@Demch1k Demch1k commented Feb 28, 2025

CHANGE DESCRIPTION

https://perconadev.atlassian.net/browse/K8SPSMDB-1387


Problem:
We have enabled --enable-certificate-owner-ref for certmanager, and after that the MongoDB operator cannot start up any MongoDB clusters.

Cause:
The MongoDB operator returns an error when it can't update owner references for certificate resources. But with --enable-certificate-owner-ref, certmanager does it by itself.

Solution:
Catch the error connected with an already existing owner ref and just print it out.

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?
  • Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Are all needed new/changed options added to the Helm Chart?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported MongoDB version?
  • Does the change support oldest and newest supported Kubernetes version?

CLAassistant commented Feb 28, 2025

CLA assistant check
All committers have signed the CLA.

@Demch1k Demch1k force-pushed the fix-certmanager-owner-ref branch from e219161 to 227c0fe Compare February 28, 2025 12:06
@gkech gkech added the community label Mar 4, 2025

@egegunes egegunes left a comment

few comments.

also I wonder if we need to set this flag while deploying cert-manager in our tests

return "", errors.Wrap(err, "set controller reference")
switch errors.Cause(err).(type) {
case *controllerutil.AlreadyOwnedError:
fmt.Sprintf("%s", err)
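
Review bot: In the `case *controllerutil.AlreadyOwnedError:` branch, `fmt.Sprintf("%s", err)` builds a string and discards it, so nothing is printed and the error is silently dropped. If the intent is to tolerate this case, log the error through the operator's logger and make the fall-through explicit; otherwise return it.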

should we return error here?

return errors.Wrap(err, "set controller reference")
switch errors.Cause(err).(type) {
case *controllerutil.AlreadyOwnedError:
fmt.Sprintf("%s", err)
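
Review bot: The `case *controllerutil.AlreadyOwnedError:` branch tolerates the secret being controlled by whatever object already owns it, not only by a cert-manager Certificate. Check that the existing owner is the expected Certificate before skipping the error, so a TLS secret controlled by an unrelated object is still reported.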

should we return error here?

@@ -314,7 +320,12 @@ func (c *certManagerController) WaitForCerts(ctx context.Context, cr *api.Percon
continue
}
if err = controllerutil.SetControllerReference(cr, secret, c.scheme); err != nil {
return errors.Wrap(err, "set controller reference")
switch errors.Cause(err).(type) {
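
Review bot: The type switch on `errors.Cause(err).(type)` only sees through wrappers that implement `Cause()`, so whether it matches depends on how the error was wrapped. Matching with `errors.As` against a `*controllerutil.AlreadyOwnedError` target follows the standard `Unwrap` chain and also gives access to the error value, which removes the need for the switch.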

@gkech wdyt of this errors.Cause maybe we should check with errors.Is?

@gkech gkech Mar 10, 2025

yes it is better @egegunes

@Demch1k let's use errors.Is and also, let's drop switch since it is not needed, so the following for all cases.

if err = controllerutil.SetControllerReference(cr, secret, c.scheme); err != nil {
	if errors.Is(err, &controllerutil.AlreadyOwnedError{}) {
		return errors.Wrap(err, "set owner reference")
	}
	return errors.Wrap(err, "set controller reference")
}
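
The matching styles discussed in this thread, as an added example that is not part of the pull request or the operator's code. `alreadyOwnedError` and `setControllerReference` are constructed stand-ins (the type is assumed to define no `Is` method), and `fmt.Errorf` with `%w` stands in for `errors.Wrap`.

```go
package main

import (
	"errors"
	"fmt"
)

// alreadyOwnedError is a constructed stand-in for a pointer-typed error such
// as controllerutil.AlreadyOwnedError. Assumption: it defines no Is method.
type alreadyOwnedError struct {
	Object, Owner string
}

func (e *alreadyOwnedError) Error() string {
	return fmt.Sprintf("object %s is already owned by %s", e.Object, e.Owner)
}

// setControllerReference is a hypothetical stand-in: it fails when the secret
// already has a controller owner and returns the error wrapped with context.
func setControllerReference(secret, existingOwner string) error {
	if existingOwner == "" {
		return nil
	}
	err := &alreadyOwnedError{Object: secret, Owner: existingOwner}
	return fmt.Errorf("set controller reference: %w", err)
}

// matchWithIs compares against a fresh pointer. Without an Is method on the
// type, errors.Is falls back to ==, and two distinct pointers are never equal.
func matchWithIs(err error) bool {
	return errors.Is(err, &alreadyOwnedError{})
}

// matchWithAs walks the Unwrap chain by type and returns the concrete error,
// so the caller can inspect which owner is already set.
func matchWithAs(err error) (*alreadyOwnedError, bool) {
	var owned *alreadyOwnedError
	ok := errors.As(err, &owned)
	return owned, ok
}

func main() {
	// Constructed sample names, not taken from the pull request.
	err := setControllerReference("my-cluster-ssl", "Certificate/my-cluster-ssl")
	fmt.Println("errors.Is match:", matchWithIs(err))
	if owned, ok := matchWithAs(err); ok {
		fmt.Println("errors.As match, existing owner:", owned.Owner)
	}
}
```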

@Demch1k any updates on this one?

@github-actions github-actions bot added the stale label Apr 10, 2025
@hors hors added this to the v1.21.0 milestone Apr 14, 2025
@hors hors removed the stale label Apr 14, 2025
@egegunes

seems like we will need to take this over, i'm moving this to next release

@egegunes egegunes modified the milestones: v1.21.0, v1.22.0 May 19, 2025
@gkech gkech changed the title Fix for certmanager owner ref K8SPSMDB-1387 certmanager --enable-certificate-owner-ref option causes no startup of any mongodb clusters May 19, 2025
@gkech gkech requested a review from egegunes August 20, 2025 13:15
To fix the issue, we only need to modify the `WaitForCert` method by
adding a check to see if the secret has a controller reference to a
certificate
@pull-request-size pull-request-size bot added size/L 100-499 lines and removed size/S 10-29 lines labels Sep 15, 2025
@JNKPercona
Test name Status
arbiter passed
balancer passed
cross-site-sharded passed
custom-replset-name passed
custom-tls passed
custom-users-roles passed
custom-users-roles-sharded passed
data-at-rest-encryption passed
data-sharded passed
demand-backup passed
demand-backup-eks-credentials-irsa passed
demand-backup-fs passed
demand-backup-incremental failure
demand-backup-incremental-sharded passed
demand-backup-physical-parallel passed
demand-backup-physical-aws passed
demand-backup-physical-azure passed
demand-backup-physical-gcp passed
demand-backup-physical-minio passed
demand-backup-physical-sharded-parallel passed
demand-backup-physical-sharded-aws passed
demand-backup-physical-sharded-azure passed
demand-backup-physical-sharded-gcp passed
demand-backup-physical-sharded-minio passed
demand-backup-sharded passed
expose-sharded passed
finalizer passed
ignore-labels-annotations passed
init-deploy passed
ldap passed
ldap-tls passed
limits passed
liveness passed
mongod-major-upgrade passed
mongod-major-upgrade-sharded passed
monitoring-2-0 passed
monitoring-pmm3 passed
multi-cluster-service passed
multi-storage passed
non-voting-and-hidden passed
one-pod passed
operator-self-healing-chaos passed
pitr passed
pitr-physical passed
pitr-sharded passed
pitr-physical-backup-source passed
preinit-updates passed
pvc-resize passed
recover-no-primary passed
replset-overrides failure
rs-shard-migration failure
scaling passed
scheduled-backup failure
security-context passed
self-healing-chaos passed
service-per-pod passed
serviceless-external-nodes passed
smart-update passed
split-horizon passed
stable-resource-version passed
storage passed
tls-issue-cert-manager passed
upgrade passed
upgrade-consistency passed
upgrade-consistency-sharded-tls failure
upgrade-sharded passed
users passed
version-service passed
We run 68 out of 68

commit: 75e87c6
image: perconalab/percona-server-mongodb-operator:PR-1850-75e87c60
