diff --git a/build/pbm-entry.sh b/build/pbm-entry.sh
index f4f7bd737a..e85e3eaef2 100755
--- a/build/pbm-entry.sh
+++ b/build/pbm-entry.sh
@@ -2,10 +2,12 @@
 PBM_MONGODB_URI="mongodb://${PBM_AGENT_MONGODB_USERNAME}:${PBM_AGENT_MONGODB_PASSWORD}@localhost:${PBM_MONGODB_PORT}/?replicaSet=${PBM_MONGODB_REPLSET}"
-MONGO_SSL_DIR=/etc/mongodb-ssl
-if [[ -f "${MONGO_SSL_DIR}/tls.crt" ]] && [[ -f "${MONGO_SSL_DIR}/tls.key" ]]; then
- PBM_MONGODB_URI="${PBM_MONGODB_URI}&tls=true&tlsCertificateKeyFile=%2Ftmp%2Ftls.pem&tlsCAFile=${MONGO_SSL_DIR}%2Fca.crt&tlsInsecure=true"
- cat "${MONGO_SSL_DIR}/tls.key" "${MONGO_SSL_DIR}/tls.crt" > /tmp/tls.pem
+if [[ -z ${PBM_AGENT_TLS_ENABLED} ]] || [[ ${PBM_AGENT_TLS_ENABLED} == "true" ]]; then
+ MONGO_SSL_DIR=/etc/mongodb-ssl
+ if [[ -f "${MONGO_SSL_DIR}/tls.crt" ]] && [[ -f "${MONGO_SSL_DIR}/tls.key" ]]; then
+ PBM_MONGODB_URI="${PBM_MONGODB_URI}&tls=true&tlsCertificateKeyFile=%2Ftmp%2Ftls.pem&tlsCAFile=${MONGO_SSL_DIR}%2Fca.crt&tlsInsecure=true"
+ cat "${MONGO_SSL_DIR}/tls.key" "${MONGO_SSL_DIR}/tls.crt" >/tmp/tls.pem
+ fi
 fi
 export PBM_MONGODB_URI
diff --git a/build/ps-entry.sh b/build/ps-entry.sh
index 142e619faf..0e1f187505 100755
--- a/build/ps-entry.sh
+++ b/build/ps-entry.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 set -Eeuo pipefail
+set -o xtrace
 if [ "${1:0:1}" = '-' ]; then
 set -- mongod "$@"
@@ -68,9 +69,9 @@ _mongod_hack_have_arg() {
 local arg
 for arg; do
 case "$arg" in
- "$checkArg" | "$checkArg"=*)
- return 0
- ;;
+ "$checkArg" | "$checkArg"=*)
+ return 0
+ ;;
 esac
 done
 return 1
@@ -83,14 +84,14 @@ _mongod_hack_get_arg_val() {
 local arg="$1"
 shift
 case "$arg" in
- "$checkArg")
- echo "$1"
- return 0
- ;;
- "$checkArg"=*)
- echo "${arg#"$checkArg"=}"
- return 0
- ;;
+ "$checkArg")
+ echo "$1"
+ return 0
+ ;;
+ "$checkArg"=*)
+ echo "${arg#"$checkArg"=}"
+ return 0
+ ;;
 esac
 done
 return 1
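Review bot: `[[ ${PBM_AGENT_TLS_ENABLED} == "true" ]]` treats every non-empty value other than the exact string `true` (for example `True`, `1`, `yes`) as "TLS off", so a mistyped value silently drops `tls=true` from the agent URI; inverting the test to `if [[ ${PBM_AGENT_TLS_ENABLED:-true} != "false" ]]; then` keeps TLS on unless it is explicitly disabled and also survives `set -u` if that is ever enabled here. The re-added URI line still carries `tlsInsecure=true`, which disables both certificate and hostname checks even though `tlsCAFile` already points at the cluster CA; if the only reason is the `localhost` hostname, `tlsAllowInvalidHostnames=true` is the narrower option and keeps certificate validation. The e2e fixtures in this diff set `PBM_AGENT_TLS_ENABLED: "true"` explicitly, so a comment above the `if`, `# unset PBM_AGENT_TLS_ENABLED means TLS enabled`, would document the default for readers of the script alone.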
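Review bot: `set -o xtrace` is added unconditionally right after `set -Eeuo pipefail` at the top of the entrypoint, so every expanded command is written to the container's stderr and therefore ends up in the pod logs; later hunks of this same script handle `--sslPEMKeyPassword`/`--tlsCertificateKeyFilePassword` values and source `/docker-entrypoint-initdb.d/*.sh` files, all of which would be echoed with their arguments expanded. If tracing is needed for debugging, gate it behind an opt-in variable, e.g. `if [[ -n ${PS_ENTRY_DEBUG:-} ]]; then set -o xtrace; fi` (variable name is a placeholder), or drop the line before merge. If it is intentional, a one-line comment stating why the production entrypoint runs traced would help the next reader.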
@@ -131,14 +132,14 @@ _mongod_hack_ensure_no_arg_val() {
 local arg="$1"
 shift
 case "$arg" in
- "$ensureNoArg")
- shift # also skip the value
- continue
- ;;
- "$ensureNoArg"=*)
- # value is already included
- continue
- ;;
+ "$ensureNoArg")
+ shift # also skip the value
+ continue
+ ;;
+ "$ensureNoArg"=*)
+ # value is already included
+ continue
+ ;;
 esac
 mongodHackedArgs+=("$arg")
 done
@@ -282,10 +283,10 @@ if [ "$originalArgOne" = 'mongod' ]; then
 # if we've got any /docker-entrypoint-initdb.d/* files to parse later, we should initdb
 for f in /docker-entrypoint-initdb.d/*; do
 case "$f" in
- *.sh | *.js) # this should match the set of files we check for below
- shouldPerformInitdb="$f"
- break
- ;;
+ *.sh | *.js) # this should match the set of files we check for below
+ shouldPerformInitdb="$f"
+ break
+ ;;
 esac
 done
 fi
@@ -321,20 +322,6 @@ if [ "$originalArgOne" = 'mongod' ]; then
 _mongod_hack_ensure_no_arg_val --replSet "${mongodHackedArgs[@]}"
 fi
- # "BadValue: need sslPEMKeyFile when SSL is enabled" vs "BadValue: need to enable SSL via the sslMode flag when using SSL configuration parameters"
- tlsMode='disabled'
- if _mongod_hack_have_arg '--tlsCertificateKeyFile' "${mongodHackedArgs[@]}"; then
- tlsMode='preferTLS'
- elif _mongod_hack_have_arg '--sslPEMKeyFile' "${mongodHackedArgs[@]}"; then
- tlsMode='preferSSL'
- fi
- # 4.2 switched all configuration/flag names from "SSL" to "TLS"
- if [ "$tlsMode" = 'preferTLS' ] || mongod --help 2>&1 | grep -q -- ' --tlsMode '; then
- _mongod_hack_ensure_arg_val --tlsMode "$tlsMode" "${mongodHackedArgs[@]}"
- else
- _mongod_hack_ensure_arg_val --sslMode "$tlsMode" "${mongodHackedArgs[@]}"
- fi
 if stat "/proc/$$/fd/1" >/dev/null && [ -w "/proc/$$/fd/1" ]; then
 # https://github.com/mongodb/mongo/blob/38c0eb538d0fd390c6cb9ce9ae9894153f6e8ef5/src/mongo/db/initialize_server_global_state.cpp#L237-L251
 # https://github.com/docker-library/mongo/issues/164#issuecomment-293965668
@@ -396,17 +383,17 @@ if [ "$originalArgOne" = 'mongod' ]; then
 echo
 for f in /docker-entrypoint-initdb.d/*; do
 case "$f" in
- *.sh)
- echo "$0: running $f"
- # shellcheck source=/dev/null
- . "$f"
- ;;
- *.js)
- echo "$0: running $f"
- "${mongo[@]}" "$MONGO_INITDB_DATABASE" "$f"
- echo
- ;;
- *) echo "$0: ignoring $f" ;;
+ *.sh)
+ echo "$0: running $f"
+ # shellcheck source=/dev/null
+ . "$f"
+ ;;
+ *.js)
+ echo "$0: running $f"
+ "${mongo[@]}" "$MONGO_INITDB_DATABASE" "$f"
+ echo
+ ;;
+ *) echo "$0: ignoring $f" ;;
 esac
 echo
 done
@@ -422,76 +409,64 @@ fi
 if [[ $originalArgOne == mongo* ]]; then
 mongodHackedArgs=("$@")
- MONGO_SSL_DIR=${MONGO_SSL_DIR:-/etc/mongodb-ssl}
- CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- if [ -f /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt ]; then
- CA=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
- fi
- if [ -f "${MONGO_SSL_DIR}/ca.crt" ]; then
- CA="${MONGO_SSL_DIR}/ca.crt"
- fi
- LDAP_SSL_DIR=${LDAP_SSL_DIR:-/etc/openldap/certs}
- if [ -f "${LDAP_SSL_DIR}/ca.crt" ]; then
- echo "TLS_CACERT ${LDAP_SSL_DIR}/ca.crt" >/etc/openldap/ldap.conf
- fi
- if [ -f "${MONGO_SSL_DIR}/tls.key" ] && [ -f "${MONGO_SSL_DIR}/tls.crt" ]; then
- cat "${MONGO_SSL_DIR}/tls.key" "${MONGO_SSL_DIR}/tls.crt" >/tmp/tls.pem
- _mongod_hack_ensure_arg_val --sslPEMKeyFile /tmp/tls.pem "${mongodHackedArgs[@]}"
- if [ -f "${CA}" ]; then
- _mongod_hack_ensure_arg_val --sslCAFile "${CA}" "${mongodHackedArgs[@]}"
- fi
+
+ tlsMode=""
+ # if --tlsMode arg is present, get it
+ if _mongod_hack_have_arg --tlsMode "${mongodHackedArgs[@]}"; then
+ tlsMode="$(_mongod_hack_get_arg_val --tlsMode "${mongodHackedArgs[@]}")"
 fi
- MONGO_SSL_INTERNAL_DIR=${MONGO_SSL_INTERNAL_DIR:-/etc/mongodb-ssl-internal}
- if [ -f "${MONGO_SSL_INTERNAL_DIR}/tls.key" ] && [ -f "${MONGO_SSL_INTERNAL_DIR}/tls.crt" ]; then
- cat "${MONGO_SSL_INTERNAL_DIR}/tls.key" "${MONGO_SSL_INTERNAL_DIR}/tls.crt" >/tmp/tls-internal.pem
- _mongod_hack_ensure_arg_val --sslClusterFile /tmp/tls-internal.pem "${mongodHackedArgs[@]}"
- if [ -f "${MONGO_SSL_INTERNAL_DIR}/ca.crt" ]; then
- _mongod_hack_ensure_arg_val --sslClusterCAFile "${MONGO_SSL_INTERNAL_DIR}/ca.crt" "${mongodHackedArgs[@]}"
- fi
+
+ if [[ -z ${tlsMode} ]]; then
+ # if neither --tlsMode arg or net.tls.mode is present, set it to preferTLS
+ tlsMode="preferTLS"
 fi
- # don't add --tlsMode if allowUnsafeConfigurations is true
+ # don't add --tlsMode if TLS is disabled
 if clusterAuthMode="$(_mongod_hack_get_arg_val --clusterAuthMode
"${mongodHackedArgs[@]}")"; then
 if [[ ${clusterAuthMode} != "keyFile" ]]; then
- tlsMode="preferSSL"
- # if --config arg is present, try to get tlsMode from it
- if _parse_config "${mongodHackedArgs[@]}"; then
- tlsMode=$(jq -r '.net.tls.mode // "preferSSL"' "${jsonConfigFile}")
- fi
- _mongod_hack_ensure_arg_val --sslMode "${tlsMode}" "${mongodHackedArgs[@]}"
+ _mongod_hack_ensure_arg_val --tlsMode "${tlsMode}" "${mongodHackedArgs[@]}"
+ else
+ _mongod_hack_ensure_no_arg --sslAllowInvalidCertificates "${mongodHackedArgs[@]}"
 fi
 fi
- if [ "$MONGODB_VERSION" != 'v4.0' ]; then
-
- _mongod_hack_rename_arg_save_val --sslMode --tlsMode "${mongodHackedArgs[@]}"
-
- if _mongod_hack_have_arg '--tlsMode' "${mongodHackedArgs[@]}"; then
- tlsMode="none"
- if _mongod_hack_have_arg 'allowSSL' "${mongodHackedArgs[@]}"; then
- tlsMode='allowTLS'
- elif _mongod_hack_have_arg 'preferSSL' "${mongodHackedArgs[@]}"; then
- tlsMode='preferTLS'
- elif _mongod_hack_have_arg 'requireSSL' "${mongodHackedArgs[@]}"; then
- tlsMode='requireTLS'
+ if [[ ${tlsMode} != "disabled" ]]; then
+ MONGO_SSL_DIR=${MONGO_SSL_DIR:-/etc/mongodb-ssl}
+ CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ if [ -f /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt ]; then
+ CA=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+ fi
+ if [ -f "${MONGO_SSL_DIR}/ca.crt" ]; then
+ CA="${MONGO_SSL_DIR}/ca.crt"
+ fi
+ if [ -f "${MONGO_SSL_DIR}/tls.key" ] && [ -f "${MONGO_SSL_DIR}/tls.crt" ]; then
+ cat "${MONGO_SSL_DIR}/tls.key" "${MONGO_SSL_DIR}/tls.crt" >/tmp/tls.pem
+ _mongod_hack_ensure_arg_val --sslPEMKeyFile /tmp/tls.pem "${mongodHackedArgs[@]}"
+ if [ -f "${CA}" ]; then
+ _mongod_hack_ensure_arg_val --sslCAFile "${CA}" "${mongodHackedArgs[@]}"
 fi
-
- if [ "$tlsMode" != "none" ]; then
- _mongod_hack_ensure_no_arg_val --tlsMode "${mongodHackedArgs[@]}"
- _mongod_hack_ensure_arg_val --tlsMode "$tlsMode" "${mongodHackedArgs[@]}"
+ fi
+
MONGO_SSL_INTERNAL_DIR=${MONGO_SSL_INTERNAL_DIR:-/etc/mongodb-ssl-internal}
+ if [ -f "${MONGO_SSL_INTERNAL_DIR}/tls.key" ] && [ -f "${MONGO_SSL_INTERNAL_DIR}/tls.crt" ]; then
+ cat "${MONGO_SSL_INTERNAL_DIR}/tls.key" "${MONGO_SSL_INTERNAL_DIR}/tls.crt" >/tmp/tls-internal.pem
+ _mongod_hack_ensure_arg_val --sslClusterFile /tmp/tls-internal.pem "${mongodHackedArgs[@]}"
+ if [ -f "${MONGO_SSL_INTERNAL_DIR}/ca.crt" ]; then
+ _mongod_hack_ensure_arg_val --sslClusterCAFile "${MONGO_SSL_INTERNAL_DIR}/ca.crt" "${mongodHackedArgs[@]}"
 fi
 fi
- _mongod_hack_rename_arg_save_val --sslPEMKeyFile --tlsCertificateKeyFile "${mongodHackedArgs[@]}"
- if ! _mongod_hack_have_arg '--tlsMode' "${mongodHackedArgs[@]}"; then
- if _mongod_hack_have_arg '--tlsCertificateKeyFile' "${mongodHackedArgs[@]}"; then
- _mongod_hack_ensure_arg_val --tlsMode "preferTLS" "${mongodHackedArgs[@]}"
- fi
+ LDAP_SSL_DIR=${LDAP_SSL_DIR:-/etc/openldap/certs}
+ if [ -f "${LDAP_SSL_DIR}/ca.crt" ]; then
+ echo "TLS_CACERT ${LDAP_SSL_DIR}/ca.crt" >/etc/openldap/ldap.conf
 fi
+ fi
+
+ if [ "$MONGODB_VERSION" != 'v4.0' ]; then
 _mongod_hack_rename_arg '--sslAllowInvalidCertificates' '--tlsAllowInvalidCertificates' "${mongodHackedArgs[@]}"
 _mongod_hack_rename_arg '--sslAllowInvalidHostnames' '--tlsAllowInvalidHostnames' "${mongodHackedArgs[@]}"
 _mongod_hack_rename_arg '--sslAllowConnectionsWithoutCertificates' '--tlsAllowConnectionsWithoutCertificates' "${mongodHackedArgs[@]}"
 _mongod_hack_rename_arg '--sslFIPSMode' '--tlsFIPSMode' "${mongodHackedArgs[@]}"
+ _mongod_hack_rename_arg '--sslMode' '--tlsMode' "${mongodHackedArgs[@]}"
 _mongod_hack_rename_arg_save_val --sslPEMKeyPassword --tlsCertificateKeyFilePassword "${mongodHackedArgs[@]}"
 _mongod_hack_rename_arg_save_val --sslClusterFile --tlsClusterFile "${mongodHackedArgs[@]}"
diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml
index dcebb01630..257b51b4a2 100644
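Review bot: The added comment `# if neither --tlsMode arg or net.tls.mode is present, set it to preferTLS` no longer matches the code below it: the `_parse_config`/`jq` lookup of `net.tls.mode` is removed in this same hunk, so only the `--tlsMode` argument is consulted and a mode set solely in the `--config` file is ignored while `--tlsMode preferTLS` is still appended (whether mongod then rejects the conflicting settings cannot be told from the hunk). A caller passing the legacy `--sslMode` flag hits the same gap, since `_mongod_hack_have_arg --tlsMode` does not see it and the later `_mongod_hack_rename_arg '--sslMode' '--tlsMode'` would then appear to leave two `--tlsMode` values on the command line. Either restore the config-file fallback or reword to `# no --tlsMode arg: default to preferTLS (net.tls.mode in --config is not consulted)`, and replace `# don't add --tlsMode if TLS is disabled`, which sits above a test on `clusterAuthMode` rather than on `tlsMode`, with `# add --tlsMode only for x509 cluster auth; keyFile clusters get no TLS args`. The re-added `cat "${MONGO_SSL_DIR}/tls.key" ... >/tmp/tls.pem` and `/tmp/tls-internal.pem` lines write the private keys with the process's default umask, so a `umask 077` before the first `cat` (or `install -m 0600`) keeps the concatenated key files owner-readable only. The `if [[ $originalArgOne == mongo* ]]` block continues past the end of the hunk.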
--- a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml +++ b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml @@ -17309,9 +17309,24 @@ spec: required: - name type: object + mode: + type: string type: object unmanaged: type: boolean + unsafeFlags: + properties: + backupIfUnhealthy: + type: boolean + mongosSize: + type: boolean + replsetSize: + type: boolean + terminationGracePeriod: + type: boolean + tls: + type: boolean + type: object updateStrategy: type: string upgradeOptions: diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml index c7cff63b0b..ac9c00ba27 100644 --- a/deploy/bundle.yaml +++ b/deploy/bundle.yaml @@ -17982,9 +17982,24 @@ spec: required: - name type: object + mode: + type: string type: object unmanaged: type: boolean + unsafeFlags: + properties: + backupIfUnhealthy: + type: boolean + mongosSize: + type: boolean + replsetSize: + type: boolean + terminationGracePeriod: + type: boolean + tls: + type: boolean + type: object updateStrategy: type: string upgradeOptions: diff --git a/deploy/cr-minimal.yaml b/deploy/cr-minimal.yaml index 2545026a9a..a3f9f617da 100644 --- a/deploy/cr-minimal.yaml +++ b/deploy/cr-minimal.yaml @@ -5,7 +5,9 @@ metadata: spec: crVersion: 1.16.0 image: perconalab/percona-server-mongodb-operator:main-mongod6.0 - allowUnsafeConfigurations: true + unsafeFlags: + replsetSize: true + mongosSize: true upgradeOptions: apply: disabled schedule: "0 2 * * *" diff --git a/deploy/cr.yaml b/deploy/cr.yaml index 58379803b9..561d61926a 100644 --- a/deploy/cr.yaml +++ b/deploy/cr.yaml @@ -15,6 +15,7 @@ spec: image: perconalab/percona-server-mongodb-operator:main-mongod7.0 imagePullPolicy: Always # tls: +# mode: preferTLS # # 90 days in hours # certValidityDuration: 2160h # issuerConf: 
@@ -25,7 +26,12 @@ spec: # - name: private-registry-credentials # initImage: perconalab/percona-server-mongodb-operator:main # initContainerSecurityContext: {} - allowUnsafeConfigurations: false +# unsafeFlags: +# tls: false +# replsetSize: false +# mongosSize: false +# terminationGracePeriod: false +# backupIfUnhealthy: false updateStrategy: SmartUpdate # ignoreAnnotations: # - service.beta.kubernetes.io/aws-load-balancer-backend-protocol @@ -71,9 +77,6 @@ spec: # - host: 34.124.76.92 # # for more configuration fields refer to https://docs.mongodb.com/manual/reference/configuration-options/ # configuration: | -# net: -# tls: -# mode: preferTLS # operationProfiling: # mode: slowOp # systemLog: diff --git a/deploy/crd.yaml b/deploy/crd.yaml index 8b7c6f9421..d2f6b5b233 100644 --- a/deploy/crd.yaml +++ b/deploy/crd.yaml @@ -17982,9 +17982,24 @@ spec: required: - name type: object + mode: + type: string type: object unmanaged: type: boolean + unsafeFlags: + properties: + backupIfUnhealthy: + type: boolean + mongosSize: + type: boolean + replsetSize: + type: boolean + terminationGracePeriod: + type: boolean + tls: + type: boolean + type: object updateStrategy: type: string upgradeOptions: diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml index fd866997cb..611df1567a 100644 --- a/deploy/cw-bundle.yaml +++ b/deploy/cw-bundle.yaml @@ -17982,9 +17982,24 @@ spec: required: - name type: object + mode: + type: string type: object unmanaged: type: boolean + unsafeFlags: + properties: + backupIfUnhealthy: + type: boolean + mongosSize: + type: boolean + replsetSize: + type: boolean + terminationGracePeriod: + type: boolean + tls: + type: boolean + type: object updateStrategy: type: string upgradeOptions: diff --git a/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter-oc.yml b/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter-oc.yml index 676337503a..49a02584c1 100644 
--- a/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter-oc.yml +++ b/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter-oc.yml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter.yml b/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter.yml index 962ffddb17..cdc63e0df8 100644 --- a/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter.yml +++ b/e2e-tests/arbiter/compare/statefulset_arbiter-clusterip-rs0-arbiter.yml @@ -12,9 +12,9 @@ metadata: app.kubernetes.io/replset: rs0 name: arbiter-clusterip-rs0-arbiter ownerReferences: - - controller: true - kind: PerconaServerMongoDB - name: arbiter-clusterip + - controller: true + kind: PerconaServerMongoDB + name: arbiter-clusterip spec: podManagementPolicy: OrderedReady replicas: 1 
@@ -42,117 +42,118 @@ spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/instance: arbiter-clusterip - app.kubernetes.io/managed-by: percona-server-mongodb-operator - app.kubernetes.io/name: percona-server-mongodb - app.kubernetes.io/part-of: percona-server-mongodb - app.kubernetes.io/replset: rs0 - topologyKey: kubernetes.io/hostname + - labelSelector: + matchLabels: + app.kubernetes.io/instance: arbiter-clusterip + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + topologyKey: kubernetes.io/hostname containers: - - args: - - --bind_ip_all - - --auth - - --dbpath=/data/db - - --port=27017 - - --replSet=rs0 - - --storageEngine=wiredTiger - - --relaxPermChecks - - --sslAllowInvalidCertificates - - --clusterAuthMode=x509 - - --enableEncryption - - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - - --wiredTigerIndexPrefixCompression=true - - --config=/etc/mongodb-config/mongod.conf - - --quiet - command: - - /opt/percona/ps-entry.sh - env: - - name: SERVICE_NAME - value: arbiter-clusterip - - name: MONGODB_PORT - value: "27017" - - name: MONGODB_REPLSET - value: rs0 - envFrom: - - secretRef: - name: internal-arbiter-users - optional: false - imagePullPolicy: Always - livenessProbe: - exec: - command: - - /opt/percona/mongodb-healthcheck - - k8s - - liveness - - --startupDelaySeconds - - "7200" - failureThreshold: 4 - initialDelaySeconds: 60 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 10 - name: mongod-arbiter - ports: - - containerPort: 27017 - name: mongodb - protocol: TCP - readinessProbe: - exec: - command: - - /opt/percona/mongodb-healthcheck - - k8s - - readiness - - --component - - mongod - failureThreshold: 8 - initialDelaySeconds: 10 - periodSeconds: 3 - successThreshold: 1 - timeoutSeconds: 2 - 
resources: {} - securityContext: - runAsNonRoot: true - runAsUser: 1001 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /data/db - name: mongod-data - - mountPath: /etc/mongodb-secrets - name: arbiter-clusterip-mongodb-keyfile - readOnly: true - - mountPath: /etc/mongodb-ssl - name: ssl - readOnly: true - - mountPath: /etc/mongodb-ssl-internal - name: ssl-internal - readOnly: true - - mountPath: /etc/mongodb-config - name: config - - mountPath: /opt/percona - name: bin - - mountPath: /etc/mongodb-encryption - name: arbiter-clusterip-mongodb-encryption-key - readOnly: true - - mountPath: /etc/users-secret - name: users-secret-file - workingDir: /data/db + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=rs0 + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=x509 + - --tlsMode=preferTLS + - --enableEncryption + - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerIndexPrefixCompression=true + - --config=/etc/mongodb-config/mongod.conf + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: arbiter-clusterip + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: rs0 + envFrom: + - secretRef: + name: internal-arbiter-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod-arbiter + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + failureThreshold: 8 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: 
{} + securityContext: + runAsNonRoot: true + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: arbiter-clusterip-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /etc/mongodb-config + name: config + - mountPath: /opt/percona + name: bin + - mountPath: /etc/mongodb-encryption + name: arbiter-clusterip-mongodb-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db dnsPolicy: ClusterFirst initContainers: - - command: - - /init-entrypoint.sh - imagePullPolicy: Always - name: mongo-init - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /data/db - name: mongod-data - - mountPath: /opt/percona - name: bin + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin restartPolicy: Always schedulerName: default-scheduler securityContext: 
@@ -161,39 +162,39 @@ spec: serviceAccountName: default terminationGracePeriodSeconds: 60 volumes: - - name: arbiter-clusterip-mongodb-keyfile - secret: - defaultMode: 288 - optional: false - secretName: arbiter-clusterip-mongodb-keyfile - - emptyDir: {} - name: bin - - configMap: - defaultMode: 420 - name: arbiter-clusterip-rs0-mongod - optional: true - name: config - - name: arbiter-clusterip-mongodb-encryption-key - secret: - defaultMode: 288 - optional: false - secretName: arbiter-clusterip-mongodb-encryption-key - - name: ssl - secret: - defaultMode: 288 - optional: false - secretName: arbiter-clusterip-ssl - - name: ssl-internal - secret: - defaultMode: 288 - optional: true - secretName: arbiter-clusterip-ssl-internal - - name: users-secret-file - secret: - defaultMode: 420 - secretName: internal-arbiter-users - - emptyDir: {} - name: mongod-data + - name: arbiter-clusterip-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: arbiter-clusterip-mongodb-keyfile + - emptyDir: {} + name: bin + - configMap: + defaultMode: 420 + name: arbiter-clusterip-rs0-mongod + optional: true + name: config + - name: arbiter-clusterip-mongodb-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: arbiter-clusterip-mongodb-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: false + secretName: arbiter-clusterip-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: arbiter-clusterip-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-arbiter-users + - emptyDir: {} + name: mongod-data updateStrategy: rollingUpdate: partition: 0 diff --git a/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter-oc.yml b/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter-oc.yml index 8bac0090c8..f5978efa00 100644 --- a/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter-oc.yml +++ b/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter-oc.yml 
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter.yml b/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter.yml index 60b3cb3f45..3e706c57e4 100644 --- a/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter.yml +++ b/e2e-tests/arbiter/compare/statefulset_arbiter-rs0-arbiter.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/arbiter/conf/arbiter-clusterip-rs0.yml b/e2e-tests/arbiter/conf/arbiter-clusterip-rs0.yml index 431e6980dc..3300f95842 100644 --- a/e2e-tests/arbiter/conf/arbiter-clusterip-rs0.yml +++ b/e2e-tests/arbiter/conf/arbiter-clusterip-rs0.yml @@ -23,6 +23,6 @@ spec: resources: requests: storage: 1Gi - size: 2 + size: 4 secrets: users: some-users diff --git a/e2e-tests/arbiter/conf/arbiter-rs0.yml b/e2e-tests/arbiter/conf/arbiter-rs0.yml index 1cc6d859af..6a952e66c4 100644 --- a/e2e-tests/arbiter/conf/arbiter-rs0.yml +++ b/e2e-tests/arbiter/conf/arbiter-rs0.yml @@ -20,6 +20,6 @@ spec: resources: requests: storage: 1Gi - size: 2 + size: 4 secrets: users: some-users diff --git a/e2e-tests/custom-replset-name/conf/some-name.yml b/e2e-tests/custom-replset-name/conf/some-name.yml index 4ac3efb960..a84e91bd85 100644 --- a/e2e-tests/custom-replset-name/conf/some-name.yml +++ b/e2e-tests/custom-replset-name/conf/some-name.yml @@ -3,8 +3,7 @@ kind: PerconaServerMongoDB metadata: name: some-name spec: - crVersion: 1.14.0 - allowUnsafeConfigurations: true + crVersion: 1.16.0 backup: enabled: true image: percona/percona-backup-mongodb:2.0.4 
@@ -40,10 +39,10 @@ spec: enabled: false replsets: - affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none arbiter: affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none enabled: false size: 1 configuration: | @@ -68,10 +67,10 @@ spec: storage: 2Gi storageClassName: standard-rwo - affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none arbiter: affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none enabled: false size: 1 configuration: | @@ -96,10 +95,10 @@ spec: storage: 2Gi storageClassName: standard-rwo - affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none arbiter: affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none enabled: false size: 1 configuration: | @@ -124,10 +123,10 @@ spec: storage: 2Gi storageClassName: standard-rwo - affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none arbiter: affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none enabled: false size: 1 configuration: | @@ -156,7 +155,7 @@ spec: sharding: configsvrReplSet: affinity: - antiAffinityTopologyKey: topology.kubernetes.io/zone + antiAffinityTopologyKey: none configuration: | replication: replSetName: csReplSet @@ -182,7 +181,7 @@ spec: enabled: true mongos: affinity: - antiAffinityTopologyKey: kubernetes.io/hostname + antiAffinityTopologyKey: none expose: exposeType: LoadBalancer serviceAnnotations: diff --git a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg-oc.yml b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg-oc.yml index 6d59f89241..b7b8b72f86 100644 --- a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg-oc.yml 
+++ b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --wiredTigerIndexPrefixCompression=true - --config=/etc/mongodb-config/mongod.conf @@ -166,6 +167,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg.yml b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg.yml index 08a42645f9..6935997d8b 100644 --- a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg.yml +++ b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-cfg.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --wiredTigerIndexPrefixCompression=true - --config=/etc/mongodb-config/mongod.conf @@ -167,6 +168,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0-oc.yml index c8f78de3d4..851fb27e0d 100644 --- a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --wiredTigerCacheSizeGB=0.25 - --wiredTigerIndexPrefixCompression=true 
@@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0.yml b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0.yml index aee92d61d6..307da430d1 100644 --- a/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/data-at-rest-encryption/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --wiredTigerCacheSizeGB=0.25 - --wiredTigerIndexPrefixCompression=true @@ -174,6 +175,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/data-sharded/conf/some-name.yml b/e2e-tests/data-sharded/conf/some-name.yml index 29570fda43..722828c1c6 100644 --- a/e2e-tests/data-sharded/conf/some-name.yml +++ b/e2e-tests/data-sharded/conf/some-name.yml @@ -6,16 +6,15 @@ spec: #platform: openshift image: imagePullPolicy: Always + + tls: + mode: requireTLS sharding: enabled: true configsvrReplSet: size: 3 - configuration: | - net: - tls: - mode: requireTLS affinity: antiAffinityTopologyKey: none volumeSpec: @@ -26,10 +25,6 @@ spec: mongos: size: 3 - configuration: | - net: - tls: - mode: requireTLS affinity: antiAffinityTopologyKey: none expose: @@ -54,9 +49,6 @@ spec: storage: 1Gi size: 3 configuration: | - net: - tls: - mode: requireTLS operationProfiling: mode: slowOp slowOpThresholdMs: 100 
@@ -96,9 +88,6 @@ spec: size: 4 configuration: | - net: - tls: - mode: requireTLS operationProfiling: mode: slowOp slowOpThresholdMs: 100 @@ -139,9 +128,6 @@ spec: storage: 1Gi size: 3 configuration: | - net: - tls: - mode: requireTLS operationProfiling: mode: slowOp slowOpThresholdMs: 100 diff --git a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg-oc.yml b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg-oc.yml index b7ca2bdb69..d2b4a54067 100644 --- a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg-oc.yml +++ b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -172,6 +173,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg.yml b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg.yml index 3cd3266b56..a12630b6c2 100644 --- a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg.yml +++ b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-cfg.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} 
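Review bot: The default cluster still accepts plaintext client connections: the default-cr fixture for my-cluster-name-cfg pins `--tlsMode=preferTLS` next to the pre-existing `--sslAllowInvalidCertificates` and `--clusterAuthMode=x509`, so only the x509 membership check is strict while transport encryption is optional for clients and certificate validation is relaxed. If that is the intended out-of-the-box posture it belongs where users look rather than only in a generated expected-output file; a one-line comment on the `tls.mode` key of the shipped default CR such as `# preferTLS: clients may still connect without TLS; set requireTLS to enforce it` would make the trade-off visible. It would also be worth a compare fixture or assertion showing that a CR with `tls.mode: requireTLS` renders `--tlsMode=requireTLS`, since every statefulset fixture on this page pins either `preferTLS` or `disabled` and the data-sharded CR that does set `requireTLS` has no fixture here. The mongod container's args list starts and ends outside the hunk.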
diff --git a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0-oc.yml b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0-oc.yml index fbf3354dc5..198c7abe0f 100644 --- a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0-oc.yml +++ b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -172,6 +173,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0.yml b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0.yml index b383582c5d..18b7dbf1e4 100644 --- a/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0.yml +++ b/e2e-tests/default-cr/compare/statefulset_my-cluster-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-eks-credentials/compare/statefulset_some-name-rs0.yml b/e2e-tests/demand-backup-eks-credentials/compare/statefulset_some-name-rs0.yml index d07c53bda1..7d0ed280db 100644 --- a/e2e-tests/demand-backup-eks-credentials/compare/statefulset_some-name-rs0.yml 
+++ b/e2e-tests/demand-backup-eks-credentials/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded-oc.yml b/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded-oc.yml index 592393323b..da0c8c96c4 100644 --- a/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded-oc.yml +++ b/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded-oc.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded.yml b/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded.yml index d1c58e81c3..7b9bd4007c 100644 --- a/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded.yml +++ b/e2e-tests/demand-backup-physical-sharded/compare/statefulset_some-name-rs0_restore_sharded.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
diff --git a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv-oc.yml b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv-oc.yml index d34afeb210..67124caaec 100644 --- a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv-oc.yml +++ b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv-oc.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv.yml b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv.yml index 5354db15c4..89ca6ec396 100644 --- a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv.yml +++ b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-arbiter-nv.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-oc.yml b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-oc.yml index b10633627f..9725456cc9 100644 --- a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-oc.yml +++ b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore-oc.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 
diff --git a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore.yml b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore.yml index f3a2709d67..f5a3db62f8 100644 --- a/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore.yml +++ b/e2e-tests/demand-backup-physical/compare/statefulset_some-name-rs0_restore.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-4-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-4-oc.yml index 13bd528127..3af5d4247e 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-4-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-4-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -187,6 +188,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-oc.yml index eee1006d14..8cdb41c8c2 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg-oc.yml 
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -187,6 +188,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg.yml index ca3a6efa08..468ac78982 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-cfg.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -188,6 +189,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-4-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-4-oc.yml index dcce7ea2f7..ecd7fa2add 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-4-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-4-oc.yml 
@@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-oc.yml index f4c38fc9a8..c4d72dcb2e 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-oc.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret-oc.yml index ca12f13c85..537a44c4ec 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret-oc.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh 
diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret.yml index b5076dc310..884903dcde 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos-secret.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos.yml index d0a28f5b4e..5efe518ab8 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-mongos.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-4-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-4-oc.yml index 964c0ed044..ea31b859d8 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-4-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-4-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-oc.yml index 08be495657..198b29fa59 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0.yml index dda8206eed..24ffe9ab28 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1-oc.yml index 95cffc086e..84bd8fea48 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1.yml index 7ce30320dc..4d7284b8e5 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs1.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} 
diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2-oc.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2-oc.yml index 8e16766b46..ad1563ceee 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2-oc.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -185,6 +186,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2.yml b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2.yml index e720b81583..2245d41cf8 100644 --- a/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2.yml +++ b/e2e-tests/demand-backup-sharded/compare/statefulset_some-name-rs2.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -186,6 +187,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/demand-backup/compare/statefulset_some-name-rs0-oc.yml index 19554d339f..0da2b27db3 100644 --- a/e2e-tests/demand-backup/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/demand-backup/compare/statefulset_some-name-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -172,6 +173,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/demand-backup/compare/statefulset_some-name-rs0.yml b/e2e-tests/demand-backup/compare/statefulset_some-name-rs0.yml index d07c53bda1..7d0ed280db 100644 --- a/e2e-tests/demand-backup/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/demand-backup/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-4-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-4-oc.yml index 047e6f97cf..654bc83396 100644 --- a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-4-oc.yml +++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-4-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-oc.yml index 0301ecece1..33319e5a49 100644 --- a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-oc.yml +++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg.yml index 9b61b451f9..3ae11fcc7e 100644 --- a/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg.yml +++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-cfg.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-4-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-4-oc.yml index dcce7ea2f7..ecd7fa2add 100644 --- a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-4-oc.yml +++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-4-oc.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-oc.yml index e77cc2e9c5..f1e5fec540 100644 
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-oc.yml +++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos-oc.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos.yml index d0a28f5b4e..5efe518ab8 100644 --- a/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos.yml +++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-mongos.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --config=/etc/mongos-config/mongos.conf command: - /opt/percona/ps-entry.sh diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-4-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-4-oc.yml index 15d59c2e35..a433f7736a 100644 --- a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-4-oc.yml +++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-4-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-oc.yml index e8c6e1405d..83a28c098a 100644 
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-oc.yml
+++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0-oc.yml
@@ -50,6 +50,7 @@ spec:
 - --relaxPermChecks
 - --sslAllowInvalidCertificates
 - --clusterAuthMode=x509
+ - --tlsMode=preferTLS
 - --shardsvr
 - --enableEncryption
 - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0.yml b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0.yml
index 2550a475bb..090128105b 100644
--- a/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0.yml
+++ b/e2e-tests/expose-sharded/compare/statefulset_some-name-rs0.yml
@@ -50,6 +50,7 @@ spec:
 - --relaxPermChecks
 - --sslAllowInvalidCertificates
 - --clusterAuthMode=x509
+ - --tlsMode=preferTLS
 - --shardsvr
 - --enableEncryption
 - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml
index 26f0f64b0c..b1295156e3 100644
--- a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml
@@ -48,9 +48,9 @@ spec:
 - --replSet=rs0
 - --storageEngine=wiredTiger
 - --relaxPermChecks
- - --sslAllowInvalidCertificates
 - --clusterAuthMode=keyFile
 - --keyFile=/etc/mongodb-secrets/mongodb-key
+ - --tlsMode=disabled
 - --enableEncryption
 - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
 - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml
index 5fc7e8e7e0..e54cd728ac 100644
--- a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml
@@ -48,9 +48,9 @@ spec:
 - --replSet=rs0
 - --storageEngine=wiredTiger
 - --relaxPermChecks
- - --sslAllowInvalidCertificates
 - --clusterAuthMode=keyFile
 - --keyFile=/etc/mongodb-secrets/mongodb-key
+ - --tlsMode=disabled
 - --enableEncryption
 - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
 - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml
index 87c3efe0ec..9b037d3210 100644
--- a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml
@@ -48,9 +48,9 @@ spec:
 - --replSet=rs0
 - --storageEngine=wiredTiger
 - --relaxPermChecks
- - --sslAllowInvalidCertificates
 - --clusterAuthMode=keyFile
 - --keyFile=/etc/mongodb-secrets/mongodb-key
+ - --tlsMode=disabled
 - --enableEncryption
 - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
 - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/init-deploy/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/init-deploy/compare/statefulset_some-name-rs0-oc.yml
index f604f95d57..82ff6c2137 100644
--- a/e2e-tests/init-deploy/compare/statefulset_some-name-rs0-oc.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_some-name-rs0-oc.yml
@@ -50,6 +50,7 @@ spec:
 - --relaxPermChecks
 - --sslAllowInvalidCertificates
 - --clusterAuthMode=x509
+ - --tlsMode=preferTLS
 - --enableEncryption
 - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
 - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/init-deploy/compare/statefulset_some-name-rs0.yml b/e2e-tests/init-deploy/compare/statefulset_some-name-rs0.yml
index b6be680007..c4eed0aa8b 100644
--- a/e2e-tests/init-deploy/compare/statefulset_some-name-rs0.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_some-name-rs0.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/init-deploy/conf/another-name-rs0.yml b/e2e-tests/init-deploy/conf/another-name-rs0.yml
index 54a51b1c1a..08ec9390d4 100644
--- a/e2e-tests/init-deploy/conf/another-name-rs0.yml
+++ b/e2e-tests/init-deploy/conf/another-name-rs0.yml
@@ -6,7 +6,10 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true + unsafeFlags: + tls: true + tls: + mode: disabled backup: enabled: false image: perconalab/percona-server-mongodb-operator:0.4.0-backup
diff --git a/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased-oc.yml b/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased-oc.yml
index d57b291454..e95ca88989 100644
--- a/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased-oc.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased.yml b/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased.yml
index ccc9875c5a..e5c2da81ad 100644
--- a/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased.yml
+++ b/e2e-tests/limits/compare/statefulset_no-limits-rs0-increased.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true
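Review bot: Replacing `allowUnsafeConfigurations: true` with `unsafeFlags: tls: true` in another-name-rs0.yml narrows the waiver from every unsafe setting to the TLS check alone; if this CR also relied on another relaxed validation (the one-pod-rs0.yml conf in the same series needs `replsetSize: true` for its single-member set), the operator may now reject it, so confirm nothing else in this spec depended on the old blanket flag. Pairing `unsafeFlags.tls: true` with `tls.mode: disabled` is consistent with the `--tlsMode=disabled` and `--clusterAuthMode=keyFile` expected by the init-deploy compare fixtures in the preceding sections. Since this is the one conf in the series that turns TLS off, a comment above `unsafeFlags:` such as `# TLS disabled on purpose; unsafeFlags.tls waives the operator's TLS requirement for this test` would record that the insecure mode is the point of the fixture rather than an oversight.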
diff --git a/e2e-tests/limits/compare/statefulset_no-limits-rs0-oc.yml b/e2e-tests/limits/compare/statefulset_no-limits-rs0-oc.yml
index a7f9e112f4..a4040bcb76 100644
--- a/e2e-tests/limits/compare/statefulset_no-limits-rs0-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-limits-rs0-oc.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-limits-rs0.yml b/e2e-tests/limits/compare/statefulset_no-limits-rs0.yml
index 9b36cca74f..3469275b38 100644
--- a/e2e-tests/limits/compare/statefulset_no-limits-rs0.yml
+++ b/e2e-tests/limits/compare/statefulset_no-limits-rs0.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased-oc.yml b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased-oc.yml
index bc65f0f506..3cf2d6073d 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased-oc.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased.yml b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased.yml
index 1d4503ef96..80856789ff 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-increased.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-oc.yml b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-oc.yml
index bc65f0f506..3cf2d6073d 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0-oc.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0.yml b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0.yml
index 1d4503ef96..80856789ff 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-no-limits-rs0.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased-oc.yml b/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased-oc.yml
index 842586de3c..eb77e5baf8 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased-oc.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased.yml b/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased.yml
index 8453fcedeb..735af1d1cf 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-rs0-increased.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-rs0-oc.yml b/e2e-tests/limits/compare/statefulset_no-requests-rs0-oc.yml
index d6db02e161..88052b9118 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-rs0-oc.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-rs0-oc.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/limits/compare/statefulset_no-requests-rs0.yml b/e2e-tests/limits/compare/statefulset_no-requests-rs0.yml
index 87b3bcecc8..84d62e8f7e 100644
--- a/e2e-tests/limits/compare/statefulset_no-requests-rs0.yml
+++ b/e2e-tests/limits/compare/statefulset_no-requests-rs0.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed-oc.yml b/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed-oc.yml
index a064082c68..ed56332cbd 100644
--- a/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed-oc.yml
+++ b/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed-oc.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25
@@ -167,6 +168,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
diff --git a/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed.yml b/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed.yml
index 089da6e52a..2b864fe03f 100644
--- a/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed.yml
+++ b/e2e-tests/liveness/compare/statefulset_liveness-rs0-changed.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25
@@ -168,6 +169,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
diff --git a/e2e-tests/liveness/compare/statefulset_liveness-rs0-oc.yml b/e2e-tests/liveness/compare/statefulset_liveness-rs0-oc.yml
index e0d7a49a86..424fe446b0 100644
--- a/e2e-tests/liveness/compare/statefulset_liveness-rs0-oc.yml
+++ b/e2e-tests/liveness/compare/statefulset_liveness-rs0-oc.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/liveness/compare/statefulset_liveness-rs0.yml b/e2e-tests/liveness/compare/statefulset_liveness-rs0.yml
index e6fd371e68..8c5983717a 100644
--- a/e2e-tests/liveness/compare/statefulset_liveness-rs0.yml
+++ b/e2e-tests/liveness/compare/statefulset_liveness-rs0.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg-oc.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg-oc.yml
index 09cd9b8b36..dafd75cbca 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg-oc.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg-oc.yml
@@ -62,11 +62,11 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=requireTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true - - --config=/etc/mongodb-config/mongod.conf - --quiet command: - /opt/percona/ps-entry.sh
@@ -136,8 +136,6 @@ spec: - mountPath: /etc/mongodb-ssl-internal name: ssl-internal readOnly: true - - mountPath: /etc/mongodb-config - name: config - mountPath: /opt/percona name: bin - mountPath: /etc/mongodb-encryption
@@ -304,11 +302,6 @@ spec: secretName: monitoring-mongodb-keyfile - emptyDir: {} name: bin - - configMap: - defaultMode: 420 - name: monitoring-cfg-mongod - optional: true - name: config - name: monitoring-mongodb-encryption-key secret: defaultMode: 288
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg.yml
index 8b9fe4a881..348a93a4cb 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-cfg.yml
@@ -62,11 +62,11 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=requireTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true - - --config=/etc/mongodb-config/mongod.conf - --quiet command: - /opt/percona/ps-entry.sh
@@ -137,8 +137,6 @@ spec: - mountPath: /etc/mongodb-ssl-internal name: ssl-internal readOnly: true - - mountPath: /etc/mongodb-config - name: config - mountPath: /opt/percona name: bin - mountPath: /etc/mongodb-encryption
@@ -306,11 +304,6 @@ spec: secretName: monitoring-mongodb-keyfile - emptyDir: {} name: bin - - configMap: - defaultMode: 420 - name: monitoring-cfg-mongod - optional: true - name: config - name: monitoring-mongodb-encryption-key secret: defaultMode: 288
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos-oc.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos-oc.yml
index ad3ef583ca..2bed21601e 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos-oc.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos-oc.yml
@@ -57,7 +57,7 @@ spec: - cfg/monitoring-cfg-0.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017,monitoring-cfg-1.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017,monitoring-cfg-2.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 - - --config=/etc/mongos-config/mongos.conf + - --tlsMode=requireTLS command: - /opt/percona/ps-entry.sh env:
@@ -139,8 +139,6 @@ spec: - mountPath: /etc/mongodb-ssl-internal name: ssl-internal readOnly: true - - mountPath: /etc/mongos-config - name: config - mountPath: /etc/users-secret name: users-secret-file readOnly: true
@@ -325,11 +323,6 @@ spec: secret: defaultMode: 420 secretName: internal-monitoring-users - - configMap: - defaultMode: 420 - name: monitoring-mongos - optional: true - name: config - emptyDir: {} name: bin updateStrategy:
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos.yml
index 9e3c1fb6b6..00843d2602 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-mongos.yml
@@ -57,7 +57,7 @@ spec: - cfg/monitoring-cfg-0.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017,monitoring-cfg-1.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017,monitoring-cfg-2.monitoring-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 - - --config=/etc/mongos-config/mongos.conf + - --tlsMode=requireTLS command: - /opt/percona/ps-entry.sh env:
@@ -140,8 +140,6 @@ spec: - mountPath: /etc/mongodb-ssl-internal name: ssl-internal readOnly: true - - mountPath: /etc/mongos-config - name: config - mountPath: /etc/users-secret name: users-secret-file readOnly: true
@@ -327,11 +325,6 @@ spec: secret: defaultMode: 420 secretName: internal-monitoring-users - - configMap: - defaultMode: 420 - name: monitoring-mongos - optional: true - name: config - emptyDir: {} name: bin updateStrategy:
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm-oc.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm-oc.yml
index 0a30e1b483..9dbedd9b3a 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm-oc.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm-oc.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=requireTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm.yml
index 9552e93649..f114e457ee 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-no-pmm.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=requireTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-oc.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-oc.yml
index 6afc08c068..d96ea7e79c 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-oc.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0-oc.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=requireTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0.yml b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0.yml
index 514fbc3942..f9f0e46267 100644
--- a/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0.yml
+++ b/e2e-tests/monitoring-2-0/compare/statefulset_monitoring-rs0.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=requireTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
diff --git a/e2e-tests/monitoring-2-0/conf/monitoring-rs0.yml b/e2e-tests/monitoring-2-0/conf/monitoring-rs0.yml
index 4a297c13e6..4b79401500 100644
--- a/e2e-tests/monitoring-2-0/conf/monitoring-rs0.yml
+++ b/e2e-tests/monitoring-2-0/conf/monitoring-rs0.yml
@@ -5,6 +5,8 @@ metadata: spec: #platform: openshift image: + tls: + mode: requireTLS replsets: - name: rs0 affinity:
@@ -16,9 +18,6 @@ spec: storage: 1Gi size: 3 configuration: | - net: - tls: - mode: requireTLS operationProfiling: mode: all slowOpThresholdMs: 100
@@ -30,10 +29,6 @@ spec: enabled: true configsvrReplSet: size: 3 - configuration: | - net: - tls: - mode: requireTLS volumeSpec: persistentVolumeClaim: resources:
@@ -42,10 +37,6 @@ spec: mongos: size: 3 - configuration: | - net: - tls: - mode: requireTLS affinity: antiAffinityTopologyKey: "kubernetes.io/hostname" podDisruptionBudget:
diff --git a/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv-oc.yml b/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv-oc.yml
index abed5cf0c7..d7b82d3be4 100644
--- a/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv-oc.yml
+++ b/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv-oc.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv.yml b/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv.yml
index 735fe8acc6..64b5784ac3 100644
--- a/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv.yml
+++ b/e2e-tests/non-voting/compare/statefulset_nonvoting-rs0-nv.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25
diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml
index e1213d7bf3..38bf6d3d57 100644
--- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml
+++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml
@@ -61,8 +61,8 @@ spec: - --storageEngine=wiredTiger - --relaxPermChecks - --sslAllowInvalidCertificates - - --clusterAuthMode=keyFile - - --keyFile=/etc/mongodb-secrets/mongodb-key + - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --wiredTigerCacheSizeGB=0.25 - --wiredTigerIndexPrefixCompression=true - --config=/etc/mongodb-config/mongod.conf
@@ -86,6 +86,12 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4
@@ -173,6 +179,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
@@ -231,7 +239,7 @@ spec: - name: ssl secret: defaultMode: 288 - optional: true + optional: false secretName: one-pod-ssl - name: ssl-internal secret:
diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml
index a049e7656e..b99c291809 100644
--- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml
+++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml
@@ -61,8 +61,8 @@ spec: - --storageEngine=wiredTiger - --relaxPermChecks - --sslAllowInvalidCertificates - - --clusterAuthMode=keyFile - - --keyFile=/etc/mongodb-secrets/mongodb-key + - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --wiredTigerCacheSizeGB=0.25 - --wiredTigerIndexPrefixCompression=true - --config=/etc/mongodb-config/mongod.conf
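Review bot: The expected liveness probe in statefulset_one-pod-rs0-oc.yml now carries both `--sslInsecure` and `--sslCAFile /etc/mongodb-ssl/ca.crt`; if `--sslInsecure` turns off server-certificate verification in mongodb-healthcheck, as its name suggests, the CA file is never consulted and the probe will accept any certificate presented on the local port. The same fixture makes the `ssl` secret `optional: false` and switches the pod to `--clusterAuthMode=x509`, so a trusted CA is guaranteed to be mounted and the insecure flag is presumably no longer needed for this test; either drop `--sslInsecure` from the generated probe arguments (and from this fixture) or record the reason it is kept, e.g. a comment in one-pod-rs0.yml above the spec: `# liveness probe runs with --sslInsecure: <reason, e.g. cert SANs do not cover the probe's target>`. The identical probe arguments appear in the one-pod-rs0-secret-oc, one-pod-rs0-secret and one-pod-rs0 compare fixtures in the following sections, so the same question applies there.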
@@ -86,6 +86,12 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4
@@ -173,6 +179,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
@@ -231,7 +239,7 @@ spec: - name: ssl secret: defaultMode: 288 - optional: true + optional: false secretName: one-pod-ssl - name: ssl-internal secret:
diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml
index ce6baca020..dc3169a016 100644
--- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml
+++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml
@@ -61,8 +61,8 @@ spec: - --storageEngine=wiredTiger - --relaxPermChecks - --sslAllowInvalidCertificates - - --clusterAuthMode=keyFile - - --keyFile=/etc/mongodb-secrets/mongodb-key + - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --wiredTigerCacheSizeGB=0.25 - --wiredTigerIndexPrefixCompression=true - --config=/etc/mongodb-config/mongod.conf
@@ -86,6 +86,12 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4
@@ -174,6 +180,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
@@ -234,7 +242,7 @@ spec: - name: ssl secret: defaultMode: 288 - optional: true + optional: false secretName: one-pod-ssl - name: ssl-internal secret:
diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml
index a25541d188..888e3e1b56 100644
--- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml
+++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml
@@ -61,8 +61,8 @@ spec: - --storageEngine=wiredTiger - --relaxPermChecks - --sslAllowInvalidCertificates - - --clusterAuthMode=keyFile - - --keyFile=/etc/mongodb-secrets/mongodb-key + - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --wiredTigerCacheSizeGB=0.25 - --wiredTigerIndexPrefixCompression=true - --config=/etc/mongodb-config/mongod.conf
@@ -86,6 +86,12 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4
@@ -174,6 +180,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
@@ -234,7 +242,7 @@ spec: - name: ssl secret: defaultMode: 288 - optional: true + optional: false secretName: one-pod-ssl - name: ssl-internal secret:
diff --git a/e2e-tests/one-pod/conf/one-pod-rs0.yml b/e2e-tests/one-pod/conf/one-pod-rs0.yml
index f616943c3a..78d0f9bc95 100644
--- a/e2e-tests/one-pod/conf/one-pod-rs0.yml
+++ b/e2e-tests/one-pod/conf/one-pod-rs0.yml
@@ -6,7 +6,8 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true + unsafeFlags: + replsetSize: true secrets: users: some-users pmm:
diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-4-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-4-oc.yml
index 104fbd90b0..41d891a44e 100644
--- a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-4-oc.yml
+++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-4-oc.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
@@ -186,6 +187,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-oc.yml
index 104fbd90b0..41d891a44e 100644
--- a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-oc.yml
+++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg-oc.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
@@ -186,6 +187,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg.yml
index e63c30682f..1704dd4295 100644
--- a/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg.yml
+++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-cfg.yml
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
@@ -187,6 +188,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-mongos.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-mongos.yml
index 6a7e58b829..4ac36e6cbc 100644
--- a/e2e-tests/pitr-physical/compare/statefulset_some-name-mongos.yml
+++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-mongos.yml
@@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS command: - /opt/percona/ps-entry.sh env:
diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-4-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-4-oc.yml
index 08be495657..198b29fa59 100644
--- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-4-oc.yml
+++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-4-oc.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
@@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-oc.yml
index 08be495657..198b29fa59 100644
--- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-oc.yml
+++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0-oc.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
@@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0.yml
index 8981c5242c..4682000eab 100644
--- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0.yml
+++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs0.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
@@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {}
diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-4-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-4-oc.yml
index 95cffc086e..84bd8fea48 100644
--- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-4-oc.yml
+++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-4-oc.yml
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key
@@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-oc.yml index 1505761460..baeff78d95 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-oc.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1.yml index 7ce30320dc..4d7284b8e5 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs1.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} 
diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-4-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-4-oc.yml index 8e16766b46..ad1563ceee 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-4-oc.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-4-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -185,6 +186,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-oc.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-oc.yml index f797da50fb..47f062d5cb 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-oc.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -183,6 +184,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2.yml b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2.yml index e720b81583..2245d41cf8 100644 --- a/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2.yml +++ b/e2e-tests/pitr-physical/compare/statefulset_some-name-rs2.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -186,6 +187,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-4-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-4-oc.yml index 13bd528127..3af5d4247e 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-4-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-4-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -187,6 +188,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-oc.yml index eee1006d14..8cdb41c8c2 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -187,6 +188,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg.yml index ca3a6efa08..468ac78982 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-cfg.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -188,6 +189,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos-oc.yml index 3ee7fedf14..f4199e2bf5 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos-oc.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS command: - /opt/percona/ps-entry.sh env: diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos.yml index 4ab05b32f5..33b74f15e2 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos.yml 
+++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-mongos.yml @@ -57,6 +57,7 @@ spec: - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 - --relaxPermChecks - --clusterAuthMode=x509 + - --tlsMode=preferTLS command: - /opt/percona/ps-entry.sh env: diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-4-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-4-oc.yml index 964c0ed044..ea31b859d8 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-4-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-4-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-oc.yml index 08be495657..198b29fa59 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0.yml index dda8206eed..24ffe9ab28 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-4-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-4-oc.yml index 95cffc086e..84bd8fea48 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-4-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-4-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -175,6 +176,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} 
diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-oc.yml index 1505761460..baeff78d95 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1.yml index 7ce30320dc..4d7284b8e5 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs1.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -176,6 +177,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-4-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-4-oc.yml index 8e16766b46..ad1563ceee 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-4-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-4-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -185,6 +186,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-oc.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-oc.yml index f797da50fb..47f062d5cb 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-oc.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -183,6 +184,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2.yml b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2.yml index e720b81583..2245d41cf8 100644 --- a/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2.yml +++ b/e2e-tests/pitr-sharded/compare/statefulset_some-name-rs2.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -186,6 +187,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/pitr/compare/statefulset_some-name-rs0-oc.yml index 19554d339f..0da2b27db3 100644 --- a/e2e-tests/pitr/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/pitr/compare/statefulset_some-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -172,6 +173,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/pitr/compare/statefulset_some-name-rs0.yml b/e2e-tests/pitr/compare/statefulset_some-name-rs0.yml index d07c53bda1..7d0ed280db 100644 --- a/e2e-tests/pitr/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/pitr/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} 
diff --git a/e2e-tests/pvc-resize/compare/statefulset_some-name-rs0.yml b/e2e-tests/pvc-resize/compare/statefulset_some-name-rs0.yml index b6be680007..c4eed0aa8b 100644 --- a/e2e-tests/pvc-resize/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/pvc-resize/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/recover-no-primary/conf/some-name-exposed.yml b/e2e-tests/recover-no-primary/conf/some-name-exposed.yml index ba85bebf9e..c91f9fb730 100644 --- a/e2e-tests/recover-no-primary/conf/some-name-exposed.yml +++ b/e2e-tests/recover-no-primary/conf/some-name-exposed.yml @@ -6,7 +6,6 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true backup: enabled: false image: perconalab/percona-server-mongodb-operator:0.4.0-backup diff --git a/e2e-tests/recover-no-primary/conf/some-name.yml b/e2e-tests/recover-no-primary/conf/some-name.yml index 0a72109715..bf4f720d83 100644 --- a/e2e-tests/recover-no-primary/conf/some-name.yml +++ b/e2e-tests/recover-no-primary/conf/some-name.yml @@ -6,7 +6,6 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true backup: enabled: false image: perconalab/percona-server-mongodb-operator:main-backup diff --git a/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0-oc.yml index f604f95d57..82ff6c2137 100644 --- a/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0.yml b/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0.yml index b6be680007..c4eed0aa8b 100644 --- a/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/rs-shard-migration/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/scaling/run b/e2e-tests/scaling/run index f4df06fa7b..9326a1e4eb 100755 --- a/e2e-tests/scaling/run +++ b/e2e-tests/scaling/run @@ -66,12 +66,12 @@ kubectl_bin delete pvc --all sleep 30 -desc 'check scaling on exposed cluster with unsafe config' -cat_config "$conf_dir/$cluster.yml" \ - | yq eval '.spec.allowUnsafeConfigurations=true' \ - | yq eval '.spec.replsets[0].expose.enabled=true' \ - | yq eval '.spec.replsets[0].expose.exposeType="ClusterIP"' \ - | kubectl_bin apply -f - +desc 'check scaling on exposed cluster' +cat_config "$conf_dir/$cluster.yml" | + yq eval '.spec.unsafeFlags.replsetSize=true' | + yq eval '.spec.replsets[0].expose.enabled=true' | + yq eval '.spec.replsets[0].expose.exposeType="ClusterIP"' | + kubectl_bin apply -f - wait_for_running $cluster 3 desc 'check data consistency: write data, read from all' 
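Review bot: The new `desc 'check scaling on exposed cluster'` drops the "unsafe config" wording while the pipeline right under it still sets `.spec.unsafeFlags.replsetSize=true`, so the step description no longer says why an unsafe flag is being applied. That flag is what lets the patch later in this file shrink the replset to `"value": 1`, and a reader of this step cannot see that link. A one-line comment above the `cat_config` pipeline, `# replsetSize unsafe flag: the test later scales the replset down to a single member`, or restoring the wording as `desc 'check scaling on exposed cluster with unsafe replset size'`, would keep the intent visible. The rest of the hunk is a pipe-placement restyle and needs no change.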
@@ -88,9 +88,7 @@ compare_mongo_cmd "find" "myApp:myPass@$cluster-2.$cluster.$namespace" desc 'scale up from 3 to 1' kubectl_bin patch psmdb ${cluster%%-rs0} \ --type='json' \ - -p='[ - {"op": "replace", "path": "/spec/replsets/0/size", "value": 1} - ]' + -p='[{"op": "replace", "path": "/spec/replsets/0/size", "value": 1}]' desc 'check if Pod deleted' wait_for_delete pod/$cluster-1 wait_for_delete pod/$cluster-2 diff --git a/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0-oc.yml index c5e21ecaa1..4c2b4ef8a4 100644 --- a/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0-oc.yml +++ b/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -172,6 +173,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: diff --git a/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0.yml b/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0.yml index cc0d6f3684..945ec3743c 100644 --- a/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0.yml +++ b/e2e-tests/scheduled-backup/compare/statefulset_some-name-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 
@@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-rs0-changed.yml b/e2e-tests/security-context/compare/statefulset_sec-context-rs0-changed.yml index 9e25c24821..83f217fa8c 100644 --- a/e2e-tests/security-context/compare/statefulset_sec-context-rs0-changed.yml +++ b/e2e-tests/security-context/compare/statefulset_sec-context-rs0-changed.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 @@ -173,6 +174,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-rs0.yml b/e2e-tests/security-context/compare/statefulset_sec-context-rs0.yml index a79f9edc42..418cd9bcd9 100644 --- a/e2e-tests/security-context/compare/statefulset_sec-context-rs0.yml +++ b/e2e-tests/security-context/compare/statefulset_sec-context-rs0.yml @@ -51,6 +51,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0-oc.yml b/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0-oc.yml index dc7a9134c4..c8cbb6ac4f 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0-oc.yml 
+++ b/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true @@ -165,6 +166,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0.yml b/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0.yml index d7bee4bd8e..df36e2eee6 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0.yml +++ b/e2e-tests/service-per-pod/compare/statefulset_cluster-ip-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true @@ -166,6 +167,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0-oc.yml b/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0-oc.yml index 2eaf4d700c..673b027cff 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0-oc.yml +++ b/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true @@ -165,6 +166,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0.yml b/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0.yml index 18f7c35e60..976052c5c0 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0.yml +++ b/e2e-tests/service-per-pod/compare/statefulset_local-balancer-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true @@ -166,6 +167,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0-oc.yml b/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0-oc.yml index 84e251fb18..0092629b13 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0-oc.yml +++ b/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true 
@@ -165,6 +166,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0.yml b/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0.yml index 787d584a59..ecbfd0f053 100644 --- a/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0.yml +++ b/e2e-tests/service-per-pod/compare/statefulset_node-port-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true @@ -166,6 +167,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" imagePullPolicy: Always name: backup-agent resources: {} diff --git a/e2e-tests/serviceless-external-nodes/conf/external.yml b/e2e-tests/serviceless-external-nodes/conf/external.yml index f1316139d6..d010398c6f 100644 --- a/e2e-tests/serviceless-external-nodes/conf/external.yml +++ b/e2e-tests/serviceless-external-nodes/conf/external.yml @@ -4,7 +4,9 @@ metadata: name: mydb spec: unmanaged: true - allowUnsafeConfigurations: true + unsafeFlags: + replsetSize: true + mongosSize: true clusterServiceDNSMode: "Internal" image: percona/percona-server-mongodb:6.0.4-3 imagePullPolicy: Always diff --git a/e2e-tests/serviceless-external-nodes/conf/main.yml b/e2e-tests/serviceless-external-nodes/conf/main.yml index 6d42e8255d..6b07bdc59e 100644 --- a/e2e-tests/serviceless-external-nodes/conf/main.yml +++ b/e2e-tests/serviceless-external-nodes/conf/main.yml 
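Review bot: The replacement of `allowUnsafeConfigurations: true` with `unsafeFlags:` enables two separate waivers, `replsetSize: true` and `mongosSize: true`, and nothing in the fixture says which one the serviceless-external-nodes test actually relies on; with the old single flag that question did not arise. Since the per-flag form exists to narrow what is waived, a short comment on the block, e.g. `# unsafeFlags: only the sizes this test deliberately runs below the safe minimum`, naming the reason for each flag would let a later reader drop the one that is not needed; if the cluster in this fixture has no mongos, `mongosSize` looks like a candidate, but that cannot be confirmed from the hunk. The same `unsafeFlags` block is introduced in the first hunk of `e2e-tests/serviceless-external-nodes/conf/main.yml`.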
@@ -3,7 +3,9 @@ kind: PerconaServerMongoDB metadata: name: mydb spec: - allowUnsafeConfigurations: true + unsafeFlags: + replsetSize: true + mongosSize: true clusterServiceDNSMode: "Internal" image: percona/percona-server-mongodb:6.0.4-3 imagePullPolicy: Always @@ -64,9 +66,6 @@ spec: requests: storage: 3Gi configuration: | - net: - tls: - mode: preferTLS operationProfiling: mode: slowOp arbiter: @@ -104,9 +103,6 @@ spec: requests: storage: 3Gi configuration: | - net: - tls: - mode: preferTLS operationProfiling: mode: slowOp diff --git a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter-oc.yml b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter-oc.yml index d0497f3542..f05093ad79 100644 --- a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter-oc.yml +++ b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter.yml b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter.yml index ae11f2e553..65a54de870 100644 --- a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter.yml +++ b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-arbiter.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-oc.yml b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-oc.yml index 08d7cdc779..4d246b4fb3 100644 --- a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-oc.yml 
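Review bot: Both `configuration:` blocks in this file lose their `net.tls.mode: preferTLS` stanza with nothing put in its place, so the fixture no longer states the TLS mode mongod is expected to run with. The compare fixtures elsewhere in this commit now expect `--tlsMode=preferTLS` on the mongod command line, which suggests the operator sets it itself and the config-file value became redundant, but that is inferred rather than visible here. A comment where the stanza used to be, `# net.tls.mode intentionally omitted: the operator passes --tlsMode to mongod`, would record that the omission is deliberate and not a loss of the TLS setting.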
+++ b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0.yml b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0.yml index 8338b2eb24..c393cc0e7e 100644 --- a/e2e-tests/smart-update/compare/statefulset_smart-update-rs0.yml +++ b/e2e-tests/smart-update/compare/statefulset_smart-update-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/smart-update/conf/smart-update-rs0.yml b/e2e-tests/smart-update/conf/smart-update-rs0.yml index 4df627a95e..29a37477fd 100644 --- a/e2e-tests/smart-update/conf/smart-update-rs0.yml +++ b/e2e-tests/smart-update/conf/smart-update-rs0.yml @@ -25,7 +25,7 @@ spec: resources: requests: storage: 1Gi - size: 2 + size: 4 configuration: | operationProfiling: mode: slowOp diff --git a/e2e-tests/split-horizon/conf/some-name-3horizons.yml b/e2e-tests/split-horizon/conf/some-name-3horizons.yml index 576765d9a3..461feb2056 100644 --- a/e2e-tests/split-horizon/conf/some-name-3horizons.yml +++ b/e2e-tests/split-horizon/conf/some-name-3horizons.yml @@ -6,7 +6,6 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true backup: enabled: false image: perconalab/percona-server-mongodb-operator:main-backup diff --git a/e2e-tests/split-horizon/conf/some-name-5horizons.yml b/e2e-tests/split-horizon/conf/some-name-5horizons.yml index 9aac047d35..bccd0892fd 100644 --- a/e2e-tests/split-horizon/conf/some-name-5horizons.yml +++ b/e2e-tests/split-horizon/conf/some-name-5horizons.yml 
@@ -6,7 +6,6 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true backup: enabled: false image: perconalab/percona-server-mongodb-operator:main-backup diff --git a/e2e-tests/split-horizon/conf/some-name.yml b/e2e-tests/split-horizon/conf/some-name.yml index 725d3ccbb8..a0eb8d83f7 100644 --- a/e2e-tests/split-horizon/conf/some-name.yml +++ b/e2e-tests/split-horizon/conf/some-name.yml @@ -6,7 +6,6 @@ spec: #platform: openshift image: imagePullPolicy: Always - allowUnsafeConfigurations: true backup: enabled: false image: perconalab/percona-server-mongodb-operator:main-backup diff --git a/e2e-tests/storage/compare/statefulset_emptydir-rs0-oc.yml b/e2e-tests/storage/compare/statefulset_emptydir-rs0-oc.yml index 553ac00f5b..d7a93ecab0 100644 --- a/e2e-tests/storage/compare/statefulset_emptydir-rs0-oc.yml +++ b/e2e-tests/storage/compare/statefulset_emptydir-rs0-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/storage/compare/statefulset_emptydir-rs0.yml b/e2e-tests/storage/compare/statefulset_emptydir-rs0.yml index eeb87f0c91..d784e9cd61 100644 --- a/e2e-tests/storage/compare/statefulset_emptydir-rs0.yml +++ b/e2e-tests/storage/compare/statefulset_emptydir-rs0.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/storage/compare/statefulset_hostpath-rs0-oc.yml b/e2e-tests/storage/compare/statefulset_hostpath-rs0-oc.yml index 53c3873c48..87d9fab66f 100644 --- a/e2e-tests/storage/compare/statefulset_hostpath-rs0-oc.yml +++ b/e2e-tests/storage/compare/statefulset_hostpath-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/storage/compare/statefulset_hostpath-rs0.yml b/e2e-tests/storage/compare/statefulset_hostpath-rs0.yml index b7b4c5528d..bb99c0780f 100644 --- a/e2e-tests/storage/compare/statefulset_hostpath-rs0.yml +++ b/e2e-tests/storage/compare/statefulset_hostpath-rs0.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerIndexPrefixCompression=true diff --git a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160-oc.yml b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160-oc.yml index 11d71a0265..15e67406e5 100644 --- a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160-oc.yml +++ b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160.yml b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160.yml index c259acc2ad..b46ac4a2cd 100644 --- a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160.yml +++ b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-cfg-1160.yml 
@@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160-oc.yml b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160-oc.yml index 91a63bcf6d..f099c7adb4 100644 --- a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160-oc.yml +++ b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160-oc.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160.yml b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160.yml index 7ab9f1ae65..e214903219 100644 --- a/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160.yml +++ b/e2e-tests/upgrade-consistency-sharded-tls/compare/statefulset_some-name-rs0-1160.yml @@ -62,6 +62,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key diff --git a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1140-oc.yml b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1140-oc.yml index 53a9df1a93..ce66079a2a 100644 --- a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1140-oc.yml +++ b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1140-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160-oc.yml b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160-oc.yml index 81463027c5..e4143b394a 100644 --- a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160-oc.yml +++ b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160.yml b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160.yml index 646ad6fc00..e404c58870 100644 --- a/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160.yml +++ b/e2e-tests/upgrade-consistency/compare/statefulset_some-name-rs0-1160.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0-oc.yml b/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0-oc.yml index 5d40acd9c5..4bd991796b 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0-oc.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0.yml b/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0.yml index abc5beecef..50c7b60aad 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-exact-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0-oc.yml b/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0-oc.yml index 1b325c871e..e8a642be34 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0-oc.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0.yml b/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0.yml index 3b728a010b..5da8e5d7e6 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-latest-rs0.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-major-rs0-oc.yml b/e2e-tests/version-service/compare/statefulset_version-service-major-rs0-oc.yml index 396a8fa477..33bdc328f2 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-major-rs0-oc.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-major-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-major-rs0.yml b/e2e-tests/version-service/compare/statefulset_version-service-major-rs0.yml index 86dae7c4e6..334b972a99 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-major-rs0.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-major-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0-oc.yml b/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0-oc.yml index 65e8594be9..dd20eb40f8 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0-oc.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0-oc.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0.yml b/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0.yml index b05b17418c..3e8489f9b0 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-recommended-rs0.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0-oc.yml b/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0-oc.yml index dde22f367c..74dbf45cf8 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0-oc.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0-oc.yml @@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0.yml b/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0.yml index abec7e3da1..eb556f2366 100644 --- a/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0.yml +++ b/e2e-tests/version-service/compare/statefulset_version-service-unreachable-rs0.yml 
@@ -50,6 +50,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key - --wiredTigerCacheSizeGB=0.25 diff --git a/e2e-tests/version-service/conf/crd.yaml b/e2e-tests/version-service/conf/crd.yaml index 8b7c6f9421..d2f6b5b233 100644 --- a/e2e-tests/version-service/conf/crd.yaml +++ b/e2e-tests/version-service/conf/crd.yaml @@ -17982,9 +17982,24 @@ spec: required: - name type: object + mode: + type: string type: object unmanaged: type: boolean + unsafeFlags: + properties: + backupIfUnhealthy: + type: boolean + mongosSize: + type: boolean + replsetSize: + type: boolean + terminationGracePeriod: + type: boolean + tls: + type: boolean + type: object updateStrategy: type: string upgradeOptions: diff --git a/pkg/apis/psmdb/v1/psmdb_defaults.go b/pkg/apis/psmdb/v1/psmdb_defaults.go index 1be45f8e6e..b7b4200a9a 100644 --- a/pkg/apis/psmdb/v1/psmdb_defaults.go +++ b/pkg/apis/psmdb/v1/psmdb_defaults.go @@ -90,6 +90,14 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log } } + if cr.Spec.TLS.Mode == "" { + cr.Spec.TLS.Mode = TLSModePrefer + } + + if !cr.TLSEnabled() && !cr.Spec.Unsafe.TLS { + return errors.New("TLS must be enabled. Set spec.unsafeFlags.tls to true to disable this check") + } + if len(cr.Spec.Replsets) == 0 { cr.Spec.Replsets = []*ReplsetSpec{ { 
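Review bot: The new guard `if !cr.TLSEnabled() && !cr.Spec.Unsafe.TLS` rejects every pre-1.16 CR that set `allowUnsafeConfigurations: true`, because for `CompareVersion("1.16.0") < 0` `TLSEnabled()` returns `!cr.Spec.UnsafeConf` (see the psmdb_types.go hunk in this change) while `unsafeFlags.tls` is never set on such objects; the helper `UnsafeTLSDisabled()` added in the same change covers both generations, so the check should read `if !cr.TLSEnabled() && !cr.UnsafeTLSDisabled() {`. `cr.Spec.TLS` is declared as `*TLSSpec`, so `cr.Spec.TLS.Mode == ""` dereferences nil unless an earlier part of CheckNSetDefaults (outside this hunk) initialises it — worth a `cr.Spec.TLS == nil` guard or a comment stating where it is set. The default `preferTLS` still lets clients connect in plaintext, and the probes and URIs elsewhere in this change use `--sslInsecure` / `tlsInsecure=true`, so the error text overstates the guarantee; a comment such as `// ensures TLS material is provisioned; preferTLS does not force clients to use it — set spec.tls.mode: requireTLS for that` would keep operators from assuming encryption in transit is enforced. CheckNSetDefaults continues outside the hunk.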
@@ -134,13 +142,16 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log return errors.New("mongos should be specified") } - if !cr.Spec.Pause && cr.DeletionTimestamp == nil { - if !cr.Spec.UnsafeConf && cr.Spec.Sharding.Mongos.Size < minSafeMongosSize { - log.Info("Safe config set, updating mongos size", - "oldSize", cr.Spec.Sharding.Mongos.Size, "newSize", minSafeMongosSize) - cr.Spec.Sharding.Mongos.Size = minSafeMongosSize + if cr.CompareVersion("1.16.0") < 0 { + if !cr.Spec.Pause && cr.DeletionTimestamp == nil { + if !cr.Spec.UnsafeConf && cr.Spec.Sharding.Mongos.Size < minSafeMongosSize { + log.Info("Safe config set, updating mongos size", + "oldSize", cr.Spec.Sharding.Mongos.Size, "newSize", minSafeMongosSize) + cr.Spec.Sharding.Mongos.Size = minSafeMongosSize + } } } + if cr.CompareVersion("1.15.0") >= 0 { var fsgroup *int64 if platform == version.PlatformKubernetes { @@ -191,8 +202,7 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log }, } - if (cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) || - cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { cr.Spec.Sharding.Mongos.LivenessProbe.Exec.Command = append(cr.Spec.Sharding.Mongos.LivenessProbe.Exec.Command, "--ssl", "--sslInsecure", "--sslCAFile", "/etc/mongodb-ssl/ca.crt", @@ -236,8 +246,7 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log }, } - if (cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) || - cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { cr.Spec.Sharding.Mongos.ReadinessProbe.Exec.Command = append(cr.Spec.Sharding.Mongos.ReadinessProbe.Exec.Command, "--ssl", "--sslInsecure", "--sslCAFile", "/etc/mongodb-ssl/ca.crt", 
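Review bot: For CR versions at or above 1.16.0 this hunk drops the mongos size adjustment but adds no replacement, so `spec.unsafeFlags.mongosSize` declared in psmdb_types.go has no visible effect and a single-mongos sharded cluster now passes CheckNSetDefaults silently; if the check lives elsewhere in the change it is not in view. A symmetric check next to the legacy branch would close the gap: `if cr.CompareVersion("1.16.0") >= 0 && !cr.Spec.Pause && cr.DeletionTimestamp == nil && !cr.Spec.Unsafe.MongosSize && cr.Spec.Sharding.Mongos.Size < minSafeMongosSize { return errors.Errorf("mongos size must be at least %d. Set spec.unsafeFlags.mongosSize to true to disable this check", minSafeMongosSize) }`. Note that the legacy branch still silently bumps the size while the new replset checks in this change return errors, so the two behaviours should either be documented as intentional or aligned. CheckNSetDefaults starts and ends outside this hunk.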
@@ -271,7 +280,9 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log cr.Spec.Sharding.Mongos.ReadinessProbe.FailureThreshold = 3 } - cr.Spec.Sharding.Mongos.reconcileOpts(cr) + if err := cr.Spec.Sharding.Mongos.reconcileOpts(cr); err != nil { + return errors.Wrap(err, "reconcile mongos options") + } if err := cr.Spec.Sharding.Mongos.Configuration.SetDefaults(); err != nil { return errors.Wrap(err, "failed to set configuration defaults") @@ -364,15 +375,12 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log Command: []string{"mongodb-healthcheck", "k8s", "liveness"}, } - if cr.CompareVersion("1.6.0") >= 0 { - replset.LivenessProbe.Probe.Exec.Command[0] = "/data/db/mongodb-healthcheck" - if (cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) || - cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf { - replset.LivenessProbe.Probe.Exec.Command = append(replset.LivenessProbe.Probe.Exec.Command, - "--ssl", "--sslInsecure", - "--sslCAFile", "/etc/mongodb-ssl/ca.crt", - "--sslPEMKeyFile", "/tmp/tls.pem") - } + replset.LivenessProbe.Probe.Exec.Command[0] = "/data/db/mongodb-healthcheck" + if cr.TLSEnabled() { + replset.LivenessProbe.Probe.Exec.Command = append(replset.LivenessProbe.Probe.Exec.Command, + "--ssl", "--sslInsecure", + "--sslCAFile", "/etc/mongodb-ssl/ca.crt", + "--sslPEMKeyFile", "/tmp/tls.pem") } if cr.CompareVersion("1.4.0") >= 0 && !replset.LivenessProbe.CommandHas(startupDelaySecondsFlag) { 
@@ -568,13 +576,23 @@ func (rs *ReplsetSpec) SetDefaults(platform version.Platform, cr *PerconaServerM rs.Expose.ExposeType = corev1.ServiceTypeClusterIP } - rs.MultiAZ.reconcileOpts(cr) + if err := rs.MultiAZ.reconcileOpts(cr); err != nil { + return errors.Wrapf(err, "reconcile multiAZ options for replset %s", rs.Name) + } if rs.Arbiter.Enabled { - rs.Arbiter.MultiAZ.reconcileOpts(cr) + if err := rs.Arbiter.MultiAZ.reconcileOpts(cr); err != nil { + return errors.Wrapf(err, "reconcile multiAZ options for arbiter in replset %s", rs.Name) + } + } + + if cr.CompareVersion("1.16.0") >= 0 && cr.DeletionTimestamp == nil && !cr.Spec.Pause { + if err := rs.checkSafeDefaults(cr.Spec.Unsafe); err != nil { + return errors.Wrap(err, "check safe defaults") + } } - if !cr.Spec.UnsafeConf && (cr.DeletionTimestamp == nil && !cr.Spec.Pause) { + if cr.CompareVersion("1.16.0") < 0 && !cr.Spec.UnsafeConf && (cr.DeletionTimestamp == nil && !cr.Spec.Pause) { rs.setSafeDefaults(log) } @@ -661,7 +679,7 @@ func (nv *NonVotingSpec) SetDefaults(cr *PerconaServerMongoDB, rs *ReplsetSpec) Command: []string{"/data/db/mongodb-healthcheck", "k8s", "liveness"}, } - if !cr.Spec.UnsafeConf || cr.CompareVersion("1.15.0") < 0 { + if cr.TLSEnabled() { nv.LivenessProbe.Probe.ProbeHandler.Exec.Command = append( nv.LivenessProbe.Probe.ProbeHandler.Exec.Command, "--ssl", "--sslInsecure", "--sslCAFile", "/etc/mongodb-ssl/ca.crt", "--sslPEMKeyFile", "/tmp/tls.pem", 
@@ -762,19 +780,66 @@ func (rs *ReplsetSpec) setSafeDefaults(log logr.Logger) { } } -func (m *MultiAZ) reconcileOpts(cr *PerconaServerMongoDB) { +func (rs *ReplsetSpec) checkSafeDefaults(unsafe UnsafeFlags) error { + if !unsafe.ReplsetSize { + if rs.Arbiter.Enabled { + if rs.Arbiter.Size != 1 { + return errors.New("arbiter size must be 1. Set spec.unsafeFlags.replsetSize to true to disable this check") + } + if rs.Size < minSafeReplicasetSizeWithArbiter { + return errors.Errorf("replset size must be at least %d with arbiter. Set spec.unsafeFlags.replsetSize to true to disable this check", minSafeReplicasetSizeWithArbiter) + } + if rs.Size%2 != 0 { + return errors.New("arbiter must disabled due to odd replset size. Set spec.unsafeFlags.replsetSize to true to disable this check") + } + } else { + if rs.Size < 2 { + return errors.Errorf("replset size must be at least %d. Set spec.unsafeFlags.replsetSize to true to disable this check", defaultMongodSize) + } + if rs.Size%2 == 0 { + return errors.New("replset size must be odd. 
Set spec.unsafeFlags.replsetSize to true to disable this check") + } + } + } + + mode, err := rs.Configuration.GetTLSMode() + if err != nil { + return errors.Wrap(err, "get tls mode") + } + + if mode != "" { + return errors.New("tlsMode must be set using spec.tls.mode") + } + + return nil +} + +func (m *MultiAZ) reconcileOpts(cr *PerconaServerMongoDB) error { m.reconcileAffinityOpts(cr) m.reconcileTopologySpreadConstraints(cr) if cr.CompareVersion("1.15.0") >= 0 { - if m.TerminationGracePeriodSeconds == nil || (!cr.Spec.UnsafeConf && *m.TerminationGracePeriodSeconds < 30) { + if m.TerminationGracePeriodSeconds == nil { + m.TerminationGracePeriodSeconds = new(int64) + *m.TerminationGracePeriodSeconds = 60 + } + } + if cr.CompareVersion("1.15.0") == 0 { + if !cr.Spec.UnsafeConf && *m.TerminationGracePeriodSeconds < 30 { m.TerminationGracePeriodSeconds = new(int64) *m.TerminationGracePeriodSeconds = 60 } } + if cr.CompareVersion("1.16.0") >= 0 { + if *m.TerminationGracePeriodSeconds < 30 && !cr.Spec.Unsafe.TerminationGracePeriod { + return errors.New("terminationGracePeriodSeconds must be at least 30 seconds for safe configuration. Set spec.unsafeFlags.terminationGracePeriod to true to disable this check") + } + } if m.PodDisruptionBudget == nil { defaultMaxUnavailable := intstr.FromInt(1) m.PodDisruptionBudget = &PodDisruptionBudgetSpec{MaxUnavailable: &defaultMaxUnavailable} } + + return nil } var affinityValidTopologyKeys = map[string]struct{}{ diff --git a/pkg/apis/psmdb/v1/psmdb_defaults_test.go b/pkg/apis/psmdb/v1/psmdb_defaults_test.go index 2f350a326c..00410a2411 100644 --- a/pkg/apis/psmdb/v1/psmdb_defaults_test.go +++ b/pkg/apis/psmdb/v1/psmdb_defaults_test.go 
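Review bot: In `checkSafeDefaults` the non-arbiter branch tests `rs.Size < 2` but reports `defaultMongodSize` in the error, so the message names a threshold the code does not check; either compare against the constant (`if rs.Size < defaultMongodSize {`) or print the literal that is tested. The arbiter message `"arbiter must disabled due to odd replset size..."` is missing the word `be`. Both new functions are unexported but still deserve a one-line comment, e.g. `// checkSafeDefaults rejects replset sizes and TLS settings that are unsafe unless the matching spec.unsafeFlags entry is set.` The non-voting member count is not considered by any of these size checks, which may be intended but is worth stating in that comment.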
@@ -226,7 +226,7 @@ func TestSetSafeDefault(t *testing.T) { cr := &api.PerconaServerMongoDB{ ObjectMeta: metav1.ObjectMeta{Name: "psmdb-mock", Namespace: "psmdb"}, Spec: api.PerconaServerMongoDBSpec{ - CRVersion: version.Version, + CRVersion: "1.15.0", Replsets: []*api.ReplsetSpec{{Name: "rs0", Size: 3}, {Name: "rs1", Size: 3}}, Sharding: api.Sharding{Enabled: true, Mongos: &api.MongosSpec{Size: 3}}, }, diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go index b2f5133a91..ebfe042673 100644 --- a/pkg/apis/psmdb/v1/psmdb_types.go +++ b/pkg/apis/psmdb/v1/psmdb_types.go @@ -73,6 +73,7 @@ type PerconaServerMongoDBSpec struct { Image string `json:"image"` ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"` UnsafeConf bool `json:"allowUnsafeConfigurations,omitempty"` + Unsafe UnsafeFlags `json:"unsafeFlags,omitempty"` IgnoreLabels []string `json:"ignoreLabels,omitempty"` IgnoreAnnotations []string `json:"ignoreAnnotations,omitempty"` Replsets []*ReplsetSpec `json:"replsets,omitempty"` @@ -92,7 +93,25 @@ type PerconaServerMongoDBSpec struct { TLS *TLSSpec `json:"tls,omitempty"` } +type UnsafeFlags struct { + TLS bool `json:"tls,omitempty"` + ReplsetSize bool `json:"replsetSize,omitempty"` + MongosSize bool `json:"mongosSize,omitempty"` + TerminationGracePeriod bool `json:"terminationGracePeriod,omitempty"` + BackupIfUnhealthy bool `json:"backupIfUnhealthy,omitempty"` +} + +type TLSMode string + +const ( + TLSModeDisabled TLSMode = "disabled" + TLSModeAllow TLSMode = "allowTLS" + TLSModePrefer TLSMode = "preferTLS" + TLSModeRequire TLSMode = "requireTLS" +) + type TLSSpec struct { + Mode TLSMode `json:"mode,omitempty"` CertValidityDuration metav1.Duration `json:"certValidityDuration,omitempty"` IssuerConf *cmmeta.ObjectReference `json:"issuerConf,omitempty"` } 
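Review bot: `TLSSpec.Mode` is a free-form string at the API boundary (the CRD copy in this change declares it as plain `type: string`), and `UnsafeFlags`, `TLSMode` and the new field carry no doc comments. If CRDs are generated from markers in this project (not visible here), `// +kubebuilder:validation:Enum=disabled;allowTLS;preferTLS;requireTLS` above `Mode` would reject typos before they reach the operator. `UnsafeConf` is kept beside the new struct, so mark it `// Deprecated: use Unsafe (spec.unsafeFlags) instead; only honoured for crVersion < 1.16.0.` and give each `UnsafeFlags` field a sentence naming the check it disables, since these flags are what a cluster admin reads when deciding to weaken TLS or quorum guarantees.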
@@ -423,6 +442,35 @@ func (conf MongoConfiguration) GetOptions(name string) (map[interface{}]interfac return options, nil } +func (conf MongoConfiguration) GetTLSMode() (string, error) { + m, err := conf.GetOptions("net") + if err != nil || m == nil { + return "", err + } + + tls, ok := m["tls"] + if !ok { + return "", nil + } + + tlsMap, ok := tls.(map[any]any) + if !ok { + return "", errors.New("tls configuration is invalid") + } + + tlsMode, ok := tlsMap["mode"] + if !ok { + return "", nil + } + + mode, ok := tlsMode.(string) + if !ok { + return "", errors.Errorf("can't cast %s to string", mode) + } + + return mode, nil +} + // IsEncryptionEnabled returns nil if "enableEncryption" field is not specified or the pointer to the value of this field func (conf MongoConfiguration) IsEncryptionEnabled() (*bool, error) { m, err := conf.GetOptions("security") @@ -1038,10 +1086,14 @@ func (cr *PerconaServerMongoDB) CanBackup(ctx context.Context) error { return nil } - if !cr.Spec.UnsafeConf { + if cr.CompareVersion("1.15.0") <= 0 && !cr.Spec.UnsafeConf { return errors.Errorf("allowUnsafeConfigurations must be true to run backup on cluster with status %s", cr.Status.State) } + if cr.CompareVersion("1.16.0") >= 0 && !cr.Spec.Unsafe.BackupIfUnhealthy { + return errors.Errorf("spec.unsafeFlags.backupIfUnhealthy must be true to run backup on cluster with status %s", cr.Status.State) + } + for rsName, rs := range cr.Status.Replsets { if rs.Ready < int32(1) { return errors.New(rsName + " has no ready nodes") 
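Review bot: In `GetTLSMode` the failed-assertion branch formats `mode`, which is the zero value after `tlsMode.(string)` fails, so the error always reads `can't cast  to string`; format the original value instead: `return "", errors.Errorf("can't cast %v to string", tlsMode)`. The exported method also lacks a doc comment; suggest `// GetTLSMode returns net.tls.mode from the user-supplied configuration, or "" when the key is absent.`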
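Review bot: The two version gates in `CanBackup` leave a gap: `CompareVersion("1.15.0") <= 0` and `CompareVersion("1.16.0") >= 0` both skip a crVersion such as 1.15.1, so a backup on an unhealthy cluster would be allowed with neither flag set, whereas the rest of this change uses `CompareVersion("1.16.0") < 0` for the legacy path. Change the first condition to `if cr.CompareVersion("1.16.0") < 0 && !cr.Spec.UnsafeConf {` so every version falls on exactly one side. Whether 1.15.x patch versions occur as crVersion values is not visible here, but the mismatch is cheap to make uniform. CanBackup continues outside the hunk.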
@@ -1136,6 +1188,25 @@ func (cr *PerconaServerMongoDB) GetOrderedFinalizers() []string { return orderedFinalizers } +func (cr *PerconaServerMongoDB) TLSEnabled() bool { + if cr.CompareVersion("1.16.0") < 0 { + return !cr.Spec.UnsafeConf + } + + switch cr.Spec.TLS.Mode { + case TLSModeDisabled: + return false + case TLSModeAllow, TLSModePrefer, TLSModeRequire: + return true + default: + return true + } +} + +func (cr *PerconaServerMongoDB) UnsafeTLSDisabled() bool { + return (cr.CompareVersion("1.16.0") >= 0 && cr.Spec.Unsafe.TLS) || (cr.CompareVersion("1.16.0") < 0 && cr.Spec.UnsafeConf) +} + const ( AnnotationResyncPBM = "percona.com/resync-pbm" AnnotationPVCResizeInProgress = "percona.com/pvc-resize-in-progress" diff --git a/pkg/apis/psmdb/v1/zz_generated.deepcopy.go b/pkg/apis/psmdb/v1/zz_generated.deepcopy.go index 92ddd2a707..bb20b14515 100644 --- a/pkg/apis/psmdb/v1/zz_generated.deepcopy.go +++ b/pkg/apis/psmdb/v1/zz_generated.deepcopy.go @@ -1213,6 +1213,7 @@ func (in *PerconaServerMongoDBSpec) DeepCopyInto(out *PerconaServerMongoDBSpec) *out = make([]corev1.LocalObjectReference, len(*in)) copy(*out, *in) } + out.Unsafe = in.Unsafe if in.IgnoreLabels != nil { in, out := &in.IgnoreLabels, &out.IgnoreLabels *out = make([]string, len(*in)) @@ -1613,6 +1614,21 @@ func (in *TLSSpec) DeepCopy() *TLSSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UnsafeFlags) DeepCopyInto(out *UnsafeFlags) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UnsafeFlags. +func (in *UnsafeFlags) DeepCopy() *UnsafeFlags { + if in == nil { + return nil + } + out := new(UnsafeFlags) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UpgradeOptions) DeepCopyInto(out *UpgradeOptions) { *out = *in 
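Review bot: `TLSEnabled` returns true from its `default` case, so an unrecognised `spec.tls.mode` (a typo such as `requireTls`) silently counts as enabled here while the raw string is presumably what ends up in `--tlsMode=`, where mongod will reject it; better to fail in CheckNSetDefaults with `return errors.Errorf("invalid spec.tls.mode %q", cr.Spec.TLS.Mode)` and reduce this method to `return cr.Spec.TLS.Mode != TLSModeDisabled`. Both exported methods need doc comments, e.g. `// TLSEnabled reports whether the operator provisions and uses TLS for this CR: allowUnsafeConfigurations decides for crVersion < 1.16.0, spec.tls.mode afterwards.` and `// UnsafeTLSDisabled reports whether the user explicitly opted out of the TLS-required check for the CR's API generation.` `cr.Spec.TLS` is a pointer, so state where it is guaranteed non-nil or guard the dereference.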
diff --git a/pkg/controller/perconaservermongodb/connections.go b/pkg/controller/perconaservermongodb/connections.go index 4522583a13..76d1d7d779 100644 --- a/pkg/controller/perconaservermongodb/connections.go +++ b/pkg/controller/perconaservermongodb/connections.go @@ -15,7 +15,7 @@ import ( type MongoClientProvider interface { Mongo(ctx context.Context, cr *api.PerconaServerMongoDB, rs api.ReplsetSpec, role api.UserRole) (mongo.Client, error) Mongos(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole) (mongo.Client, error) - Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string) (mongo.Client, error) + Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string, tlsEnabled bool) (mongo.Client, error) } func (r *ReconcilePerconaServerMongoDB) MongoClientProvider() MongoClientProvider { @@ -47,13 +47,13 @@ func (p *mongoClientProvider) Mongos(ctx context.Context, cr *api.PerconaServerM return psmdb.MongosClient(ctx, p.k8sclient, cr, c) } -func (p *mongoClientProvider) Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string) (mongo.Client, error) { +func (p *mongoClientProvider) Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string, tlsEnabled bool) (mongo.Client, error) { c, err := getInternalCredentials(ctx, p.k8sclient, cr, role) if err != nil { return nil, errors.Wrap(err, "failed to get credentials") } - return psmdb.StandaloneClient(ctx, p.k8sclient, cr, c, host) + return psmdb.StandaloneClient(ctx, p.k8sclient, cr, c, host, tlsEnabled) } func (r *ReconcilePerconaServerMongoDB) mongoClientWithRole(ctx context.Context, cr *api.PerconaServerMongoDB, rs api.ReplsetSpec, role api.UserRole) (mongo.Client, error) { 
@@ -69,5 +69,5 @@ func (r *ReconcilePerconaServerMongoDB) standaloneClientWithRole(ctx context.Con if err != nil { return nil, errors.Wrap(err, "failed to get mongo host") } - return r.MongoClientProvider().Standalone(ctx, cr, role, host) + return r.MongoClientProvider().Standalone(ctx, cr, role, host, cr.TLSEnabled()) } diff --git a/pkg/controller/perconaservermongodb/connections_test.go b/pkg/controller/perconaservermongodb/connections_test.go index 10ac5177dd..d5bfd60433 100644 --- a/pkg/controller/perconaservermongodb/connections_test.go +++ b/pkg/controller/perconaservermongodb/connections_test.go @@ -377,7 +377,7 @@ func (g *fakeMongoClientProvider) Mongos(ctx context.Context, cr *api.PerconaSer fakeClient := mongoFake.NewClient() return &fakeMongoClient{pods: g.pods, cr: g.cr, connectionCount: g.connectionCount, Client: fakeClient}, nil } -func (g *fakeMongoClientProvider) Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string) (mongo.Client, error) { +func (g *fakeMongoClientProvider) Standalone(ctx context.Context, cr *api.PerconaServerMongoDB, role api.UserRole, host string, tlsEnabled bool) (mongo.Client, error) { *g.connectionCount++ fakeClient := mongoFake.NewClient() diff --git a/pkg/controller/perconaservermongodb/mgo.go b/pkg/controller/perconaservermongodb/mgo.go index d32733ab66..872468ab62 100644 --- a/pkg/controller/perconaservermongodb/mgo.go +++ b/pkg/controller/perconaservermongodb/mgo.go 
@@ -237,7 +237,13 @@ func (r *ReconcilePerconaServerMongoDB) reconcileCluster(ctx context.Context, cr func (r *ReconcilePerconaServerMongoDB) updateConfigMembers(ctx context.Context, cli mongo.Client, cr *api.PerconaServerMongoDB, rs *api.ReplsetSpec) (int, error) { log := logf.FromContext(ctx) // Primary with a Secondary and an Arbiter (PSA) - unsafePSA := cr.Spec.UnsafeConf && rs.Arbiter.Enabled && rs.Arbiter.Size == 1 && !rs.NonVoting.Enabled && rs.Size == 2 + unsafePSA := false + + if cr.CompareVersion("1.15.0") <= 0 { + unsafePSA = cr.Spec.UnsafeConf && rs.Arbiter.Enabled && rs.Arbiter.Size == 1 && !rs.NonVoting.Enabled && rs.Size == 2 + } else { + unsafePSA = cr.Spec.Unsafe.ReplsetSize && rs.Arbiter.Enabled && rs.Arbiter.Size == 1 && !rs.NonVoting.Enabled && rs.Size == 2 + } pods, err := psmdb.GetRSPods(ctx, r.client, cr, rs.Name) if err != nil { @@ -583,7 +589,7 @@ func (r *ReconcilePerconaServerMongoDB) handleReplsetInit(ctx context.Context, c mongoCmd = "mongo" } - if !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { mongoCmd += " --tls --tlsCertificateKeyFile /tmp/tls.pem --tlsAllowInvalidCertificates --tlsCAFile /etc/mongodb-ssl/ca.crt" } diff --git a/pkg/controller/perconaservermongodb/psmdb_controller.go b/pkg/controller/perconaservermongodb/psmdb_controller.go index 176e281244..311e81c3ef 100644 --- a/pkg/controller/perconaservermongodb/psmdb_controller.go +++ b/pkg/controller/perconaservermongodb/psmdb_controller.go 
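Review bot: The `unsafePSA` gate uses `CompareVersion("1.15.0") <= 0` while the rest of this change switches on `CompareVersion("1.16.0") < 0`, so a crVersion between the two would read `unsafeFlags.replsetSize` here but `allowUnsafeConfigurations` in CheckNSetDefaults; use `if cr.CompareVersion("1.16.0") < 0 {` so the same object is classified the same way everywhere. The shared tail of both expressions could be hoisted so only the flag differs, e.g. `psa := rs.Arbiter.Enabled && rs.Arbiter.Size == 1 && !rs.NonVoting.Enabled && rs.Size == 2` followed by the version-dependent flag check. In the second hunk `handleReplsetInit` now keys the client `--tls` flags on `TLSEnabled()`, which is consistent, but it still passes `--tlsAllowInvalidCertificates`, so the operator's own connection does not verify the server certificate; a comment stating that this is deliberate for self-signed setups would help the next reader. updateConfigMembers continues outside the hunk.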
@@ -350,12 +350,10 @@ func (r *ReconcilePerconaServerMongoDB) Reconcile(ctx context.Context, request r } } - if !cr.Spec.UnsafeConf { - err = r.reconsileSSL(ctx, cr) - if err != nil { - err = errors.Errorf(`TLS secrets handler: "%v". Please create your TLS secret `+cr.Spec.Secrets.SSL+` manually or setup cert-manager correctly`, err) - return reconcile.Result{}, err - } + err = r.reconcileSSL(ctx, cr) + if err != nil { + err = errors.Errorf(`TLS secrets handler: "%v". Please create your TLS secret `+cr.Spec.Secrets.SSL+` manually or setup cert-manager correctly`, err) + return reconcile.Result{}, err } internalKey := psmdb.InternalKey(cr) @@ -1180,16 +1178,18 @@ func (r *ReconcilePerconaServerMongoDB) reconcileMongosStatefulset(ctx context.C return errors.Wrapf(err, "create template spec for mongos") } - sslAnn, err := r.sslAnnotation(ctx, cr) - if err != nil { - return errors.Wrap(err, "failed to get ssl annotations") - } - if templateSpec.Annotations == nil { - templateSpec.Annotations = make(map[string]string) - } + if cr.TLSEnabled() { + sslAnn, err := r.sslAnnotation(ctx, cr) + if err != nil { + return errors.Wrap(err, "failed to get ssl annotations") + } + if templateSpec.Annotations == nil { + templateSpec.Annotations = make(map[string]string) + } - for k, v := range sslAnn { - templateSpec.Annotations[k] = v + for k, v := range sslAnn { + templateSpec.Annotations[k] = v + } } secret := new(corev1.Secret) @@ -1348,9 +1348,6 @@ func (r *ReconcilePerconaServerMongoDB) sslAnnotation(ctx context.Context, cr *a } func (r *ReconcilePerconaServerMongoDB) getTLSHash(ctx context.Context, cr *api.PerconaServerMongoDB, secretName string) (string, error) { - if cr.Spec.UnsafeConf { - return "", nil - } secretObj := corev1.Secret{} err := r.client.Get(ctx, types.NamespacedName{ diff --git a/pkg/controller/perconaservermongodb/ssl.go b/pkg/controller/perconaservermongodb/ssl.go index 3a647773ca..6232b85954 100644 --- a/pkg/controller/perconaservermongodb/ssl.go 
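Review bot: The rewritten error in Reconcile builds its format string by concatenating `cr.Spec.Secrets.SSL` into the `errors.Errorf` template, so a `%` in that user-supplied name would be interpreted as a verb, and go vet's printf check flags non-constant format strings. Pass the name as an argument instead: `err = errors.Errorf("TLS secrets handler: \"%v\". Please create your TLS secret %q manually or setup cert-manager correctly", err, cr.Spec.Secrets.SSL)`. Kubernetes secret names cannot contain `%` today, so this is hygiene rather than an exploitable bug, but since these three lines are being re-emitted by the commit it is the moment to fix the pattern.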
+++ b/pkg/controller/perconaservermongodb/ssl.go @@ -14,7 +14,11 @@ import ( "github.com/percona/percona-server-mongodb-operator/pkg/psmdb/tls" ) -func (r *ReconcilePerconaServerMongoDB) reconsileSSL(ctx context.Context, cr *api.PerconaServerMongoDB) error { +func (r *ReconcilePerconaServerMongoDB) reconcileSSL(ctx context.Context, cr *api.PerconaServerMongoDB) error { + if !cr.TLSEnabled() { + return nil + } + secretObj := corev1.Secret{} secretInternalObj := corev1.Secret{} errSecret := r.client.Get(ctx, diff --git a/pkg/controller/perconaservermongodb/statefulset.go b/pkg/controller/perconaservermongodb/statefulset.go index 768decd3a8..54fbfea3f0 100644 --- a/pkg/controller/perconaservermongodb/statefulset.go +++ b/pkg/controller/perconaservermongodb/statefulset.go @@ -114,12 +114,14 @@ func (r *ReconcilePerconaServerMongoDB) getStatefulsetFromReplset(ctx context.Co sfs.Labels = sfsSpec.Template.Labels sfs.Spec = sfsSpec - sslAnn, err := r.sslAnnotation(ctx, cr) - if err != nil { - return nil, errors.Wrap(err, "failed to get ssl annotations") - } - for k, v := range sslAnn { - sfsSpec.Template.Annotations[k] = v + if cr.TLSEnabled() { + sslAnn, err := r.sslAnnotation(ctx, cr) + if err != nil { + return nil, errors.Wrap(err, "failed to get ssl annotations") + } + for k, v := range sslAnn { + sfsSpec.Template.Annotations[k] = v + } } return sfs, nil diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-arbiter.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-arbiter.yaml index 61ee0960c5..a9d9da30d0 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-arbiter.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-arbiter.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
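Review bot: The new `cr.TLSEnabled()` branch in getStatefulsetFromReplset writes into `sfsSpec.Template.Annotations` without a nil check, whereas the parallel branch added to reconcileMongosStatefulset in this same commit allocates the map first; if StatefulSpec ever returns a template with nil annotations the first assignment panics. Mirror the mongos variant before the loop: `if sfsSpec.Template.Annotations == nil { sfsSpec.Template.Annotations = make(map[string]string) }`. Whether StatefulSpec always populates the map cannot be seen from this hunk, so confirm before treating the guard as redundant.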
@@ -182,6 +183,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" image: perconalab/percona-server-mongodb-operator:main-backup imagePullPolicy: Always name: backup-agent diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-mongod.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-mongod.yaml index 61ee0960c5..a9d9da30d0 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-mongod.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-mongod.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -182,6 +183,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" image: perconalab/percona-server-mongodb-operator:main-backup imagePullPolicy: Always name: backup-agent diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-nv.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-nv.yaml index 61ee0960c5..a9d9da30d0 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-nv.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/cfg-nv.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --configsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -182,6 +183,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" image: perconalab/percona-server-mongodb-operator:main-backup imagePullPolicy: Always name: backup-agent diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-arbiter.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-arbiter.yaml index f28e2657bc..def9845aaf 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-arbiter.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-arbiter.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -129,6 +130,7 @@ spec: securityContext: runAsNonRoot: true runAsUser: 1001 + topologySpreadConstraints: null volumeMounts: - mountPath: /data/db name: mongod-data diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-mongod.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-mongod.yaml index 084cd6a559..3827372650 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-mongod.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-mongod.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key 
@@ -182,6 +183,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" image: perconalab/percona-server-mongodb-operator:main-backup imagePullPolicy: Always name: backup-agent diff --git a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-nv.yaml b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-nv.yaml index 544f493eb5..00e3260dd9 100644 --- a/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-nv.yaml +++ b/pkg/controller/perconaservermongodb/testdata/reconcile-statefulset/rs0-nv.yaml @@ -61,6 +61,7 @@ spec: - --relaxPermChecks - --sslAllowInvalidCertificates - --clusterAuthMode=x509 + - --tlsMode=preferTLS - --shardsvr - --enableEncryption - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key @@ -181,6 +182,8 @@ spec: fieldPath: metadata.name - name: PBM_MONGODB_URI value: mongodb://$(PBM_AGENT_MONGODB_USERNAME):$(PBM_AGENT_MONGODB_PASSWORD)@$(POD_NAME) + - name: PBM_AGENT_TLS_ENABLED + value: "true" image: perconalab/percona-server-mongodb-operator:main-backup imagePullPolicy: Always name: backup-agent diff --git a/pkg/psmdb/backup/backup.go b/pkg/psmdb/backup/backup.go index 44d0fec75a..6e95dc0937 100644 --- a/pkg/psmdb/backup/backup.go +++ b/pkg/psmdb/backup/backup.go @@ -2,6 +2,7 @@ package backup import ( "context" + "strings" "github.com/pkg/errors" client "sigs.k8s.io/controller-runtime/pkg/client" 
@@ -43,6 +44,10 @@ func NewRestoreJob(cr *api.PerconaServerMongoDBRestore) Job { return j } +func IsPBMNotConfiguredError(err error) bool { + return strings.Contains(err.Error(), "mongo: no documents in result") +} + // HasActiveJobs returns true if there are running backups or restores // in given cluster and namespace func HasActiveJobs(ctx context.Context, newPBMFunc NewPBMFunc, cl client.Client, cluster *api.PerconaServerMongoDB, current Job, allowLock ...LockHeaderPredicate) (bool, error) { @@ -97,6 +102,9 @@ func HasActiveJobs(ctx context.Context, newPBMFunc NewPBMFunc, cl client.Client, pbm, err := newPBMFunc(ctx, cl, cluster) if err != nil { + if IsPBMNotConfiguredError(err) { + return false, nil + } return false, errors.Wrap(err, "getting PBM object") } defer pbm.Close(ctx) diff --git a/pkg/psmdb/backup/pbm.go b/pkg/psmdb/backup/pbm.go index ceeacd86f5..c91e56fda1 100644 --- a/pkg/psmdb/backup/pbm.go +++ b/pkg/psmdb/backup/pbm.go @@ -84,7 +84,7 @@ type PBM interface { Node(ctx context.Context) (string, error) } -func getMongoUri(ctx context.Context, k8sclient client.Client, cr *api.PerconaServerMongoDB, addrs []string) (string, error) { +func getMongoUri(ctx context.Context, k8sclient client.Client, cr *api.PerconaServerMongoDB, addrs []string, tlsEnabled bool) (string, error) { usersSecretName := api.UserSecretName(cr) scr, err := getSecret(ctx, k8sclient, cr.Namespace, usersSecretName) if err != nil { @@ -97,7 +97,7 @@ func getMongoUri(ctx context.Context, k8sclient client.Client, cr *api.PerconaSe strings.Join(addrs, ","), ) - if cr.Spec.UnsafeConf { + if !tlsEnabled { return murl, nil } @@ -163,7 +163,7 @@ func NewPBM(ctx context.Context, c client.Client, cluster *api.PerconaServerMong return nil, errors.Wrap(err, "get replset addrs") } - murl, err := getMongoUri(ctx, c, cluster, addrs) + murl, err := getMongoUri(ctx, c, cluster, addrs, cluster.TLSEnabled()) if err != nil { return nil, errors.Wrap(err, "get mongo uri") } 
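Review bot: IsPBMNotConfiguredError classifies the error by substring, which ties it to the driver's message text, treats any wrapped error that happens to contain that phrase as "not configured", and dereferences `err` with no nil check. Prefer the driver's sentinel, guarded: `if err == nil { return false }` then `return errors.Is(err, mongo.ErrNoDocuments)`; pkg/errors' Wrap implements Unwrap, so errors.Is sees through the wrapping done on the NewPBM path. The exported function also needs a doc comment stating what the predicate means operationally, e.g. `// IsPBMNotConfiguredError reports whether err stems from a missing PBM config document, i.e. the backup agent has not been configured yet, so callers can treat the cluster as having no backup state.` If the mongo driver package is not already imported in backup.go, that import is the cost of not matching on text.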
diff --git a/pkg/psmdb/client.go b/pkg/psmdb/client.go index 6be6fe3ed0..31b4959045 100644 --- a/pkg/psmdb/client.go +++ b/pkg/psmdb/client.go @@ -50,7 +50,7 @@ func MongoClient(ctx context.Context, k8sclient client.Client, cr *api.PerconaSe Password: c.Password, } - if !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { tlsCfg, err := tls.Config(ctx, k8sclient, cr) if err != nil { return nil, errors.Wrap(err, "failed to get TLS config") @@ -73,7 +73,7 @@ func MongosClient(ctx context.Context, k8sclient client.Client, cr *api.PerconaS Password: c.Password, } - if !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { tlsCfg, err := tls.Config(ctx, k8sclient, cr) if err != nil { return nil, errors.Wrap(err, "failed to get TLS config") @@ -85,7 +85,7 @@ func MongosClient(ctx context.Context, k8sclient client.Client, cr *api.PerconaS return mongo.Dial(&conf) } -func StandaloneClient(ctx context.Context, k8sclient client.Client, cr *api.PerconaServerMongoDB, c Credentials, host string) (mongo.Client, error) { +func StandaloneClient(ctx context.Context, k8sclient client.Client, cr *api.PerconaServerMongoDB, c Credentials, host string, tlsEnabled bool) (mongo.Client, error) { conf := mongo.Config{ Hosts: []string{host}, Username: c.Username, @@ -93,7 +93,7 @@ func StandaloneClient(ctx context.Context, k8sclient client.Client, cr *api.Perc Direct: true, } - if !cr.Spec.UnsafeConf { + if tlsEnabled { tlsCfg, err := tls.Config(ctx, k8sclient, cr) if err != nil { return nil, errors.Wrap(err, "failed to get TLS config") diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go index 5fe925fcf6..d32fd24718 100644 --- a/pkg/psmdb/container.go +++ b/pkg/psmdb/container.go @@ -181,7 +181,6 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a "--replSet=" + replset.Name, "--storageEngine=" + string(replset.Storage.Engine), "--relaxPermChecks", - "--sslAllowInvalidCertificates", } name, err := replset.CustomReplsetName() 
@@ -189,16 +188,25 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a args[4] = "--replSet=" + name } - if cr.Spec.UnsafeConf { + if cr.TLSEnabled() { + args = append(args, "--sslAllowInvalidCertificates") + if cr.Spec.TLS.Mode == api.TLSModeAllow { + args = append(args, + "--clusterAuthMode=keyFile", + "--keyFile="+mongodSecretsDir+"/mongodb-key", + ) + } else { + args = append(args, "--clusterAuthMode=x509") + } + } else if cr.UnsafeTLSDisabled() { args = append(args, "--clusterAuthMode=keyFile", "--keyFile="+mongodSecretsDir+"/mongodb-key", ) - } else { - if cr.CompareVersion("1.12.0") <= 0 { - args = append(args, "--sslMode=preferSSL") - } - args = append(args, "--clusterAuthMode=x509") + } + + if cr.CompareVersion("1.16.0") >= 0 { + args = append(args, "--tlsMode="+string(cr.Spec.TLS.Mode)) } // sharding diff --git a/pkg/psmdb/mongos.go b/pkg/psmdb/mongos.go index a07d1bd10c..4e9b9e1b69 100644 --- a/pkg/psmdb/mongos.go +++ b/pkg/psmdb/mongos.go @@ -174,12 +174,7 @@ func mongosContainer(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgInstan Name: "mongos", Image: cr.Spec.Image, ImagePullPolicy: cr.Spec.ImagePullPolicy, - Args: mongosContainerArgs( - cr, - cr.Spec.Sharding.Mongos.Resources, - useConfigFile, - cfgInstances, - ), + Args: mongosContainerArgs(cr, useConfigFile, cfgInstances), Ports: []corev1.ContainerPort{ { Name: mongosPortName, @@ -232,7 +227,7 @@ func mongosContainer(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgInstan return container, nil } -func mongosContainerArgs(cr *api.PerconaServerMongoDB, resources corev1.ResourceRequirements, useConfigFile bool, cfgInstances []string) []string { +func mongosContainerArgs(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgInstances []string) []string { msSpec := cr.Spec.Sharding.Mongos cfgRs := cr.Spec.Sharding.ConfigsvrReplSet 
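Review bot: Under `cr.TLSEnabled()` containerArgs re-adds `--sslAllowInvalidCertificates` unconditionally alongside `--clusterAuthMode=x509`; per mongod's documented semantics that flag bypasses validation of peer certificates, so x509 membership authentication then rests on the certificate's subject fields rather than on a chain to the configured CA. The flag predates this change, but the branch is being rewritten, so either drop it or, if the concern is only hostname/SAN mismatch, use `--tlsAllowInvalidHostnames` and add a comment on the line stating why validation is relaxed. Separately, `--tlsMode=` is appended for every >= 1.16.0 CR regardless of which TLS branch ran, so `cr.Spec.TLS.Mode` must resolve to `disabled` whenever TLSEnabled() is false and must never be empty, since mongod rejects an unrecognised mode value; a defensive default or a comment recording that invariant belongs here. containerArgs continues beyond the hunk.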
@@ -259,16 +254,19 @@ func mongosContainerArgs(cr *api.PerconaServerMongoDB, resources corev1.Resource ) } - if cr.Spec.UnsafeConf { + if cr.TLSEnabled() { + args = append(args, + "--clusterAuthMode=x509", + ) + } else if (cr.CompareVersion("1.16.0") >= 0 && cr.Spec.Unsafe.TLS) || (cr.CompareVersion("1.16.0") < 0 && cr.Spec.UnsafeConf) { args = append(args, "--clusterAuthMode=keyFile", "--keyFile="+mongodSecretsDir+"/mongodb-key", ) - } else { - if cr.CompareVersion("1.12.0") <= 0 { - args = append(args, "--sslMode=preferSSL") - } - args = append(args, "--clusterAuthMode=x509") + } + + if cr.CompareVersion("1.16.0") >= 0 { + args = append(args, "--tlsMode="+string(cr.Spec.TLS.Mode)) } if msSpec.SetParameter != nil { @@ -306,7 +304,7 @@ func volumes(cr *api.PerconaServerMongoDB, configSource VolumeSourceType) []core VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ SecretName: cr.Spec.Secrets.SSL, - Optional: &cr.Spec.UnsafeConf, + Optional: &fvar, DefaultMode: &secretFileMode, }, }, 
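Review bot: The mongos branch under `cr.TLSEnabled()` always emits `--clusterAuthMode=x509`, but the mongod counterpart in containerArgs switches to `--clusterAuthMode=keyFile` plus `--keyFile` when `cr.Spec.TLS.Mode == api.TLSModeAllow`; a mongod in keyFile mode accepts only keyfile authentication from peers, so in allowTLS mode mongos would fail to authenticate to the shards and config servers. Mirror the mongod logic: `if cr.Spec.TLS.Mode == api.TLSModeAllow { args = append(args, "--clusterAuthMode=keyFile", "--keyFile="+mongodSecretsDir+"/mongodb-key") } else { args = append(args, "--clusterAuthMode=x509") }`. The long inline `else if` version condition is also the same test that containerArgs expresses as `cr.UnsafeTLSDisabled()`, and using the helper here keeps the two call sites from drifting again.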
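Review bot: Replacing `Optional: &cr.Spec.UnsafeConf` with `Optional: &fvar` makes the mongos SSL secret mandatory for CRs older than 1.16.0, because the later override to `cr.Spec.Unsafe.TLS` sits inside a `CompareVersion("1.16.0") >= 0` gate; a legacy cluster running with UnsafeConf and no TLS secret would then have its mongos pods blocked on the missing volume. If that tightening is intended, say so in a comment; otherwise keep `Optional: &cr.Spec.UnsafeConf` here and let the 1.16 override replace it. `fvar` is declared outside the hunk, so I am assuming it is `false`.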
@@ -371,25 +369,29 @@ func volumes(cr *api.PerconaServerMongoDB, configSource VolumeSourceType) []core }) } - if cr.CompareVersion("1.16.0") >= 0 && cr.Spec.Secrets.LDAPSecret != "" { - volumes = append(volumes, []corev1.Volume{ - { - Name: LDAPTLSVolClaimName, - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: cr.Spec.Secrets.LDAPSecret, - Optional: &tvar, - DefaultMode: &secretFileMode, + if cr.CompareVersion("1.16.0") >= 0 { + if cr.Spec.Secrets.LDAPSecret != "" { + volumes = append(volumes, []corev1.Volume{ + { + Name: LDAPTLSVolClaimName, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: cr.Spec.Secrets.LDAPSecret, + Optional: &tvar, + DefaultMode: &secretFileMode, + }, }, }, - }, - { - Name: LDAPConfVolClaimName, - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, + { + Name: LDAPConfVolClaimName, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, }, - }, - }...) + }...) + } + + volumes[1].VolumeSource.Secret.Optional = &cr.Spec.Unsafe.TLS } return volumes diff --git a/pkg/psmdb/pmm.go b/pkg/psmdb/pmm.go index ce5144df82..cd8921cfe0 100644 --- a/pkg/psmdb/pmm.go +++ b/pkg/psmdb/pmm.go @@ -170,7 +170,7 @@ func PMMContainer(cr *api.PerconaServerMongoDB, secret *corev1.Secret, customAdm pmm.Env = append(pmm.Env, pmmAgentEnvs(spec, secret, customLogin, customAdminParams)...) } - if cr.CompareVersion("1.13.0") >= 0 && !cr.Spec.UnsafeConf { + if cr.CompareVersion("1.13.0") >= 0 { pmm.VolumeMounts = []corev1.VolumeMount{ { Name: "ssl", 
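Review bot: `volumes[1].VolumeSource.Secret.Optional = &cr.Spec.Unsafe.TLS` reaches into the slice by position and dereferences `.Secret` without a check; if a volume literal above is reordered or one is inserted, this silently flips the wrong secret to optional or nil-panics. Decide the value where the SSL volume is built instead — `sslOptional := fvar`, `if cr.CompareVersion("1.16.0") >= 0 { sslOptional = cr.Spec.Unsafe.TLS }`, then `Optional: &sslOptional` in the literal — or find the entry by `Name` before mutating it. A short comment explaining why an unsafe-TLS cluster is allowed to run without the secret would help the next reader; the start of volumes is outside the hunk.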
@@ -293,11 +293,13 @@ func pmmAgentEnvs(spec api.PMMSpec, secret *corev1.Secret, customLogin bool, cus } func PMMAgentScript(cr *api.PerconaServerMongoDB) []corev1.EnvVar { + // handle disabled TLS + pmmServerArgs := "$(PMM_ADMIN_CUSTOM_PARAMS) --skip-connection-check --metrics-mode=push " pmmServerArgs += " --username=$(DB_USER) --password=$(DB_PASSWORD) --cluster=$(CLUSTER_NAME) " pmmServerArgs += "--service-name=$(PMM_AGENT_SETUP_NODE_NAME) --host=$(DB_HOST) --port=$(DB_PORT)" - if cr.CompareVersion("1.13.0") >= 0 && !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { tlsParams := []string{ "--tls", "--tls-skip-verify", @@ -314,7 +316,7 @@ func PMMAgentScript(cr *api.PerconaServerMongoDB) []corev1.EnvVar { pmmAnnotate := "pmm-admin annotate --service-name=$(PMM_AGENT_SETUP_NODE_NAME) 'Service restarted'" prerunScript := pmmWait + "\n" + pmmAddService + "\n" + pmmAnnotate - if cr.CompareVersion("1.13.0") >= 0 && !cr.Spec.UnsafeConf { + if cr.TLSEnabled() { prepareTLS := fmt.Sprintf("cat %[1]s/tls.key %[1]s/tls.crt > /tmp/tls.pem;", SSLDir) prerunScript = prepareTLS + "\n" + prerunScript } diff --git a/pkg/psmdb/statefulset.go b/pkg/psmdb/statefulset.go index 27c2306b5b..ab8fbc1072 100644 --- a/pkg/psmdb/statefulset.go +++ b/pkg/psmdb/statefulset.go 
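Review bot: The comment `// handle disabled TLS` added at the top of PMMAgentScript describes nothing — it sits above an unrelated argument string, and the TLS handling it alludes to is the `cr.TLSEnabled()` branch further down. Drop it or replace it with one that states the function's contract, e.g. `// PMMAgentScript builds the pmm-admin setup script; the TLS flags and the tls.pem preparation step are emitted only when cr.TLSEnabled() reports TLS in use.` Note also that both branches lost their `CompareVersion("1.13.0") >= 0` gate, so a pre-1.13 CR with TLS on now receives `--tls` flags it did not before — confirm that is intended and say so in the comment if it is.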
@@ -169,19 +169,24 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap volumeClaimTemplates := []corev1.PersistentVolumeClaim{} + sslVolume := corev1.Volume{ + Name: "ssl", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: cr.Spec.Secrets.SSL, + Optional: &cr.Spec.UnsafeConf, + DefaultMode: &secretFileMode, + }, + }, + } + if cr.CompareVersion("1.16.0") >= 0 { + sslVolume.VolumeSource.Secret.Optional = &cr.Spec.Unsafe.TLS + } + // add TLS/SSL Volume t := true volumes = append(volumes, - corev1.Volume{ - Name: "ssl", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: cr.Spec.Secrets.SSL, - Optional: &cr.Spec.UnsafeConf, - DefaultMode: &secretFileMode, - }, - }, - }, + sslVolume, corev1.Volume{ Name: "ssl-internal", VolumeSource: corev1.VolumeSource{ @@ -253,7 +258,7 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap if name, err := replset.CustomReplsetName(); err == nil { rsName = name } - containers = append(containers, backupAgentContainer(cr, rsName)) + containers = append(containers, backupAgentContainer(cr, rsName, cr.TLSEnabled())) } pmmC := AddPMMContainer(ctx, cr, usersSecret, cr.Spec.PMM.MongodParams) @@ -319,7 +324,7 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap const agentContainerName = "backup-agent" // backupAgentContainer creates the container object for a backup agent -func backupAgentContainer(cr *api.PerconaServerMongoDB, replsetName string) corev1.Container { +func backupAgentContainer(cr *api.PerconaServerMongoDB, replsetName string, tlsEnabled bool) corev1.Container { fvar := false usersSecretName := api.UserSecretName(cr) 
@@ -424,6 +429,13 @@ func backupAgentContainer(cr *api.PerconaServerMongoDB, replsetName string) core }...) } + if cr.CompareVersion("1.16.0") >= 0 { + c.Env = append(c.Env, corev1.EnvVar{ + Name: "PBM_AGENT_TLS_ENABLED", + Value: strconv.FormatBool(tlsEnabled), + }) + } + return c }