2 changes: 1 addition & 1 deletion e2e-tests/arbiter/run
Expand Up @@ -71,7 +71,7 @@ check_cr_config() {

main() {
create_infra $namespace
deploy_cert_manager
deploy_cert_manager "--enable-certificate-owner-ref"

desc 'create secrets and start client'
kubectl_bin apply \
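Review bot: Passing `--enable-certificate-owner-ref` here changes cert-manager's behaviour for every Certificate this test creates: per that flag's documentation the issued Secret gets an ownerReference to its Certificate, so deleting or recreating a Certificate now garbage-collects the Secret holding the private key. That is convenient for cleanup, but any later step of this test that removes a Certificate and still expects the old secret to be readable will break, and the reason will not be obvious from the call site. A one-line comment would help, e.g. `# owner refs: issued secrets are GC'd together with their Certificate`. main continues outside this hunk.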
5 changes: 4 additions & 1 deletion e2e-tests/functions
Expand Up @@ -885,7 +885,6 @@ run_mongosh() {
bash -c "printf '$command\n' | mongosh --quiet $driver://$uri$suffix/admin?ssl=false\&replicaSet=$replica_set $mongo_flag"
}


run_mongo_tls() {
local command="$1"
local uri="$2"
Expand Down Expand Up @@ -1158,6 +1157,10 @@ deploy_cert_manager() {
kubectl_bin create namespace cert-manager || :
kubectl_bin label namespace cert-manager certmanager.k8s.io/disable-validation=true || :
kubectl_bin apply -f "https://github.com/cert-manager/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" --validate=false || : 2>/dev/null
for arg in "$@"; do
kubectl_bin patch deployment cert-manager -n cert-manager --type='json' \
-p='[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"'"$arg"'"}]'
done
kubectl_bin -n cert-manager wait pod -l app.kubernetes.io/instance=cert-manager --for=condition=ready
sleep 120
}
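Review bot: The new patch loop splices `$arg` straight into a JSON document (`"value":"'"$arg"'"`), so an argument containing a double quote or backslash yields an invalid patch rather than an escaped value; the only value used so far is a plain flag, so a comment stating the constraint is enough: `# args are spliced into a JSON patch unescaped; pass plain flag strings only`. The `add` op on `/args/-` also appends on every invocation, so if deploy_cert_manager runs against a cert-manager that is already deployed (the `create namespace ... || :` suggests that can happen) the flag is appended a second time; reading the current args first, or replacing the whole args list, would keep the helper idempotent. Note too that the `kubectl wait` after the loop selects by the instance label, so during the rollout the patch triggers it may match the terminating pod as well as the new one — the `sleep 120` likely masks that, but it is worth knowing when this helper flakes.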
20 changes: 11 additions & 9 deletions pkg/controller/perconaservermongodb/ssl.go
Expand Up @@ -191,7 +191,7 @@ func (r *ReconcilePerconaServerMongoDB) createSSLByCertManager(ctx context.Conte
return nil
}

caSecret, err := r.getSecret(ctx, cr, tls.CACertificateSecretName(cr))
caSecret, err := r.getSecret(ctx, cr, tls.CertificateCA(cr).SecretName())
if err != nil {
if k8serr.IsNotFound(err) {
return nil
Expand Down Expand Up @@ -393,14 +393,15 @@ func (r *ReconcilePerconaServerMongoDB) applyCertManagerCertificates(ctx context
return "", errors.Wrap(err, "apply ca issuer")
}

caCert := tls.CertificateCA(cr)
err = applyFunc(func() (util.ApplyStatus, error) {
return c.ApplyCACertificate(ctx, cr)
return c.ApplyCertificate(ctx, cr, caCert)
})
if err != nil {
return "", errors.Wrap(err, "create ca certificate")
}

err = c.WaitForCerts(ctx, cr, tls.CACertificateSecretName(cr))
err = c.WaitForCerts(ctx, cr, caCert)
if err != nil {
return "", errors.Wrap(err, "failed to wait for ca cert")
}
Expand All @@ -413,26 +414,27 @@ func (r *ReconcilePerconaServerMongoDB) applyCertManagerCertificates(ctx context
return "", errors.Wrap(err, "create issuer")
}

tlsCert := tls.CertificateTLS(cr, false)
err = applyFunc(func() (util.ApplyStatus, error) {
return c.ApplyCertificate(ctx, cr, false)
return c.ApplyCertificate(ctx, cr, tlsCert)
})
if err != nil {
return "", errors.Wrap(err, "create certificate")
}

secretNames := []string{tls.CertificateSecretName(cr, false)}
certificates := []tls.Certificate{tlsCert}

if tls.CertificateSecretName(cr, false) != tls.CertificateSecretName(cr, true) {
if internalCert := tls.CertificateTLS(cr, true); tlsCert.SecretName() != internalCert.SecretName() {
err = applyFunc(func() (util.ApplyStatus, error) {
return c.ApplyCertificate(ctx, cr, true)
return c.ApplyCertificate(ctx, cr, internalCert)
})
if err != nil {
return "", errors.Wrap(err, "create certificate")
}
secretNames = append(secretNames, tls.CertificateSecretName(cr, true))
certificates = append(certificates, internalCert)
}

err = c.WaitForCerts(ctx, cr, secretNames...)
err = c.WaitForCerts(ctx, cr, certificates...)
if err != nil {
return "", errors.Wrap(err, "failed to wait for certs")
}
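Review bot: Both `errors.Wrap(err, "create certificate")` sites now cover different certificates — the first wraps the tlsCert apply, the second (inside the `if internalCert := ...` branch) wraps the internal one — so a failure log cannot say which certificate could not be applied; the second should read `return "", errors.Wrap(err, "create internal certificate")`. Otherwise the hunk is a faithful mechanical move from secret-name strings to tls.Certificate values, and the `SecretName()` comparison preserves the old "skip the internal cert when both map to the same secret" behaviour. applyCertManagerCertificates both starts and ends outside this hunk.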
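--- /dev/null
+++ b/pkg/psmdb/tls/certificate.go
@@ -0,0 +1,135 @@
+package tls
+
+import (
+"time"
+
+cm "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1"
+"github.com/percona/percona-server-mongodb-operator/pkg/naming"
+)
+
+type Certificate interface {
+Name() string
+SecretName() string
+Object() *cm.Certificate
+}
+
+type caCert struct {
+cr *api.PerconaServerMongoDB
+}
+
+func CertificateCA(cr *api.PerconaServerMongoDB) Certificate {
+return &caCert{
+cr: cr,
+}
+}
+
+func (c *caCert) Name() string {
+return c.cr.Name + "-ca-cert"
+}
+
+func (c *caCert) SecretName() string {
+return c.Name()
+}
+
+func (c *caCert) Object() *cm.Certificate {
+cr := c.cr
+
+labels := naming.ClusterLabels(cr)
+if cr.CompareVersion("1.17.0") < 0 {
+labels = nil
+}
+return &cm.Certificate{
+ObjectMeta: metav1.ObjectMeta{
+Name: c.Name(),
+Namespace: cr.Namespace,
+Labels: labels,
+},
+Spec: cm.CertificateSpec{
+SecretName: c.SecretName(),
+CommonName: cr.Name + "-ca",
+IsCA: true,
+IssuerRef: cmmeta.ObjectReference{
+Name: caIssuerName(cr),
+Kind: cm.IssuerKind,
+},
+Duration: &metav1.Duration{Duration: time.Hour * 24 * 365},
+RenewBefore: &metav1.Duration{Duration: 730 * time.Hour},
+},
+}
+}
+
+type tlsCert struct {
+cr *api.PerconaServerMongoDB
+
+internal bool
+}
+
+func CertificateTLS(cr *api.PerconaServerMongoDB, internal bool) Certificate {
+return &tlsCert{
+cr: cr,
+internal: internal,
+}
+}
+
+func (c *tlsCert) Name() string {
+if c.internal {
+return c.cr.Name + "-ssl-internal"
+}
+return c.cr.Name + "-ssl"
+}
+
+func (c *tlsCert) SecretName() string {
+if c.internal {
+return api.SSLInternalSecretName(c.cr)
+}
+
+return api.SSLSecretName(c.cr)
+}
+
+func (c *tlsCert) Object() *cm.Certificate {
+cr := c.cr
+
+issuerKind := cm.IssuerKind
+issuerGroup := ""
+if cr.CompareVersion("1.16.0") >= 0 && cr.Spec.TLS != nil && cr.Spec.TLS.IssuerConf != nil {
+issuerKind = cr.Spec.TLS.IssuerConf.Kind
+issuerGroup = cr.Spec.TLS.IssuerConf.Group
+
+}
+isCA := false
+if cr.CompareVersion("1.15.0") < 0 {
+isCA = true
+}
+
+labels := naming.ClusterLabels(cr)
+if cr.CompareVersion("1.17.0") < 0 {
+labels = nil
+}
+
+return &cm.Certificate{
+ObjectMeta: metav1.ObjectMeta{
+Name: c.Name(),
+Namespace: cr.Namespace,
+Labels: labels,
+},
+Spec: cm.CertificateSpec{
+Subject: &cm.X509Subject{
+Organizations: []string{"PSMDB"},
+},
+CommonName: cr.Name,
+SecretName: c.SecretName(),
+DNSNames: GetCertificateSans(cr),
+IsCA: isCA,
+Duration: &cr.Spec.TLS.CertValidityDuration,
+IssuerRef: cmmeta.ObjectReference{
+Name: issuerName(cr),
+Kind: issuerKind,
+Group: issuerGroup,
+},
+},
+}
+}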
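Review bot: `Duration: &cr.Spec.TLS.CertValidityDuration` in tlsCert.Object dereferences cr.Spec.TLS unconditionally, while the issuer block a few lines earlier in the same function guards on `cr.Spec.TLS != nil`; either that guard is dead or this line can panic on a CR whose Spec.TLS is nil (defaulting may fill it in before reconciliation reaches here — that is not visible in this file — but the two sites should at least agree). Taking the duration only when Spec.TLS is set, and otherwise leaving it nil so cert-manager applies its own default, removes the inconsistency. Separately, `IsCA: isCA` issues the serving/internal certificates with CA:TRUE for CRs older than 1.15.0; that is evidently a compatibility shim, but a leaf certificate that can itself sign certificates deserves a comment such as `// pre-1.15.0 clusters expect the ssl cert to carry CA:TRUE; newer CRs get a proper leaf cert`. The exported Certificate, CertificateCA and CertificateTLS also lack doc comments.
```go
	// … unchanged: issuerKind/issuerGroup, isCA and labels …
	var duration *metav1.Duration
	if cr.Spec.TLS != nil {
		duration = &cr.Spec.TLS.CertValidityDuration
	}
	// … unchanged: ObjectMeta and the rest of the spec …
			Duration: duration,
```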