diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml index 6f197adcff..d21f60cf47 100644 --- a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml +++ b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml @@ -25423,8 +25423,6 @@ spec: type: string name: type: string - required: - - name type: object mode: type: string diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml index 5b9ac149ac..f638be7438 100644 --- a/deploy/bundle.yaml +++ b/deploy/bundle.yaml @@ -26310,8 +26310,6 @@ spec: type: string name: type: string - required: - - name type: object mode: type: string @@ -26635,6 +26633,7 @@ rules: - cert-manager.io resources: - issuers + - clusterissuers - certificates - certificaterequests verbs: @@ -26741,3 +26740,5 @@ spec: value: "false" - name: MAX_CONCURRENT_RECONCILES value: "1" + - name: CERTMANAGER_NAMESPACE + value: "cert-manager" diff --git a/deploy/crd.yaml b/deploy/crd.yaml index 64fc72478a..c70a3ebd81 100644 --- a/deploy/crd.yaml +++ b/deploy/crd.yaml @@ -26310,8 +26310,6 @@ spec: type: string name: type: string - required: - - name type: object mode: type: string diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml index cc126dccb1..cdac28d91f 100644 --- a/deploy/cw-bundle.yaml +++ b/deploy/cw-bundle.yaml @@ -26310,8 +26310,6 @@ spec: type: string name: type: string - required: - - name type: object mode: type: string @@ -26662,6 +26660,7 @@ rules: - cert-manager.io resources: - issuers + - clusterissuers - certificates - certificaterequests verbs: diff --git a/deploy/cw-rbac.yaml b/deploy/cw-rbac.yaml index 4b04952167..2538fb2e07 100644 --- a/deploy/cw-rbac.yaml +++ b/deploy/cw-rbac.yaml @@ -133,6 +133,7 @@ rules: - cert-manager.io resources: - issuers + - clusterissuers - certificates - certificaterequests verbs: diff --git a/deploy/operator.yaml b/deploy/operator.yaml index 359515d48e..119dc6cafd 100644 --- a/deploy/operator.yaml 
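Review bot: Dropping `required: [name]` from what appears to be the `tls.issuerConf` object (the `group`/`kind`/`name` trio just above `mode`) removes the only schema-level check that an issuer reference is complete, so a spec with `kind: ClusterIssuer` and no `name` is now admitted and the operator would render a Certificate with an empty `issuerRef.name`, which cert-manager rejects at its own admission step. If the intent is to let the controller default the name, the controller must test for the empty string before rendering; if not, keep the field required or add `minLength: 1` under `name:` so the API server still rejects it. The same relaxation is repeated in the deploy/bundle.yaml, deploy/crd.yaml and deploy/cw-bundle.yaml copies in this line, so whichever fix is chosen has to land in the generator, not in one copy.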
+++ b/deploy/operator.yaml @@ -60,3 +60,5 @@ spec: value: "false" - name: MAX_CONCURRENT_RECONCILES value: "1" + - name: CERTMANAGER_NAMESPACE + value: "cert-manager" diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml index d71a7102ca..0d0b500823 100644 --- a/deploy/rbac.yaml +++ b/deploy/rbac.yaml @@ -106,6 +106,7 @@ rules: - cert-manager.io resources: - issuers + - clusterissuers - certificates - certificaterequests verbs: diff --git a/e2e-tests/functions b/e2e-tests/functions index 04b6b5f88b..3160c93d40 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions 
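Review bot: `CERTMANAGER_NAMESPACE` is hardcoded to `cert-manager` with nothing saying what it is for. For a ClusterIssuer with `ca.secretName` (as in the new compare fixtures), cert-manager looks the secret up in its cluster-resource namespace (the `--cluster-resource-namespace` flag, default `cert-manager`), so this value presumably has to match that flag or issuance fails; suggest a comment on the env entry: `# must equal cert-manager's --cluster-resource-namespace; ClusterIssuer CA secrets are resolved there`. If the operator also writes the CA Certificate or Secret into this namespace, that is a cross-namespace write worth stating in the docs, because anyone with secret read in that namespace then holds the CA key of every PSMDB cluster using this mode.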
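Review bot: `clusterissuers` is a cluster-scoped resource, so if this `rules:` block in deploy/rbac.yaml belongs to a namespaced `Role` (the non-cluster-wide install), the new entry grants nothing — a Role cannot authorise access to cluster-scoped kinds and the operator will be denied on ClusterIssuer reads and writes. Either back the entry with a `ClusterRole`/`ClusterRoleBinding` limited to `cert-manager.io` `clusterissuers`, or document that ClusterIssuer support is only available in the cw- deployment. Independently of scope, the verbs shared with `issuers`/`certificates` (not visible in the hunk) now apply to a cluster-wide trust resource; consider giving `clusterissuers` its own rule with only the verbs the controller actually uses instead of inheriting the full set.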
@@ -563,56 +563,56 @@ deploy_operator_gh_release() { } deploy_minio() { - local cert_secret="$1" - local service_name="${2:-minio-service}" - - desc "install MinIO: ${service_name}" - - # Cleanup old installation - helm uninstall "${service_name}" 2>/dev/null || : - helm repo remove minio 2>/dev/null || : - helm repo add minio https://charts.min.io/ - - local endpoint="http://${service_name}:9000" - local minio_args=( - --version $MINIO_VER - --set replicas=1 - --set mode=standalone - --set resources.requests.memory=256Mi - --set rootUser=rootuser - --set rootPassword=rootpass123 - --set "users[0].accessKey=some-access-key" - --set "users[0].secretKey=some-secret-key" - --set "users[0].policy=consoleAdmin" - --set service.type=ClusterIP - --set configPathmc=/tmp/ - --set securityContext.enabled=false - --set persistence.size=2G - --set fullnameOverride="${service_name}" - --set serviceAccount.create=true - --set serviceAccount.name="${service_name}-sa" - ) - - if [[ -n $cert_secret ]]; then - endpoint="https://${service_name}:9000" - minio_args+=( - --set tls.enabled=true - --set tls.certSecret="$cert_secret" - ) - fi - - retry 10 60 helm install "${service_name}" "${minio_args[@]}" minio/minio - - local MINIO_POD=$(kubectl_bin get pods --selector=release="${service_name}" -o 'jsonpath={.items[].metadata.name}') - wait_pod $MINIO_POD - - if [ -n "$OPERATOR_NS" ]; then - kubectl_bin create svc -n ${OPERATOR_NS} externalname "${service_name}" \ - --external-name="${service_name}.${namespace}.svc.cluster.local" \ - --tcp="9000" 2>/dev/null || : - fi - - create_minio_bucket operator-testing $endpoint + local cert_secret="$1" + local service_name="${2:-minio-service}" + + desc "install MinIO: ${service_name}" + + # Cleanup old installation + helm uninstall "${service_name}" 2>/dev/null || : + helm repo remove minio 2>/dev/null || : + helm repo add minio https://charts.min.io/ + + local endpoint="http://${service_name}:9000" + local minio_args=( + --version $MINIO_VER + 
--set replicas=1 + --set mode=standalone + --set resources.requests.memory=256Mi + --set rootUser=rootuser + --set rootPassword=rootpass123 + --set "users[0].accessKey=some-access-key" + --set "users[0].secretKey=some-secret-key" + --set "users[0].policy=consoleAdmin" + --set service.type=ClusterIP + --set configPathmc=/tmp/ + --set securityContext.enabled=false + --set persistence.size=2G + --set fullnameOverride="${service_name}" + --set serviceAccount.create=true + --set serviceAccount.name="${service_name}-sa" + ) + + if [[ -n $cert_secret ]]; then + endpoint="https://${service_name}:9000" + minio_args+=( + --set tls.enabled=true + --set tls.certSecret="$cert_secret" + ) + fi + + retry 10 60 helm install "${service_name}" "${minio_args[@]}" minio/minio + + local MINIO_POD=$(kubectl_bin get pods --selector=release="${service_name}" -o 'jsonpath={.items[].metadata.name}') + wait_pod $MINIO_POD + + if [ -n "$OPERATOR_NS" ]; then + kubectl_bin create svc -n ${OPERATOR_NS} externalname "${service_name}" \ + --external-name="${service_name}.${namespace}.svc.cluster.local" \ + --tcp="9000" 2>/dev/null || : + fi + + create_minio_bucket operator-testing $endpoint } create_minio_bucket() { @@ -1272,6 +1272,8 @@ run_pumba() { deploy_cert_manager() { desc 'deploy cert manager' + kubectl_bin -n cert-manager delete clusterissuer --all || : + kubectl_bin -n cert-manager delete certificate --all || : kubectl_bin create namespace cert-manager || : kubectl_bin label namespace cert-manager certmanager.k8s.io/disable-validation=true || : kubectl_bin apply -f "https://github.com/cert-manager/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" --validate=false || : 2>/dev/null diff --git a/e2e-tests/run-distro.csv b/e2e-tests/run-distro.csv index fa60334b38..26d24447eb 100644 --- a/e2e-tests/run-distro.csv +++ b/e2e-tests/run-distro.csv 
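Review bot: `kubectl_bin -n cert-manager delete clusterissuer --all` deletes every ClusterIssuer in the cluster, not just the test's — ClusterIssuer is cluster-scoped, so `-n cert-manager` is ignored — which on a shared CI cluster removes other tenants' issuers and breaks their renewals. Scope the cleanup to what this suite creates, e.g. `kubectl_bin delete clusterissuer -l app.kubernetes.io/managed-by=percona-server-mongodb-operator || :` if the operator labels its ClusterIssuers as it does its Certificates, or by the `*-psmdb-issuer` names used in the compare fixtures. The need for a blanket delete also suggests operator-created ClusterIssuers outlive their PerconaServerMongoDB CR (a cluster-scoped object cannot be garbage-collected through a namespaced ownerReference); if so, a finalizer or a documented manual cleanup step is warranted. The `delete certificate --all` on the preceding line is at least confined to the `cert-manager` namespace, but the same selector approach applies.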
@@ -47,6 +47,7 @@ replset-remapping-sharded rs-shard-migration scaling split-horizon +tls-clusterissuer-cert-manager tls-issue-cert-manager upgrade upgrade-sharded diff --git a/e2e-tests/run-pr.csv b/e2e-tests/run-pr.csv index e2cc4ef93e..024d561cde 100644 --- a/e2e-tests/run-pr.csv +++ b/e2e-tests/run-pr.csv @@ -77,6 +77,7 @@ smart-update split-horizon stable-resource-version storage +tls-clusterissuer-cert-manager tls-issue-cert-manager unsafe-psa upgrade diff --git a/e2e-tests/run-release.csv b/e2e-tests/run-release.csv index 87cc8a8b22..41a93cc6d4 100644 --- a/e2e-tests/run-release.csv +++ b/e2e-tests/run-release.csv @@ -77,6 +77,7 @@ smart-update split-horizon stable-resource-version storage +tls-clusterissuer-cert-manager tls-issue-cert-manager unsafe-psa upgrade diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-custom.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-custom.yml new file mode 100644 index 0000000000..a4e07374fe --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-custom.yml 
@@ -0,0 +1,44 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + annotations: + some-random-annotation: "true" + generation: 1 + name: some-name-ssl +spec: + commonName: some-name + dnsNames: + - localhost + - some-name-rs0 + - some-name-rs0.NAME_SPACE + - some-name-rs0.NAME_SPACE.svc.cluster.local + - '*.some-name-rs0' + - '*.some-name-rs0.NAME_SPACE' + - '*.some-name-rs0.NAME_SPACE.svc.cluster.local' + - some-name-rs0.NAME_SPACE.svc.clusterset.local + - '*.some-name-rs0.NAME_SPACE.svc.clusterset.local' + - '*.NAME_SPACE.svc.clusterset.local' + - some-name-mongos + - some-name-mongos.NAME_SPACE + - some-name-mongos.NAME_SPACE.svc.cluster.local + - '*.some-name-mongos' + - '*.some-name-mongos.NAME_SPACE' + - '*.some-name-mongos.NAME_SPACE.svc.cluster.local' + - some-name-cfg + - some-name-cfg.NAME_SPACE + - some-name-cfg.NAME_SPACE.svc.cluster.local + - '*.some-name-cfg' + - '*.some-name-cfg.NAME_SPACE' + - '*.some-name-cfg.NAME_SPACE.svc.cluster.local' + - some-name-mongos.NAME_SPACE.svc.clusterset.local + - '*.some-name-mongos.NAME_SPACE.svc.clusterset.local' + - some-name-cfg.NAME_SPACE.svc.clusterset.local + - '*.some-name-cfg.NAME_SPACE.svc.clusterset.local' + duration: 2160h0m0s + issuerRef: + kind: ClusterIssuer + name: some-name-psmdb-issuer + secretName: some-name-ssl + subject: + organizations: + - CUSTOM diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-internal-custom.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-internal-custom.yml new file mode 100644 index 0000000000..1328727aae --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-internal-custom.yml 
@@ -0,0 +1,44 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + annotations: + some-random-annotation: "true" + generation: 1 + name: some-name-ssl-internal +spec: + commonName: some-name + dnsNames: + - localhost + - some-name-rs0 + - some-name-rs0.NAME_SPACE + - some-name-rs0.NAME_SPACE.svc.cluster.local + - '*.some-name-rs0' + - '*.some-name-rs0.NAME_SPACE' + - '*.some-name-rs0.NAME_SPACE.svc.cluster.local' + - some-name-rs0.NAME_SPACE.svc.clusterset.local + - '*.some-name-rs0.NAME_SPACE.svc.clusterset.local' + - '*.NAME_SPACE.svc.clusterset.local' + - some-name-mongos + - some-name-mongos.NAME_SPACE + - some-name-mongos.NAME_SPACE.svc.cluster.local + - '*.some-name-mongos' + - '*.some-name-mongos.NAME_SPACE' + - '*.some-name-mongos.NAME_SPACE.svc.cluster.local' + - some-name-cfg + - some-name-cfg.NAME_SPACE + - some-name-cfg.NAME_SPACE.svc.cluster.local + - '*.some-name-cfg' + - '*.some-name-cfg.NAME_SPACE' + - '*.some-name-cfg.NAME_SPACE.svc.cluster.local' + - some-name-mongos.NAME_SPACE.svc.clusterset.local + - '*.some-name-mongos.NAME_SPACE.svc.clusterset.local' + - some-name-cfg.NAME_SPACE.svc.clusterset.local + - '*.some-name-cfg.NAME_SPACE.svc.clusterset.local' + duration: 2160h0m0s + issuerRef: + kind: ClusterIssuer + name: some-name-psmdb-issuer + secretName: some-name-ssl-internal + subject: + organizations: + - CUSTOM diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-internal.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-internal.yml new file mode 100644 index 0000000000..045c07d599 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-internal.yml 
@@ -0,0 +1,53 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + annotations: {} + generation: 1 + labels: + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + name: some-name-ssl-internal + ownerReferences: + - blockOwnerDeletion: true + controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + commonName: some-name + dnsNames: + - localhost + - some-name-rs0 + - some-name-rs0.NAME_SPACE + - some-name-rs0.NAME_SPACE.svc.cluster.local + - '*.some-name-rs0' + - '*.some-name-rs0.NAME_SPACE' + - '*.some-name-rs0.NAME_SPACE.svc.cluster.local' + - some-name-rs0.NAME_SPACE.svc.clusterset.local + - '*.some-name-rs0.NAME_SPACE.svc.clusterset.local' + - '*.NAME_SPACE.svc.clusterset.local' + - some-name-mongos + - some-name-mongos.NAME_SPACE + - some-name-mongos.NAME_SPACE.svc.cluster.local + - '*.some-name-mongos' + - '*.some-name-mongos.NAME_SPACE' + - '*.some-name-mongos.NAME_SPACE.svc.cluster.local' + - some-name-cfg + - some-name-cfg.NAME_SPACE + - some-name-cfg.NAME_SPACE.svc.cluster.local + - '*.some-name-cfg' + - '*.some-name-cfg.NAME_SPACE' + - '*.some-name-cfg.NAME_SPACE.svc.cluster.local' + - some-name-mongos.NAME_SPACE.svc.clusterset.local + - '*.some-name-mongos.NAME_SPACE.svc.clusterset.local' + - some-name-cfg.NAME_SPACE.svc.clusterset.local + - '*.some-name-cfg.NAME_SPACE.svc.clusterset.local' + duration: 2160h0m0s + issuerRef: + kind: ClusterIssuer + name: some-name-NAME_SPACE-psmdb-issuer + secretName: some-name-ssl-internal + subject: + organizations: + - PSMDB diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl.yml new file mode 100644 index 0000000000..c6d9380d3b --- /dev/null 
+++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl.yml @@ -0,0 +1,53 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + annotations: {} + generation: 1 + labels: + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + name: some-name-ssl + ownerReferences: + - blockOwnerDeletion: true + controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + commonName: some-name + dnsNames: + - localhost + - some-name-rs0 + - some-name-rs0.NAME_SPACE + - some-name-rs0.NAME_SPACE.svc.cluster.local + - '*.some-name-rs0' + - '*.some-name-rs0.NAME_SPACE' + - '*.some-name-rs0.NAME_SPACE.svc.cluster.local' + - some-name-rs0.NAME_SPACE.svc.clusterset.local + - '*.some-name-rs0.NAME_SPACE.svc.clusterset.local' + - '*.NAME_SPACE.svc.clusterset.local' + - some-name-mongos + - some-name-mongos.NAME_SPACE + - some-name-mongos.NAME_SPACE.svc.cluster.local + - '*.some-name-mongos' + - '*.some-name-mongos.NAME_SPACE' + - '*.some-name-mongos.NAME_SPACE.svc.cluster.local' + - some-name-cfg + - some-name-cfg.NAME_SPACE + - some-name-cfg.NAME_SPACE.svc.cluster.local + - '*.some-name-cfg' + - '*.some-name-cfg.NAME_SPACE' + - '*.some-name-cfg.NAME_SPACE.svc.cluster.local' + - some-name-mongos.NAME_SPACE.svc.clusterset.local + - '*.some-name-mongos.NAME_SPACE.svc.clusterset.local' + - some-name-cfg.NAME_SPACE.svc.clusterset.local + - '*.some-name-cfg.NAME_SPACE.svc.clusterset.local' + duration: 2160h0m0s + issuerRef: + kind: ClusterIssuer + name: some-name-NAME_SPACE-psmdb-issuer + secretName: some-name-ssl + subject: + organizations: + - PSMDB 
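Review bot: `issuerRef.kind: ClusterIssuer` makes the CA behind `some-name-NAME_SPACE-psmdb-issuer` requestable from every namespace: any principal that can create a cert-manager Certificate anywhere in the cluster can name this issuer and obtain a certificate with arbitrary `dnsNames` such as `some-name-rs0.NAME_SPACE.svc.cluster.local`, signed by the CA that the `--clusterAuthMode=x509` members and their clients trust. A namespaced Issuer confined that to the PSMDB namespace; a ClusterIssuer does not, and nothing in this change adds a cert-manager approval policy to compensate. Document that ClusterIssuer mode trusts every namespace equally and recommend pairing it with a CertificateRequest approval policy restricting which namespaces and subjects may use `*-psmdb-issuer`. The wildcard SANs (`'*.NAME_SPACE.svc.clusterset.local'`) widen the exposure further, though they predate this change.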
diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/clusterissuer_some-name-psmdb-ca-issuer-custom.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/clusterissuer_some-name-psmdb-ca-issuer-custom.yml new file mode 100644 index 0000000000..50cff75372 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/clusterissuer_some-name-psmdb-ca-issuer-custom.yml @@ -0,0 +1,9 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + annotations: + some-random-annotation: "true" + generation: 1 + name: some-name-psmdb-ca-issuer +spec: + selfSigned: {} diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/clusterissuer_some-name-psmdb-issuer-custom.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/clusterissuer_some-name-psmdb-issuer-custom.yml new file mode 100644 index 0000000000..db3bc5d91e --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/clusterissuer_some-name-psmdb-issuer-custom.yml @@ -0,0 +1,10 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + annotations: + some-random-annotation: "true" + generation: 1 + name: some-name-psmdb-issuer +spec: + ca: + secretName: some-name-ca-cert diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg-oc.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg-oc.yml new file mode 100644 index 0000000000..d80ee80aaf --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg-oc.yml 
@@ -0,0 +1,216 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + generation: 1 + labels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + name: some-name-cfg + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + serviceName: some-name-cfg + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + topologyKey: kubernetes.io/hostname + containers: + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=cfg + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=x509 + - --tlsMode=preferTLS + - --configsvr + - --enableEncryption + - 
--encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerIndexPrefixCompression=true + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: some-name + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: cfg + envFrom: + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: {} + securityContext: + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /opt/percona + name: bin + - mountPath: /.mongodb + name: mongosh + - mountPath: /etc/mongodb-encryption + name: some-name-mongodb-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: {} + 
terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-keyfile + - emptyDir: {} + name: bin + - emptyDir: {} + name: mongosh + - name: some-name-mongodb-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: false + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + updateStrategy: + type: OnDelete + volumeClaimTemplates: + - metadata: + name: mongod-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 3Gi + status: + phase: Pending diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg-tls-disabled-oc.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg-tls-disabled-oc.yml new file mode 100644 index 0000000000..cce51b0dd4 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg-tls-disabled-oc.yml 
@@ -0,0 +1,204 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + labels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + name: some-name-cfg + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + serviceName: some-name-cfg + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + topologyKey: kubernetes.io/hostname + containers: + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=cfg + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=keyFile + - --keyFile=/etc/mongodb-secrets/mongodb-key + - --tlsMode=disabled + - --configsvr + - --enableEncryption + - 
--encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerIndexPrefixCompression=true + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: some-name + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: cfg + envFrom: + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: {} + securityContext: + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /opt/percona + name: bin + - mountPath: /.mongodb + name: mongosh + - mountPath: /etc/mongodb-encryption + name: some-name-mongodb-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: 
default-scheduler + securityContext: {} + serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-keyfile + - emptyDir: {} + name: bin + - emptyDir: {} + name: mongosh + - name: some-name-mongodb-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + updateStrategy: + type: OnDelete + volumeClaimTemplates: + - metadata: + name: mongod-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 3Gi + status: + phase: Pending diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg-tls-disabled.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg-tls-disabled.yml new file mode 100644 index 0000000000..fff3d526be --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg-tls-disabled.yml 
@@ -0,0 +1,206 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + labels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + name: some-name-cfg + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + serviceName: some-name-cfg + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + topologyKey: kubernetes.io/hostname + containers: + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=cfg + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=keyFile + - --keyFile=/etc/mongodb-secrets/mongodb-key + - --tlsMode=disabled + - --configsvr + - --enableEncryption + - 
--encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerIndexPrefixCompression=true + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: some-name + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: cfg + envFrom: + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: {} + securityContext: + runAsNonRoot: true + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /opt/percona + name: bin + - mountPath: /.mongodb + name: mongosh + - mountPath: /etc/mongodb-encryption + name: some-name-mongodb-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + 
schedulerName: default-scheduler + securityContext: + fsGroup: 1001 + serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-keyfile + - emptyDir: {} + name: bin + - emptyDir: {} + name: mongosh + - name: some-name-mongodb-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + updateStrategy: + type: OnDelete + volumeClaimTemplates: + - metadata: + name: mongod-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 3Gi + status: + phase: Pending diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg.yml new file mode 100644 index 0000000000..660161719c --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-cfg.yml 
@@ -0,0 +1,218 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + generation: 1 + labels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + name: some-name-cfg + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + serviceName: some-name-cfg + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: cfg + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: cfg + topologyKey: kubernetes.io/hostname + containers: + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=cfg + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=x509 + - --tlsMode=preferTLS + - --configsvr + - --enableEncryption + - 
--encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerIndexPrefixCompression=true + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: some-name + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: cfg + envFrom: + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: {} + securityContext: + runAsNonRoot: true + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /opt/percona + name: bin + - mountPath: /.mongodb + name: mongosh + - mountPath: /etc/mongodb-encryption + name: some-name-mongodb-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: 
{} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + fsGroup: 1001 + serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-keyfile + - emptyDir: {} + name: bin + - emptyDir: {} + name: mongosh + - name: some-name-mongodb-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: false + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + updateStrategy: + type: OnDelete + volumeClaimTemplates: + - metadata: + name: mongod-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 3Gi + status: + phase: Pending diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos-oc.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos-oc.yml new file mode 100644 index 0000000000..1ad16db55e --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos-oc.yml 
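Review bot: This expected StatefulSet cannot tell a ClusterIssuer-issued certificate apart from any other: mongod is started with `--sslAllowInvalidCertificates` and both probes run `mongodb-healthcheck` with `--sslInsecure`, so a cluster whose `some-name-ssl` secret was presumably issued by some other issuer (or the operator's own fallback CA) would reconcile to a byte-identical object and still pass the compare. Since the StatefulSet diff alone does not exercise the new clusterissuers RBAC or the CERTMANAGER_NAMESPACE setting, consider pairing these fixtures with an explicit check in the test script that the Certificate backing `some-name-ssl` has `issuerRef.kind: ClusterIssuer` and that the secret's `ca.crt` chains to that ClusterIssuer's CA. The same observation applies to the mongos and rs0 TLS-enabled fixtures added in the later hunks of this file list.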
@@ -0,0 +1,187 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + generation: 1 + labels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + name: some-name-mongos + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + serviceName: "" + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + topologyKey: kubernetes.io/hostname + containers: + - args: + - mongos + - --bind_ip_all + - --port=27017 + - --sslAllowInvalidCertificates + - --configdb + - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 + - --relaxPermChecks + - --clusterAuthMode=x509 + - --tlsMode=preferTLS + command: + - /opt/percona/ps-entry.sh + env: + - name: 
MONGODB_PORT + value: "27017" + envFrom: + - secretRef: + name: some-users + optional: false + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --component + - mongos + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + - --startupDelaySeconds + - "10" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongos + ports: + - containerPort: 27017 + name: mongos + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongos + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + readOnly: true + - mountPath: /opt/percona + name: bin + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: default + serviceAccountName: 
default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-keyfile + - name: ssl + secret: + defaultMode: 288 + optional: false + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - emptyDir: {} + name: mongod-data + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + - emptyDir: {} + name: bin + updateStrategy: + type: OnDelete diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos-tls-disabled-oc.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos-tls-disabled-oc.yml new file mode 100644 index 0000000000..7be6f7d016 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos-tls-disabled-oc.yml 
@@ -0,0 +1,175 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + name: some-name-mongos + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + serviceName: "" + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + topologyKey: kubernetes.io/hostname + containers: + - args: + - mongos + - --bind_ip_all + - --port=27017 + - --sslAllowInvalidCertificates + - --configdb + - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 + - --relaxPermChecks + - --clusterAuthMode=keyFile + - --keyFile=/etc/mongodb-secrets/mongodb-key + - --tlsMode=disabled + command: + - 
/opt/percona/ps-entry.sh + env: + - name: MONGODB_PORT + value: "27017" + envFrom: + - secretRef: + name: some-users + optional: false + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --component + - mongos + - --startupDelaySeconds + - "10" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongos + ports: + - containerPort: 27017 + name: mongos + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongos + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + readOnly: true + - mountPath: /opt/percona + name: bin + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-keyfile + 
- name: ssl + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - emptyDir: {} + name: mongod-data + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + - emptyDir: {} + name: bin + updateStrategy: + type: OnDelete diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos-tls-disabled.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos-tls-disabled.yml new file mode 100644 index 0000000000..4b9e7af6ab --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos-tls-disabled.yml 
@@ -0,0 +1,177 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + name: some-name-mongos + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + serviceName: "" + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + topologyKey: kubernetes.io/hostname + containers: + - args: + - mongos + - --bind_ip_all + - --port=27017 + - --sslAllowInvalidCertificates + - --configdb + - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 + - --relaxPermChecks + - --clusterAuthMode=keyFile + - --keyFile=/etc/mongodb-secrets/mongodb-key + - --tlsMode=disabled + command: + - 
/opt/percona/ps-entry.sh + env: + - name: MONGODB_PORT + value: "27017" + envFrom: + - secretRef: + name: some-users + optional: false + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --component + - mongos + - --startupDelaySeconds + - "10" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongos + ports: + - containerPort: 27017 + name: mongos + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongos + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + readOnly: true + - mountPath: /opt/percona + name: bin + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + fsGroup: 1001 + serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + 
secretName: some-name-mongodb-keyfile + - name: ssl + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - emptyDir: {} + name: mongod-data + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + - emptyDir: {} + name: bin + updateStrategy: + type: OnDelete diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos.yml new file mode 100644 index 0000000000..0cbdf54ce6 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-mongos.yml 
@@ -0,0 +1,189 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + generation: 1 + labels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + name: some-name-mongos + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + serviceName: "" + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: mongos + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + topologyKey: kubernetes.io/hostname + containers: + - args: + - mongos + - --bind_ip_all + - --port=27017 + - --sslAllowInvalidCertificates + - --configdb + - cfg/some-name-cfg-0.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-1.some-name-cfg.NAME_SPACE.svc.cluster.local:27017,some-name-cfg-2.some-name-cfg.NAME_SPACE.svc.cluster.local:27017 + - --relaxPermChecks + - --clusterAuthMode=x509 + - --tlsMode=preferTLS + command: + - /opt/percona/ps-entry.sh + env: + - name: 
MONGODB_PORT + value: "27017" + envFrom: + - secretRef: + name: some-users + optional: false + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --component + - mongos + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + - --startupDelaySeconds + - "10" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongos + ports: + - containerPort: 27017 + name: mongos + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongos + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + readOnly: true + - mountPath: /opt/percona + name: bin + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + fsGroup: 1001 + serviceAccount: 
default + serviceAccountName: default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-keyfile + - name: ssl + secret: + defaultMode: 288 + optional: false + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - emptyDir: {} + name: mongod-data + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + - emptyDir: {} + name: bin + updateStrategy: + type: OnDelete diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0-oc.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0-oc.yml new file mode 100644 index 0000000000..a43ae4d19e --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0-oc.yml 
@@ -0,0 +1,217 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + generation: 1 + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + name: some-name-rs0 + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + serviceName: some-name-rs0 + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + spec: + containers: + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=rs0 + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=x509 + - --tlsMode=preferTLS + - --shardsvr + - --enableEncryption + - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerCacheSizeGB=0.25 + - --wiredTigerIndexPrefixCompression=true + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: some-name + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: rs0 + envFrom: + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - 
/opt/percona/mongodb-healthcheck + - k8s + - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + failureThreshold: 8 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 100M + securityContext: + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /opt/percona + name: bin + - mountPath: /.mongodb + name: mongosh + - mountPath: /etc/mongodb-encryption + name: some-name-mongodb-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 100M + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: default + 
serviceAccountName: default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-keyfile + - emptyDir: {} + name: bin + - emptyDir: {} + name: mongosh + - name: some-name-mongodb-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: false + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + updateStrategy: + type: OnDelete + volumeClaimTemplates: + - metadata: + name: mongod-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: + phase: Pending diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0-tls-disabled-oc.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0-tls-disabled-oc.yml new file mode 100644 index 0000000000..88a681ee00 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0-tls-disabled-oc.yml 
@@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + name: some-name-rs0 + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + serviceName: some-name-rs0 + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + spec: + containers: + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=rs0 + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=keyFile + - --keyFile=/etc/mongodb-secrets/mongodb-key + - --tlsMode=disabled + - --shardsvr + - --enableEncryption + - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerCacheSizeGB=0.25 + - --wiredTigerIndexPrefixCompression=true + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: some-name + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: rs0 + envFrom: + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + 
livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + failureThreshold: 8 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 100M + securityContext: + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /opt/percona + name: bin + - mountPath: /.mongodb + name: mongosh + - mountPath: /etc/mongodb-encryption + name: some-name-mongodb-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 100M + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: 
some-name-mongodb-keyfile + - emptyDir: {} + name: bin + - emptyDir: {} + name: mongosh + - name: some-name-mongodb-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + updateStrategy: + type: OnDelete + volumeClaimTemplates: + - metadata: + name: mongod-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: + phase: Pending diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0-tls-disabled.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0-tls-disabled.yml new file mode 100644 index 0000000000..166a043766 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0-tls-disabled.yml 
@@ -0,0 +1,207 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + name: some-name-rs0 + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + serviceName: some-name-rs0 + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + spec: + containers: + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=rs0 + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=keyFile + - --keyFile=/etc/mongodb-secrets/mongodb-key + - --tlsMode=disabled + - --shardsvr + - --enableEncryption + - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerCacheSizeGB=0.25 + - --wiredTigerIndexPrefixCompression=true + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: some-name + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: rs0 + envFrom: + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + 
livenessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - liveness + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + failureThreshold: 8 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 100M + securityContext: + runAsNonRoot: true + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /opt/percona + name: bin + - mountPath: /.mongodb + name: mongosh + - mountPath: /etc/mongodb-encryption + name: some-name-mongodb-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 100M + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + fsGroup: 1001 + serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + 
secretName: some-name-mongodb-keyfile + - emptyDir: {} + name: bin + - emptyDir: {} + name: mongosh + - name: some-name-mongodb-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + updateStrategy: + type: OnDelete + volumeClaimTemplates: + - metadata: + name: mongod-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: + phase: Pending diff --git a/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0.yml b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0.yml new file mode 100644 index 0000000000..78c9aa1ba8 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/compare/statefulset_some-name-rs0.yml 
@@ -0,0 +1,219 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: {} + generation: 1 + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + name: some-name-rs0 + ownerReferences: + - controller: true + kind: PerconaServerMongoDB + name: some-name +spec: + podManagementPolicy: OrderedReady + replicas: 3 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + serviceName: some-name-rs0 + template: + metadata: + annotations: {} + labels: + app.kubernetes.io/component: mongod + app.kubernetes.io/instance: some-name + app.kubernetes.io/managed-by: percona-server-mongodb-operator + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb + app.kubernetes.io/replset: rs0 + spec: + containers: + - args: + - --bind_ip_all + - --auth + - --dbpath=/data/db + - --port=27017 + - --replSet=rs0 + - --storageEngine=wiredTiger + - --relaxPermChecks + - --sslAllowInvalidCertificates + - --clusterAuthMode=x509 + - --tlsMode=preferTLS + - --shardsvr + - --enableEncryption + - --encryptionKeyFile=/etc/mongodb-encryption/encryption-key + - --wiredTigerCacheSizeGB=0.25 + - --wiredTigerIndexPrefixCompression=true + - --quiet + command: + - /opt/percona/ps-entry.sh + env: + - name: SERVICE_NAME + value: some-name + - name: MONGODB_PORT + value: "27017" + - name: MONGODB_REPLSET + value: rs0 + envFrom: + - secretRef: + name: internal-some-name-users + optional: false + imagePullPolicy: Always + livenessProbe: + exec: + command: + - 
/opt/percona/mongodb-healthcheck + - k8s + - liveness + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + - --startupDelaySeconds + - "7200" + failureThreshold: 4 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: mongod + ports: + - containerPort: 27017 + name: mongodb + protocol: TCP + readinessProbe: + exec: + command: + - /opt/percona/mongodb-healthcheck + - k8s + - readiness + - --component + - mongod + - --ssl + - --sslInsecure + - --sslCAFile + - /etc/mongodb-ssl/ca.crt + - --sslPEMKeyFile + - /tmp/tls.pem + failureThreshold: 8 + initialDelaySeconds: 10 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 2 + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 100M + securityContext: + runAsNonRoot: true + runAsUser: 1001 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /etc/mongodb-secrets + name: some-name-mongodb-keyfile + readOnly: true + - mountPath: /etc/mongodb-ssl + name: ssl + readOnly: true + - mountPath: /etc/mongodb-ssl-internal + name: ssl-internal + readOnly: true + - mountPath: /opt/percona + name: bin + - mountPath: /.mongodb + name: mongosh + - mountPath: /etc/mongodb-encryption + name: some-name-mongodb-encryption-key + readOnly: true + - mountPath: /etc/users-secret + name: users-secret-file + workingDir: /data/db + dnsPolicy: ClusterFirst + initContainers: + - command: + - /init-entrypoint.sh + imagePullPolicy: Always + name: mongo-init + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 100M + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data/db + name: mongod-data + - mountPath: /opt/percona + name: bin + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + fsGroup: 1001 + 
serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 60 + volumes: + - name: some-name-mongodb-keyfile + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-keyfile + - emptyDir: {} + name: bin + - emptyDir: {} + name: mongosh + - name: some-name-mongodb-encryption-key + secret: + defaultMode: 288 + optional: false + secretName: some-name-mongodb-encryption-key + - name: ssl + secret: + defaultMode: 288 + optional: false + secretName: some-name-ssl + - name: ssl-internal + secret: + defaultMode: 288 + optional: true + secretName: some-name-ssl-internal + - name: users-secret-file + secret: + defaultMode: 420 + secretName: internal-some-name-users + updateStrategy: + type: OnDelete + volumeClaimTemplates: + - metadata: + name: mongod-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: + phase: Pending diff --git a/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-ca-cert.yml b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-ca-cert.yml new file mode 100644 index 0000000000..32d10c1a31 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-ca-cert.yml @@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + annotations: + some-random-annotation: "true" + name: some-name-ca-cert + namespace: cert-manager +spec: + commonName: some-name-ca + duration: 8760h0m0s + isCA: true + issuerRef: + kind: ClusterIssuer + name: some-name-psmdb-ca-issuer + renewBefore: 730h0m0s + secretName: some-name-ca-cert diff --git a/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-psmdb-ca-issuer.yml b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-psmdb-ca-issuer.yml new file mode 100644 index 0000000000..d44d10aa2c --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-psmdb-ca-issuer.yml 
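Review bot: The CA Certificate in some-name-ca-cert.yml pins `namespace: cert-manager` while every other fixture in this test is namespace-agnostic, and nothing records why. A ClusterIssuer with a `ca` backend resolves `spec.ca.secretName` in cert-manager's cluster-resource namespace, so the CA secret has to be issued there for `some-name-psmdb-issuer` to find it; if the e2e harness ever deploys cert-manager with a different cluster-resource namespace this fixture stops working with no obvious error. A comment above the namespace line, `# must be cert-manager's cluster-resource namespace: the 'ca' ClusterIssuer reads the CA secret from there`, would make the coupling visible.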
@@ -0,0 +1,8 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + annotations: + some-random-annotation: "true" + name: some-name-psmdb-ca-issuer +spec: + selfSigned: {} diff --git a/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-psmdb-issuer.yml b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-psmdb-issuer.yml new file mode 100644 index 0000000000..188cdc3252 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-psmdb-issuer.yml @@ -0,0 +1,9 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + annotations: + some-random-annotation: "true" + name: some-name-psmdb-issuer +spec: + ca: + secretName: some-name-ca-cert diff --git a/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-ssl-internal.yml b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-ssl-internal.yml new file mode 100644 index 0000000000..4b10ed19ce --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-ssl-internal.yml 
@@ -0,0 +1,43 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + annotations: + some-random-annotation: "true" + name: some-name-ssl-internal +spec: + commonName: some-name + dnsNames: + - localhost + - some-name-rs0 + - some-name-rs0.NAME_SPACE + - some-name-rs0.NAME_SPACE.svc.cluster.local + - '*.some-name-rs0' + - '*.some-name-rs0.NAME_SPACE' + - '*.some-name-rs0.NAME_SPACE.svc.cluster.local' + - some-name-rs0.NAME_SPACE.svc.clusterset.local + - '*.some-name-rs0.NAME_SPACE.svc.clusterset.local' + - '*.NAME_SPACE.svc.clusterset.local' + - some-name-mongos + - some-name-mongos.NAME_SPACE + - some-name-mongos.NAME_SPACE.svc.cluster.local + - '*.some-name-mongos' + - '*.some-name-mongos.NAME_SPACE' + - '*.some-name-mongos.NAME_SPACE.svc.cluster.local' + - some-name-cfg + - some-name-cfg.NAME_SPACE + - some-name-cfg.NAME_SPACE.svc.cluster.local + - '*.some-name-cfg' + - '*.some-name-cfg.NAME_SPACE' + - '*.some-name-cfg.NAME_SPACE.svc.cluster.local' + - some-name-mongos.NAME_SPACE.svc.clusterset.local + - '*.some-name-mongos.NAME_SPACE.svc.clusterset.local' + - some-name-cfg.NAME_SPACE.svc.clusterset.local + - '*.some-name-cfg.NAME_SPACE.svc.clusterset.local' + duration: 2160h0m0s + issuerRef: + kind: ClusterIssuer + name: some-name-psmdb-issuer + secretName: some-name-ssl-internal + subject: + organizations: + - CUSTOM diff --git a/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-ssl.yml b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-ssl.yml new file mode 100644 index 0000000000..a2a3e17587 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name-ssl.yml 
@@ -0,0 +1,43 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + annotations: + some-random-annotation: "true" + name: some-name-ssl +spec: + commonName: some-name + dnsNames: + - localhost + - some-name-rs0 + - some-name-rs0.NAME_SPACE + - some-name-rs0.NAME_SPACE.svc.cluster.local + - '*.some-name-rs0' + - '*.some-name-rs0.NAME_SPACE' + - '*.some-name-rs0.NAME_SPACE.svc.cluster.local' + - some-name-rs0.NAME_SPACE.svc.clusterset.local + - '*.some-name-rs0.NAME_SPACE.svc.clusterset.local' + - '*.NAME_SPACE.svc.clusterset.local' + - some-name-mongos + - some-name-mongos.NAME_SPACE + - some-name-mongos.NAME_SPACE.svc.cluster.local + - '*.some-name-mongos' + - '*.some-name-mongos.NAME_SPACE' + - '*.some-name-mongos.NAME_SPACE.svc.cluster.local' + - some-name-cfg + - some-name-cfg.NAME_SPACE + - some-name-cfg.NAME_SPACE.svc.cluster.local + - '*.some-name-cfg' + - '*.some-name-cfg.NAME_SPACE' + - '*.some-name-cfg.NAME_SPACE.svc.cluster.local' + - some-name-mongos.NAME_SPACE.svc.clusterset.local + - '*.some-name-mongos.NAME_SPACE.svc.clusterset.local' + - some-name-cfg.NAME_SPACE.svc.clusterset.local + - '*.some-name-cfg.NAME_SPACE.svc.clusterset.local' + duration: 2160h0m0s + issuerRef: + kind: ClusterIssuer + name: some-name-psmdb-issuer + secretName: some-name-ssl + subject: + organizations: + - CUSTOM diff --git a/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name.yml b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name.yml new file mode 100644 index 0000000000..281c22c5c1 --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/conf/some-name.yml 
@@ -0,0 +1,49 @@ +apiVersion: psmdb.percona.com/v1 +kind: PerconaServerMongoDB +metadata: + name: some-name +spec: + #platform: openshift + image: + imagePullPolicy: Always + updateStrategy: SmartUpdate + tls: + issuerConf: + kind: ClusterIssuer + backup: + enabled: false + replsets: + - name: rs0 + affinity: + antiAffinityTopologyKey: none + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 0.1G + volumeSpec: + persistentVolumeClaim: + resources: + requests: + storage: 1Gi + expose: + enabled: false + type: ClusterIP + size: 3 + sharding: + enabled: true + configsvrReplSet: + size: 3 + volumeSpec: + persistentVolumeClaim: + resources: + requests: + storage: 3Gi + expose: + enabled: false + mongos: + size: 3 + secrets: + users: some-users diff --git a/e2e-tests/tls-clusterissuer-cert-manager/run b/e2e-tests/tls-clusterissuer-cert-manager/run new file mode 100755 index 0000000000..ba953fdfdd --- /dev/null +++ b/e2e-tests/tls-clusterissuer-cert-manager/run 
@@ -0,0 +1,141 @@
+#!/bin/bash
+
+set -o errexit
+
+test_dir=$(realpath $(dirname $0))
+. "${test_dir}/../functions"
+set_debug
+
+check_tls_secret() {
+ local secret_name=$1
+ check_secret_data_key "$secret_name" 'ca.crt'
+ check_secret_data_key "$secret_name" 'tls.crt'
+ check_secret_data_key "$secret_name" 'tls.key'
+}
+
+check_secret_data_key() {
+ local secret_name=$1
+ local data_key=$2
+ local secret_data
+
+ secret_data=$(kubectl_bin get "secrets/${secret_name}" -o json | jq ".data[\"${data_key}\"]")
+ if [ -z "$secret_data" ]; then
+ exit 1
+ fi
+}
+
+main() {
+ if [ -z "$OPERATOR_NS" ]; then
+ echo "Skipping the test. This test runs only in cluster-wide mode"
+ exit 0
+ fi
+
+ create_infra "$namespace"
+ deploy_cert_manager
+
+ desc 'create secrets and start client'
+ kubectl_bin apply -f "$conf_dir/secrets.yml"
+ kubectl_bin apply -f "$conf_dir/client_with_tls.yml"
+
+ desc 'create custom cert-manager issuers and certificates'
+ kubectl_bin apply -f "$test_dir/conf/some-name-ca-cert.yml"
+ kubectl_bin apply -f "$test_dir/conf/some-name-ssl-internal.yml"
+ kubectl_bin apply -f "$test_dir/conf/some-name-ssl.yml"
+ kubectl_bin apply -f "$test_dir/conf/some-name-psmdb-ca-issuer.yml"
+ kubectl_bin apply -f "$test_dir/conf/some-name-psmdb-issuer.yml"
+ deploy_cmctl
+ sleep 60
+
+ cluster="some-name"
+ desc "create first PSMDB cluster $cluster"
+ apply_cluster "$test_dir/conf/$cluster.yml"
+
+ desc 'check if all Pods started'
+ wait_for_running $cluster-rs0 3
+ wait_for_running $cluster-cfg 3 "false"
+ wait_for_running $cluster-mongos 3
+
+ desc 'compare custom certificates and clusterissuers'
+ compare_kubectl "certificate/${cluster}-ssl" "-custom"
+ compare_kubectl "certificate/${cluster}-ssl-internal" "-custom"
+ compare_kubectl "clusterissuer/$cluster-psmdb-ca-issuer" "-custom"
+ compare_kubectl "clusterissuer/$cluster-psmdb-issuer" "-custom"
+
+ desc 'delete cluster'
+ kubectl delete psmdb --all
+ wait_for_delete psmdb/$cluster 180
+
+ kubectl delete pvc --all
+
+ desc 'delete custom cert-manager issuers and certificates'
+ kubectl_bin delete -f "$test_dir/conf/some-name-psmdb-ca-issuer.yml"
+ kubectl_bin delete -f "$test_dir/conf/some-name-psmdb-issuer.yml"
+ kubectl_bin delete -f "$test_dir/conf/some-name-ca-cert.yml"
+ kubectl_bin delete -f "$test_dir/conf/some-name-ssl-internal.yml"
+ kubectl_bin delete -f "$test_dir/conf/some-name-ssl.yml"
+
+ sleep 30
+
+ desc 'delete ssl secrets, operator should recreate them'
+ kubectl_bin delete secret "$cluster-ssl-internal"
+ kubectl_bin delete secret "$cluster-ssl"
+
+ sleep 30
+
+ desc "recreate PSMDB cluster $cluster"
+ apply_cluster "$test_dir/conf/$cluster.yml"
+
+ desc 'check if all Pods started'
+ wait_for_running $cluster-rs0 3
+ wait_for_running $cluster-cfg 3 "false"
+ wait_for_running $cluster-mongos 3
+
+ compare_kubectl statefulset/${cluster}-rs0
+ compare_kubectl statefulset/${cluster}-cfg
+ compare_kubectl statefulset/${cluster}-mongos
+
+ desc 'check if certificates issued with certmanager'
+ check_tls_secret "$cluster-ssl"
+
+ desc 'check if certificate issued'
+ compare_kubectl certificate/$cluster-ssl
+
+ desc 'check if internal certificate issued'
+ compare_kubectl certificate/$cluster-ssl-internal
+
+ renew_certificate "some-name-ssl"
+ sleep 10
+ wait_for_running $cluster-rs0 3
+ wait_for_running $cluster-cfg 3 "false"
+ wait_for_running $cluster-mongos 3
+
+ renew_certificate "some-name-ssl-internal"
+ sleep 10
+ wait_for_running $cluster-rs0 3
+ wait_for_running $cluster-cfg 3 "false"
+ wait_for_running $cluster-mongos 3
+
+ desc 'check if certificate issued'
+ compare_kubectl certificate/$cluster-ssl
+
+ desc 'check if internal certificate issued'
+ compare_kubectl certificate/$cluster-ssl-internal
+
+ desc 'disable TLS'
+ pause_cluster "$cluster"
+ wait_for_cluster_state "${cluster}" "paused"
+
+ disable_tls "$cluster"
+
+ unpause_cluster "$cluster"
+ wait_for_cluster_state "${cluster}" "ready"
+
+ compare_kubectl statefulset/${cluster}-rs0 "-tls-disabled" "skip_generation_check"
+ compare_kubectl statefulset/${cluster}-cfg "-tls-disabled" "skip_generation_check"
+ compare_kubectl statefulset/${cluster}-mongos "-tls-disabled" "skip_generation_check"
+
+ destroy "$namespace"
+ desc 'test passed'
+}
+
+main
diff --git a/e2e-tests/version-service/conf/crd.yaml b/e2e-tests/version-service/conf/crd.yaml
index 64fc72478a..c70a3ebd81 100644
--- a/e2e-tests/version-service/conf/crd.yaml
+++ b/e2e-tests/version-service/conf/crd.yaml
@@ -26310,8 +26310,6 @@ spec:
 type: string
 name:
 type: string
- required:
- - name
 type: object
 mode:
 type: string
diff --git a/pkg/apis/psmdb/v1/psmdb_defaults.go b/pkg/apis/psmdb/v1/psmdb_defaults.go
index 8a1e3d627c..da802fab3a 100644
--- a/pkg/apis/psmdb/v1/psmdb_defaults.go
+++ b/pkg/apis/psmdb/v1/psmdb_defaults.go
@@ -7,6 +7,7 @@ import (
 "strings"
 "time"
+ cm "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 "github.com/go-logr/logr"
 "github.com/pkg/errors"
 corev1 "k8s.io/api/core/v1"
@@ -132,6 +133,10 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(ctx context.Context, platform
 cr.Spec.TLS.AllowInvalidCertificates = &t
 }
+ if cr.Spec.TLS.IssuerConf.Kind == "" {
+ cr.Spec.TLS.IssuerConf.Kind = cm.IssuerKind
+ }
+
 if cr.Spec.UnsafeConf {
 cr.Spec.Unsafe = UnsafeFlags{
 TLS: true,
diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go
index e1bee7ea6a..ee2ee19335 100644
--- a/pkg/apis/psmdb/v1/psmdb_types.go
+++ b/pkg/apis/psmdb/v1/psmdb_types.go
@@ -8,7 +8,6 @@ import (
 "strings"
 "time"
- cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 "github.com/go-logr/logr"
 v "github.com/hashicorp/go-version"
 "github.com/pkg/errors"
@@ -178,10 +177,24 @@ const (
 )
 type TLSSpec struct {
- Mode TLSMode `json:"mode,omitempty"`
- AllowInvalidCertificates *bool `json:"allowInvalidCertificates,omitempty"`
- CertValidityDuration metav1.Duration `json:"certValidityDuration,omitempty"`
- IssuerConf *cmmeta.ObjectReference `json:"issuerConf,omitempty"`
+ Mode TLSMode `json:"mode,omitempty"`
+ AllowInvalidCertificates *bool `json:"allowInvalidCertificates,omitempty"`
+ CertValidityDuration metav1.Duration `json:"certValidityDuration,omitempty"`
+ IssuerConf IssuerConfReference `json:"issuerConf,omitempty"`
+}
+
+type IssuerConfReference struct {
+ // Name of the issuer being referred to.
+ // +optional
+ Name string `json:"name"`
+ // Kind of the issuer being referred to.
+ // Defaults to 'Issuer'.
+ // +optional
+ Kind string `json:"kind,omitempty"`
+ // Group of the issuer being referred to.
+ // Defaults to 'cert-manager.io'.
+ // +optional
+ Group string `json:"group,omitempty"`
 }
 func (spec *PerconaServerMongoDBSpec) Replset(name string) *ReplsetSpec {
diff --git a/pkg/apis/psmdb/v1/zz_generated.deepcopy.go b/pkg/apis/psmdb/v1/zz_generated.deepcopy.go
index c6e07feffe..0a51fd63d8 100644
--- a/pkg/apis/psmdb/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/psmdb/v1/zz_generated.deepcopy.go
@@ -5,7 +5,6 @@
 package v1
 import (
- metav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 "github.com/percona/percona-server-mongodb-operator/pkg/version"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/runtime"
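Review bot: The doc comment on IssuerConfReference.Group says it defaults to 'cert-manager.io', but the defaulting added in psmdb_defaults.go in this change sets only Kind, so either Group is defaulted somewhere not visible here or the comment promises more than the code does; either add `cr.Spec.TLS.IssuerConf.Group = cm.SchemeGroupVersion.Group` next to the Kind default or drop that sentence. Kind is a free-form string although only two values are meaningful, and since controller-gen produces the CRD here, `// +kubebuilder:validation:Enum=Issuer;ClusterIssuer` above the field would make the API server reject anything else at admission. Name is marked `+optional` and is no longer required in the CRD, yet keeps `json:"name"` without `omitempty` unlike its siblings; `Name string \`json:"name,omitempty"\`` keeps the serialized form consistent.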
@@ -617,6 +616,21 @@ func (in *InheritenceRole) DeepCopy() *InheritenceRole {
 return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IssuerConfReference) DeepCopyInto(out *IssuerConfReference) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerConfReference.
+func (in *IssuerConfReference) DeepCopy() *IssuerConfReference {
+ if in == nil {
+ return nil
+ }
+ out := new(IssuerConfReference)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LivenessProbeExtended) DeepCopyInto(out *LivenessProbeExtended) {
 *out = *in
@@ -2297,11 +2311,7 @@ func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 **out = **in
 }
 out.CertValidityDuration = in.CertValidityDuration
- if in.IssuerConf != nil {
- in, out := &in.IssuerConf, &out.IssuerConf
- *out = new(metav1.ObjectReference)
- **out = **in
- }
+ out.IssuerConf = in.IssuerConf
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec.
diff --git a/pkg/controller/perconaservermongodb/ssl.go b/pkg/controller/perconaservermongodb/ssl.go
index c618f8fd9c..6602d90e4a 100644
--- a/pkg/controller/perconaservermongodb/ssl.go
+++ b/pkg/controller/perconaservermongodb/ssl.go
@@ -236,12 +236,6 @@ func (r *ReconcilePerconaServerMongoDB) createSSLByCertManager(ctx context.Conte
 return errors.Wrap(err, "update cert mangager certs")
 }
- c := r.newCertManagerCtrlFunc(r.client, r.scheme, false)
- if cr.CompareVersion("1.15.0") >= 0 {
- if err := c.DeleteDeprecatedIssuerIfExists(ctx, cr); err != nil {
- return errors.Wrap(err, "delete deprecated issuer")
- }
- }
 return nil
 }
@@ -385,57 +379,49 @@ func (r *ReconcilePerconaServerMongoDB) applyCertManagerCertificates(ctx context } return nil } - if cr.CompareVersion("1.15.0") >= 0 { - err := applyFunc(func() (util.ApplyStatus, error) { - return c.ApplyCAIssuer(ctx, cr) - }) - if err != nil { - return "", errors.Wrap(err, "apply ca issuer") - } + if err := applyFunc(func() (util.ApplyStatus, error) { + return c.ApplyCAIssuer(ctx, cr) + }); err != nil { + return "", errors.Wrap(err, "apply ca issuer") + } - caCert := tls.CertificateCA(cr) - err = applyFunc(func() (util.ApplyStatus, error) { - return c.ApplyCertificate(ctx, cr, caCert) - }) - if err != nil { - return "", errors.Wrap(err, "create ca certificate") - } + caCert := tls.CertificateCA(cr) - err = c.WaitForCerts(ctx, cr, caCert) - if err != nil { - return "", errors.Wrap(err, "failed to wait for ca cert") - } + if err := applyFunc(func() (util.ApplyStatus, error) { + return c.ApplyCertificate(ctx, cr, caCert) + }); err != nil { + return "", errors.Wrap(err, "create ca certificate") + } + + if err := c.WaitForCerts(ctx, cr, caCert); err != nil { + return "", errors.Wrap(err, "failed to wait for ca cert") } - err := applyFunc(func() (util.ApplyStatus, error) { + if err := applyFunc(func() (util.ApplyStatus, error) { return c.ApplyIssuer(ctx, cr) - }) - if err != nil { + }); err != nil { return "", errors.Wrap(err, "create issuer") } tlsCert := tls.CertificateTLS(cr, false) - err = applyFunc(func() (util.ApplyStatus, error) { + if err := applyFunc(func() (util.ApplyStatus, error) { return c.ApplyCertificate(ctx, cr, tlsCert) - }) - if err != nil { + }); err != nil { return "", errors.Wrap(err, "create certificate") } certificates := []tls.Certificate{tlsCert} if internalCert := tls.CertificateTLS(cr, true); tlsCert.SecretName() != internalCert.SecretName() { - err = applyFunc(func() (util.ApplyStatus, error) { + if err := applyFunc(func() (util.ApplyStatus, error) { return c.ApplyCertificate(ctx, cr, internalCert) - }) - if err != nil 
{ + }); err != nil { return "", errors.Wrap(err, "create certificate") } certificates = append(certificates, internalCert) } - err = c.WaitForCerts(ctx, cr, certificates...) - if err != nil { + if err := c.WaitForCerts(ctx, cr, certificates...); err != nil { return "", errors.Wrap(err, "failed to wait for certs") } return applyStatus, nil diff --git a/pkg/psmdb/tls/certificate.go b/pkg/psmdb/tls/certificate.go index d0d36bf688..e0e5f5b3bc 100644 --- a/pkg/psmdb/tls/certificate.go +++ b/pkg/psmdb/tls/certificate.go @@ -13,6 +13,7 @@ import ( type Certificate interface { Name() string + Namespace() string SecretName() string Object() *cm.Certificate } @@ -31,6 +32,14 @@ func (c *caCert) Name() string { return c.cr.Name + "-ca-cert" } +func (c *caCert) Namespace() string { + if c.cr.CompareVersion("1.22.0") >= 0 && c.cr.Spec.TLS != nil && c.cr.Spec.TLS.IssuerConf.Kind == cm.ClusterIssuerKind { + return certManagerNamespace() + } + + return c.cr.Namespace +} + func (c *caCert) SecretName() string { return c.Name() } @@ -42,10 +51,15 @@ func (c *caCert) Object() *cm.Certificate { if cr.CompareVersion("1.17.0") < 0 { labels = nil } + + issuerKind := cm.IssuerKind + if cr.CompareVersion("1.22.0") >= 0 && cr.Spec.TLS != nil { + issuerKind = cr.Spec.TLS.IssuerConf.Kind + } return &cm.Certificate{ ObjectMeta: metav1.ObjectMeta{ Name: c.Name(), - Namespace: cr.Namespace, + Namespace: c.Namespace(), Labels: labels, }, Spec: cm.CertificateSpec{ @@ -54,7 +68,7 @@ func (c *caCert) Object() *cm.Certificate { IsCA: true, IssuerRef: cmmeta.ObjectReference{ Name: caIssuerName(cr), - Kind: cm.IssuerKind, + Kind: issuerKind, }, Duration: &metav1.Duration{Duration: time.Hour * 24 * 365}, RenewBefore: &metav1.Duration{Duration: 730 * time.Hour}, @@ -82,6 +96,10 @@ func (c *tlsCert) Name() string { return c.cr.Name + "-ssl" } +func (c *tlsCert) Namespace() string { + return c.cr.Namespace +} + func (c *tlsCert) SecretName() string { if c.internal { return api.SSLInternalSecretName(c.cr) 
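Review bot: With `Kind == ClusterIssuer` the CA Certificate is placed in the shared cert-manager namespace, but its name (`c.cr.Name + "-ca-cert"`) and its secret name (`SecretName()` returns `c.Name()`) do not include `cr.Namespace`, whereas issuerName/caIssuerName in certmanager.go do. Two clusters with the same name in different namespaces would then manage one `<name>-ca-cert` Certificate and Secret in that namespace, with each cluster's ClusterIssuer signing from a CA it does not own and both reconcilers rewriting the same object, so the trust root is no longer per-cluster. Mirror caIssuerName in `Name()`: `if c.cr.CompareVersion("1.22.0") >= 0 && c.cr.Spec.TLS != nil && c.cr.Spec.TLS.IssuerConf.Kind == cm.ClusterIssuerKind { return c.cr.Name + "-" + c.cr.Namespace + "-ca-cert" }`, which only affects the new ClusterIssuer path. The same version-and-kind condition is now repeated in `Namespace()` and `Object()`; a small `usesClusterIssuer(cr *api.PerconaServerMongoDB) bool` helper would keep the three in step.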
@@ -95,26 +113,16 @@ func (c *tlsCert) Object() *cm.Certificate { issuerKind := cm.IssuerKind issuerGroup := "" - if cr.CompareVersion("1.16.0") >= 0 && cr.Spec.TLS != nil && cr.Spec.TLS.IssuerConf != nil { + if cr.Spec.TLS != nil { issuerKind = cr.Spec.TLS.IssuerConf.Kind issuerGroup = cr.Spec.TLS.IssuerConf.Group - - } - isCA := false - if cr.CompareVersion("1.15.0") < 0 { - isCA = true - } - - labels := naming.ClusterLabels(cr) - if cr.CompareVersion("1.17.0") < 0 { - labels = nil } return &cm.Certificate{ ObjectMeta: metav1.ObjectMeta{ Name: c.Name(), Namespace: cr.Namespace, - Labels: labels, + Labels: naming.ClusterLabels(cr), }, Spec: cm.CertificateSpec{ Subject: &cm.X509Subject{ @@ -123,7 +131,7 @@ func (c *tlsCert) Object() *cm.Certificate { CommonName: cr.Name, SecretName: c.SecretName(), DNSNames: GetCertificateSans(cr), - IsCA: isCA, + IsCA: false, Duration: &cr.Spec.TLS.CertValidityDuration, IssuerRef: cmmeta.ObjectReference{ Name: issuerName(cr), diff --git a/pkg/psmdb/tls/certificate_test.go b/pkg/psmdb/tls/certificate_test.go new file mode 100644 index 0000000000..777dfb3e02 --- /dev/null +++ b/pkg/psmdb/tls/certificate_test.go 
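Review bot: `issuerKind := cm.IssuerKind` is now overwritten with `cr.Spec.TLS.IssuerConf.Kind` whenever `cr.Spec.TLS` is set, including when the kind is empty; the removed condition kept `Issuer` when no IssuerConf was given at all. cert-manager defaults an empty issuerRef.kind to Issuer, so the emitted Certificate still works, but the operator then diverges from the "Defaults to 'Issuer'" contract on the type; keeping `if k := cr.Spec.TLS.IssuerConf.Kind; k != "" { issuerKind = k }` (and the same for `issuerGroup`) preserves it. Dropping the `1.15.0`/`1.17.0` gates changes `IsCA` and `Labels` for CRs still pinned to an older `crVersion`, presumably intended now that those versions are unsupported, but worth a sentence in the commit message. `Object()`'s body continues past the hunk.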
@@ -0,0 +1,114 @@ +package tls + +import ( + "testing" + + cm "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + "github.com/stretchr/testify/assert" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1" + "github.com/percona/percona-server-mongodb-operator/pkg/version" +) + +func TestCertificate(t *testing.T) { + cr := &api.PerconaServerMongoDB{ + ObjectMeta: metav1.ObjectMeta{Name: "psmdb-mock", Namespace: "psmdb"}, + Spec: api.PerconaServerMongoDBSpec{ + CRVersion: version.Version(), + TLS: &api.TLSSpec{}, + Secrets: &api.SecretsSpec{}, + }, + } + + t.Run("CA certificate", func(t *testing.T) { + t.Run("IssuerKind", func(t *testing.T) { + cr := cr.DeepCopy() + ca := CertificateCA(cr) + assert.Equal(t, "psmdb", ca.Namespace()) + }) + t.Run("ClusterIssuerKind", func(t *testing.T) { + cr := cr.DeepCopy() + cr.Spec.TLS.IssuerConf.Kind = cm.ClusterIssuerKind + + t.Run("default cert-manager namespace when ClusterIssuerKind is used", func(t *testing.T) { + ca := CertificateCA(cr) + assert.Equal(t, "cert-manager", ca.Namespace()) + }) + + t.Run("namespace when env var is set and ClusterIssuerKind is used", func(t *testing.T) { + t.Setenv("CERTMANAGER_NAMESPACE", "my-cm") + ca := CertificateCA(cr) + assert.Equal(t, "my-cm", ca.Namespace()) + }) + + t.Run("issuerRef", func(t *testing.T) { + t.Run("latest version", func(t *testing.T) { + ca := CertificateCA(cr) + obj := ca.Object() + assert.Equal(t, "psmdb-mock-psmdb-psmdb-ca-issuer", obj.Spec.IssuerRef.Name) + assert.Equal(t, cm.ClusterIssuerKind, obj.Spec.IssuerRef.Kind) + }) + t.Run("old version", func(t *testing.T) { + cr := cr.DeepCopy() + cr.Spec.CRVersion = "1.21.0" + ca := CertificateCA(cr) + obj := ca.Object() + assert.Equal(t, "psmdb-mock-psmdb-ca-issuer", obj.Spec.IssuerRef.Name) + assert.Equal(t, cm.IssuerKind, obj.Spec.IssuerRef.Kind) + }) + }) + }) + }) + + t.Run("TLS certificates", func(t *testing.T) { + t.Run("IssuerKind", 
func(t *testing.T) { + cr := cr.DeepCopy() + t.Run("internal", func(t *testing.T) { + cert := CertificateTLS(cr, false) + assert.Equal(t, "psmdb", cert.Namespace()) + }) + t.Run("non-internal", func(t *testing.T) { + cert := CertificateTLS(cr, true) + assert.Equal(t, "psmdb", cert.Namespace()) + }) + }) + t.Run("ClusterIssuerKind", func(t *testing.T) { + cr := cr.DeepCopy() + cr.Spec.TLS.IssuerConf.Kind = cm.ClusterIssuerKind + + t.Run("issuerRef", func(t *testing.T) { + t.Run("latest version", func(t *testing.T) { + t.Run("internal", func(t *testing.T) { + cert := CertificateTLS(cr, true) + obj := cert.Object() + assert.Equal(t, "psmdb-mock-psmdb-psmdb-issuer", obj.Spec.IssuerRef.Name) + assert.Equal(t, cm.ClusterIssuerKind, obj.Spec.IssuerRef.Kind) + }) + t.Run("non-internal", func(t *testing.T) { + cert := CertificateTLS(cr, false) + obj := cert.Object() + assert.Equal(t, "psmdb-mock-psmdb-psmdb-issuer", obj.Spec.IssuerRef.Name) + assert.Equal(t, cm.ClusterIssuerKind, obj.Spec.IssuerRef.Kind) + }) + }) + t.Run("old version", func(t *testing.T) { + cr := cr.DeepCopy() + cr.Spec.CRVersion = "1.21.0" + t.Run("internal", func(t *testing.T) { + cert := CertificateTLS(cr, true) + obj := cert.Object() + assert.Equal(t, "psmdb-mock-psmdb-issuer", obj.Spec.IssuerRef.Name) + assert.Equal(t, cm.ClusterIssuerKind, obj.Spec.IssuerRef.Kind) + }) + t.Run("non-internal", func(t *testing.T) { + cert := CertificateTLS(cr, false) + obj := cert.Object() + assert.Equal(t, "psmdb-mock-psmdb-issuer", obj.Spec.IssuerRef.Name) + assert.Equal(t, cm.ClusterIssuerKind, obj.Spec.IssuerRef.Kind) + }) + }) + }) + }) + }) +} diff --git a/pkg/psmdb/tls/certmanager.go b/pkg/psmdb/tls/certmanager.go index e53aa0f3b2..7561974691 100644 --- a/pkg/psmdb/tls/certmanager.go +++ b/pkg/psmdb/tls/certmanager.go @@ -2,6 +2,7 @@ package tls import ( "context" + "os" "regexp" "time" 
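Review bot: In the "TLS certificates / IssuerKind" subtests the labels are swapped: "internal" calls `CertificateTLS(cr, false)` and "non-internal" calls `CertificateTLS(cr, true)`, while the ClusterIssuerKind subtests below use `true` for "internal". No subtest leaves `IssuerConf.Kind` empty, which is the shape a CR has when a user never sets `issuerConf`; since ApplyIssuer/ApplyCAIssuer now error on an unknown kind, a case asserting the documented default of `Issuer` via `Object().Spec.IssuerRef.Kind` would pin that path. The "default cert-manager namespace" case silently depends on `CERTMANAGER_NAMESPACE` being unset in CI; `t.Setenv("CERTMANAGER_NAMESPACE", "")` at its top would make it hermetic, matching the sibling case that already uses `t.Setenv`.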
@@ -27,7 +28,6 @@ type CertManagerController interface {
 ApplyIssuer(ctx context.Context, cr *api.PerconaServerMongoDB) (util.ApplyStatus, error)
 ApplyCAIssuer(ctx context.Context, cr *api.PerconaServerMongoDB) (util.ApplyStatus, error)
 ApplyCertificate(ctx context.Context, cr *api.PerconaServerMongoDB, cert Certificate) (util.ApplyStatus, error)
- DeleteDeprecatedIssuerIfExists(ctx context.Context, cr *api.PerconaServerMongoDB) error
 WaitForCerts(ctx context.Context, cr *api.PerconaServerMongoDB, certificates ...Certificate) error
 GetMergedCA(ctx context.Context, cr *api.PerconaServerMongoDB, secretNames []string) ([]byte, error)
 Check(ctx context.Context, config *rest.Config, ns string) error
@@ -60,44 +60,31 @@ func (c *certManagerController) IsDryRun() bool { return c.dryRun } -func deprecatedIssuerName(cr *api.PerconaServerMongoDB) string { - return cr.Name + "-psmdb-ca" -} - func issuerName(cr *api.PerconaServerMongoDB) string { - if cr.CompareVersion("1.16.0") >= 0 && cr.Spec.TLS != nil && cr.Spec.TLS.IssuerConf != nil { - return cr.Spec.TLS.IssuerConf.Name - } - - if cr.CompareVersion("1.15.0") < 0 { - return deprecatedIssuerName(cr) + const suffix = "-psmdb-issuer" + tls := cr.Spec.TLS + switch { + case tls != nil && tls.IssuerConf.Name != "": + return tls.IssuerConf.Name + case tls != nil && cr.CompareVersion("1.22.0") >= 0 && tls.IssuerConf.Kind == cm.ClusterIssuerKind: + return cr.Name + "-" + cr.Namespace + suffix } - - return cr.Name + "-psmdb-issuer" + return cr.Name + suffix } func caIssuerName(cr *api.PerconaServerMongoDB) string { - return cr.Name + "-psmdb-ca-issuer" -} - -func (c *certManagerController) DeleteDeprecatedIssuerIfExists(ctx context.Context, cr *api.PerconaServerMongoDB) error { - issuer := new(cm.Issuer) - err := c.cl.Get(ctx, types.NamespacedName{ - Name: deprecatedIssuerName(cr), - Namespace: cr.Namespace, - }, issuer) - if err != nil { - if k8serrors.IsNotFound(err) { - return nil - } - return err + const suffix = "-psmdb-ca-issuer" + if tls := cr.Spec.TLS; cr.CompareVersion("1.22.0") >= 0 && tls != nil && tls.IssuerConf.Kind == cm.ClusterIssuerKind { + return cr.Name + "-" + cr.Namespace + suffix } - return c.cl.Delete(ctx, issuer) + return cr.Name + suffix } func (c *certManagerController) createOrUpdate(ctx context.Context, cr *api.PerconaServerMongoDB, obj client.Object) (util.ApplyStatus, error) { - if err := controllerutil.SetControllerReference(cr, obj, c.scheme); err != nil { - return "", errors.Wrap(err, "set controller reference") + if cr.Namespace == obj.GetNamespace() { + if err := controllerutil.SetControllerReference(cr, obj, c.scheme); err != nil { + return "", errors.Wrap(err, "set controller 
reference") + } } status, err := util.Apply(ctx, c.cl, obj) 
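Review bot: `createOrUpdate` now skips SetControllerReference whenever `cr.Namespace != obj.GetNamespace()`, which covers the ClusterIssuers (empty namespace) and the CA Certificate created in the cert-manager namespace, so those objects have no owner and are not garbage-collected when the PerconaServerMongoDB is deleted; no cleanup path for them appears in this diff, so cluster-scoped issuers and CA secrets would accumulate across cluster lifecycles. That needs either a finalizer-driven delete of the cross-namespace and cluster-scoped objects, or at minimum a comment at the skip such as `// cross-namespace and cluster-scoped objects cannot be owned by cr; they are not garbage-collected with it`. Note also the custom-name branch of `issuerName`: with `IssuerConf.Name` set and `Kind: ClusterIssuer`, `ApplyIssuer` applies a cluster-scoped ClusterIssuer under the user-supplied name and would overwrite an existing ClusterIssuer of that name, unless the caller in applyCertManagerCertificates short-circuits on a custom issuer (that call site is only partly visible here). The closing of `createOrUpdate` lies outside the hunk.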
@@ -108,52 +95,71 @@ func (c *certManagerController) createOrUpdate(ctx context.Context, cr *api.Perc } func (c *certManagerController) ApplyIssuer(ctx context.Context, cr *api.PerconaServerMongoDB) (util.ApplyStatus, error) { - issuer := &cm.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: issuerName(cr), - Namespace: cr.Namespace, - Labels: naming.ClusterLabels(cr), - }, - Spec: cm.IssuerSpec{ - IssuerConfig: cm.IssuerConfig{ - CA: &cm.CAIssuer{ - SecretName: CertificateCA(cr).SecretName(), - }, + var issuer client.Object + meta := metav1.ObjectMeta{ + Name: issuerName(cr), + Labels: naming.ClusterLabels(cr), + } + spec := cm.IssuerSpec{ + IssuerConfig: cm.IssuerConfig{ + CA: &cm.CAIssuer{ + SecretName: CertificateCA(cr).SecretName(), }, }, } - - if cr.CompareVersion("1.15.0") < 0 { - issuer.Spec = cm.IssuerSpec{ - IssuerConfig: cm.IssuerConfig{ - SelfSigned: &cm.SelfSignedIssuer{}, - }, + switch cr.Spec.TLS.IssuerConf.Kind { + case cm.IssuerKind: + issuer = &cm.Issuer{ + ObjectMeta: meta, + Spec: spec, } + issuer.SetNamespace(cr.Namespace) + case cm.ClusterIssuerKind: + issuer = &cm.ClusterIssuer{ + ObjectMeta: meta, + Spec: spec, + } + default: + return "", errors.Errorf("unknown issuer kind: %s", cr.Spec.TLS.IssuerConf.Kind) } if cr.CompareVersion("1.17.0") < 0 { - issuer.Labels = nil + issuer.SetLabels(nil) } return c.createOrUpdate(ctx, cr, issuer) } func (c *certManagerController) ApplyCAIssuer(ctx context.Context, cr *api.PerconaServerMongoDB) (util.ApplyStatus, error) { - issuer := &cm.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: caIssuerName(cr), - Namespace: cr.Namespace, - Labels: naming.ClusterLabels(cr), - }, - Spec: cm.IssuerSpec{ - IssuerConfig: cm.IssuerConfig{ - SelfSigned: &cm.SelfSignedIssuer{}, - }, + var issuer client.Object + meta := metav1.ObjectMeta{ + Name: caIssuerName(cr), + Namespace: cr.Namespace, + Labels: naming.ClusterLabels(cr), + } + spec := cm.IssuerSpec{ + IssuerConfig: cm.IssuerConfig{ + SelfSigned: &cm.SelfSignedIssuer{}, 
}, } + switch cr.Spec.TLS.IssuerConf.Kind { + case cm.IssuerKind: + issuer = &cm.Issuer{ + ObjectMeta: meta, + Spec: spec, + } + case cm.ClusterIssuerKind: + issuer = &cm.ClusterIssuer{ + ObjectMeta: meta, + Spec: spec, + } + default: + return "", errors.Errorf("unknown issuer kind: %s", cr.Spec.TLS.IssuerConf.Kind) + } + if cr.CompareVersion("1.17.0") < 0 { - issuer.Labels = nil + issuer.SetLabels(nil) } return c.createOrUpdate(ctx, cr, issuer) @@ -218,7 +224,7 @@ func (c *certManagerController) WaitForCerts(ctx context.Context, cr *api.Percon secret := &corev1.Secret{} err := c.cl.Get(ctx, types.NamespacedName{ Name: cert.SecretName(), - Namespace: cr.Namespace, + Namespace: cert.Namespace(), }, secret) if err != nil && !k8serrors.IsNotFound(err) { return err @@ -232,7 +238,7 @@ func (c *certManagerController) WaitForCerts(ctx context.Context, cr *api.Percon if err != nil { return err } - if metav1.IsControlledBy(secret, certificate) { + if metav1.IsControlledBy(secret, certificate) || secret.Namespace != cr.Namespace { continue } if err = controllerutil.SetControllerReference(cr, secret, c.scheme); err != nil { @@ -282,3 +288,11 @@ func (c *certManagerController) GetMergedCA(ctx context.Context, cr *api.Percona func (c *certManagerController) GetClient() client.Client { return c.cl } + +func certManagerNamespace() string { + ns := os.Getenv("CERTMANAGER_NAMESPACE") + if ns == "" { + return "cert-manager" + } + return ns +} diff --git a/pkg/psmdb/tls/certmanager_test.go b/pkg/psmdb/tls/certmanager_test.go index 6ed174e5ed..0c3826e158 100644 --- a/pkg/psmdb/tls/certmanager_test.go +++ b/pkg/psmdb/tls/certmanager_test.go @@ -5,7 +5,6 @@ import ( "testing" cm "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" - cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
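Review bot: `ApplyCAIssuer` puts `Namespace: cr.Namespace` into `meta` for both kinds, so a `cm.ClusterIssuer` is built with a namespace set, unlike `ApplyIssuer`, which only calls `issuer.SetNamespace(cr.Namespace)` in the `cm.IssuerKind` case. Because of that namespace, `createOrUpdate` sees `cr.Namespace == obj.GetNamespace()` and attaches a controller reference to a namespaced owner on a cluster-scoped object; as far as I can tell the API server clears the namespace on cluster-scoped objects but keeps the ownerReference, which Kubernetes garbage collection treats as invalid for cluster-scoped dependents. Drop `Namespace` from `meta` and add `issuer.SetNamespace(cr.Namespace)` inside the `cm.IssuerKind` case, mirroring `ApplyIssuer`. Both functions also dereference `cr.Spec.TLS` without the nil check used elsewhere in the package; presumably defaults guarantee it is set, but that should be confirmed.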
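Review bot: `c.cl.Get` now reads the CA secret from `cert.Namespace()`, which is the cert-manager namespace when a ClusterIssuer is used, so the operator needs get (and list/watch, if cached) on secrets in that namespace; a namespace-scoped deployment whose Role is limited to the operator's own namespace would get a Forbidden error here instead of a not-found retry, and that error is returned unchanged. Worth a comment at the call site, `// CA secret lives in the cert-manager namespace for ClusterIssuer; needs RBAC on secrets there`, and a matching check of the deployment manifests. The later `secret.Namespace != cr.Namespace` skip is correct, since cross-namespace ownerReferences are not honoured by garbage collection.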
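Review bot: `certManagerNamespace` is undocumented, and its value has to match the namespace cert-manager resolves ClusterIssuer secrets from (its cluster resource namespace, configured by cert-manager's `--cluster-resource-namespace` flag and defaulting to `cert-manager`); a mismatch leaves the CA ClusterIssuer unable to find its secret and never Ready. Suggested doc comment: `// certManagerNamespace returns the namespace cert-manager reads ClusterIssuer secrets from (its cluster resource namespace). Taken from CERTMANAGER_NAMESPACE, defaulting to "cert-manager"; the CA Certificate is created there when a ClusterIssuer is used.` Reading the variable on every call is what lets the tests override it with `t.Setenv`, so it should stay that way.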
@@ -20,17 +19,16 @@ import ( ) func TestCreateIssuer(t *testing.T) { - ctx := context.Background() - customIssuerName := "issuer-conf-name" cr := &api.PerconaServerMongoDB{ ObjectMeta: metav1.ObjectMeta{Name: "psmdb-mock", Namespace: "psmdb"}, Spec: api.PerconaServerMongoDBSpec{ - CRVersion: "1.16.0", + CRVersion: version.Version(), TLS: &api.TLSSpec{ - IssuerConf: &cmmeta.ObjectReference{ + IssuerConf: api.IssuerConfReference{ Name: customIssuerName, + Kind: cm.IssuerKind, }, }, }, 
@@ -38,37 +36,70 @@ func TestCreateIssuer(t *testing.T) { r := buildFakeClient(cr) - issuer := &cm.Issuer{} - t.Run("Create issuer with custom name", func(t *testing.T) { - if _, err := r.ApplyIssuer(ctx, cr); err != nil { - t.Fatal(err) - } + ctx := t.Context() + cr := cr.DeepCopy() - err := r.GetClient().Get(ctx, types.NamespacedName{Namespace: "psmdb", Name: customIssuerName}, issuer) - if err != nil { - t.Fatal(err) - } + issuer := &cm.Issuer{} - if issuer.Name != customIssuerName { - t.Fatalf("Expected issuer name %s, got %s", customIssuerName, issuer.Name) - } + _, err := r.ApplyIssuer(ctx, cr) + assert.NoError(t, err) + + err = r.GetClient().Get(ctx, types.NamespacedName{Namespace: "psmdb", Name: customIssuerName}, issuer) + assert.NoError(t, err) + + assert.Equal(t, customIssuerName, issuer.Name) }) t.Run("Create issuer with default name", func(t *testing.T) { - cr.Spec.CRVersion = "1.15.0" - if _, err := r.ApplyIssuer(ctx, cr); err != nil { - t.Fatal(err) - } + ctx := t.Context() + cr := cr.DeepCopy() + cr.Spec.TLS.IssuerConf.Name = "" - err := r.GetClient().Get(ctx, types.NamespacedName{Namespace: "psmdb", Name: issuerName(cr)}, issuer) - if err != nil { - t.Fatal(err) - } + issuer := &cm.Issuer{} - if issuer.Name != issuerName(cr) { - t.Fatalf("Expected issuer name %s, got %s", issuerName(cr), issuer.Name) - } + _, err := r.ApplyIssuer(ctx, cr) + assert.NoError(t, err) + + err = r.GetClient().Get(ctx, types.NamespacedName{Namespace: "psmdb", Name: issuerName(cr)}, issuer) + assert.NoError(t, err) + + assert.NoError(t, err) + assert.Equal(t, "psmdb-mock-psmdb-issuer", issuer.Name) + }) + + t.Run("Create clusterissuer with custom name", func(t *testing.T) { + ctx := t.Context() + cr := cr.DeepCopy() + cr.Spec.TLS.IssuerConf.Kind = cm.ClusterIssuerKind + cr.Spec.TLS.IssuerConf.Name = customIssuerName + + issuer := &cm.ClusterIssuer{} + + _, err := r.ApplyIssuer(ctx, cr) + assert.NoError(t, err) + + err = r.GetClient().Get(ctx, types.NamespacedName{Name: 
customIssuerName}, issuer) + assert.NoError(t, err) + + assert.Equal(t, customIssuerName, issuer.Name) + }) + + t.Run("Create clusterissuer with default name", func(t *testing.T) { + ctx := t.Context() + cr := cr.DeepCopy() + cr.Spec.TLS.IssuerConf.Kind = cm.ClusterIssuerKind + cr.Spec.TLS.IssuerConf.Name = "" + + issuer := &cm.ClusterIssuer{} + + _, err := r.ApplyIssuer(ctx, cr) + assert.NoError(t, err) + + err = r.GetClient().Get(ctx, types.NamespacedName{Name: issuerName(cr)}, issuer) + assert.NoError(t, err) + + assert.Equal(t, "psmdb-mock-psmdb-psmdb-issuer", issuer.Name) }) } @@ -87,7 +118,7 @@ func TestCreateCertificate(t *testing.T) { SSL: "ssl", }, TLS: &api.TLSSpec{ - IssuerConf: &cmmeta.ObjectReference{ + IssuerConf: api.IssuerConfReference{ Name: customIssuerName, Kind: customIssuerKind, Group: customIssuerGroup, @@ -137,8 +168,6 @@ func TestCreateCertificate(t *testing.T) { } func TestWaitForCerts(t *testing.T) { - ctx := context.Background() - cr := &api.PerconaServerMongoDB{ ObjectMeta: metav1.ObjectMeta{ Name: "test-cluster", @@ -257,7 +286,7 @@ func TestWaitForCerts(t *testing.T) { dryRun: false, } - err := controller.WaitForCerts(ctx, cr, CertificateCA(cr)) + err := controller.WaitForCerts(t.Context(), cr, CertificateCA(cr)) assert.NoError(t, err) }) } @@ -273,6 +302,7 @@ func buildFakeClient(objs ...client.Object) CertManagerController { s.AddKnownTypes(cm.SchemeGroupVersion, new(cm.Issuer), + new(cm.ClusterIssuer), new(cm.Certificate), ) diff --git a/pkg/psmdb/tls/tls.go b/pkg/psmdb/tls/tls.go index ed123cd71a..372612adc1 100644 --- a/pkg/psmdb/tls/tls.go +++ b/pkg/psmdb/tls/tls.go 
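Review bot: In "Create issuer with default name" `assert.NoError(t, err)` is asserted twice in a row after the Get; drop the duplicate. All four subtests share the one fake client built from the outer `cr`, so objects applied by earlier subtests persist into later ones (the custom-name Issuer and custom-name ClusterIssuer differ only by kind); the typed Get keeps the assertions sound, but a `buildFakeClient` per subtest would make each case independent. There is still no case with an empty `Kind`, which is the new error branch in ApplyIssuer; a subtest pinning its behaviour (error, or defaulted to Issuer) would settle what happens to CRs created before this field existed.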
@@ -43,10 +43,19 @@ func isCertManagerSecretCreatedByUser(ctx context.Context, c client.Client, cr * } issuerName := secret.Annotations[cm.IssuerNameAnnotationKey] - if secret.Annotations[cm.IssuerKindAnnotationKey] != cm.IssuerKind || issuerName == "" { + if issuerName == "" { + return true, nil + } + + var issuer client.Object + switch secret.Annotations[cm.IssuerKindAnnotationKey] { + case cm.IssuerKind: + issuer = new(cm.Issuer) + case cm.ClusterIssuerKind: + issuer = new(cm.ClusterIssuer) + default: return true, nil } - issuer := new(cm.Issuer) if err := c.Get(ctx, types.NamespacedName{ Name: issuerName, Namespace: secret.Namespace,
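Review bot: For `cm.ClusterIssuerKind` the Get key still carries `Namespace: secret.Namespace`; controller-runtime drops the namespace for cluster-scoped kinds based on the RESTMapper scope, so this works, but the intent is clearer and not client-dependent if the namespace is only set for the namespaced kind, e.g. `ns := secret.Namespace` before the switch and `ns = ""` in the `cm.ClusterIssuerKind` case. Whatever the function checks on the fetched issuer after the hunk (the rest of isCertManagerSecretCreatedByUser is not visible) should be revisited for ClusterIssuers: they now have no controller reference to `cr` per createOrUpdate, so an ownership-based check would classify an operator-created ClusterIssuer as user-created, while a name-based check needs the `<name>-<namespace>-psmdb-issuer` scheme.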