata: app.kubernetes.io/replset: rs0 name: arbiter-clusterip-rs0-arbiter ownerReferences: - - controller: true - kind: PerconaServerMongoDB - name: arbiter-clusterip + - controller: true + kind: PerconaServerMongoDB + name: arbiter-clusterip spec: podManagementPolicy: OrderedReady replicas: 1 
@@ -42,117 +42,118 @@ spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/instance: arbiter-clusterip - app.kubernetes.io/managed-by: percona-server-mongodb-operator - app.kubernetes.io/name: percona-server-mongodb - app.kubernetes.io/part-of: percona-server-mongodb - app.kubernetes.io/replset: rs0 - topologyKey: kubernetes.io/hostname + - labelSelector: + matchLabels: + app.kubernetes.io/instance: arbiter-clusterip + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + topologyKey: kubernetes.io/hostname containers: - - args: - - --bind_ip_all - - --auth - - --dbpath=/data/db - - --port=27017 - - --replSet=rs0 - - --storageEngine=wiredTiger - - --relaxPermChecks - - --sslAllowInvalidCertificates - - --clusterAuthMode=x509 - - --enableEncryption - - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - - --wiredTigerIndexPrefixCompression=true - - --config=/etc/mongodb-config/mongod.conf - - --quiet - command: - - /opt/percona/ps-entry.sh - env: - - name: SERVICE_NAME - value: arbiter-clusterip - - name: MONGODB_PORT - value: "27017" - - name: MONGODB_REPLSET - value: rs0 - envFrom: - - secretRef: - name: internal-arbiter-users - optional: false - imagePullPolicy: Always - livenessProbe: - exec: - command: - - /opt/percona/mongodb-healthcheck - - k8s - - liveness - - --startupDelaySeconds - - "7200" - failureThreshold: 4 - initialDelaySeconds: 60 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 10 - name: mongod-arbiter - ports: - - containerPort: 27017 - name: mongodb - protocol: TCP - readinessProbe: - exec: - command: - - /opt/percona/mongodb-healthcheck - - k8s - - readiness - - --component - - mongod - failureThreshold: 8 - initialDelaySeconds: 10 - periodSeconds: 3 - successThreshold: 1 - timeoutSeconds: 2 - 
resources: {} - securityContext: - runAsNonRoot: true - runAsUser: 1001 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /data/db - name: mongod-data - - mountPath: /etc/mongodb-secrets - name: arbiter-clusterip-mongodb-keyfile - readOnly: true - - mountPath: /etc/mongodb-ssl - name: ssl - readOnly: true - - mountPath: /etc/mongodb-ssl-internal - name: ssl-internal - readOnly: true - - mountPath: /etc/mongodb-config - name: config - - mountPath: /opt/percona - name: bin - - mountPath: /etc/mongodb-encryption - name: arbiter-clusterip-mongodb-encryption-key - readOnly: true - - mountPath: /etc/users-secret - name: users-secret-file - workingDir: /data/db + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=rs0 + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=x509 + - --tlsMode=preferTLS + - --enableEncryption + - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerIndexPrefixCompression=true + - --config=/etc/mongodb-config/mongod.conf + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: arbiter-clusterip + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: rs0 + envFrom: + - secretRef: + name: internal-arbiter-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod-arbiter + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + failureThreshold: 8 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: 
{} + securityContext: + runAsNonRoot: true + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: arbiter-clusterip-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /etc/mongodb-config + name: config + - mountPath: /opt/percona + name: bin + - mountPath: /etc/mongodb-encryption + name: arbiter-clusterip-mongodb-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db dnsPolicy: ClusterFirst initContainers: - - command: - - /init-entrypoint.sh - imagePullPolicy: Always - name: mongo-init - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /data/db - name: mongod-data - - mountPath: /opt/percona - name: bin + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin restartPolicy: Always schedulerName: default-scheduler securityContext: 
@@ -161,39 +162,39 @@ spec: serviceAccountName: default terminationGracePeriodSeconds: 60 volumes: - - name: arbiter-clusterip-mongodb-keyfile - secret: - defaultMode: 288 - optional: false - secretName: arbiter-clusterip-mongodb-keyfile - - emptyDir: {} - name: bin - - configMap: - defaultMode: 420 - name: arbiter-clusterip-rs0-mongod - optional: true - name: config - - name: arbiter-clusterip-mongodb-encryption-key - secret: - defaultMode: 288 - optional: false - secretName: arbiter-clusterip-mongodb-encryption-key - - name: ssl - secret: - defaultMode: 288 - optional: false - secretName: arbiter-clusterip-ssl - - name: ssl-internal - secret: - defaultMode: 288 - optional: true - secretName: arbiter-clusterip-ssl-internal - - name: users-secret-file - secret: - defaultMode: 420 - secretName: internal-arbiter-users - - emptyDir: {} - name: mongod-data + - name: arbiter-clusterip-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: arbiter-clusterip-mongodb-keyfile + - emptyDir: {} + name: bin + - configMap: + defaultMode: 420 + name: arbiter-clusterip-rs0-mongod + optional: true + name: config + - name: arbiter-clusterip-mongodb-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: arbiter-clusterip-mongodb-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: false + secretName: arbiter-clusterip-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: arbiter-clusterip-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-arbiter-users + - emptyDir: {} + name: mongod-data updateStrategy: rollingUpdate: partition: 0 diff --git a/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter-oc.yml b/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter-oc.yml index 8bac0090c8..f5978efa00 100644 --- a/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter-oc.yml +++ b/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter-oc.yml 
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter.yml b/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter.yml index 60b3cb3f45..3e706c57e4 100644 --- a/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter.yml +++ b/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/arbiter/conf/arbiter-clusterip-rs0.yml b/e2e-tests/arbiter/conf/arbiter-clusterip-rs0.yml index 431e6980dc..3300f95842 100644 --- a/e2e-tests/arbiter/conf/arbiter-clusterip-rs0.yml +++ b/e2e-tests/arbiter/conf/arbiter-clusterip-rs0.yml @@ -23,6 +23,6 @@ spec: resources: requests: storage: 1Gi - size: 2 + size: 4 secrets: users: some-users diff --git a/e2e-tests/arbiter/conf/arbiter-rs0.yml b/e2e-tests/arbiter/conf/arbiter-rs0.yml index 1cc6d859af..6a952e66c4 100644 --- a/e2e-tests/arbiter/conf/arbiter-rs0.yml +++ b/e2e-tests/arbiter/conf/arbiter-rs0.yml @@ -20,6 +20,6 @@ spec: resources: requests: storage: 1Gi - size: 2 + size: 4 secrets: users: some-users diff --git a/e2e-tests/custom-replset-name/conf/some-name.yml b/e2e-tests/custom-replset-name/conf/some-name.yml index 4ac3efb960..a84e91bd85 100644 --- a/e2e-tests/custom-replset-name/conf/some-name.yml +++ b/e2e-tests/custom-replset-name/conf/some-name.yml @@ -3,8 +3,7 @@ kind: PerconaServerMongoDB metadata: name: some-name spec: - crVersion: 1.14.0 - allowUnsafeConfigurations: true + crVersion: 1.16.0 backup: enabled: true image: percona/percona-backup-mongodb:2.0.4 
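Review bot: The `size: 2` → `size: 4` change in e2e-tests/arbiter/conf/arbiter-clusterip-rs0.yml (and the identical hunk in e2e-tests/arbiter/conf/arbiter-rs0.yml) carries no comment on why the replset grows to four data-bearing members rather than the usual three, so a later reader may shrink it again to speed the test up. It looks like an even data-bearing count is chosen so that, with the arbiter enabled (outside this hunk), the set has five voters and passes the replica-set-size check that `allowUnsafeConfigurations` no longer relaxes, but that is inferred from the PR description rather than visible here. A one-line comment on the value would pin the intent: `size: 4 # even count on purpose: the arbiter brings the voting members to 5`.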
@@ -40,10 +39,10 @@ spec: enabled: false replsets: - affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none arbiter: affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none enabled: false size: 1 configuration: | @@ -68,10 +67,10 @@ spec: storage: 2Gi storageClassName: standard-rwo - affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none arbiter: affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none enabled: false size: 1 configuration: | @@ -96,10 +95,10 @@ spec: storage: 2Gi storageClassName: standard-rwo - affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none arbiter: affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none enabled: false size: 1 configuration: | @@ -124,10 +123,10 @@ spec: storage: 2Gi storageClassName: standard-rwo - affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none arbiter: affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none enabled: false size: 1 configuration: | @@ -156,7 +155,7 @@ spec: sharding: configsvrReplSet: affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none configuration: | replication: replSetName: csReplSet @@ -182,7 +181,7 @@ spec: enabled: true mongos: affinity: - antiAffinityTopologyKey: kubernetes.io/hostname + antiAffinityTopologyKey: none expose: exposeType: LoadBalancer serviceAnnotations: diff --git a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg-oc.yml b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg-oc.yml index 6d59f89241..b7b8b72f86 100644 --- a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg-oc.yml 
+++ b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --wiredTigerIndexPrefixCompression=true - --config=/etc/mongodb-config/mongod.conf @@ -166,6 +167,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg.yml b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg.yml index 08a42645f9..6935997d8b 100644 --- a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg.yml +++ b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --wiredTigerIndexPrefixCompression=true - --config=/etc/mongodb-config/mongod.conf @@ -167,6 +168,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0-oc.yml index c8f78de3d4..851fb27e0d 100644 --- a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --wiredTigerCacheSizeGB=0.25 - --wiredTigerIndexPrefixCompression=true 
@@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0.yml b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0.yml index aee92d61d6..307da430d1 100644 --- a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --wiredTigerCacheSizeGB=0.25 - --wiredTigerIndexPrefixCompression=true @@ -174,6 +175,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/data-sharded/conf/some-name.yml b/e2e-tests/data-sharded/conf/some-name.yml index 29570fda43..722828c1c6 100644 --- a/e2e-tests/data-sharded/conf/some-name.yml +++ b/e2e-tests/data-sharded/conf/some-name.yml @@ -6,16 +6,15 @@ spec: #platform: openshift image: imagePullPolicy: Always + + tls: + mode: requireTLS sharding: enabled: true configsvrReplSet: size: 3 - configuration: | - net: - tls: - mode: requireTLS affinity: antiAffinityTopologyKey: none volumeSpec: @@ -26,10 +25,6 @@ spec: mongos: size: 3 - configuration: | - net: - tls: - mode: requireTLS affinity: antiAffinityTopologyKey: none expose: @@ -54,9 +49,6 @@ spec: storage: 1Gi size: 3 configuration: | - net: - tls: - mode: requireTLS operationProfiling: mode: slowOp slowOpThresholdMs: 100 
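Review bot: The first hunk of e2e-tests/data-sharded/conf/some-name.yml moves `net.tls.mode: requireTLS` out of the per-replset `configuration` blocks and into `spec.tls.mode`, but nothing in the file records that the old placement is now rejected, so anyone copying an older test config into this one will only learn that at apply time. A short comment above the new field would save that round-trip: `# TLS mode is cluster-wide; setting net.tls.mode inside a replset's configuration is rejected with "tlsMode must be set using spec.tls.mode"`. The later hunks of this file, which strip the same three lines from the remaining `configuration` blocks, need no separate note.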
@@ -96,9 +88,6 @@ spec: size: 4 configuration: | - net: - tls: - mode: requireTLS operationProfiling: mode: slowOp slowOpThresholdMs: 100 @@ -139,9 +128,6 @@ spec: storage: 1Gi size: 3 configuration: | - net: - tls: - mode: requireTLS operationProfiling: mode: slowOp slowOpThresholdMs: 100 diff --git a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg-oc.yml b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg-oc.yml index b7ca2bdb69..d2b4a54067 100644 --- a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg-oc.yml +++ b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -172,6 +173,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg.yml b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg.yml index 3cd3266b56..a12630b6c2 100644 --- a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg.yml +++ b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} 
diff --git a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0-oc.yml b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0-oc.yml index fbf3354dc5..198c7abe0f 100644 --- a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0-oc.yml +++ b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -172,6 +173,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0.yml b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0.yml index b383582c5d..18b7dbf1e4 100644 --- a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0.yml +++ b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-eks-credentials/compare/statefulset_some-name-rs0.yml b/e2e-tests/demand-backup-eks-credentials/compare/statefulset_some-name-rs0.yml index d07c53bda1..7d0ed280db 100644 --- a/e2e-tests/demand-backup-eks-credentials/compare/statefulset_some-name-rs0.yml 
+++ b/e2e-tests/demand-backup-eks-credentials/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded-oc.yml b/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded-oc.yml index 592393323b..da0c8c96c4 100644 --- a/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded-oc.yml +++ b/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded-oc.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded.yml b/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded.yml index d1c58e81c3..7b9bd4007c 100644 --- a/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded.yml +++ b/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
diff --git a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv-oc.yml b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv-oc.yml index d34afeb210..67124caaec 100644 --- a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv-oc.yml +++ b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv-oc.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv.yml b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv.yml index 5354db15c4..89ca6ec396 100644 --- a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv.yml +++ b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-oc.yml b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-oc.yml index b10633627f..9725456cc9 100644 --- a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-oc.yml +++ b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-oc.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 
diff --git a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore.yml b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore.yml index f3a2709d67..f5a3db62f8 100644 --- a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore.yml +++ b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-4-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-4-oc.yml index 13bd528127..3af5d4247e 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-4-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-4-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -187,6 +188,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-oc.yml index eee1006d14..8cdb41c8c2 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-oc.yml 
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -187,6 +188,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg.yml index ca3a6efa08..468ac78982 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -188,6 +189,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-4-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-4-oc.yml index dcce7ea2f7..ecd7fa2add 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-4-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-4-oc.yml 
@@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-oc.yml index f4c38fc9a8..c4d72dcb2e 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-oc.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret-oc.yml index ca12f13c85..537a44c4ec 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret-oc.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh 
diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret.yml index b5076dc310..884903dcde 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos.yml index d0a28f5b4e..5efe518ab8 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-4-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-4-oc.yml index 964c0ed044..ea31b859d8 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-4-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-4-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-oc.yml index 08be495657..198b29fa59 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0.yml index dda8206eed..24ffe9ab28 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1-oc.yml index 95cffc086e..84bd8fea48 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1.yml index 7ce30320dc..4d7284b8e5 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} 
diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2-oc.yml index 8e16766b46..ad1563ceee 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -185,6 +186,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2.yml index e720b81583..2245d41cf8 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -186,6 +187,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/demand-backup/compare/statefulset_some-name-rs0-oc.yml index 19554d339f..0da2b27db3 100644 --- a/e2e-tests/demand-backup/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/demand-backup/compare/statefulset_some-name-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
@@ -172,6 +173,8 @@ spec:
fieldPath: metadata.name
- name: PBM_MONGODB_URI
value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME)
+ - name: PBM_AGENT_TLS_ENABLED
+ value: "true"
imagePullPolicy: Always
name: backup-agent
resources: {}
diff --git a/e2e-tests/demand-backup/compare/statefulset_some-name-rs0.yml b/e2e-tests/demand-backup/compare/statefulset_some-name-rs0.yml
index d07c53bda1..7d0ed280db 100644
--- a/e2e-tests/demand-backup/compare/statefulset_some-name-rs0.yml
+++ b/e2e-tests/demand-backup/compare/statefulset_some-name-rs0.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
@@ -173,6 +174,8 @@ spec:
fieldPath: metadata.name
- name: PBM_MONGODB_URI
value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME)
+ - name: PBM_AGENT_TLS_ENABLED
+ value: "true"
imagePullPolicy: Always
name: backup-agent
resources: {}
diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-4-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-4-oc.yml
index 047e6f97cf..654bc83396 100644
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-4-oc.yml
+++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-4-oc.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --configsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-oc.yml
index 0301ecece1..33319e5a49 100644
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-oc.yml
+++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-oc.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --configsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg.yml
index 9b61b451f9..3ae11fcc7e 100644
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg.yml
+++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --configsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-4-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-4-oc.yml
index dcce7ea2f7..ecd7fa2add 100644
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-4-oc.yml
+++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-4-oc.yml
@@ -57,6 +57,7 @@ spec:
- cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017
- --relaxPermChecks
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --config=/etc/mongos-config/mongos.conf
command:
- /opt/percona/ps-entry.sh
diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-oc.yml
index e77cc2e9c5..f1e5fec540 100644
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-oc.yml
+++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-oc.yml
@@ -57,6 +57,7 @@ spec:
- cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017
- --relaxPermChecks
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --config=/etc/mongos-config/mongos.conf
command:
- /opt/percona/ps-entry.sh
diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos.yml
index d0a28f5b4e..5efe518ab8 100644
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos.yml
+++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos.yml
@@ -57,6 +57,7 @@ spec:
- cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017
- --relaxPermChecks
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --config=/etc/mongos-config/mongos.conf
command:
- /opt/percona/ps-entry.sh
diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-4-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-4-oc.yml
index 15d59c2e35..a433f7736a 100644
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-4-oc.yml
+++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-4-oc.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --shardsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-oc.yml
index e8c6e1405d..83a28c098a 100644
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-oc.yml
+++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-oc.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --shardsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0.yml
index 2550a475bb..090128105b 100644
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0.yml
+++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --shardsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml
index 26f0f64b0c..b1295156e3 100644
--- a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml
@@ -48,9 +48,9 @@ spec:
- --replSet=rs0
- --storageEngine=wiredTiger
- --relaxPermChecks
- - --sslAllowInvalidCertificates
- --clusterAuthMode=keyFile
- --keyFile=/etc/mongodb-secrets/mongodb-key
+ - --tlsMode=disabled
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml
index 5fc7e8e7e0..e54cd728ac 100644
--- a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml
@@ -48,9 +48,9 @@ spec:
- --replSet=rs0
- --storageEngine=wiredTiger
- --relaxPermChecks
- - --sslAllowInvalidCertificates
- --clusterAuthMode=keyFile
- --keyFile=/etc/mongodb-secrets/mongodb-key
+ - --tlsMode=disabled
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml
index 87c3efe0ec..9b037d3210 100644
--- a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml
@@ -48,9 +48,9 @@ spec:
- --replSet=rs0
- --storageEngine=wiredTiger
- --relaxPermChecks
- - --sslAllowInvalidCertificates
- --clusterAuthMode=keyFile
- --keyFile=/etc/mongodb-secrets/mongodb-key
+ - --tlsMode=disabled
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/init-deploy/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/init-deploy/compare/statefulset_some-name-rs0-oc.yml
index f604f95d57..82ff6c2137 100644
--- a/e2e-tests/init-deploy/compare/statefulset_some-name-rs0-oc.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_some-name-rs0-oc.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/init-deploy/compare/statefulset_some-name-rs0.yml b/e2e-tests/init-deploy/compare/statefulset_some-name-rs0.yml
index b6be680007..c4eed0aa8b 100644
--- a/e2e-tests/init-deploy/compare/statefulset_some-name-rs0.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_some-name-rs0.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/init-deploy/conf/another-name-rs0.yml b/e2e-tests/init-deploy/conf/another-name-rs0.yml
index 54a51b1c1a..08ec9390d4 100644
--- a/e2e-tests/init-deploy/conf/another-name-rs0.yml
+++ b/e2e-tests/init-deploy/conf/another-name-rs0.yml
@@ -6,7 +6,10 @@ spec:
#platform: openshift
image:
imagePullPolicy: Always
- allowUnsafeConfigurations: true
+ unsafeFlags:
+ tls: true
+ tls:
+ mode: disabled
backup:
enabled: false
image: perconalab/percona-server-mongodb-operator:0.4.0-backup
diff --git a/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased-oc.yml b/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased-oc.yml
index d57b291454..e95ca88989 100644
--- a/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased-oc.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased.yml b/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased.yml
index ccc9875c5a..e5c2da81ad 100644
--- a/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased.yml
+++ b/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerIndexPrefixCompression=true
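Review bot: The new `unsafeFlags: tls: true` plus `tls: mode: disabled` pair in e2e-tests/init-deploy/conf/another-name-rs0.yml opts this fixture into a plaintext replica set without recording why, and the matching statefulset_another-name-rs0*.yml compare hunks earlier in the diff now expect `--tlsMode=disabled` with `--sslAllowInvalidCertificates` removed and keyFile cluster auth kept. The deprecated `allowUnsafeConfigurations: true` it replaces implied this silently, so a one-line comment above the new block, such as `# TLS deliberately disabled: this fixture exercises spec.unsafeFlags.tls together with spec.tls.mode=disabled`, keeps the intent visible to whoever next edits the fixture. Per the PR description both keys are required together, since `tls.mode: disabled` on its own is rejected with `TLS must be enabled. Set spec.unsafeFlags.tls to true to disable this check.`; stating that in the comment would explain the otherwise odd-looking duplication of `tls` at two levels. Indentation is lost in this rendering, so the nesting of the two `tls` keys is inferred from the description rather than visible here.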
diff --git a/e2e-tests/limits/compare/statefulset_no-limits-rs0-oc.yml b/e2e-tests/limits/compare/statefulset_no-limits-rs0-oc.yml
index a7f9e112f4..a4040bcb76 100644
--- a/e2e-tests/limits/compare/statefulset_no-limits-rs0-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-limits-rs0-oc.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-limits-rs0.yml b/e2e-tests/limits/compare/statefulset_no-limits-rs0.yml
index 9b36cca74f..3469275b38 100644
--- a/e2e-tests/limits/compare/statefulset_no-limits-rs0.yml
+++ b/e2e-tests/limits/compare/statefulset_no-limits-rs0.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased-oc.yml b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased-oc.yml
index bc65f0f506..3cf2d6073d 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased-oc.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased.yml b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased.yml
index 1d4503ef96..80856789ff 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-oc.yml b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-oc.yml
index bc65f0f506..3cf2d6073d 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-oc.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0.yml b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0.yml
index 1d4503ef96..80856789ff 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased-oc.yml b/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased-oc.yml
index 842586de3c..eb77e5baf8 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased-oc.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased.yml b/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased.yml
index 8453fcedeb..735af1d1cf 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-rs0-oc.yml b/e2e-tests/limits/compare/statefulset_no-requests-rs0-oc.yml
index d6db02e161..88052b9118 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-rs0-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-rs0-oc.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-rs0.yml b/e2e-tests/limits/compare/statefulset_no-requests-rs0.yml
index 87b3bcecc8..84d62e8f7e 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-rs0.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-rs0.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed-oc.yml b/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed-oc.yml
index a064082c68..ed56332cbd 100644
--- a/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed-oc.yml
+++ b/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed-oc.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
@@ -167,6 +168,8 @@ spec:
fieldPath: metadata.name
- name: PBM_MONGODB_URI
value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME)
+ - name: PBM_AGENT_TLS_ENABLED
+ value: "true"
imagePullPolicy: Always
name: backup-agent
resources: {}
diff --git a/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed.yml b/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed.yml
index 089da6e52a..2b864fe03f 100644
--- a/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed.yml
+++ b/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
@@ -168,6 +169,8 @@ spec:
fieldPath: metadata.name
- name: PBM_MONGODB_URI
value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME)
+ - name: PBM_AGENT_TLS_ENABLED
+ value: "true"
imagePullPolicy: Always
name: backup-agent
resources: {}
diff --git a/e2e-tests/liveness/compare/statefulset_liveness-rs0-oc.yml b/e2e-tests/liveness/compare/statefulset_liveness-rs0-oc.yml
index e0d7a49a86..424fe446b0 100644
--- a/e2e-tests/liveness/compare/statefulset_liveness-rs0-oc.yml
+++ b/e2e-tests/liveness/compare/statefulset_liveness-rs0-oc.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/liveness/compare/statefulset_liveness-rs0.yml b/e2e-tests/liveness/compare/statefulset_liveness-rs0.yml
index e6fd371e68..8c5983717a 100644
--- a/e2e-tests/liveness/compare/statefulset_liveness-rs0.yml
+++ b/e2e-tests/liveness/compare/statefulset_liveness-rs0.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg-oc.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg-oc.yml
index 09cd9b8b36..dafd75cbca 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg-oc.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg-oc.yml
@@ -62,11 +62,11 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=requireTLS
- --configsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerIndexPrefixCompression=true
- - --config=/etc/mongodb-config/mongod.conf
- --quiet
command:
- /opt/percona/ps-entry.sh
@@ -136,8 +136,6 @@ spec:
- mountPath: /etc/mongodb-ssl-internal
name: ssl-internal
readOnly: true
- - mountPath: /etc/mongodb-config
- name: config
- mountPath: /opt/percona
name: bin
- mountPath: /etc/mongodb-encryption
@@ -304,11 +302,6 @@ spec:
secretName: monitoring-mongodb-keyfile
- emptyDir: {}
name: bin
- - configMap:
- defaultMode: 420
- name: monitoring-cfg-mongod
- optional: true
- name: config
- name: monitoring-mongodb-encryption-key
secret:
defaultMode: 288
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg.yml
index 8b9fe4a881..348a93a4cb 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg.yml
@@ -62,11 +62,11 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=requireTLS
- --configsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerIndexPrefixCompression=true
- - --config=/etc/mongodb-config/mongod.conf
- --quiet
command:
- /opt/percona/ps-entry.sh
@@ -137,8 +137,6 @@ spec:
- mountPath: /etc/mongodb-ssl-internal
name: ssl-internal
readOnly: true
- - mountPath: /etc/mongodb-config
- name: config
- mountPath: /opt/percona
name: bin
- mountPath: /etc/mongodb-encryption
@@ -306,11 +304,6 @@ spec:
secretName: monitoring-mongodb-keyfile
- emptyDir: {}
name: bin
- - configMap:
- defaultMode: 420
- name: monitoring-cfg-mongod
- optional: true
- name: config
- name: monitoring-mongodb-encryption-key
secret:
defaultMode: 288
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos-oc.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos-oc.yml
index ad3ef583ca..2bed21601e 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos-oc.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos-oc.yml
@@ -57,7 +57,7 @@ spec:
- cfg/monitoring-cfg-0.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017,monitoring-cfg-1.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017,monitoring-cfg-2.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017
- --relaxPermChecks
- --clusterAuthMode=x509
- - --config=/etc/mongos-config/mongos.conf
+ - --tlsMode=requireTLS
command:
- /opt/percona/ps-entry.sh
env:
@@ -139,8 +139,6 @@ spec:
- mountPath: /etc/mongodb-ssl-internal
name: ssl-internal
readOnly: true
- - mountPath: /etc/mongos-config
- name: config
- mountPath: /etc/users-secret
name: users-secret-file
readOnly: true
@@ -325,11 +323,6 @@ spec:
secret:
defaultMode: 420
secretName: internal-monitoring-users
- - configMap:
- defaultMode: 420
- name: monitoring-mongos
- optional: true
- name: config
- emptyDir: {}
name: bin
updateStrategy:
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos.yml
index 9e3c1fb6b6..00843d2602 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos.yml
@@ -57,7 +57,7 @@ spec:
- cfg/monitoring-cfg-0.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017,monitoring-cfg-1.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017,monitoring-cfg-2.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017
- --relaxPermChecks
- --clusterAuthMode=x509
- - --config=/etc/mongos-config/mongos.conf
+ - --tlsMode=requireTLS
command:
- /opt/percona/ps-entry.sh
env:
@@ -140,8 +140,6 @@ spec:
- mountPath: /etc/mongodb-ssl-internal
name: ssl-internal
readOnly: true
- - mountPath: /etc/mongos-config
- name: config
- mountPath: /etc/users-secret
name: users-secret-file
readOnly: true
@@ -327,11 +325,6 @@ spec:
secret:
defaultMode: 420
secretName: internal-monitoring-users
- - configMap:
- defaultMode: 420
- name: monitoring-mongos
- optional: true
- name: config
- emptyDir: {}
name: bin
updateStrategy:
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm-oc.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm-oc.yml
index 0a30e1b483..9dbedd9b3a 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm-oc.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm-oc.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=requireTLS
- --shardsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm.yml
index 9552e93649..f114e457ee 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=requireTLS
- --shardsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-oc.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-oc.yml
index 6afc08c068..d96ea7e79c 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-oc.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-oc.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=requireTLS
- --shardsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0.yml
index 514fbc3942..f9f0e46267 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0.yml
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=requireTLS
- --shardsvr
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/monitoring-2-0/conf/monitoring-rs0.yml b/e2e-tests/monitoring-2-0/conf/monitoring-rs0.yml
index 4a297c13e6..4b79401500 100644
--- a/e2e-tests/monitoring-2-0/conf/monitoring-rs0.yml
+++ b/e2e-tests/monitoring-2-0/conf/monitoring-rs0.yml
@@ -5,6 +5,8 @@ metadata:
spec:
#platform: openshift
image:
+ tls:
+ mode: requireTLS
replsets:
- name: rs0
affinity:
@@ -16,9 +18,6 @@ spec:
storage: 1Gi
size: 3
configuration: |
- net:
- tls:
- mode: requireTLS
operationProfiling:
mode: all
slowOpThresholdMs: 100
@@ -30,10 +29,6 @@ spec:
enabled: true
configsvrReplSet:
size: 3
- configuration: |
- net:
- tls:
- mode: requireTLS
volumeSpec:
persistentVolumeClaim:
resources:
@@ -42,10 +37,6 @@ spec:
mongos:
size: 3
- configuration: |
- net:
- tls:
- mode: requireTLS
affinity:
antiAffinityTopologyKey: "kubernetes.io/hostname"
podDisruptionBudget:
diff --git a/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv-oc.yml b/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv-oc.yml
index abed5cf0c7..d7b82d3be4 100644
--- a/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv-oc.yml
+++ b/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv-oc.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv.yml b/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv.yml
index 735fe8acc6..64b5784ac3 100644
--- a/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv.yml
+++ b/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv.yml
@@ -62,6 +62,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
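Review bot: The monitoring-rs0.yml hunks move `requireTLS` from three per-component `net.tls.mode` settings to a single `spec.tls.mode`, but nothing in the fixture records that the old placement is now an error, so the next edit of a `configuration:` block can reintroduce it and only fail at runtime. Per the PR description the operator rejects `net.tls.mode` inside a custom configuration with `tlsMode must be set using spec.tls.mode`; a comment on the new block, `# TLS mode is cluster-wide; net.tls.mode inside a component configuration is rejected by the operator`, would make that contract visible where it matters. Removing the configsvr and mongos `configuration:` blocks entirely is what drops the `--config` flag and the `config` ConfigMap volume from the monitoring-cfg and monitoring-mongos compare files earlier in the diff, which looks consistent. The `@@ -42,10 +37,6 @@` hunk shows five new-side lines where the header counts six, so a blank context line appears to have been lost in this rendering rather than in the patch.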
diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml
index e1213d7bf3..38bf6d3d57 100644
--- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml
+++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml
@@ -61,8 +61,8 @@ spec:
- --storageEngine=wiredTiger
- --relaxPermChecks
- --sslAllowInvalidCertificates
- - --clusterAuthMode=keyFile
- - --keyFile=/etc/mongodb-secrets/mongodb-key
+ - --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --wiredTigerCacheSizeGB=0.25
- --wiredTigerIndexPrefixCompression=true
- --config=/etc/mongodb-config/mongod.conf
@@ -86,6 +86,12 @@ spec:
- /opt/percona/mongodb-healthcheck
- k8s
- liveness
+ - --ssl
+ - --sslInsecure
+ - --sslCAFile
+ - /etc/mongodb-ssl/ca.crt
+ - --sslPEMKeyFile
+ - /tmp/tls.pem
- --startupDelaySeconds
- "7200"
failureThreshold: 4
@@ -173,6 +179,8 @@ spec:
fieldPath: metadata.name
- name: PBM_MONGODB_URI
value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME)
+ - name: PBM_AGENT_TLS_ENABLED
+ value: "true"
imagePullPolicy: Always
name: backup-agent
resources: {}
@@ -231,7 +239,7 @@ spec:
- name: ssl
secret:
defaultMode: 288
- optional: true
+ optional: false
secretName: one-pod-ssl
- name: ssl-internal
secret:
diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml
index a049e7656e..b99c291809 100644
--- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml
+++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml
@@ -61,8 +61,8 @@ spec:
- --storageEngine=wiredTiger
- --relaxPermChecks
- --sslAllowInvalidCertificates
- - --clusterAuthMode=keyFile
- - --keyFile=/etc/mongodb-secrets/mongodb-key
+ - --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --wiredTigerCacheSizeGB=0.25
- --wiredTigerIndexPrefixCompression=true
- --config=/etc/mongodb-config/mongod.conf
@@ -86,6 +86,12 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4 @@ -173,6 +179,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} @@ -231,7 +239,7 @@ spec: - name: ssl secret: defaultMode: 288 - optional: true + optional: false secretName: one-pod-ssl - name: ssl-internal secret: diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml index ce6baca020..dc3169a016 100644 --- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml +++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml @@ -61,8 +61,8 @@ spec: - --storageEngine=wiredTiger - --relaxPermChecks - --sslAllowInvalidCertificates - - --clusterAuthMode=keyFile - - --keyFile=/etc/mongodb-secrets/mongodb-key + - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --wiredTigerCacheSizeGB=0.25 - --wiredTigerIndexPrefixCompression=true - --config=/etc/mongodb-config/mongod.conf @@ -86,6 +86,12 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4 @@ -174,6 +180,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} @@ -234,7 +242,7 @@ spec: - name: ssl secret: defaultMode: 288 - optional: true + optional: false secretName: one-pod-ssl - name: ssl-internal secret: 
diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml index a25541d188..888e3e1b56 100644 --- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml +++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml @@ -61,8 +61,8 @@ spec: - --storageEngine=wiredTiger - --relaxPermChecks - --sslAllowInvalidCertificates - - --clusterAuthMode=keyFile - - --keyFile=/etc/mongodb-secrets/mongodb-key + - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --wiredTigerCacheSizeGB=0.25 - --wiredTigerIndexPrefixCompression=true - --config=/etc/mongodb-config/mongod.conf @@ -86,6 +86,12 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4 @@ -174,6 +180,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} @@ -234,7 +242,7 @@ spec: - name: ssl secret: defaultMode: 288 - optional: true + optional: false secretName: one-pod-ssl - name: ssl-internal secret: diff --git a/e2e-tests/one-pod/conf/one-pod-rs0.yml b/e2e-tests/one-pod/conf/one-pod-rs0.yml index f616943c3a..78d0f9bc95 100644 --- a/e2e-tests/one-pod/conf/one-pod-rs0.yml +++ b/e2e-tests/one-pod/conf/one-pod-rs0.yml @@ -6,7 +6,8 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true + unsafeFlags: + replsetSize: true secrets: users: some-users pmm: diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-4-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-4-oc.yml index 104fbd90b0..41d891a44e 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-4-oc.yml 
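Review bot: Replacing `allowUnsafeConfigurations: true` with `unsafeFlags: replsetSize: true` in one-pod-rs0.yml silently changes what this scenario covers: the old flag also turned TLS off (the compare fixtures in this same commit move from `--clusterAuthMode=keyFile` to `--clusterAuthMode=x509` / `--tlsMode=preferTLS` and make the ssl secret `optional: false`), so the single-pod cluster is now exercised only with TLS on. If a TLS-disabled single-pod path is still meant to be tested, it now needs the explicit opt-in the commit description introduces (`unsafeFlags.tls: true` together with `spec.tls.mode: disabled`); otherwise a short comment next to the flag, e.g. `# replsetSize: true lets the replset run with a single member; TLS stays enabled`, would record that the coverage shift is intentional.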
+++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-4-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -186,6 +187,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-oc.yml index 104fbd90b0..41d891a44e 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-oc.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -186,6 +187,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg.yml index e63c30682f..1704dd4295 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -187,6 +188,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-mongos.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-mongos.yml index 6a7e58b829..4ac36e6cbc 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-mongos.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-mongos.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS command: - /opt/percona/ps-entry.sh env: diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-4-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-4-oc.yml index 08be495657..198b29fa59 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-4-oc.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-4-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-oc.yml index 08be495657..198b29fa59 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-oc.yml 
+++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0.yml index 8981c5242c..4682000eab 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-4-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-4-oc.yml index 95cffc086e..84bd8fea48 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-4-oc.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-4-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-oc.yml index 1505761460..baeff78d95 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-oc.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1.yml index 7ce30320dc..4d7284b8e5 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} 
diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-4-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-4-oc.yml index 8e16766b46..ad1563ceee 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-4-oc.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-4-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -185,6 +186,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-oc.yml index f797da50fb..47f062d5cb 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-oc.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -183,6 +184,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2.yml index e720b81583..2245d41cf8 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -186,6 +187,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-4-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-4-oc.yml index 13bd528127..3af5d4247e 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-4-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-4-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -187,6 +188,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-oc.yml index eee1006d14..8cdb41c8c2 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -187,6 +188,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg.yml index ca3a6efa08..468ac78982 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -188,6 +189,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos-oc.yml index 3ee7fedf14..f4199e2bf5 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos-oc.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS command: - /opt/percona/ps-entry.sh env: diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos.yml index 4ab05b32f5..33b74f15e2 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos.yml 
+++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS command: - /opt/percona/ps-entry.sh env: diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-4-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-4-oc.yml index 964c0ed044..ea31b859d8 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-4-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-4-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-oc.yml index 08be495657..198b29fa59 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0.yml index dda8206eed..24ffe9ab28 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-4-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-4-oc.yml index 95cffc086e..84bd8fea48 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-4-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-4-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} 
diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-oc.yml index 1505761460..baeff78d95 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1.yml index 7ce30320dc..4d7284b8e5 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-4-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-4-oc.yml index 8e16766b46..ad1563ceee 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-4-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-4-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -185,6 +186,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-oc.yml index f797da50fb..47f062d5cb 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -183,6 +184,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2.yml index e720b81583..2245d41cf8 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -186,6 +187,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/pitr/compare/statefulset_some-name-rs0-oc.yml index 19554d339f..0da2b27db3 100644 --- a/e2e-tests/pitr/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/pitr/compare/statefulset_some-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -172,6 +173,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr/compare/statefulset_some-name-rs0.yml b/e2e-tests/pitr/compare/statefulset_some-name-rs0.yml index d07c53bda1..7d0ed280db 100644 --- a/e2e-tests/pitr/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/pitr/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} 
diff --git a/e2e-tests/pvc-resize/compare/statefulset_some-name-rs0.yml b/e2e-tests/pvc-resize/compare/statefulset_some-name-rs0.yml index b6be680007..c4eed0aa8b 100644 --- a/e2e-tests/pvc-resize/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/pvc-resize/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/recover-no-primary/conf/some-name-exposed.yml b/e2e-tests/recover-no-primary/conf/some-name-exposed.yml index ba85bebf9e..c91f9fb730 100644 --- a/e2e-tests/recover-no-primary/conf/some-name-exposed.yml +++ b/e2e-tests/recover-no-primary/conf/some-name-exposed.yml @@ -6,7 +6,6 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true backup: enabled: false image: perconalab/percona-server-mongodb-operator:0.4.0-backup diff --git a/e2e-tests/recover-no-primary/conf/some-name.yml b/e2e-tests/recover-no-primary/conf/some-name.yml index 0a72109715..bf4f720d83 100644 --- a/e2e-tests/recover-no-primary/conf/some-name.yml +++ b/e2e-tests/recover-no-primary/conf/some-name.yml @@ -6,7 +6,6 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true backup: enabled: false image: perconalab/percona-server-mongodb-operator:main-backup diff --git a/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0-oc.yml index f604f95d57..82ff6c2137 100644 --- a/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0.yml b/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0.yml index b6be680007..c4eed0aa8b 100644 --- a/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/scaling/run b/e2e-tests/scaling/run index f4df06fa7b..9326a1e4eb 100755 --- a/e2e-tests/scaling/run +++ b/e2e-tests/scaling/run @@ -66,12 +66,12 @@ kubectl_bin delete pvc --all sleep 30 -desc 'check scaling on exposed cluster with unsafe config' -cat_config "$conf_dir/$cluster.yml" \ - | yq eval '.spec.allowUnsafeConfigurations=true' \ - | yq eval '.spec.replsets[0].expose.enabled=true' \ - | yq eval '.spec.replsets[0].expose.exposeType="ClusterIP"' \ - | kubectl_bin apply -f - +desc 'check scaling on exposed cluster' +cat_config "$conf_dir/$cluster.yml" | + yq eval '.spec.unsafeFlags.replsetSize=true' | + yq eval '.spec.replsets[0].expose.enabled=true' | + yq eval '.spec.replsets[0].expose.exposeType="ClusterIP"' | + kubectl_bin apply -f - wait_for_running $cluster 3 desc 'check data consistency: write data, read from all' 
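Review bot: The new description string drops the information that the cluster is created with an unsafe flag, while the line right under it still sets `.spec.unsafeFlags.replsetSize=true`; keeping that in the label makes the test log self-explanatory, e.g. `desc 'check scaling on exposed cluster with unsafeFlags.replsetSize'`. The reason the flag is needed is only visible in the next hunk (the scenario later patches the replset size to 1), so a one-line comment above the yq pipeline, such as `# replsetSize is required because the scenario scales the replset down to 1 below`, would help. Unlike the removed `allowUnsafeConfigurations=true`, this flag leaves TLS enabled, so the exposed-cluster scaling path is now run with TLS on; if that shift is intended it is worth stating in the same comment.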
@@ -88,9 +88,7 @@ compare_mongo_cmd "find" "myApp:myPass@$cluster-2.$cluster.$namespace" desc 'scale up from 3 to 1' kubectl_bin patch psmdb ${cluster%%-rs0} \ --type='json' \ - -p='[ - {"op": "replace", "path": "/spec/replsets/0/size", "value": 1} - ]' + -p='[{"op": "replace", "path": "/spec/replsets/0/size", "value": 1}]' desc 'check if Pod deleted' wait_for_delete pod/$cluster-1 wait_for_delete pod/$cluster-2 diff --git a/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0-oc.yml index c5e21ecaa1..4c2b4ef8a4 100644 --- a/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -172,6 +173,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: diff --git a/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0.yml b/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0.yml index cc0d6f3684..945ec3743c 100644 --- a/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 
@@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-rs0-changed.yml b/e2e-tests/security-context/compare/statefulset_sec-context-rs0-changed.yml index 9e25c24821..83f217fa8c 100644 --- a/e2e-tests/security-context/compare/statefulset_sec-context-rs0-changed.yml +++ b/e2e-tests/security-context/compare/statefulset_sec-context-rs0-changed.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-rs0.yml b/e2e-tests/security-context/compare/statefulset_sec-context-rs0.yml index a79f9edc42..418cd9bcd9 100644 --- a/e2e-tests/security-context/compare/statefulset_sec-context-rs0.yml +++ b/e2e-tests/security-context/compare/statefulset_sec-context-rs0.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0-oc.yml b/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0-oc.yml index dc7a9134c4..c8cbb6ac4f 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0-oc.yml 
+++ b/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true @@ -165,6 +166,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0.yml b/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0.yml index d7bee4bd8e..df36e2eee6 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0.yml +++ b/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true @@ -166,6 +167,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0-oc.yml b/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0-oc.yml index 2eaf4d700c..673b027cff 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0-oc.yml +++ b/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true @@ -165,6 +166,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0.yml b/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0.yml index 18f7c35e60..976052c5c0 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0.yml +++ b/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true @@ -166,6 +167,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0-oc.yml b/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0-oc.yml index 84e251fb18..0092629b13 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0-oc.yml +++ b/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true 
@@ -165,6 +166,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0.yml b/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0.yml index 787d584a59..ecbfd0f053 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0.yml +++ b/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true @@ -166,6 +167,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/serviceless-external-nodes/conf/external.yml b/e2e-tests/serviceless-external-nodes/conf/external.yml index f1316139d6..d010398c6f 100644 --- a/e2e-tests/serviceless-external-nodes/conf/external.yml +++ b/e2e-tests/serviceless-external-nodes/conf/external.yml @@ -4,7 +4,9 @@ metadata: name: mydb spec: unmanaged: true - allowUnsafeConfigurations: true + unsafeFlags: + replsetSize: true + mongosSize: true clusterServiceDNSMode: "Internal" image: percona/percona-server-mongodb:6.0.4-3 imagePullPolicy: Always diff --git a/e2e-tests/serviceless-external-nodes/conf/main.yml b/e2e-tests/serviceless-external-nodes/conf/main.yml index 6d42e8255d..6b07bdc59e 100644 --- a/e2e-tests/serviceless-external-nodes/conf/main.yml +++ b/e2e-tests/serviceless-external-nodes/conf/main.yml 
@@ -3,7 +3,9 @@ kind: PerconaServerMongoDB metadata: name: mydb spec: - allowUnsafeConfigurations: true + unsafeFlags: + replsetSize: true + mongosSize: true clusterServiceDNSMode: "Internal" image: percona/percona-server-mongodb:6.0.4-3 imagePullPolicy: Always @@ -64,9 +66,6 @@ spec: requests: storage: 3Gi configuration: | - net: - tls: - mode: preferTLS operationProfiling: mode: slowOp arbiter: @@ -104,9 +103,6 @@ spec: requests: storage: 3Gi configuration: | - net: - tls: - mode: preferTLS operationProfiling: mode: slowOp diff --git a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter-oc.yml b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter-oc.yml index d0497f3542..f05093ad79 100644 --- a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter-oc.yml +++ b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter.yml b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter.yml index ae11f2e553..65a54de870 100644 --- a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter.yml +++ b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-oc.yml b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-oc.yml index 08d7cdc779..4d246b4fb3 100644 --- a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-oc.yml 
+++ b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0.yml b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0.yml index 8338b2eb24..c393cc0e7e 100644 --- a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0.yml +++ b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/smart-update/conf/smart-update-rs0.yml b/e2e-tests/smart-update/conf/smart-update-rs0.yml index 4df627a95e..29a37477fd 100644 --- a/e2e-tests/smart-update/conf/smart-update-rs0.yml +++ b/e2e-tests/smart-update/conf/smart-update-rs0.yml @@ -25,7 +25,7 @@ spec: resources: requests: storage: 1Gi - size: 2 + size: 4 configuration: | operationProfiling: mode: slowOp diff --git a/e2e-tests/split-horizon/conf/some-name-3horizons.yml b/e2e-tests/split-horizon/conf/some-name-3horizons.yml index 576765d9a3..461feb2056 100644 --- a/e2e-tests/split-horizon/conf/some-name-3horizons.yml +++ b/e2e-tests/split-horizon/conf/some-name-3horizons.yml @@ -6,7 +6,6 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true backup: enabled: false image: perconalab/percona-server-mongodb-operator:main-backup diff --git a/e2e-tests/split-horizon/conf/some-name-5horizons.yml b/e2e-tests/split-horizon/conf/some-name-5horizons.yml index 9aac047d35..bccd0892fd 100644 --- a/e2e-tests/split-horizon/conf/some-name-5horizons.yml +++ b/e2e-tests/split-horizon/conf/some-name-5horizons.yml 
@@ -6,7 +6,6 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true backup: enabled: false image: perconalab/percona-server-mongodb-operator:main-backup diff --git a/e2e-tests/split-horizon/conf/some-name.yml b/e2e-tests/split-horizon/conf/some-name.yml index 725d3ccbb8..a0eb8d83f7 100644 --- a/e2e-tests/split-horizon/conf/some-name.yml +++ b/e2e-tests/split-horizon/conf/some-name.yml @@ -6,7 +6,6 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true backup: enabled: false image: perconalab/percona-server-mongodb-operator:main-backup diff --git a/e2e-tests/storage/compare/statefulset_emptydir-rs0-oc.yml b/e2e-tests/storage/compare/statefulset_emptydir-rs0-oc.yml index 553ac00f5b..d7a93ecab0 100644 --- a/e2e-tests/storage/compare/statefulset_emptydir-rs0-oc.yml +++ b/e2e-tests/storage/compare/statefulset_emptydir-rs0-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/storage/compare/statefulset_emptydir-rs0.yml b/e2e-tests/storage/compare/statefulset_emptydir-rs0.yml index eeb87f0c91..d784e9cd61 100644 --- a/e2e-tests/storage/compare/statefulset_emptydir-rs0.yml +++ b/e2e-tests/storage/compare/statefulset_emptydir-rs0.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/storage/compare/statefulset_hostpath-rs0-oc.yml b/e2e-tests/storage/compare/statefulset_hostpath-rs0-oc.yml index 53c3873c48..87d9fab66f 100644 --- a/e2e-tests/storage/compare/statefulset_hostpath-rs0-oc.yml +++ b/e2e-tests/storage/compare/statefulset_hostpath-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/storage/compare/statefulset_hostpath-rs0.yml b/e2e-tests/storage/compare/statefulset_hostpath-rs0.yml index b7b4c5528d..bb99c0780f 100644 --- a/e2e-tests/storage/compare/statefulset_hostpath-rs0.yml +++ b/e2e-tests/storage/compare/statefulset_hostpath-rs0.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160-oc.yml b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160-oc.yml index 11d71a0265..15e67406e5 100644 --- a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160-oc.yml +++ b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160.yml b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160.yml index c259acc2ad..b46ac4a2cd 100644 --- a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160.yml +++ b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160.yml 
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160-oc.yml b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160-oc.yml index 91a63bcf6d..f099c7adb4 100644 --- a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160-oc.yml +++ b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160.yml b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160.yml index 7ab9f1ae65..e214903219 100644 --- a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160.yml +++ b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1140-oc.yml b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1140-oc.yml index 53a9df1a93..ce66079a2a 100644 --- a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1140-oc.yml +++ b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1140-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160-oc.yml b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160-oc.yml index 81463027c5..e4143b394a 100644 --- a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160-oc.yml +++ b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160.yml b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160.yml index 646ad6fc00..e404c58870 100644 --- a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160.yml +++ b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0-oc.yml b/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0-oc.yml index 5d40acd9c5..4bd991796b 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0-oc.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0.yml b/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0.yml index abc5beecef..50c7b60aad 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0-oc.yml b/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0-oc.yml index 1b325c871e..e8a642be34 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0-oc.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0.yml b/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0.yml index 3b728a010b..5da8e5d7e6 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-major-rs0-oc.yml b/e2e-tests/version-service/compare/statefulset_version-service-major-rs0-oc.yml index 396a8fa477..33bdc328f2 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-major-rs0-oc.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-major-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-major-rs0.yml b/e2e-tests/version-service/compare/statefulset_version-service-major-rs0.yml index 86dae7c4e6..334b972a99 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-major-rs0.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-major-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0-oc.yml b/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0-oc.yml index 65e8594be9..dd20eb40f8 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0-oc.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0.yml b/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0.yml index b05b17418c..3e8489f9b0 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0-oc.yml b/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0-oc.yml index dde22f367c..74dbf45cf8 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0-oc.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0.yml b/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0.yml index abec7e3da1..eb556f2366 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0.yml 
@@ -50,6 +50,7 @@ spec:
- --relaxPermChecks
- --sslAllowInvalidCertificates
- --clusterAuthMode=x509
+ - --tlsMode=preferTLS
- --enableEncryption
- --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
- --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/version-service/conf/crd.yaml b/e2e-tests/version-service/conf/crd.yaml
index 8b7c6f9421..d2f6b5b233 100644
--- a/e2e-tests/version-service/conf/crd.yaml
+++ b/e2e-tests/version-service/conf/crd.yaml
@@ -17982,9 +17982,24 @@ spec:
required:
- name
type: object
+ mode:
+ type: string
type: object
unmanaged:
type: boolean
+ unsafeFlags:
+ properties:
+ backupIfUnhealthy:
+ type: boolean
+ mongosSize:
+ type: boolean
+ replsetSize:
+ type: boolean
+ terminationGracePeriod:
+ type: boolean
+ tls:
+ type: boolean
+ type: object
updateStrategy:
type: string
upgradeOptions:
diff --git a/pkg/apis/psmdb/v1/psmdb_defaults.go b/pkg/apis/psmdb/v1/psmdb_defaults.go
index 1be45f8e6e..b7b4200a9a 100644
--- a/pkg/apis/psmdb/v1/psmdb_defaults.go
+++ b/pkg/apis/psmdb/v1/psmdb_defaults.go
@@ -90,6 +90,14 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log
}
}

+ if cr.Spec.TLS.Mode == "" {
+ cr.Spec.TLS.Mode = TLSModePrefer
+ }
+
+ if !cr.TLSEnabled() && !cr.Spec.Unsafe.TLS {
+ return errors.New("TLS must be enabled. Set spec.unsafeFlags.tls to true to disable this check")
+ }
+
if len(cr.Spec.Replsets) == 0 {
cr.Spec.Replsets = []*ReplsetSpec{
{
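Review bot: `cr.Spec.TLS.Mode` is dereferenced through the `TLS *TLSSpec` pointer field of the spec, so a CR that omits `spec.tls` panics here unless that pointer is defaulted earlier in CheckNSetDefaults, outside this hunk; if it is not, add `if cr.Spec.TLS == nil { cr.Spec.TLS = &TLSSpec{} }` before the mode default. Mode is only defaulted, never validated against the four TLSMode constants, so a misspelled value such as `disable` is not caught here and is presumably treated as an enabled mode by TLSEnabled and then surfaces as the `--tlsMode` argument seen in the updated statefulset fixtures; rejecting anything other than the four constants at this point gives the user a readable admission-time error instead of a pod that fails to start. CheckNSetDefaults continues past the end of this hunk.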
@@ -134,13 +142,16 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log
return errors.New("mongos should be specified")
}

- if !cr.Spec.Pause && cr.DeletionTimestamp == nil {
- if !cr.Spec.UnsafeConf && cr.Spec.Sharding.Mongos.Size < minSafeMongosSize {
- log.Info("Safe config set, updating mongos size",
- "oldSize", cr.Spec.Sharding.Mongos.Size, "newSize", minSafeMongosSize)
- cr.Spec.Sharding.Mongos.Size = minSafeMongosSize
+ if cr.CompareVersion("1.16.0") < 0 {
+ if !cr.Spec.Pause && cr.DeletionTimestamp == nil {
+ if !cr.Spec.UnsafeConf && cr.Spec.Sharding.Mongos.Size < minSafeMongosSize {
+ log.Info("Safe config set, updating mongos size",
+ "oldSize", cr.Spec.Sharding.Mongos.Size, "newSize", minSafeMongosSize)
+ cr.Spec.Sharding.Mongos.Size = minSafeMongosSize
+ }
}
}
+
if cr.CompareVersion("1.15.0") >= 0 {
var fsgroup *int64
if platform == version.PlatformKubernetes {
@@ -191,8 +202,7 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log
},
}

- if (cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) ||
- cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf {
+ if cr.TLSEnabled() {
cr.Spec.Sharding.Mongos.LivenessProbe.Exec.Command = append(cr.Spec.Sharding.Mongos.LivenessProbe.Exec.Command,
"--ssl", "--sslInsecure",
"--sslCAFile", "/etc/mongodb-ssl/ca.crt",
@@ -236,8 +246,7 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log
},
}

- if (cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) ||
- cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf {
+ if cr.TLSEnabled() {
cr.Spec.Sharding.Mongos.ReadinessProbe.Exec.Command = append(cr.Spec.Sharding.Mongos.ReadinessProbe.Exec.Command,
"--ssl", "--sslInsecure",
"--sslCAFile", "/etc/mongodb-ssl/ca.crt",
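Review bot: For CRs at 1.16.0 or newer the mongos size safety is gated off by `if cr.CompareVersion("1.16.0") < 0`, but no replacement check against `cr.Spec.Unsafe.MongosSize` appears in this hunk or in the other hunks of this file, so unless it is enforced somewhere outside this diff the new `unsafeFlags.mongosSize` flag declared in psmdb_types.go has no effect and a single-mongos sharded cluster is accepted silently. A check in the same shape as the new replset one would be `if cr.CompareVersion("1.16.0") >= 0 && !cr.Spec.Unsafe.MongosSize && cr.Spec.Sharding.Mongos.Size < minSafeMongosSize { return errors.Errorf("mongos size must be at least %d. Set spec.unsafeFlags.mongosSize to true to disable this check", minSafeMongosSize) }`, placed under the same pause/deletion gate. CheckNSetDefaults continues beyond this hunk.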
@@ -271,7 +280,9 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log
cr.Spec.Sharding.Mongos.ReadinessProbe.FailureThreshold = 3
}

- cr.Spec.Sharding.Mongos.reconcileOpts(cr)
+ if err := cr.Spec.Sharding.Mongos.reconcileOpts(cr); err != nil {
+ return errors.Wrap(err, "reconcile mongos options")
+ }

if err := cr.Spec.Sharding.Mongos.Configuration.SetDefaults(); err != nil {
return errors.Wrap(err, "failed to set configuration defaults")
@@ -364,15 +375,12 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log
Command: []string{"mongodb-healthcheck", "k8s", "liveness"},
}

- if cr.CompareVersion("1.6.0") >= 0 {
- replset.LivenessProbe.Probe.Exec.Command[0] = "/data/db/mongodb-healthcheck"
- if (cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) ||
- cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf {
- replset.LivenessProbe.Probe.Exec.Command = append(replset.LivenessProbe.Probe.Exec.Command,
- "--ssl", "--sslInsecure",
- "--sslCAFile", "/etc/mongodb-ssl/ca.crt",
- "--sslPEMKeyFile", "/tmp/tls.pem")
- }
+ replset.LivenessProbe.Probe.Exec.Command[0] = "/data/db/mongodb-healthcheck"
+ if cr.TLSEnabled() {
+ replset.LivenessProbe.Probe.Exec.Command = append(replset.LivenessProbe.Probe.Exec.Command,
+ "--ssl", "--sslInsecure",
+ "--sslCAFile", "/etc/mongodb-ssl/ca.crt",
+ "--sslPEMKeyFile", "/tmp/tls.pem")
}

if cr.CompareVersion("1.4.0") >= 0 && !replset.LivenessProbe.CommandHas(startupDelaySecondsFlag) {
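Review bot: `cr.TLSEnabled()` replaces a condition that, for CRVersion 1.15.0 objects, honoured `allowUnsafeConfigurations: true` by omitting the `--ssl` probe flags; unless TLSEnabled itself still consults `cr.Spec.UnsafeConf` for pre-1.16.0 CRs (its body is not in this diff), an existing 1.15.0 cluster running without TLS gets a liveness probe that requires it as soon as the operator is upgraded. Dropping the `cr.CompareVersion("1.6.0") >= 0` guard likewise means `Command[0]` is rewritten and the TLS flags are added for every CRVersion, which the commit message does not mention. If the compatibility is handled inside TLSEnabled, a one-line comment at this call site, e.g. `// TLSEnabled honours allowUnsafeConfigurations for CRs older than 1.16.0`, would make that explicit; the same substitution is made in the two mongos probe hunks above and in the NonVoting probe hunk below.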
@@ -568,13 +576,23 @@ func (rs *ReplsetSpec) SetDefaults(platform version.Platform, cr *PerconaServerM
rs.Expose.ExposeType = corev1.ServiceTypeClusterIP
}

- rs.MultiAZ.reconcileOpts(cr)
+ if err := rs.MultiAZ.reconcileOpts(cr); err != nil {
+ return errors.Wrapf(err, "reconcile multiAZ options for replset %s", rs.Name)
+ }

if rs.Arbiter.Enabled {
- rs.Arbiter.MultiAZ.reconcileOpts(cr)
+ if err := rs.Arbiter.MultiAZ.reconcileOpts(cr); err != nil {
+ return errors.Wrapf(err, "reconcile multiAZ options for arbiter in replset %s", rs.Name)
+ }
+ }
+
+ if cr.CompareVersion("1.16.0") >= 0 && cr.DeletionTimestamp == nil && !cr.Spec.Pause {
+ if err := rs.checkSafeDefaults(cr.Spec.Unsafe); err != nil {
+ return errors.Wrap(err, "check safe defaults")
+ }
}

- if !cr.Spec.UnsafeConf && (cr.DeletionTimestamp == nil && !cr.Spec.Pause) {
+ if cr.CompareVersion("1.16.0") < 0 && !cr.Spec.UnsafeConf && (cr.DeletionTimestamp == nil && !cr.Spec.Pause) {
rs.setSafeDefaults(log)
}

@@ -661,7 +679,7 @@ func (nv *NonVotingSpec) SetDefaults(cr *PerconaServerMongoDB, rs *ReplsetSpec)
Command: []string{"/data/db/mongodb-healthcheck", "k8s", "liveness"},
}

- if !cr.Spec.UnsafeConf || cr.CompareVersion("1.15.0") < 0 {
+ if cr.TLSEnabled() {
nv.LivenessProbe.Probe.ProbeHandler.Exec.Command = append(
nv.LivenessProbe.Probe.ProbeHandler.Exec.Command, "--ssl", "--sslInsecure", "--sslCAFile", "/etc/mongodb-ssl/ca.crt", "--sslPEMKeyFile", "/tmp/tls.pem",
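Review bot: The `checkSafeDefaults` call is skipped while the CR is paused or being deleted, and because the `tlsMode must be set using spec.tls.mode` guard lives inside that function, a custom `net.tls.mode` in a replset configuration is only rejected once the cluster is unpaused, long after the spec was applied. The replset-size checks reasonably keep the old pause/deletion gate, since they mirror the mutating path they replace, but the TLS-mode conflict is a static spec error and could be checked unconditionally for 1.16.0+, e.g. `if mode, err := rs.Configuration.GetTLSMode(); err != nil || mode != "" { return ... }` outside the gate. Note also that this branch now returns an error where the old path silently corrected sizes, so a previously accepted even-sized replset fails reconciliation after upgrade to CRVersion 1.16.0; SetDefaults continues past this hunk.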
@@ -762,19 +780,66 @@ func (rs *ReplsetSpec) setSafeDefaults(log logr.Logger) {
}
}

-func (m *MultiAZ) reconcileOpts(cr *PerconaServerMongoDB) {
+func (rs *ReplsetSpec) checkSafeDefaults(unsafe UnsafeFlags) error {
+ if !unsafe.ReplsetSize {
+ if rs.Arbiter.Enabled {
+ if rs.Arbiter.Size != 1 {
+ return errors.New("arbiter size must be 1. Set spec.unsafeFlags.replsetSize to true to disable this check")
+ }
+ if rs.Size < minSafeReplicasetSizeWithArbiter {
+ return errors.Errorf("replset size must be at least %d with arbiter. Set spec.unsafeFlags.replsetSize to true to disable this check", minSafeReplicasetSizeWithArbiter)
+ }
+ if rs.Size%2 != 0 {
+ return errors.New("arbiter must disabled due to odd replset size. Set spec.unsafeFlags.replsetSize to true to disable this check")
+ }
+ } else {
+ if rs.Size < 2 {
+ return errors.Errorf("replset size must be at least %d. Set spec.unsafeFlags.replsetSize to true to disable this check", defaultMongodSize)
+ }
+ if rs.Size%2 == 0 {
+ return errors.New("replset size must be odd. 
Set spec.unsafeFlags.replsetSize to true to disable this check")
+ }
+ }
+ }
+
+ mode, err := rs.Configuration.GetTLSMode()
+ if err != nil {
+ return errors.Wrap(err, "get tls mode")
+ }
+
+ if mode != "" {
+ return errors.New("tlsMode must be set using spec.tls.mode")
+ }
+
+ return nil
+}
+
+func (m *MultiAZ) reconcileOpts(cr *PerconaServerMongoDB) error {
m.reconcileAffinityOpts(cr)
m.reconcileTopologySpreadConstraints(cr)
if cr.CompareVersion("1.15.0") >= 0 {
- if m.TerminationGracePeriodSeconds == nil || (!cr.Spec.UnsafeConf && *m.TerminationGracePeriodSeconds < 30) {
+ if m.TerminationGracePeriodSeconds == nil {
+ m.TerminationGracePeriodSeconds = new(int64)
+ *m.TerminationGracePeriodSeconds = 60
+ }
+ }
+ if cr.CompareVersion("1.15.0") == 0 {
+ if !cr.Spec.UnsafeConf && *m.TerminationGracePeriodSeconds < 30 {
m.TerminationGracePeriodSeconds = new(int64)
*m.TerminationGracePeriodSeconds = 60
}
}
+ if cr.CompareVersion("1.16.0") >= 0 {
+ if *m.TerminationGracePeriodSeconds < 30 && !cr.Spec.Unsafe.TerminationGracePeriod {
+ return errors.New("terminationGracePeriodSeconds must be at least 30 seconds for safe configuration. Set spec.unsafeFlags.terminationGracePeriod to true to disable this check")
+ }
+ }
if m.PodDisruptionBudget == nil {
defaultMaxUnavailable := intstr.FromInt(1)
m.PodDisruptionBudget = &PodDisruptionBudgetSpec{MaxUnavailable: &defaultMaxUnavailable}
}
+
+ return nil
}

var affinityValidTopologyKeys = map[string]struct{}{
diff --git a/pkg/apis/psmdb/v1/psmdb_defaults_test.go b/pkg/apis/psmdb/v1/psmdb_defaults_test.go
index 2f350a326c..00410a2411 100644
--- a/pkg/apis/psmdb/v1/psmdb_defaults_test.go
+++ b/pkg/apis/psmdb/v1/psmdb_defaults_test.go
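Review bot: In checkSafeDefaults the non-arbiter branch tests `rs.Size < 2` but reports `defaultMongodSize` in its message, so unless that constant happens to be 2 the threshold and the advice disagree, and a size of 2 passes this check only to be rejected by the odd-size check below with a different message; use one constant for both, e.g. `if rs.Size < defaultMongodSize {`. The arbiter message `arbiter must disabled due to odd replset size` is missing "be". The custom-config TLS-mode guard at the end of the function is applied only to `rs.Configuration`; `cr.Spec.Sharding.Mongos.Configuration`, whose SetDefaults is called in an earlier hunk, gets no equivalent check in this diff, so a `net.tls.mode` set in the mongos configuration would still bypass `spec.tls.mode` unless it is validated elsewhere. In reconcileOpts the 1.15.0 and 1.16.0 branches dereference `*m.TerminationGracePeriodSeconds`, which is safe only because the `>= 1.15.0` branch just above guarantees it is non-nil; a short comment on the `== 0` branch, `// non-nil: defaulted above for every CRVersion >= 1.15.0`, would keep a future reorder from turning that into a nil dereference.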
@@ -226,7 +226,7 @@ func TestSetSafeDefault(t *testing.T) { cr := &api.PerconaServerMongoDB{ ObjectMeta: metav1.ObjectMeta{Name: "psmdb-mock", Namespace: "psmdb"}, Spec: api.PerconaServerMongoDBSpec{ - CRVersion: version.Version, + CRVersion: "1.15.0", Replsets: []*api.ReplsetSpec{{Name: "rs0", Size: 3}, {Name: "rs1", Size: 3}}, Sharding: api.Sharding{Enabled: true, Mongos: &api.MongosSpec{Size: 3}}, }, diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go index b2f5133a91..ebfe042673 100644 --- a/pkg/apis/psmdb/v1/psmdb_types.go +++ b/pkg/apis/psmdb/v1/psmdb_types.go @@ -73,6 +73,7 @@ type PerconaServerMongoDBSpec struct { Image string `json:"image"` ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"` UnsafeConf bool `json:"allowUnsafeConfigurations,omitempty"` + Unsafe UnsafeFlags `json:"unsafeFlags,omitempty"` IgnoreLabels []string `json:"ignoreLabels,omitempty"` IgnoreAnnotations []string `json:"ignoreAnnotations,omitempty"` Replsets []*ReplsetSpec `json:"replsets,omitempty"` @@ -92,7 +93,25 @@ type PerconaServerMongoDBSpec struct { TLS *TLSSpec `json:"tls,omitempty"` } +type UnsafeFlags struct { + TLS bool `json:"tls,omitempty"` + ReplsetSize bool `json:"replsetSize,omitempty"` + MongosSize bool `json:"mongosSize,omitempty"` + TerminationGracePeriod bool `json:"terminationGracePeriod,omitempty"` + BackupIfUnhealthy bool `json:"backupIfUnhealthy,omitempty"` +} + +type TLSMode string + +const ( + TLSModeDisabled TLSMode = "disabled" + TLSModeAllow TLSMode = "allowTLS" + TLSModePrefer TLSMode = "preferTLS" + TLSModeRequire TLSMode = "requireTLS" +) + type TLSSpec struct { + Mode TLSMode `json:"mode,omitempty"` CertValidityDuration metav1.Duration `json:"certValidityDuration,omitempty"` IssuerConf *cmmeta.ObjectReference `json:"issuerConf,omitempty"` } 
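Review bot: UnsafeFlags, TLSMode, its four constants and TLSSpec.Mode are exported without doc comments, and Mode has no value validation, so an unrecognized mode passes admission; other hunks of this commit then treat it as TLS-enabled and hand it to mongod verbatim as `--tlsMode=<value>`. If the CRDs under deploy/ are generated from these types, a `// +kubebuilder:validation:Enum=disabled;allowTLS;preferTLS;requireTLS` marker on Mode rejects it at the API server instead. A one-line comment per UnsafeFlags field naming the check it disables (e.g. `// TLS allows spec.tls.mode=disabled`) would make the contract explicit to readers of the type.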
@@ -423,6 +442,35 @@ func (conf MongoConfiguration) GetOptions(name string) (map[interface{}]interfac return options, nil } +func (conf MongoConfiguration) GetTLSMode() (string, error) { + m, err := conf.GetOptions("net") + if err != nil || m == nil { + return "", err + } + + tls, ok := m["tls"] + if !ok { + return "", nil + } + + tlsMap, ok := tls.(map[any]any) + if !ok { + return "", errors.New("tls configuration is invalid") + } + + tlsMode, ok := tlsMap["mode"] + if !ok { + return "", nil + } + + mode, ok := tlsMode.(string) + if !ok { + return "", errors.Errorf("can't cast %s to string", mode) + } + + return mode, nil +} + // IsEncryptionEnabled returns nil if "enableEncryption" field is not specified or the pointer to the value of this field func (conf MongoConfiguration) IsEncryptionEnabled() (*bool, error) { m, err := conf.GetOptions("security") @@ -1038,10 +1086,14 @@ func (cr *PerconaServerMongoDB) CanBackup(ctx context.Context) error { return nil } - if !cr.Spec.UnsafeConf { + if cr.CompareVersion("1.15.0") <= 0 && !cr.Spec.UnsafeConf { return errors.Errorf("allowUnsafeConfigurations must be true to run backup on cluster with status %s", cr.Status.State) } + if cr.CompareVersion("1.16.0") >= 0 && !cr.Spec.Unsafe.BackupIfUnhealthy { + return errors.Errorf("spec.unsafeFlags.backupIfUnhealthy must be true to run backup on cluster with status %s", cr.Status.State) + } + for rsName, rs := range cr.Status.Replsets { if rs.Ready < int32(1) { return errors.New(rsName + " has no ready nodes") 
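Review bot: In GetTLSMode the failed type assertion reports `mode`, which is the zero value the assertion just produced, so the message always reads "can't cast  to string"; format the original value instead, `return "", errors.Errorf("can't cast %v (%T) to string", tlsMode, tlsMode)`. In CanBackup the two guards are `CompareVersion("1.15.0") <= 0` and `CompareVersion("1.16.0") >= 0`, so a CRVersion strictly between them, if any is ever set, may back up an unhealthy cluster with no flag at all; an `else` on the first condition would close that gap. CanBackup's body continues outside the hunk.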
@@ -1136,6 +1188,25 @@ func (cr *PerconaServerMongoDB) GetOrderedFinalizers() []string { return orderedFinalizers } +func (cr *PerconaServerMongoDB) TLSEnabled() bool { + if cr.CompareVersion("1.16.0") < 0 { + return !cr.Spec.UnsafeConf + } + + switch cr.Spec.TLS.Mode { + case TLSModeDisabled: + return false + case TLSModeAllow, TLSModePrefer, TLSModeRequire: + return true + default: + return true + } +} + +func (cr *PerconaServerMongoDB) UnsafeTLSDisabled() bool { + return (cr.CompareVersion("1.16.0") >= 0 && cr.Spec.Unsafe.TLS) || (cr.CompareVersion("1.16.0") < 0 && cr.Spec.UnsafeConf) +} + const ( AnnotationResyncPBM = "percona.com/resync-pbm" AnnotationPVCResizeInProgress = "percona.com/pvc-resize-in-progress" diff --git a/pkg/apis/psmdb/v1/zz_generated.deepcopy.go b/pkg/apis/psmdb/v1/zz_generated.deepcopy.go index 92ddd2a707..bb20b14515 100644 --- a/pkg/apis/psmdb/v1/zz_generated.deepcopy.go +++ b/pkg/apis/psmdb/v1/zz_generated.deepcopy.go @@ -1213,6 +1213,7 @@ func (in *PerconaServerMongoDBSpec) DeepCopyInto(out *PerconaServerMongoDBSpec) *out = make([]corev1.LocalObjectReference, len(*in)) copy(*out, *in) } + out.Unsafe = in.Unsafe if in.IgnoreLabels != nil { in, out := &in.IgnoreLabels, &out.IgnoreLabels *out = make([]string, len(*in)) @@ -1613,6 +1614,21 @@ func (in *TLSSpec) DeepCopy() *TLSSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UnsafeFlags) DeepCopyInto(out *UnsafeFlags) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UnsafeFlags. +func (in *UnsafeFlags) DeepCopy() *UnsafeFlags { + if in == nil { + return nil + } + out := new(UnsafeFlags) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UpgradeOptions) DeepCopyInto(out *UpgradeOptions) { *out = *in 
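Review bot: TLSEnabled reads `cr.Spec.TLS.Mode` without a nil check while TLS is declared `*TLSSpec` in this commit, so a 1.16.0+ CR whose TLS section has not been defaulted yet would panic the reconciler. If the defaults pass guarantees the pointer, say so in a comment; otherwise add `if cr.Spec.TLS == nil { return true }` before the switch, which matches the fail-closed `default` branch. The explicit `case TLSModeAllow, TLSModePrefer, TLSModeRequire:` and `default:` both return true, so keep them separate only if the default is meant as the catch-all for invalid modes, and write that down. Both new exported methods need doc comments stating which spec fields decide the answer for pre- and post-1.16.0 CRs.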
diff --git a/pkg/controller/perconaservermongodb/connections.go b/pkg/controller/perconaservermongodb/connections.go index 4522583a13..76d1d7d779 100644 --- a/pkg/controller/perconaservermongodb/connections.go +++ b/pkg/controller/perconaservermongodb/connections.go @@ -15,7 +15,7 @@ import ( type MongoClientProvider interface { Mongo(ctx context.Context, cr *api.PerconaServerMongoDB, rs api.ReplsetSpec, role api.UserRole) (mongo.Client, error) Mongos(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole) (mongo.Client, error) - Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string) (mongo.Client, error) + Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string, tlsEnabled bool) (mongo.Client, error) } func (r *ReconcilePerconaServerMongoDB) MongoClientProvider() MongoClientProvider { @@ -47,13 +47,13 @@ func (p *mongoClientProvider) Mongos(ctx context.Context, cr *api.PerconaServerM return psmdb.MongosClient(ctx, p.k8sclient, cr, c) } -func (p *mongoClientProvider) Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string) (mongo.Client, error) { +func (p *mongoClientProvider) Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string, tlsEnabled bool) (mongo.Client, error) { c, err := getInternalCredentials(ctx, p.k8sclient, cr, role) if err != nil { return nil, errors.Wrap(err, "failed to get credentials") } - return psmdb.StandaloneClient(ctx, p.k8sclient, cr, c, host) + return psmdb.StandaloneClient(ctx, p.k8sclient, cr, c, host, tlsEnabled) } func (r *ReconcilePerconaServerMongoDB) mongoClientWithRole(ctx context.Context, cr *api.PerconaServerMongoDB, rs api.ReplsetSpec, role api.UserRole) (mongo.Client, error) { 
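Review bot: The new `tlsEnabled` parameter on MongoClientProvider.Standalone duplicates what `cr.TLSEnabled()` already provides, and the only visible caller passes exactly that, so the reason for the override is not evident from the interface. A doc comment on the interface method, e.g. `// Standalone dials a single host directly; tlsEnabled overrides the cluster-wide TLS setting for this connection.`, would state the contract callers are expected to honor.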
@@ -69,5 +69,5 @@ func (r *ReconcilePerconaServerMongoDB) standaloneClientWithRole(ctx context.Con
 if err != nil {
 return nil, errors.Wrap(err, "failed to get mongo host")
 }
- return r.MongoClientProvider().Standalone(ctx, cr, role, host)
+ return r.MongoClientProvider().Standalone(ctx, cr, role, host, cr.TLSEnabled())
 }
diff --git a/pkg/controller/perconaservermongodb/connections_test.go b/pkg/controller/perconaservermongodb/connections_test.go
index 10ac5177dd..d5bfd60433 100644
--- a/pkg/controller/perconaservermongodb/connections_test.go
+++ b/pkg/controller/perconaservermongodb/connections_test.go
@@ -377,7 +377,7 @@ func (g *fakeMongoClientProvider) Mongos(ctx context.Context, cr *api.PerconaSer
 fakeClient := mongoFake.NewClient()
 return &fakeMongoClient{pods: g.pods, cr: g.cr, connectionCount: g.connectionCount, Client: fakeClient}, nil
 }
-func (g *fakeMongoClientProvider) Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string) (mongo.Client, error) {
+func (g *fakeMongoClientProvider) Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string, tlsEnabled bool) (mongo.Client, error) {
 *g.connectionCount++
 fakeClient := mongoFake.NewClient()
diff --git a/pkg/controller/perconaservermongodb/mgo.go b/pkg/controller/perconaservermongodb/mgo.go
index d32733ab66..872468ab62 100644
--- a/pkg/controller/perconaservermongodb/mgo.go
+++ b/pkg/controller/perconaservermongodb/mgo.go
@@ -237,7 +237,13 @@ func (r *ReconcilePerconaServerMongoDB) reconcileCluster(ctx context.Context, cr func (r *ReconcilePerconaServerMongoDB) updateConfigMembers(ctx context.Context, cli mongo.Client, cr *api.PerconaServerMongoDB, rs *api.ReplsetSpec) (int, error) { log := logf.FromContext(ctx) // Primary with a Secondary and an Arbiter (PSA) - unsafePSA := cr.Spec.UnsafeConf && rs.Arbiter.Enabled && rs.Arbiter.Size == 1 && !rs.NonVoting.Enabled && rs.Size == 2 + unsafePSA := false + + if cr.CompareVersion("1.15.0") <= 0 { + unsafePSA = cr.Spec.UnsafeConf && rs.Arbiter.Enabled && rs.Arbiter.Size == 1 && !rs.NonVoting.Enabled && rs.Size == 2 + } else { + unsafePSA = cr.Spec.Unsafe.ReplsetSize && rs.Arbiter.Enabled && rs.Arbiter.Size == 1 && !rs.NonVoting.Enabled && rs.Size == 2 + } pods, err := psmdb.GetRSPods(ctx, r.client, cr, rs.Name) if err != nil { @@ -583,7 +589,7 @@ func (r *ReconcilePerconaServerMongoDB) handleReplsetInit(ctx context.Context, c mongoCmd = "mongo" } - if !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { mongoCmd += " --tls --tlsCertificateKeyFile /tmp/tls.pem --tlsAllowInvalidCertificates --tlsCAFile /etc/mongodb-ssl/ca.crt" } diff --git a/pkg/controller/perconaservermongodb/psmdb_controller.go b/pkg/controller/perconaservermongodb/psmdb_controller.go index 176e281244..311e81c3ef 100644 --- a/pkg/controller/perconaservermongodb/psmdb_controller.go +++ b/pkg/controller/perconaservermongodb/psmdb_controller.go 
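Review bot: `unsafePSA := false` followed by an if/else that assigns in both branches repeats the four-term PSA condition twice, with only the flag differing, so the two copies can drift. Compute the topology once, `psa := rs.Arbiter.Enabled && rs.Arbiter.Size == 1 && !rs.NonVoting.Enabled && rs.Size == 2`, then derive `unsafePSA := psa && cr.Spec.Unsafe.ReplsetSize`, substituting `cr.Spec.UnsafeConf` for the `CompareVersion("1.15.0") <= 0` case. updateConfigMembers continues outside the hunk.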
@@ -350,12 +350,10 @@ func (r *ReconcilePerconaServerMongoDB) Reconcile(ctx context.Context, request r } } - if !cr.Spec.UnsafeConf { - err = r.reconsileSSL(ctx, cr) - if err != nil { - err = errors.Errorf(`TLS secrets handler: "%v". Please create your TLS secret `+cr.Spec.Secrets.SSL+` manually or setup cert-manager correctly`, err) - return reconcile.Result{}, err - } + err = r.reconcileSSL(ctx, cr) + if err != nil { + err = errors.Errorf(`TLS secrets handler: "%v". Please create your TLS secret `+cr.Spec.Secrets.SSL+` manually or setup cert-manager correctly`, err) + return reconcile.Result{}, err } internalKey := psmdb.InternalKey(cr) @@ -1180,16 +1178,18 @@ func (r *ReconcilePerconaServerMongoDB) reconcileMongosStatefulset(ctx context.C return errors.Wrapf(err, "create template spec for mongos") } - sslAnn, err := r.sslAnnotation(ctx, cr) - if err != nil { - return errors.Wrap(err, "failed to get ssl annotations") - } - if templateSpec.Annotations == nil { - templateSpec.Annotations = make(map[string]string) - } + if cr.TLSEnabled() { + sslAnn, err := r.sslAnnotation(ctx, cr) + if err != nil { + return errors.Wrap(err, "failed to get ssl annotations") + } + if templateSpec.Annotations == nil { + templateSpec.Annotations = make(map[string]string) + } - for k, v := range sslAnn { - templateSpec.Annotations[k] = v + for k, v := range sslAnn { + templateSpec.Annotations[k] = v + } } secret := new(corev1.Secret) @@ -1348,9 +1348,6 @@ func (r *ReconcilePerconaServerMongoDB) sslAnnotation(ctx context.Context, cr *a } func (r *ReconcilePerconaServerMongoDB) getTLSHash(ctx context.Context, cr *api.PerconaServerMongoDB, secretName string) (string, error) { - if cr.Spec.UnsafeConf { - return "", nil - } secretObj := corev1.Secret{} err := r.client.Get(ctx, types.NamespacedName{ diff --git a/pkg/controller/perconaservermongodb/ssl.go b/pkg/controller/perconaservermongodb/ssl.go index 3a647773ca..6232b85954 100644 --- a/pkg/controller/perconaservermongodb/ssl.go 
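Review bot: Dropping the `UnsafeConf` early return from getTLSHash means it now always fetches the TLS secret, which this commit makes optional on the pod volumes when TLS is disabled; the two statefulset callers changed here are gated by `cr.TLSEnabled()`, but any other caller (not visible in this diff) would turn a legitimately missing secret into a reconcile error. A guard inside the helper, `if !cr.TLSEnabled() { return "", nil }`, keeps it safe regardless of call site. The body of getTLSHash continues outside the hunk.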
+++ b/pkg/controller/perconaservermongodb/ssl.go @@ -14,7 +14,11 @@ import ( "github.com/percona/percona-server-mongodb-operator/pkg/psmdb/tls" ) -func (r *ReconcilePerconaServerMongoDB) reconsileSSL(ctx context.Context, cr *api.PerconaServerMongoDB) error { +func (r *ReconcilePerconaServerMongoDB) reconcileSSL(ctx context.Context, cr *api.PerconaServerMongoDB) error { + if !cr.TLSEnabled() { + return nil + } + secretObj := corev1.Secret{} secretInternalObj := corev1.Secret{} errSecret := r.client.Get(ctx, diff --git a/pkg/controller/perconaservermongodb/statefulset.go b/pkg/controller/perconaservermongodb/statefulset.go index 768decd3a8..54fbfea3f0 100644 --- a/pkg/controller/perconaservermongodb/statefulset.go +++ b/pkg/controller/perconaservermongodb/statefulset.go @@ -114,12 +114,14 @@ func (r *ReconcilePerconaServerMongoDB) getStatefulsetFromReplset(ctx context.Co sfs.Labels = sfsSpec.Template.Labels sfs.Spec = sfsSpec - sslAnn, err := r.sslAnnotation(ctx, cr) - if err != nil { - return nil, errors.Wrap(err, "failed to get ssl annotations") - } - for k, v := range sslAnn { - sfsSpec.Template.Annotations[k] = v + if cr.TLSEnabled() { + sslAnn, err := r.sslAnnotation(ctx, cr) + if err != nil { + return nil, errors.Wrap(err, "failed to get ssl annotations") + } + for k, v := range sslAnn { + sfsSpec.Template.Annotations[k] = v + } } return sfs, nil diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-arbiter.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-arbiter.yaml index 61ee0960c5..a9d9da30d0 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-arbiter.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-arbiter.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
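Review bot: reconcileSSL now returns nil silently for a TLS-disabled cluster, and the early return has no comment saying that this is the deliberate replacement for the `!cr.Spec.UnsafeConf` gate that used to live in Reconcile. A line such as `// TLS is disabled via spec.tls.mode (or allowUnsafeConfigurations on pre-1.16.0 CRs); no secrets to manage` makes the intent clear, and it is worth stating whether previously issued secrets are intentionally left in place when a cluster flips to disabled. The function continues outside the hunk.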
@@ -182,6 +183,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" image: perconalab/percona-server-mongodb-operator:main-backup imagePullPolicy: Always name: backup-agent diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-mongod.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-mongod.yaml index 61ee0960c5..a9d9da30d0 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-mongod.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-mongod.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -182,6 +183,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" image: perconalab/percona-server-mongodb-operator:main-backup imagePullPolicy: Always name: backup-agent diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-nv.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-nv.yaml index 61ee0960c5..a9d9da30d0 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-nv.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-nv.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -182,6 +183,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" image: perconalab/percona-server-mongodb-operator:main-backup imagePullPolicy: Always name: backup-agent diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-arbiter.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-arbiter.yaml index f28e2657bc..def9845aaf 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-arbiter.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-arbiter.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -129,6 +130,7 @@ spec: securityContext: runAsNonRoot: true runAsUser: 1001 + topologySpreadConstraints: null volumeMounts: - mountPath: /data/db name: mongod-data diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-mongod.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-mongod.yaml index 084cd6a559..3827372650 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-mongod.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-mongod.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -182,6 +183,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" image: perconalab/percona-server-mongodb-operator:main-backup imagePullPolicy: Always name: backup-agent diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-nv.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-nv.yaml index 544f493eb5..00e3260dd9 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-nv.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-nv.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -181,6 +182,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" image: perconalab/percona-server-mongodb-operator:main-backup imagePullPolicy: Always name: backup-agent diff --git a/pkg/psmdb/backup/backup.go b/pkg/psmdb/backup/backup.go index 44d0fec75a..6e95dc0937 100644 --- a/pkg/psmdb/backup/backup.go +++ b/pkg/psmdb/backup/backup.go @@ -2,6 +2,7 @@ package backup import ( "context" + "strings" "github.com/pkg/errors" client "sigs.k8s.io/controller-runtime/pkg/client" 
@@ -43,6 +44,10 @@ func NewRestoreJob(cr *api.PerconaServerMongoDBRestore) Job {
 return j
 }
+func IsPBMNotConfiguredError(err error) bool {
+ return strings.Contains(err.Error(), "mongo: no documents in result")
+}
+
 // HasActiveJobs returns true if there are running backups or restores
 // in given cluster and namespace
 func HasActiveJobs(ctx context.Context, newPBMFunc NewPBMFunc, cl client.Client, cluster *api.PerconaServerMongoDB, current Job, allowLock ...LockHeaderPredicate) (bool, error) {
@@ -97,6 +102,9 @@ func HasActiveJobs(ctx context.Context, newPBMFunc NewPBMFunc, cl client.Client,
 pbm, err := newPBMFunc(ctx, cl, cluster)
 if err != nil {
+ if IsPBMNotConfiguredError(err) {
+ return false, nil
+ }
 return false, errors.Wrap(err, "getting PBM object")
 }
 defer pbm.Close(ctx)
diff --git a/pkg/psmdb/backup/pbm.go b/pkg/psmdb/backup/pbm.go
index ceeacd86f5..c91e56fda1 100644
--- a/pkg/psmdb/backup/pbm.go
+++ b/pkg/psmdb/backup/pbm.go
@@ -84,7 +84,7 @@ type PBM interface {
 Node(ctx context.Context) (string, error)
 }
-func getMongoUri(ctx context.Context, k8sclient client.Client, cr *api.PerconaServerMongoDB, addrs []string) (string, error) {
+func getMongoUri(ctx context.Context, k8sclient client.Client, cr *api.PerconaServerMongoDB, addrs []string, tlsEnabled bool) (string, error) {
 usersSecretName := api.UserSecretName(cr)
 scr, err := getSecret(ctx, k8sclient, cr.Namespace, usersSecretName)
 if err != nil {
@@ -97,7 +97,7 @@ func getMongoUri(ctx context.Context, k8sclient client.Client, cr *api.PerconaSe
 strings.Join(addrs, ","),
 )
- if cr.Spec.UnsafeConf {
+ if !tlsEnabled {
 return murl, nil
 }
@@ -163,7 +163,7 @@ func NewPBM(ctx context.Context, c client.Client, cluster *api.PerconaServerMong
 return nil, errors.Wrap(err, "get replset addrs")
 }
- murl, err := getMongoUri(ctx, c, cluster, addrs)
+ murl, err := getMongoUri(ctx, c, cluster, addrs, cluster.TLSEnabled())
 if err != nil {
 return nil, errors.Wrap(err, "get mongo uri")
 }
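Review bot: IsPBMNotConfiguredError matches on error text and calls `err.Error()` unguarded, so a nil argument panics and any upstream rewording silently disables the detection HasActiveJobs now depends on. If the error returned by newPBMFunc keeps the driver's sentinel in its chain, `return err != nil && errors.Is(err, mongo.ErrNoDocuments)` is the robust form; if the chain is lost on the way, keep the substring match but add the nil guard and a comment naming where the text comes from. The `return false, nil` in HasActiveJobs also deserves a line such as `// PBM is not configured yet, so no backup or restore can be running`, since it converts what looks like a connectivity failure into "no active jobs".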
diff --git a/pkg/psmdb/client.go b/pkg/psmdb/client.go index 6be6fe3ed0..31b4959045 100644 --- a/pkg/psmdb/client.go +++ b/pkg/psmdb/client.go @@ -50,7 +50,7 @@ func MongoClient(ctx context.Context, k8sclient client.Client, cr *api.PerconaSe Password: c.Password, } - if !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { tlsCfg, err := tls.Config(ctx, k8sclient, cr) if err != nil { return nil, errors.Wrap(err, "failed to get TLS config") @@ -73,7 +73,7 @@ func MongosClient(ctx context.Context, k8sclient client.Client, cr *api.PerconaS Password: c.Password, } - if !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { tlsCfg, err := tls.Config(ctx, k8sclient, cr) if err != nil { return nil, errors.Wrap(err, "failed to get TLS config") @@ -85,7 +85,7 @@ func MongosClient(ctx context.Context, k8sclient client.Client, cr *api.PerconaS return mongo.Dial(&conf) } -func StandaloneClient(ctx context.Context, k8sclient client.Client, cr *api.PerconaServerMongoDB, c Credentials, host string) (mongo.Client, error) { +func StandaloneClient(ctx context.Context, k8sclient client.Client, cr *api.PerconaServerMongoDB, c Credentials, host string, tlsEnabled bool) (mongo.Client, error) { conf := mongo.Config{ Hosts: []string{host}, Username: c.Username, @@ -93,7 +93,7 @@ func StandaloneClient(ctx context.Context, k8sclient client.Client, cr *api.Perc Direct: true, } - if !cr.Spec.UnsafeConf { + if tlsEnabled { tlsCfg, err := tls.Config(ctx, k8sclient, cr) if err != nil { return nil, errors.Wrap(err, "failed to get TLS config") diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go index 5fe925fcf6..d32fd24718 100644 --- a/pkg/psmdb/container.go +++ b/pkg/psmdb/container.go @@ -181,7 +181,6 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a "--replSet=" + replset.Name, "--storageEngine=" + string(replset.Storage.Engine), "--relaxPermChecks", - "--sslAllowInvalidCertificates", } name, err := replset.CustomReplsetName() 
@@ -189,16 +188,25 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a args[4] = "--replSet=" + name } - if cr.Spec.UnsafeConf { + if cr.TLSEnabled() { + args = append(args, "--sslAllowInvalidCertificates") + if cr.Spec.TLS.Mode == api.TLSModeAllow { + args = append(args, + "--clusterAuthMode=keyFile", + "--keyFile="+mongodSecretsDir+"/mongodb-key", + ) + } else { + args = append(args, "--clusterAuthMode=x509") + } + } else if cr.UnsafeTLSDisabled() { args = append(args, "--clusterAuthMode=keyFile", "--keyFile="+mongodSecretsDir+"/mongodb-key", ) - } else { - if cr.CompareVersion("1.12.0") <= 0 { - args = append(args, "--sslMode=preferSSL") - } - args = append(args, "--clusterAuthMode=x509") + } + + if cr.CompareVersion("1.16.0") >= 0 { + args = append(args, "--tlsMode="+string(cr.Spec.TLS.Mode)) } // sharding diff --git a/pkg/psmdb/mongos.go b/pkg/psmdb/mongos.go index a07d1bd10c..4e9b9e1b69 100644 --- a/pkg/psmdb/mongos.go +++ b/pkg/psmdb/mongos.go @@ -174,12 +174,7 @@ func mongosContainer(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgInstan Name: "mongos", Image: cr.Spec.Image, ImagePullPolicy: cr.Spec.ImagePullPolicy, - Args: mongosContainerArgs( - cr, - cr.Spec.Sharding.Mongos.Resources, - useConfigFile, - cfgInstances, - ), + Args: mongosContainerArgs(cr, useConfigFile, cfgInstances), Ports: []corev1.ContainerPort{ { Name: mongosPortName, @@ -232,7 +227,7 @@ func mongosContainer(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgInstan return container, nil } -func mongosContainerArgs(cr *api.PerconaServerMongoDB, resources corev1.ResourceRequirements, useConfigFile bool, cfgInstances []string) []string { +func mongosContainerArgs(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgInstances []string) []string { msSpec := cr.Spec.Sharding.Mongos cfgRs := cr.Spec.Sharding.ConfigsvrReplSet 
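Review bot: With spec.tls.mode=allowTLS the member authentication drops from x509 to the shared key file, and `--sslAllowInvalidCertificates` is now emitted whenever TLS is on; neither decision is explained in the hunk, and the first is a security-relevant choice operators should be able to read. A comment above the branch, e.g. `// allowTLS lets members talk in plaintext, so x509 cluster auth cannot be relied on; use the key file instead` (if that is the reasoning), would capture it. The `--sslMode=preferSSL` argument for CRVersion <= 1.12.0 is removed with nothing taking its place, because `--tlsMode` is only appended for >= 1.16.0; confirm this is intended for those older CRs. A CR that is neither TLSEnabled nor UnsafeTLSDisabled now gets no `--clusterAuthMode` at all, which is presumably unreachable because checkSafeDefaults rejects it, and a one-line comment saying so would save the next reader the trace.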
@@ -259,16 +254,19 @@ func mongosContainerArgs(cr *api.PerconaServerMongoDB, resources corev1.Resource ) } - if cr.Spec.UnsafeConf { + if cr.TLSEnabled() { + args = append(args, + "--clusterAuthMode=x509", + ) + } else if (cr.CompareVersion("1.16.0") >= 0 && cr.Spec.Unsafe.TLS) || (cr.CompareVersion("1.16.0") < 0 && cr.Spec.UnsafeConf) { args = append(args, "--clusterAuthMode=keyFile", "--keyFile="+mongodSecretsDir+"/mongodb-key", ) - } else { - if cr.CompareVersion("1.12.0") <= 0 { - args = append(args, "--sslMode=preferSSL") - } - args = append(args, "--clusterAuthMode=x509") + } + + if cr.CompareVersion("1.16.0") >= 0 { + args = append(args, "--tlsMode="+string(cr.Spec.TLS.Mode)) } if msSpec.SetParameter != nil { @@ -306,7 +304,7 @@ func volumes(cr *api.PerconaServerMongoDB, configSource VolumeSourceType) []core VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ SecretName: cr.Spec.Secrets.SSL, - Optional: &cr.Spec.UnsafeConf, + Optional: &fvar, DefaultMode: &secretFileMode, }, }, 
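Review bot: The `else if` condition `(cr.CompareVersion("1.16.0") >= 0 && cr.Spec.Unsafe.TLS) || (cr.CompareVersion("1.16.0") < 0 && cr.Spec.UnsafeConf)` is exactly the body of the `UnsafeTLSDisabled()` method this commit adds and containerArgs already calls; write `} else if cr.UnsafeTLSDisabled() {` so the mongod and mongos builders cannot diverge. As in containerArgs, `--sslMode=preferSSL` for CRVersion <= 1.12.0 disappears and CRs before 1.16.0 receive no TLS mode argument, which should be confirmed as intended. mongosContainerArgs continues outside the hunk.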
@@ -371,25 +369,29 @@ func volumes(cr *api.PerconaServerMongoDB, configSource VolumeSourceType) []core }) } - if cr.CompareVersion("1.16.0") >= 0 && cr.Spec.Secrets.LDAPSecret != "" { - volumes = append(volumes, []corev1.Volume{ - { - Name: LDAPTLSVolClaimName, - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: cr.Spec.Secrets.LDAPSecret, - Optional: &tvar, - DefaultMode: &secretFileMode, + if cr.CompareVersion("1.16.0") >= 0 { + if cr.Spec.Secrets.LDAPSecret != "" { + volumes = append(volumes, []corev1.Volume{ + { + Name: LDAPTLSVolClaimName, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: cr.Spec.Secrets.LDAPSecret, + Optional: &tvar, + DefaultMode: &secretFileMode, + }, }, }, - }, - { - Name: LDAPConfVolClaimName, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, + { + Name: LDAPConfVolClaimName, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, }, - }, - }...) + }...) + } + + volumes[1].VolumeSource.Secret.Optional = &cr.Spec.Unsafe.TLS } return volumes diff --git a/pkg/psmdb/pmm.go b/pkg/psmdb/pmm.go index ce5144df82..cd8921cfe0 100644 --- a/pkg/psmdb/pmm.go +++ b/pkg/psmdb/pmm.go @@ -170,7 +170,7 @@ func PMMContainer(cr *api.PerconaServerMongoDB, secret *corev1.Secret, customAdm pmm.Env = append(pmm.Env, pmmAgentEnvs(spec, secret, customLogin, customAdminParams)...) } - if cr.CompareVersion("1.13.0") >= 0 && !cr.Spec.UnsafeConf { + if cr.CompareVersion("1.13.0") >= 0 { pmm.VolumeMounts = []corev1.VolumeMount{ { Name: "ssl", 
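Review bot: `volumes[1].VolumeSource.Secret.Optional = &cr.Spec.Unsafe.TLS` patches the SSL secret volume by its position in the slice, which breaks silently the moment a volume is inserted ahead of it; set Optional where that volume is constructed instead. That construction now uses `Optional: &fvar`, and if fvar is false as the name suggests, the SSL secret becomes mandatory for pre-1.16.0 CRs running with allowUnsafeConfigurations, for which this commit creates no secret, so those mongos pods would never mount. The mongod StatefulSet in this same commit keeps `Optional: &cr.Spec.UnsafeConf` and overrides it only for 1.16.0+; mirroring that pattern here removes both issues. The volumes function continues outside the hunk.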
@@ -293,11 +293,13 @@ func pmmAgentEnvs(spec api.PMMSpec, secret *corev1.Secret, customLogin bool, cus } func PMMAgentScript(cr *api.PerconaServerMongoDB) []corev1.EnvVar { + // handle disabled TLS + pmmServerArgs := "$(PMM_ADMIN_CUSTOM_PARAMS) --skip-connection-check --metrics-mode=push " pmmServerArgs += " --username=$(DB_USER) --password=$(DB_PASSWORD) --cluster=$(CLUSTER_NAME) " pmmServerArgs += "--service-name=$(PMM_AGENT_SETUP_NODE_NAME) --host=$(DB_HOST) --port=$(DB_PORT)" - if cr.CompareVersion("1.13.0") >= 0 && !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { tlsParams := []string{ "--tls", "--tls-skip-verify", @@ -314,7 +316,7 @@ func PMMAgentScript(cr *api.PerconaServerMongoDB) []corev1.EnvVar { pmmAnnotate := "pmm-admin annotate --service-name=$(PMM_AGENT_SETUP_NODE_NAME) 'Service restarted'" prerunScript := pmmWait + "\n" + pmmAddService + "\n" + pmmAnnotate - if cr.CompareVersion("1.13.0") >= 0 && !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { prepareTLS := fmt.Sprintf("cat %[1]s/tls.key %[1]s/tls.crt > /tmp/tls.pem;", SSLDir) prerunScript = prepareTLS + "\n" + prerunScript } diff --git a/pkg/psmdb/statefulset.go b/pkg/psmdb/statefulset.go index 27c2306b5b..ab8fbc1072 100644 --- a/pkg/psmdb/statefulset.go +++ b/pkg/psmdb/statefulset.go 
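Review bot: The comment `// handle disabled TLS` at the top of PMMAgentScript is followed by a blank line and attaches to nothing; either drop it or move it onto the `if cr.TLSEnabled() {` branches it refers to. Replacing `cr.CompareVersion("1.13.0") >= 0 && !cr.Spec.UnsafeConf` with `cr.TLSEnabled()` also starts emitting the `--tls` parameters and the tls.pem preparation for CRs older than 1.13.0, which never received them before; if that is intended it should be stated, otherwise keep the guard as `if cr.CompareVersion("1.13.0") >= 0 && cr.TLSEnabled() {` in both places. PMMAgentScript continues outside the hunk.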
@@ -169,19 +169,24 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap volumeClaimTemplates := []corev1.PersistentVolumeClaim{} + sslVolume := corev1.Volume{ + Name: "ssl", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: cr.Spec.Secrets.SSL, + Optional: &cr.Spec.UnsafeConf, + DefaultMode: &secretFileMode, + }, + }, + } + if cr.CompareVersion("1.16.0") >= 0 { + sslVolume.VolumeSource.Secret.Optional = &cr.Spec.Unsafe.TLS + } + // add TLS/SSL Volume t := true volumes = append(volumes, - corev1.Volume{ - Name: "ssl", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: cr.Spec.Secrets.SSL, - Optional: &cr.Spec.UnsafeConf, - DefaultMode: &secretFileMode, - }, - }, - }, + sslVolume, corev1.Volume{ Name: "ssl-internal", VolumeSource: corev1.VolumeSource{ @@ -253,7 +258,7 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap if name, err := replset.CustomReplsetName(); err == nil { rsName = name } - containers = append(containers, backupAgentContainer(cr, rsName)) + containers = append(containers, backupAgentContainer(cr, rsName, cr.TLSEnabled())) } pmmC := AddPMMContainer(ctx, cr, usersSecret, cr.Spec.PMM.MongodParams) @@ -319,7 +324,7 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap const agentContainerName = "backup-agent" // backupAgentContainer creates the container object for a backup agent -func backupAgentContainer(cr *api.PerconaServerMongoDB, replsetName string) corev1.Container { +func backupAgentContainer(cr *api.PerconaServerMongoDB, replsetName string, tlsEnabled bool) corev1.Container { fvar := false usersSecretName := api.UserSecretName(cr) 
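Review bot: The `// add TLS/SSL Volume` comment now sits below the volume it describes, next to `t := true`; move it above `sslVolume := corev1.Volume{`. The assign-then-override of Optional is easy to misread as a leftover, so annotate the override, e.g. `// 1.16.0+: allowUnsafeConfigurations is deprecated; spec.unsafeFlags.tls decides whether the secret may be absent`. StatefulSpec continues outside the hunk.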
@@ -424,6 +429,13 @@ func backupAgentContainer(cr *api.PerconaServerMongoDB, replsetName string) core }...) } + if cr.CompareVersion("1.16.0") >= 0 { + c.Env = append(c.Env, corev1.EnvVar{ + Name: "PBM_AGENT_TLS_ENABLED", + Value: strconv.FormatBool(tlsEnabled), + }) + } + return c }