K8SPSMDB-780: Unsafe improvements #1504
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Comment on lines
+72
to
+73
| "$checkArg" | "$checkArg"=*) | ||
| return 0 | ||
| ;; |
There was a problem hiding this comment.
[shfmt] reported by reviewdog 🐶
Suggested change
| "$checkArg" | "$checkArg"=*) | |
| return 0 | |
| ;; | |
| "$checkArg" | "$checkArg"=*) | |
| return 0 | |
| ;; |
Comment on lines
+87
to
+93
| "$checkArg") | ||
| echo "$1" | ||
| return 0 | ||
| ;; | ||
| "$checkArg"=*) | ||
| echo "${arg#"$checkArg"=}" | ||
| return 0 | ||
| ;; |
There was a problem hiding this comment.
[shfmt] reported by reviewdog 🐶
Suggested change
| "$checkArg") | |
| echo "$1" | |
| return 0 | |
| ;; | |
| "$checkArg"=*) | |
| echo "${arg#"$checkArg"=}" | |
| return 0 | |
| ;; | |
| "$checkArg") | |
| echo "$1" | |
| return 0 | |
| ;; | |
| "$checkArg"=*) | |
| echo "${arg#"$checkArg"=}" | |
| return 0 | |
| ;; |
Comment on lines
+135
to
+141
| "$ensureNoArg") | ||
| shift # also skip the value | ||
| continue | ||
| ;; | ||
| "$ensureNoArg"=*) | ||
| # value is already included | ||
| continue | ||
| ;; |
There was a problem hiding this comment.
[shfmt] reported by reviewdog 🐶
Suggested change
| "$ensureNoArg") | |
| shift # also skip the value | |
| continue | |
| ;; | |
| "$ensureNoArg"=*) | |
| # value is already included | |
| continue | |
| ;; | |
| "$ensureNoArg") | |
| shift # also skip the value | |
| continue | |
| ;; | |
| "$ensureNoArg"=*) | |
| # value is already included | |
| continue | |
| ;; |
Comment on lines
+286
to
+288
| *.sh | *.js) # this should match the set of files we check for below | ||
| shouldPerformInitdb="$f" | ||
| break | ||
| ;; |
There was a problem hiding this comment.
[shfmt] reported by reviewdog 🐶
Suggested change
| *.sh | *.js) # this should match the set of files we check for below | |
| shouldPerformInitdb="$f" | |
| break | |
| ;; | |
| *.sh | *.js) # this should match the set of files we check for below | |
| shouldPerformInitdb="$f" | |
| break | |
| ;; |
Comment on lines
+386
to
+395
| *.sh) | ||
| echo "$0: running $f" | ||
| # shellcheck source=/dev/null | ||
| . "$f" | ||
| ;; | ||
| *.js) | ||
| echo "$0: running $f" | ||
| "${mongo[@]}" "$MONGO_INITDB_DATABASE" "$f" | ||
| echo | ||
| ;; | ||
| *) echo "$0: ignoring $f" ;; |
There was a problem hiding this comment.
[shfmt] reported by reviewdog 🐶
Suggested change
| *.sh) | |
| echo "$0: running $f" | |
| # shellcheck source=/dev/null | |
| . "$f" | |
| ;; | |
| *.js) | |
| echo "$0: running $f" | |
| "${mongo[@]}" "$MONGO_INITDB_DATABASE" "$f" | |
| echo | |
| ;; | |
| *) echo "$0: ignoring $f" ;; | |
| *.sh) | |
| echo "$0: running $f" | |
| # shellcheck source=/dev/null | |
| . "$f" | |
| ;; | |
| *.js) | |
| echo "$0: running $f" | |
| "${mongo[@]}" "$MONGO_INITDB_DATABASE" "$f" | |
| echo | |
| ;; | |
| *) echo "$0: ignoring $f" ;; |
egegunes
force-pushed
the
K8SPSMDB-780
branch
2 times, most recently
from
10ecc42 to
52ddcce
Compare
These changes attempt to fix the overloaded `allowUnsafeConfigurations`
flag.
In previous implementation, `allowUnsafeConfigurations` wasn't just
allow unsafe configuration but make everything unsafe by disabling TLS,
allowing backups in unhealthy clusters, etc... without user's explicit
intent.
With these changes, we decouple those things from the unsafe flag and
remove all implicit behaviors. We introduce a new section called
`unsafeFlags`:
```
unsafeFlags:
tls: false
replsetSize: false
mongosSize: false
terminationGracePeriod: false
backupIfUnhealthy: false
```
Starting from `v1.16.0`, `allowUnsafeConfigurations` is deprecated and
won't have any affect.
**TLS Mode**
This decoupling required a special attention to the TLS configuration.
Before these changes only way to disable TLS is setting
`allowUnsafeConfigurations` to true. Now, we introduce a new field:
```
spec:
tls:
mode: disabled
```
This field accepts the following values: `disabled`, `allowTLS`,
`preferTLS` and `requireTLS`.
If user sets mode to `disabled`, the operator will throw an error: `TLS
must be enabled. Set spec.unsafeFlags.tls to true to disable this
check.`
Since the use of TLS flags and reconciling TLS secrets depends on
`tls.mode` field, we need to block users to set `net.tls.mode` in custom
MongoDB configuration. If user sets a custom configuration like:
```
spec:
replsets:
- name: rs0
size: 3
configuration: |
net:
tls:
mode: allowTLS
```
the operator will throw an error: `tlsMode must be set using spec.tls.mode`.
pull-request-size
bot
added
size/XXL
e2e-tests/scaling/run
Outdated
Comment on lines
70
to
73
| cat_config "$conf_dir/$cluster.yml" | | ||
| yq eval '.spec.replsets[0].expose.enabled=true' | | ||
| yq eval '.spec.replsets[0].expose.exposeType="ClusterIP"' | | ||
| kubectl_bin apply -f - |
There was a problem hiding this comment.
