K8SPSMDB-813: Fail TLS configuration if provided certificates do not exist #1254
Conversation
'allowUnsafeConfigurations' is set for 'another-name' rs only
"--sslCAFile", "/etc/mongodb-ssl/ca.crt", | ||
"--sslPEMKeyFile", "/tmp/tls.pem", | ||
}, | ||
Command: []string{"/data/db/mongodb-healthcheck", "k8s", "liveness"}, |
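Review bot: the CA path `/etc/mongodb-ssl/ca.crt` and the key pair path `/tmp/tls.pem` are string literals repeated inside the probe `Command`; hoisting them into named constants (or documenting where the files are expected to be mounted) would keep the liveness command and the TLS validation from drifting apart when one of them changes.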
@egegunes, maybe we need to do it only for cr >= 1.15?
@@ -646,7 +649,7 @@ func (nv *NonVotingSpec) SetDefaults(cr *PerconaServerMongoDB, rs *ReplsetSpec) | |||
Command: []string{"/data/db/mongodb-healthcheck", "k8s", "liveness"}, | |||
} | |||
|
|||
if !cr.Spec.UnsafeConf { | |||
if !cr.Spec.UnsafeConf || cr.CompareVersion("1.15.0") < 0 { |
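Review bot: `!cr.Spec.UnsafeConf || cr.CompareVersion("1.15.0") < 0` makes `UnsafeConf` irrelevant for every cluster below 1.15.0, and the hunk does not say why; if the intent is to keep the pre-1.15 behaviour unchanged, add a one-line comment stating that and write the version gate as its own parenthesised case so the two conditions read as distinct rather than as one combined test.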
Is it correct? Before, we were adding SSL flags if UnsafeConf was false, but with these changes we'll add the flags if crVersion is < 1.15 no matter the unsafe flag value.
Before the PR, we had this code without any checks:
```go
Command: []string{
	"/data/db/mongodb-healthcheck",
	"k8s",
	"liveness",
	"--ssl", "--sslInsecure",
	"--sslCAFile", "/etc/mongodb-ssl/ca.crt",
	"--sslPEMKeyFile", "/tmp/tls.pem",
},
```
We should add these flags to crs with < 1.15.0 versions to maintain the old behavior
if (cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) || | ||
cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf { |
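Review bot: `(cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) || cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf` relies on `&&` binding tighter than `||`; parenthesise the second disjunct as well so the grouping is explicit. Separately, the `1.7.0` lower bound means clusters older than 1.7.0 now get no TLS flags at all, whereas the pre-PR command quoted in this thread added them unconditionally; either confirm that is intended or add a comment explaining the lower bound.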
We seem to have changed the behavior: with these changes we'll add these flags to the probe command for all clusters < 1.15.
We should check for unsafe option only for clusters with >=1.15.0 version to maintain the old behavior for older cluster versions.
It seems that you checked the diff of only my changes, and not those of the entire pull request.
commit: 7d8974c
@t-yrka Thank you for your contribution
CHANGE DESCRIPTION
Problem: Healthcheck runs without TLS appropriately configured (when it is enabled).
Cause: Invalid TLS configuration is silently dropped.
Solution: Fail the healthcheck when TLS configuration is provided, but is invalid.
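The fail-closed behaviour the description asks for, as an added example that is not the operator's own code: the probe command only receives the TLS flags after the CA bundle and the combined cert+key PEM have been read and parsed, and a missing or unparsable file yields an error instead of a probe that quietly runs without TLS. The function names (`HealthcheckArgs`, `ValidateTLSMaterial`, `SelfSignedPEM`), the sentinel errors and the temporary-directory paths are assumptions; the self-signed certificate is constructed test material, not a cluster's real certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Sentinel errors (assumed names) so callers can tell why the material was rejected.
var (
	ErrNoCACert   = errors.New("tls: CA file has no CERTIFICATE block")
	ErrBadCACert  = errors.New("tls: CA certificate does not parse")
	ErrBadKeyPair = errors.New("tls: PEM key file is not a matching cert/key pair")
)

// ValidateTLSMaterial parses the CA bundle and the combined cert+key PEM and
// returns an error instead of silently ignoring unusable material.
func ValidateTLSMaterial(caPEM, keyPairPEM []byte) error {
	block, _ := pem.Decode(caPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return ErrNoCACert
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return fmt.Errorf("%w: %v", ErrBadCACert, err)
	}
	// The probe gets one file holding both certificate and key, so parse it as a
	// key pair; tls.X509KeyPair also checks that the key matches the certificate.
	if _, err := tls.X509KeyPair(keyPairPEM, keyPairPEM); err != nil {
		return fmt.Errorf("%w: %v", ErrBadKeyPair, err)
	}
	return nil
}

// HealthcheckArgs builds the liveness probe command. With TLS enabled it fails
// closed: unreadable or unparsable files produce an error, never a probe that
// silently runs without the TLS flags.
func HealthcheckArgs(tlsEnabled bool, caFile, pemFile string) ([]string, error) {
	args := []string{"/data/db/mongodb-healthcheck", "k8s", "liveness"}
	if !tlsEnabled {
		return args, nil
	}
	caPEM, err := os.ReadFile(caFile)
	if err != nil {
		return nil, fmt.Errorf("tls enabled but CA file unreadable: %w", err)
	}
	keyPairPEM, err := os.ReadFile(pemFile)
	if err != nil {
		return nil, fmt.Errorf("tls enabled but PEM key file unreadable: %w", err)
	}
	if err := ValidateTLSMaterial(caPEM, keyPairPEM); err != nil {
		return nil, err
	}
	return append(args, "--ssl", "--sslInsecure",
		"--sslCAFile", caFile, "--sslPEMKeyFile", pemFile), nil
}

// SelfSignedPEM creates throwaway test material (constructed, not a real
// cluster certificate): the certificate PEM and a combined cert+key PEM.
func SelfSignedPEM() (certPEM, combinedPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-healthcheck"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, append(append([]byte{}, certPEM...), keyPEM...), nil
}

func main() {
	certPEM, combined, _ := SelfSignedPEM()
	dir, _ := os.MkdirTemp("", "tls-example") // assumed scratch directory
	defer os.RemoveAll(dir)
	caFile, pemFile := filepath.Join(dir, "ca.crt"), filepath.Join(dir, "tls.pem")
	_ = os.WriteFile(caFile, certPEM, 0o600)
	_ = os.WriteFile(pemFile, combined, 0o600)
	fmt.Println(HealthcheckArgs(true, caFile, pemFile))                             // full command, <nil>
	fmt.Println(HealthcheckArgs(true, caFile, filepath.Join(dir, "missing.pem"))) // [], error
}
```

Validating the files at the point where the flags are assembled is what turns a misconfiguration into a visible probe failure rather than a liveness check that passes while the connection it makes is not the one the operator expects.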
CHECKLIST
Jira (Needs Doc, Needs QA)
Tests (compare/*-oc.yml)
Config/Logging/Testability