diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml
index 3000719a6a..b25bbc2920 100644
--- a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml
@@ -76,12 +76,6 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness - - --ssl - - --sslInsecure - - --sslCAFile - - /etc/mongodb-ssl/ca.crt - - --sslPEMKeyFile - - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4
diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml
index 265a335ed5..86c5ee0e81 100644
--- a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml
@@ -76,12 +76,6 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness - - --ssl - - --sslInsecure - - --sslCAFile - - /etc/mongodb-ssl/ca.crt - - --sslPEMKeyFile - - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4
diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml
index 04d39b473f..3a96a92471 100644
--- a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml
+++ b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml
@@ -76,12 +76,6 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness - - --ssl - - --sslInsecure - - --sslCAFile - - /etc/mongodb-ssl/ca.crt - - --sslPEMKeyFile - - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4
diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml
index 3b65105d16..df1f40126f 100644
--- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml
+++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml
@@ -86,12 +86,6 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness - - --ssl - - --sslInsecure - - --sslCAFile - - /etc/mongodb-ssl/ca.crt - - --sslPEMKeyFile - - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4
diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml
index f272279415..2aff36f191 100644
--- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml
+++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml
@@ -86,12 +86,6 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness - - --ssl - - --sslInsecure - - --sslCAFile - - /etc/mongodb-ssl/ca.crt - - --sslPEMKeyFile - - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4
diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml
index b9077a0248..15b5fb233d 100644
--- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml
+++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml
@@ -86,12 +86,6 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness - - --ssl - - --sslInsecure - - --sslCAFile - - /etc/mongodb-ssl/ca.crt - - --sslPEMKeyFile - - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4
diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml
index 8b7606714a..8e713548af 100644
--- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml
+++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml
@@ -86,12 +86,6 @@ spec: - /opt/percona/mongodb-healthcheck - k8s - liveness - - --ssl - - --sslInsecure - - --sslCAFile - - /etc/mongodb-ssl/ca.crt - - --sslPEMKeyFile - - /tmp/tls.pem - --startupDelaySeconds - "7200" failureThreshold: 4
diff --git a/healthcheck/tools/db/ssl.go b/healthcheck/tools/db/ssl.go
index 305301dc88..8be5cffc48 100644
--- a/healthcheck/tools/db/ssl.go
+++ b/healthcheck/tools/db/ssl.go
@@ -48,56 +48,49 @@ func LastSSLError() error { } func (cnf *Config) configureTLS() error { - config := &tls.Config{ - InsecureSkipVerify: cnf.SSL.Insecure, - } - - if len(cnf.SSL.PEMKeyFile) == 0 || len(cnf.SSL.CAFile) == 0 { + if !cnf.SSL.Enabled { return nil } - pemOk, err := isFileExists(cnf.SSL.PEMKeyFile) - if err != nil { - return errors.Wrapf(err, "check if file with name %s exists", cnf.SSL.PEMKeyFile) - } - - caOk, err := isFileExists(cnf.SSL.CAFile) - if err != nil { - return errors.Wrapf(err, "check if file with name %s exists", cnf.SSL.CAFile) + config := &tls.Config{ + InsecureSkipVerify: cnf.SSL.Insecure, } - if !pemOk || !caOk { - cnf.SSL = nil - return nil - } + // Configure client cert + if len(cnf.SSL.PEMKeyFile) != 0 { + if err := isFileExists(cnf.SSL.PEMKeyFile); err != nil { + return errors.Wrapf(err, "check if file with name %s exists", cnf.SSL.PEMKeyFile) + } - log.Debugf("Loading SSL/TLS PEM certificate: %s", cnf.SSL.PEMKeyFile) + log.Debugf("Loading SSL/TLS PEM certificate: %s", cnf.SSL.PEMKeyFile) + certificates, err := tls.LoadX509KeyPair(cnf.SSL.PEMKeyFile, cnf.SSL.PEMKeyFile) + if err != nil { + return errors.Wrapf(err, "load key pair from '%s' to connect to server '%s'", cnf.SSL.PEMKeyFile, cnf.Hosts) + } - certificates, err := tls.LoadX509KeyPair(cnf.SSL.PEMKeyFile, cnf.SSL.PEMKeyFile) - if err != nil { - return errors.Wrapf(err, "load key pair from '%s' to connect to server '%s'", cnf.SSL.PEMKeyFile, cnf.Hosts) + config.Certificates = []tls.Certificate{certificates} } - config.Certificates = []tls.Certificate{certificates} + // Configure CA cert + if len(cnf.SSL.CAFile) != 0 { + if err := isFileExists(cnf.SSL.CAFile); err != nil { + return errors.Wrapf(err, "check if file with name %s exists", cnf.SSL.CAFile) + } - log.Debugf("Loading SSL/TLS Certificate Authority: %s", cnf.SSL.CAFile) - ca, err := cnf.SSL.loadCaCertificate() - if err != nil { - return errors.Wrapf(err, "load client CAs from %s", cnf.SSL.CAFile) + 
log.Debugf("Loading SSL/TLS Certificate Authority: %s", cnf.SSL.CAFile) + ca, err := cnf.SSL.loadCaCertificate() + if err != nil { + return errors.Wrapf(err, "load client CAs from %s", cnf.SSL.CAFile) + } + + config.RootCAs = ca } - config.RootCAs = ca cnf.TLSConf = config - return nil } -func isFileExists(name string) (bool, error) { +func isFileExists(name string) error { _, err := os.Stat(name) - if os.IsNotExist(err) { - return false, nil - } else if err != nil { - return false, err - } - return true, nil + return err }
diff --git a/healthcheck/tools/db/ssl_test.go b/healthcheck/tools/db/ssl_test.go
new file mode 100644
index 0000000000..36f0241b85
--- /dev/null
+++ b/healthcheck/tools/db/ssl_test.go
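Review bot: `isFileExists` no longer reports existence — it returns whatever `os.Stat` returns — so a permission error on the PEM or CA path is now surfaced as `check if file with name <path> exists: stat <path>: ...`, with the path printed twice and the cause misdescribed as a missing file. Either rename it to match the new contract (e.g. `statFile`) and drop the path from the wrapper, `return errors.Wrap(err, "stat PEM key file")`, or keep a bool result and only return an error for failures other than `os.ErrNotExist`, checked with `errors.Is(err, os.ErrNotExist)` if the errors package in use provides it. Separately, when `cnf.SSL.Insecure` is set the `RootCAs` loaded further down are never consulted, because `InsecureSkipVerify` disables chain verification entirely; a warning-level log line next to that assignment would make the weakened verification visible in the probe's output. The old `cnf.SSL = nil` fallback is gone, so any caller that tested `cnf.SSL == nil` to decide whether TLS was in effect presumably has to consult `Enabled` now — that code is outside the hunk.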
@@ -0,0 +1,86 @@
+package db
+
+import (
+ "fmt"
+ "testing"
+)
+
+const (
+ notExistingFilePath = "not-existing-file-path"
+)
+
+func TestSSLNotEnabled(t *testing.T) {
+ cfg := &Config{
+ SSL: &SSLConfig{
+ Enabled: false,
+ },
+ }
+
+ if err := cfg.configureTLS(); err != nil {
+ t.Fatalf("TLS configuration failed: %s", err)
+ }
+
+ if cfg.TLSConf != nil {
+ t.Error("Expected TLSConf to be nil")
+ }
+}
+
+func TestSSLEnabled(t *testing.T) {
+ cfg := &Config{
+ SSL: &SSLConfig{
+ Enabled: true,
+ },
+ }
+
+ if err := cfg.configureTLS(); err != nil {
+ t.Fatalf("TLS configuration failed: %s", err)
+ }
+
+ if cfg.TLSConf == nil {
+ t.Error("Expected TLSConf to not be nil")
+ }
+}
+
+func TestPEMKeyFileDoesNotExists(t *testing.T) {
+ cfg := &Config{
+ SSL: &SSLConfig{
+ Enabled: true,
+ PEMKeyFile: notExistingFilePath,
+ },
+ }
+
+ err := cfg.configureTLS()
+ if err == nil {
+ t.Fatal("Expected TLS config to fail, but it returned no error")
+ }
+
+ expectedErrorMessage := fmt.Sprintf(
+ "check if file with name %s exists: stat %s: no such file or directory",
+ notExistingFilePath, notExistingFilePath,
+ )
+ if err.Error() != expectedErrorMessage {
+ t.Errorf("error message '%s' does not match expected '%s'", err.Error(), expectedErrorMessage)
+ }
+}
+
+func TestCAFileDoesNotExists(t *testing.T) {
+ cfg := &Config{
+ SSL: &SSLConfig{
+ Enabled: true,
+ CAFile: notExistingFilePath,
+ },
+ }
+
+ err := cfg.configureTLS()
+ if err == nil {
+ t.Fatal("Expected TLS config to fail, but it returned no error")
+ }
+
+ expectedErrorMessage := fmt.Sprintf(
+ "check if file with name %s exists: stat %s: no such file or directory",
+ notExistingFilePath, notExistingFilePath,
+ )
+ if err.Error() != expectedErrorMessage {
+ t.Errorf("error message '%s' does not match expected '%s'", err.Error(), expectedErrorMessage)
+ }
+}
diff --git a/pkg/apis/psmdb/v1/psmdb_defaults.go b/pkg/apis/psmdb/v1/psmdb_defaults.go
index 7105f7591e..66fd6f85d1 100644
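Review bot: `TestPEMKeyFileDoesNotExists` and `TestCAFileDoesNotExists` pin the exact text `stat %s: no such file or directory`, which is the platform errno string coming out of `os.Stat`, so the tests fail on Windows and on any Go release that rewords it. Comparing the cause keeps the intent and drops the string coupling: `if !errors.Is(err, os.ErrNotExist) { t.Errorf("expected a not-exist error, got %v", err) }`, which sees through the `errors.Wrapf` wrapper provided the errors package in use implements `Unwrap`. The two tests differ only in which field carries the path, so a small table with `name` and `cfg` columns would fold them into one. `TestSSLEnabled` only checks that `TLSConf` is non-nil; asserting that `SSL.Insecure` is mirrored into `TLSConf.InsecureSkipVerify` (both true and false) would cover the one security-relevant field `configureTLS` sets unconditionally.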
--- a/pkg/apis/psmdb/v1/psmdb_defaults.go
+++ b/pkg/apis/psmdb/v1/psmdb_defaults.go
@@ -191,7 +191,8 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log }, } - if cr.CompareVersion("1.7.0") >= 0 { + if (cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) || + cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf { cr.Spec.Sharding.Mongos.LivenessProbe.Exec.Command = append(cr.Spec.Sharding.Mongos.LivenessProbe.Exec.Command, "--ssl", "--sslInsecure",
@@ -236,7 +237,8 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log }, } - if cr.CompareVersion("1.7.0") >= 0 { + if (cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) || + cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf { cr.Spec.Sharding.Mongos.ReadinessProbe.Exec.Command = append(cr.Spec.Sharding.Mongos.ReadinessProbe.Exec.Command, "--ssl", "--sslInsecure",
@@ -362,7 +364,8 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log if cr.CompareVersion("1.6.0") >= 0 { replset.LivenessProbe.Probe.Exec.Command[0] = "/data/db/mongodb-healthcheck" - if cr.CompareVersion("1.7.0") >= 0 { + if (cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) || + cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf { replset.LivenessProbe.Probe.Exec.Command = append(replset.LivenessProbe.Probe.Exec.Command, "--ssl", "--sslInsecure",
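Review bot: The new gate `(cr.CompareVersion("1.7.0") >= 0 && cr.CompareVersion("1.15.0") < 0) || cr.CompareVersion("1.15.0") >= 0 && !cr.Spec.UnsafeConf` parenthesises its first half but leaves the second to `&&` binding tighter than `||`, and it is pasted verbatim into the `@@ -191`, `@@ -236` and `@@ -362` hunks, with a fourth variant in the `NonVotingSpec.SetDefaults` hunk that has no 1.7.0 floor (the old code there had no version gate at all, so that is presumably deliberate). It collapses to the single expression `cr.CompareVersion("1.7.0") >= 0 && (cr.CompareVersion("1.15.0") < 0 || !cr.Spec.UnsafeConf)`, and hoisting it into one method on `PerconaServerMongoDB` keeps the probe sites from drifting apart the next time the policy changes. The enclosing `CheckNSetDefaults` body starts and ends outside these hunks.
```go
// probeTLSFlagsWanted reports whether the healthcheck probe commands get the
// --ssl arguments: always from 1.7.0 up to 1.15.0, and from 1.15.0 on only
// when unsafe configurations are not allowed.
func (cr *PerconaServerMongoDB) probeTLSFlagsWanted() bool {
	return cr.CompareVersion("1.7.0") >= 0 &&
		(cr.CompareVersion("1.15.0") < 0 || !cr.Spec.UnsafeConf)
}

// … unchanged: CheckNSetDefaults, with each two-line `if (cr.CompareVersion("1.7.0") >= 0 && …` replaced by `if cr.probeTLSFlagsWanted() {` …
```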
@@ -643,14 +646,14 @@ func (nv *NonVotingSpec) SetDefaults(cr *PerconaServerMongoDB, rs *ReplsetSpec) } if nv.LivenessProbe.ProbeHandler.Exec == nil { nv.LivenessProbe.Probe.ProbeHandler.Exec = &corev1.ExecAction{ - Command: []string{ - "/data/db/mongodb-healthcheck", - "k8s", - "liveness", - "--ssl", "--sslInsecure", - "--sslCAFile", "/etc/mongodb-ssl/ca.crt", - "--sslPEMKeyFile", "/tmp/tls.pem", - }, + Command: []string{"/data/db/mongodb-healthcheck", "k8s", "liveness"}, + } + + if !cr.Spec.UnsafeConf || cr.CompareVersion("1.15.0") < 0 { + nv.LivenessProbe.Probe.ProbeHandler.Exec.Command = append( + nv.LivenessProbe.Probe.ProbeHandler.Exec.Command, + "--ssl", "--sslInsecure", "--sslCAFile", "/etc/mongodb-ssl/ca.crt", "--sslPEMKeyFile", "/tmp/tls.pem", + ) } if cr.CompareVersion("1.14.0") >= 0 {
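Review bot: Tying the probe's transport to `!cr.Spec.UnsafeConf` means a 1.15.0+ CR that allows unsafe configurations but still runs mongod with TLS enforced would get a liveness command with no `--ssl` arguments — a plaintext connection to a TLS-only listener — and the healthy pod would presumably be restarted by its own probe; where mongod accepts both, any credentials the probe presents (if it authenticates) would cross the wire unencrypted. Whether the unsafe flag alone can switch TLS off is decided outside this hunk, so it needs confirming against the CR spec; if TLS can stay on with the flag set, the decision should follow the effective TLS setting rather than the permission flag. A comment above the `if` stating the invariant being relied on, `// from 1.15.0 TLS can only be disabled through UnsafeConf, so the probe follows it`, would at least document the assumption the four probe sites now share. The enclosing `SetDefaults` body continues outside the hunk.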