[shfmt] reported by reviewdog 🐶
Suggested change
| cat_config "$conf_dir/$cluster.yml" | | |
| yq eval '.spec.replsets[0].expose.enabled=true' | | |
| yq eval '.spec.replsets[0].expose.exposeType="ClusterIP"' | | |
| kubectl_bin apply -f - | |
| cat_config "$conf_dir/$cluster.yml" \ | |
| | yq eval '.spec.replsets[0].expose.enabled=true' \ | |
| | yq eval '.spec.replsets[0].expose.exposeType="ClusterIP"' \ | |
| | kubectl_bin apply -f - |
Comment on lines
+70
to
+74
| cat_config "$conf_dir/$cluster.yml" | | ||
| yq eval '.spec.unsafeFlags.replsetSize=true' | | ||
| yq eval '.spec.replsets[0].expose.enabled=true' | | ||
| yq eval '.spec.replsets[0].expose.exposeType="ClusterIP"' | | ||
| kubectl_bin apply -f - |
There was a problem hiding this comment.
[shfmt] reported by reviewdog 🐶
Suggested change
| cat_config "$conf_dir/$cluster.yml" | | |
| yq eval '.spec.unsafeFlags.replsetSize=true' | | |
| yq eval '.spec.replsets[0].expose.enabled=true' | | |
| yq eval '.spec.replsets[0].expose.exposeType="ClusterIP"' | | |
| kubectl_bin apply -f - | |
| cat_config "$conf_dir/$cluster.yml" \ | |
| | yq eval '.spec.unsafeFlags.replsetSize=true' \ | |
| | yq eval '.spec.replsets[0].expose.enabled=true' \ | |
| | yq eval '.spec.replsets[0].expose.exposeType="ClusterIP"' \ | |
| | kubectl_bin apply -f - |
egegunes
requested review from
tplavcic,
nmarukovich,
ptankov,
hors,
inelpandzic and
pooknull
as code owners
pooknull
reviewed
Apr 16, 2024
pkg/psmdb/container.go
Outdated
| } else { | ||
| args = append(args, "--clusterAuthMode=x509") | ||
| } | ||
| } else if (cr.CompareVersion("1.16.0") >= 0 && cr.Spec.Unsafe.TLS) || (cr.CompareVersion("1.16.0") < 0 && cr.Spec.UnsafeConf) { |
There was a problem hiding this comment.
What do you think about creating a cr.UnsafeTLSDisabled() method to replace this long condition check?
pkg/psmdb/pmm.go
Outdated
Comment on lines
300
to
302
| if cr.CompareVersion("1.13.0") >= 0 && !cr.Spec.UnsafeConf { | ||
| if cr.CompareVersion("1.13.0") >= 0 { |
There was a problem hiding this comment.
good catch, we need to check if tls enabled there: 6badccf
inelpandzic
reviewed
Apr 17, 2024
| @@ -226,7 +226,7 @@ func TestSetSafeDefault(t *testing.T) { | |||
| cr := &api.PerconaServerMongoDB{ | |||
| ObjectMeta: metav1.ObjectMeta{Name: "psmdb-mock", Namespace: "psmdb"}, | |||
| Spec: api.PerconaServerMongoDBSpec{ | |||
| CRVersion: version.Version, | |||
| CRVersion: "1.15.0", | |||
There was a problem hiding this comment.
I think we should add or update this unit tests to cover these new unsafe flags for 1.16.0.
hors
reviewed
Apr 17, 2024
There was a problem hiding this comment.
@egegunes I think we need to comment it by default https://github.com/percona/percona-server-mongodb-operator/pull/1504/files#diff-66e2e64739b6c9fbb1f1f10431f083ab8ab642cf5049f8033e0bcae5afd1ea1aR29-R34
commit: 660460a |
hors
approved these changes
Apr 17, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CHANGE DESCRIPTION
These changes attempt to fix the overloaded
allowUnsafeConfigurationsflag.
In previous implementation,
allowUnsafeConfigurationswasn't justallow unsafe configuration but make everything unsafe by disabling TLS,
allowing backups in unhealthy clusters, etc... without user's explicit
intent.
With these changes, we decouple those things from the unsafe flag and
remove all implicit behaviors. We introduce a new section called
unsafeFlags:Starting from
v1.16.0,allowUnsafeConfigurationsis deprecated andwon't have any affect.
TLS Mode
This decoupling required a special attention to the TLS configuration.
Before these changes only way to disable TLS is setting
allowUnsafeConfigurationsto true. Now, we introduce a new field:This field accepts the following values:
disabled,allowTLS,preferTLSandrequireTLS.If user sets mode to
disabled, the operator will throw an error:TLS must be enabled. Set spec.unsafeFlags.tls to true to disable this check.Since the use of TLS flags and reconciling TLS secrets depends on
tls.modefield, we need to block users to setnet.tls.modein customMongoDB configuration. If user sets a custom configuration like:
the operator will throw an error:
tlsMode must be set using spec.tls.mode.CHECKLIST
Jira
Needs Doc) and QA (Needs QA)?Tests
compare/*-oc.yml)?Config/Logging/Testability