From 917ad77cfd498d8572fb56661dcbd56cf5af7326 Mon Sep 17 00:00:00 2001 From: George Kechagias Date: Mon, 15 Dec 2025 14:28:37 +0200 Subject: [PATCH 01/10] K8SPSMDB-1359 control the disabling of the authorization through mongo config --- pkg/apis/psmdb/v1/psmdb_types.go | 21 +++++++++++++++++++++ pkg/psmdb/container.go | 26 +++++++++++++++++++------- 2 files changed, 40 insertions(+), 7 deletions(-) diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go index 4cfcae332a..15fd6204d7 100644 --- a/pkg/apis/psmdb/v1/psmdb_types.go +++ b/pkg/apis/psmdb/v1/psmdb_types.go @@ -628,6 +628,27 @@ func (conf MongoConfiguration) QuietEnabled() bool { return b } +// IsAuthorizationEnabled returns whether mongo config has `authorization` enabled under `security` section. +// If `authorization` or `security` sections are not present, returns true (enabled by default). +// The authorization can be set to "enabled" or "disabled" as per MongoDB documentation. +// https://www.mongodb.com/docs/manual/reference/configuration-options/#mongodb-setting-security.authorization +func (conf MongoConfiguration) IsAuthorizationEnabled() bool { + m, err := conf.GetOptions("security") + if err != nil || m == nil { + return true + } + v, ok := m["authorization"] + if !ok { + return true + } + + if str, ok := v.(string); ok { + return str != "disabled" + } + + return true +} + // GetPort returns the net.port of the mongo configuration. // https://www.mongodb.com/docs/manual/reference/configuration-options/#mongodb-setting-net.port func (conf MongoConfiguration) GetPort() (int32, error) { diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go index ab527afcad..d00a3d716c 100644 --- a/pkg/psmdb/container.go +++ b/pkg/psmdb/container.go 
@@ -195,17 +195,29 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a // TODO(andrew): in the safe mode `sslAllowInvalidCertificates` should be set only with the external services args := []string{ "--bind_ip_all", - "--auth", - "--dbpath=" + config.MongodContainerDataDir, - "--port=" + strconv.Itoa(int(replset.GetPort())), - "--replSet=" + replset.Name, - "--storageEngine=" + string(replset.Storage.Engine), - "--relaxPermChecks", } + if replset.Configuration.IsAuthorizationEnabled() { + args = append(args, "--auth") + } + + args = append(args, + "--dbpath="+config.MongodContainerDataDir, + "--port="+strconv.Itoa(int(replset.GetPort())), + "--replSet="+replset.Name, + "--storageEngine="+string(replset.Storage.Engine), + "--relaxPermChecks", + ) + name, err := replset.CustomReplsetName() if err == nil { - args[4] = "--replSet=" + name + // Update the replSet argument with the custom name + for i, arg := range args { + if len(arg) >= 9 && arg[:9] == "--replSet" { + args[i] = "--replSet=" + name + break + } + } } if *cr.Spec.TLS.AllowInvalidCertificates || cr.CompareVersion("1.16.0") < 0 { From a9fe6412c467830d030d281478e00c7dfd8bd009 Mon Sep 17 00:00:00 2001 From: George Kechagias Date: Tue, 16 Dec 2025 12:05:14 +0200 Subject: [PATCH 02/10] add tests --- deploy/cr.yaml | 4 +- .../compare/statefulset_one-pod-rs0-oc.yml | 1 - .../statefulset_one-pod-rs0-secret-oc.yml | 1 - .../statefulset_one-pod-rs0-secret.yml | 1 - .../compare/statefulset_one-pod-rs0.yml | 1 - e2e-tests/one-pod/conf/one-pod-rs0.yml | 1 + e2e-tests/one-pod/run | 6 ++ pkg/apis/psmdb/v1/psmdb_types.go | 2 - pkg/apis/psmdb/v1/psmdb_types_test.go | 63 +++++++++++++++++++ pkg/psmdb/container.go | 4 ++ 10 files changed, 76 insertions(+), 8 deletions(-) diff --git a/deploy/cr.yaml b/deploy/cr.yaml index 185a68fc90..84d427fc6e 100644 --- a/deploy/cr.yaml +++ b/deploy/cr.yaml 
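Review bot: Locating `--replSet` after the fact with `len(arg) >= 9 && arg[:9] == "--replSet"` is fragile — it matches any argument that happens to start with those nine characters, and the loop exists only because `--auth` is now optional. Resolving the custom name before the slice is built removes the search entirely and keeps the argument order the compare fixtures expect; the rewrite below assumes `err` from `CustomReplsetName()` is not reused further down in `containerArgs`, whose body starts and ends outside this hunk.
```go
	// Resolve the replset name once, before args is built, so no argument
	// has to be located and patched afterwards.
	rsName := replset.Name
	if name, err := replset.CustomReplsetName(); err == nil {
		rsName = name
	}
	// … unchanged: args initialisation and the optional --auth …
	args = append(args,
		"--dbpath="+config.MongodContainerDataDir,
		"--port="+strconv.Itoa(int(replset.GetPort())),
		"--replSet="+rsName,
		"--storageEngine="+string(replset.Storage.Engine),
		"--relaxPermChecks",
	)
	// … the CustomReplsetName block and its search loop are dropped …
```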
@@ -109,8 +109,8 @@ spec: # - host: 34.124.76.92 # # for more configuration fields refer to https://docs.mongodb.com/manual/reference/configuration-options/ # configuration: | -# operationProfiling: -# mode: slowOp +# security: +# authorization: "disabled" # systemLog: # verbosity: 1 # storage: diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml index 78d0bb10f5..da15d00451 100644 --- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml +++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml @@ -54,7 +54,6 @@ spec: containers: - args: - --bind_ip_all - - --auth - --dbpath=/data/db - --port=27017 - --replSet=rs0 diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml index 023d683b7d..673f5f32b9 100644 --- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml +++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml @@ -54,7 +54,6 @@ spec: containers: - args: - --bind_ip_all - - --auth - --dbpath=/data/db - --port=27017 - --replSet=rs0 diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml index 03f1ec7036..ce5400a466 100644 --- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml +++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml @@ -54,7 +54,6 @@ spec: containers: - args: - --bind_ip_all - - --auth - --dbpath=/data/db - --port=27017 - --replSet=rs0 diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml index 7aa96c994d..0167ffbb27 100644 --- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml +++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml @@ -54,7 +54,6 @@ spec: containers: - args: - --bind_ip_all - - --auth - --dbpath=/data/db - --port=27017 - --replSet=rs0 
diff --git a/e2e-tests/one-pod/conf/one-pod-rs0.yml b/e2e-tests/one-pod/conf/one-pod-rs0.yml index 2e5b960282..e592b05f71 100644 --- a/e2e-tests/one-pod/conf/one-pod-rs0.yml +++ b/e2e-tests/one-pod/conf/one-pod-rs0.yml @@ -24,6 +24,7 @@ spec: security: redactClientLogData: false enableEncryption: false + authorization: disabled setParameter: ttlMonitorSleepSecs: 60 wiredTigerConcurrentReadTransactions: 128 diff --git a/e2e-tests/one-pod/run b/e2e-tests/one-pod/run index 39a8e6f3ea..ecea6d03d7 100755 --- a/e2e-tests/one-pod/run +++ b/e2e-tests/one-pod/run @@ -38,6 +38,12 @@ main() { spinup_psmdb "$cluster" "$test_dir/conf/$cluster.yml" "1" wait_cluster_consistency "${cluster/-rs0/}" + desc 'verify connection works WITHOUT authentication given that auth is disabled' + run_mongo \ + 'db.version()' \ + "$cluster.$namespace" \ + "mongodb" + desc 'check if service and pvc created with expected config' compare_kubectl service/$cluster compare_kubectl "pvc/mongod-data-one-pod-rs0-0" diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go index 15fd6204d7..dba8c80652 100644 --- a/pkg/apis/psmdb/v1/psmdb_types.go +++ b/pkg/apis/psmdb/v1/psmdb_types.go @@ -629,8 +629,6 @@ func (conf MongoConfiguration) QuietEnabled() bool { } // IsAuthorizationEnabled returns whether mongo config has `authorization` enabled under `security` section. -// If `authorization` or `security` sections are not present, returns true (enabled by default). -// The authorization can be set to "enabled" or "disabled" as per MongoDB documentation. // https://www.mongodb.com/docs/manual/reference/configuration-options/#mongodb-setting-security.authorization func (conf MongoConfiguration) IsAuthorizationEnabled() bool { m, err := conf.GetOptions("security") diff --git a/pkg/apis/psmdb/v1/psmdb_types_test.go b/pkg/apis/psmdb/v1/psmdb_types_test.go index 3bbdc63a4f..da70dc0343 100644 --- a/pkg/apis/psmdb/v1/psmdb_types_test.go +++ b/pkg/apis/psmdb/v1/psmdb_types_test.go 
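Review bot: Dropping the two sentences about the default leaves `IsAuthorizationEnabled` documented only by a URL, while the behaviour the operator actually depends on — what happens when the `security` section is missing, the value is not a string, or it is some string other than "disabled" — is now stated nowhere. I would keep one line in the doc comment: `// A missing security/authorization setting, a non-string value or any string other than "disabled" counts as enabled (fail closed).` The function body continues past the end of this hunk.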
@@ -146,6 +146,69 @@ func TestReplsetSpec_GetPort(t *testing.T) { } } +func TestMongoConfiguration_IsAuthorizationEnabled(t *testing.T) { + tests := map[string]struct { + conf MongoConfiguration + expected bool + }{ + "no security section": { + conf: `systemLog: + verbosity: 1`, + expected: true, + }, + "empty config": { + conf: MongoConfiguration(""), + expected: true, + }, + "security section without authorization": { + conf: `security: + keyFile: /etc/mongodb-keyfile`, + expected: true, + }, + "authorization explicitly enabled": { + conf: `security: + authorization: enabled`, + expected: true, + }, + "authorization explicitly disabled": { + conf: `security: + authorization: disabled`, + expected: false, + }, + "authorization with other string value": { + conf: `security: + authorization: someOtherValue`, + expected: true, + }, + "authorization with empty string": { + conf: `security: + authorization: ""`, + expected: true, + }, + "complete security config with authorization enabled": { + conf: `security: + keyFile: /etc/mongodb-keyfile + authorization: enabled + clusterAuthMode: keyFile`, + expected: true, + }, + "complete security config with authorization disabled": { + conf: `security: + keyFile: /etc/mongodb-keyfile + authorization: disabled + clusterAuthMode: keyFile`, + expected: false, + }, + } + + for name, tt := range tests { + t.Run(name, func(t *testing.T) { + result := tt.conf.IsAuthorizationEnabled() + assert.Equal(t, tt.expected, result) + }) + } +} + func TestBackupSpec_MainStorage(t *testing.T) { tests := map[string]struct { spec BackupSpec diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go index d00a3d716c..13c0e08d1f 100644 --- a/pkg/psmdb/container.go +++ b/pkg/psmdb/container.go 
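Review bot: Every case feeds a string value, so the non-string fall-through in `IsAuthorizationEnabled` (the final `return true` after the `v.(string)` assertion) is never pinned by a test. A YAML boolean would presumably reach that path if `GetOptions` decodes scalars natively; a constructed case such as `"authorization with non-string value": {conf: "security:\n  authorization: false", expected: true},` would document that the predicate fails closed there, and `authorization: Disabled` (different case) deserves a case for the same reason since the comparison is exact.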
@@ -197,6 +197,10 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a "--bind_ip_all", } + if cr.CompareVersion("1.22.0") < 0 { + args = append(args, "--auth") + } + if replset.Configuration.IsAuthorizationEnabled() { args = append(args, "--auth") } From cfc6f42cd05c80aabdb45cd26c0de1bec5c4faa6 Mon Sep 17 00:00:00 2001 From: George Kechagias Date: Tue, 16 Dec 2025 12:15:23 +0200 Subject: [PATCH 03/10] improve logic for cr check --- pkg/psmdb/container.go | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go index 13c0e08d1f..1bea6bce79 100644 --- a/pkg/psmdb/container.go +++ b/pkg/psmdb/container.go @@ -197,14 +197,6 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a "--bind_ip_all", } - if cr.CompareVersion("1.22.0") < 0 { - args = append(args, "--auth") - } - - if replset.Configuration.IsAuthorizationEnabled() { - args = append(args, "--auth") - } - args = append(args, "--dbpath="+config.MongodContainerDataDir, "--port="+strconv.Itoa(int(replset.GetPort())), @@ -213,6 +205,10 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a "--relaxPermChecks", ) + if cr.CompareVersion("1.22.0") < 0 || replset.Configuration.IsAuthorizationEnabled() { + args = append(args, "--auth") + } + name, err := replset.CustomReplsetName() if err == nil { // Update the replSet argument with the custom name From 1ab9fa649ec0e82a66aca9206e61006713e46ea3 Mon Sep 17 00:00:00 2001 From: George Kechagias Date: Tue, 16 Dec 2025 12:19:20 +0200 Subject: [PATCH 04/10] improve comment --- pkg/psmdb/container.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go index 1bea6bce79..b1fbd22517 100644 --- a/pkg/psmdb/container.go +++ b/pkg/psmdb/container.go 
@@ -211,7 +211,7 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a name, err := replset.CustomReplsetName() if err == nil { - // Update the replSet argument with the custom name + // given that --auth option is optional, we cannot rely on the fixed hardcoded index. for i, arg := range args { if len(arg) >= 9 && arg[:9] == "--replSet" { args[i] = "--replSet=" + name From be15ef97858422a6a268bbc51abd4fed3b8a4c09 Mon Sep 17 00:00:00 2001 From: George Kechagias Date: Tue, 16 Dec 2025 12:39:01 +0200 Subject: [PATCH 05/10] bring back the auth order --- pkg/psmdb/container.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go index b1fbd22517..5994fa2433 100644 --- a/pkg/psmdb/container.go +++ b/pkg/psmdb/container.go @@ -197,6 +197,10 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a "--bind_ip_all", } + if cr.CompareVersion("1.22.0") < 0 || replset.Configuration.IsAuthorizationEnabled() { + args = append(args, "--auth") + } + args = append(args, "--dbpath="+config.MongodContainerDataDir, "--port="+strconv.Itoa(int(replset.GetPort())), @@ -205,10 +209,6 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a "--relaxPermChecks", ) - if cr.CompareVersion("1.22.0") < 0 || replset.Configuration.IsAuthorizationEnabled() { - args = append(args, "--auth") - } - name, err := replset.CustomReplsetName() if err == nil { // given that --auth option is optional, we cannot rely on the fixed hardcoded index. From 59d9b08269742382ff207eae1efbf5f9a78f0b07 Mon Sep 17 00:00:00 2001 From: George Kechagias Date: Tue, 16 Dec 2025 12:45:21 +0200 Subject: [PATCH 06/10] restore default cr --- deploy/cr.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/cr.yaml b/deploy/cr.yaml index 84d427fc6e..185a68fc90 100644 --- a/deploy/cr.yaml +++ b/deploy/cr.yaml 
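Review bot: The condition `cr.CompareVersion("1.22.0") < 0 || replset.Configuration.IsAuthorizationEnabled()` encodes a compatibility decision — CRs below 1.22.0 keep the unconditional `--auth`, only 1.22.0+ can opt out through the mongod configuration — without saying so, and the back-and-forth earlier in this series shows how easily that intent gets lost on the next edit. A short comment above the `if` would do: `// CRs below 1.22.0 always ran with --auth; from 1.22.0 on, security.authorization in the mongod config decides.` `containerArgs` starts and ends outside this hunk.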
@@ -109,8 +109,8 @@ spec: # - host: 34.124.76.92 # # for more configuration fields refer to https://docs.mongodb.com/manual/reference/configuration-options/ # configuration: | -# security: -# authorization: "disabled" +# operationProfiling: +# mode: slowOp # systemLog: # verbosity: 1 # storage: From b87a66943a3732e302a5ac24cf7fa7d5ada36962 Mon Sep 17 00:00:00 2001 From: George Kechagias Date: Tue, 16 Dec 2025 15:11:30 +0200 Subject: [PATCH 07/10] remove one pod test changes --- e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml | 1 + .../one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml | 1 + .../one-pod/compare/statefulset_one-pod-rs0-secret.yml | 1 + e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml | 1 + e2e-tests/one-pod/conf/one-pod-rs0.yml | 1 - e2e-tests/one-pod/run | 6 ------ 6 files changed, 4 insertions(+), 7 deletions(-) diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml index da15d00451..78d0bb10f5 100644 --- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml +++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-oc.yml @@ -54,6 +54,7 @@ spec: containers: - args: - --bind_ip_all + - --auth - --dbpath=/data/db - --port=27017 - --replSet=rs0 diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml index 673f5f32b9..023d683b7d 100644 --- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml +++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret-oc.yml @@ -54,6 +54,7 @@ spec: containers: - args: - --bind_ip_all + - --auth - --dbpath=/data/db - --port=27017 - --replSet=rs0 diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml index ce5400a466..03f1ec7036 100644 --- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml 
+++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0-secret.yml @@ -54,6 +54,7 @@ spec: containers: - args: - --bind_ip_all + - --auth - --dbpath=/data/db - --port=27017 - --replSet=rs0 diff --git a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml index 0167ffbb27..7aa96c994d 100644 --- a/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml +++ b/e2e-tests/one-pod/compare/statefulset_one-pod-rs0.yml @@ -54,6 +54,7 @@ spec: containers: - args: - --bind_ip_all + - --auth - --dbpath=/data/db - --port=27017 - --replSet=rs0 diff --git a/e2e-tests/one-pod/conf/one-pod-rs0.yml b/e2e-tests/one-pod/conf/one-pod-rs0.yml index e592b05f71..2e5b960282 100644 --- a/e2e-tests/one-pod/conf/one-pod-rs0.yml +++ b/e2e-tests/one-pod/conf/one-pod-rs0.yml @@ -24,7 +24,6 @@ spec: security: redactClientLogData: false enableEncryption: false - authorization: disabled setParameter: ttlMonitorSleepSecs: 60 wiredTigerConcurrentReadTransactions: 128 diff --git a/e2e-tests/one-pod/run b/e2e-tests/one-pod/run index ecea6d03d7..39a8e6f3ea 100755 --- a/e2e-tests/one-pod/run +++ b/e2e-tests/one-pod/run @@ -38,12 +38,6 @@ main() { spinup_psmdb "$cluster" "$test_dir/conf/$cluster.yml" "1" wait_cluster_consistency "${cluster/-rs0/}" - desc 'verify connection works WITHOUT authentication given that auth is disabled' - run_mongo \ - 'db.version()' \ - "$cluster.$namespace" \ - "mongodb" - desc 'check if service and pvc created with expected config' compare_kubectl service/$cluster compare_kubectl "pvc/mongod-data-one-pod-rs0-0" From 1c5de3b9194b7c66cf548bdb413cf4991f25a308 Mon Sep 17 00:00:00 2001 From: George Kechagias Date: Tue, 16 Dec 2025 20:03:06 +0200 Subject: [PATCH 08/10] when auth is disabled, skip tls config --- pkg/psmdb/container.go | 17 ++++++++++------- pkg/psmdb/mongos.go | 21 ++++++++++++--------- 2 files changed, 22 insertions(+), 16 deletions(-) 
diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go index 5994fa2433..e3cf24c2cd 100644 --- a/pkg/psmdb/container.go +++ b/pkg/psmdb/container.go @@ -224,13 +224,16 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a args = append(args, "--sslAllowInvalidCertificates") } - if cr.Spec.Secrets.InternalKey != "" || (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || (!cr.TLSEnabled() && cr.UnsafeTLSDisabled()) { - args = append(args, - "--clusterAuthMode=keyFile", - "--keyFile="+config.MongodSecretsDir+"/mongodb-key", - ) - } else if cr.TLSEnabled() { - args = append(args, "--clusterAuthMode=x509") + authorizationDisabled := cr.CompareVersion("1.22.0") >= 0 && !replset.Configuration.IsAuthorizationEnabled() + if !authorizationDisabled { + if cr.Spec.Secrets.InternalKey != "" || (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || (!cr.TLSEnabled() && cr.UnsafeTLSDisabled()) { + args = append(args, + "--clusterAuthMode=keyFile", + "--keyFile="+config.MongodSecretsDir+"/mongodb-key", + ) + } else if cr.TLSEnabled() { + args = append(args, "--clusterAuthMode=x509") + } } if cr.CompareVersion("1.16.0") >= 0 { diff --git a/pkg/psmdb/mongos.go b/pkg/psmdb/mongos.go index 28e461ec02..a8399428fa 100644 --- a/pkg/psmdb/mongos.go +++ b/pkg/psmdb/mongos.go 
@@ -256,15 +256,18 @@ func mongosContainerArgs(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgIn "--relaxPermChecks", }...) - if cr.Spec.Secrets.InternalKey != "" || (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || (!cr.TLSEnabled() && cr.UnsafeTLSDisabled()) { - args = append(args, - "--clusterAuthMode=keyFile", - "--keyFile="+config.MongodSecretsDir+"/mongodb-key", - ) - } else if cr.TLSEnabled() { - args = append(args, - "--clusterAuthMode=x509", - ) + authorizationDisabled := cr.CompareVersion("1.22.0") >= 0 && !cfgRs.Configuration.IsAuthorizationEnabled() + if !authorizationDisabled { + if cr.Spec.Secrets.InternalKey != "" || (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || (!cr.TLSEnabled() && cr.UnsafeTLSDisabled()) { + args = append(args, + "--clusterAuthMode=keyFile", + "--keyFile="+config.MongodSecretsDir+"/mongodb-key", + ) + } else if cr.TLSEnabled() { + args = append(args, + "--clusterAuthMode=x509", + ) + } } if cr.CompareVersion("1.16.0") >= 0 { From f4590b81ad318c4bb47c406b76830c41d47dfc69 Mon Sep 17 00:00:00 2001 From: George Kechagias Date: Wed, 17 Dec 2025 11:47:27 +0200 Subject: [PATCH 09/10] remove tls disabling if auth is disabled --- pkg/psmdb/container.go | 17 +++++++---------- pkg/psmdb/mongos.go | 21 +++++++++------------ 2 files changed, 16 insertions(+), 22 deletions(-) diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go index e3cf24c2cd..5994fa2433 100644 --- a/pkg/psmdb/container.go +++ b/pkg/psmdb/container.go 
@@ -224,16 +224,13 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a args = append(args, "--sslAllowInvalidCertificates") } - authorizationDisabled := cr.CompareVersion("1.22.0") >= 0 && !replset.Configuration.IsAuthorizationEnabled() - if !authorizationDisabled { - if cr.Spec.Secrets.InternalKey != "" || (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || (!cr.TLSEnabled() && cr.UnsafeTLSDisabled()) { - args = append(args, - "--clusterAuthMode=keyFile", - "--keyFile="+config.MongodSecretsDir+"/mongodb-key", - ) - } else if cr.TLSEnabled() { - args = append(args, "--clusterAuthMode=x509") - } + if cr.Spec.Secrets.InternalKey != "" || (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || (!cr.TLSEnabled() && cr.UnsafeTLSDisabled()) { + args = append(args, + "--clusterAuthMode=keyFile", + "--keyFile="+config.MongodSecretsDir+"/mongodb-key", + ) + } else if cr.TLSEnabled() { + args = append(args, "--clusterAuthMode=x509") } if cr.CompareVersion("1.16.0") >= 0 { diff --git a/pkg/psmdb/mongos.go b/pkg/psmdb/mongos.go index a8399428fa..28e461ec02 100644 --- a/pkg/psmdb/mongos.go +++ b/pkg/psmdb/mongos.go 
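Review bot: After this revert the `--clusterAuthMode=keyFile` / `--keyFile=...` branch is emitted even for a 1.22.0+ CR whose mongod config has `security.authorization: disabled`, where `--auth` is omitted a few lines above this hunk; as far as I recall, MongoDB's documentation describes internal keyFile authentication as also enforcing client access control, so the intended behaviour presumably relies on the explicit config value overriding the implied one. That is the contract the new disabled-auth e2e test exercises, but nothing in the code records it; a comment above the `if`, e.g. `// Internal (keyFile/x509) member authentication stays on regardless of security.authorization; only the client-side --auth is made optional.`, would stop the next person from reintroducing the gating that patch 08 added. The same applies to the mongos.go hunk in this commit; `containerArgs` continues on both sides of the hunk.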
@@ -256,18 +256,15 @@ func mongosContainerArgs(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgIn "--relaxPermChecks", }...) - authorizationDisabled := cr.CompareVersion("1.22.0") >= 0 && !cfgRs.Configuration.IsAuthorizationEnabled() - if !authorizationDisabled { - if cr.Spec.Secrets.InternalKey != "" || (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || (!cr.TLSEnabled() && cr.UnsafeTLSDisabled()) { - args = append(args, - "--clusterAuthMode=keyFile", - "--keyFile="+config.MongodSecretsDir+"/mongodb-key", - ) - } else if cr.TLSEnabled() { - args = append(args, - "--clusterAuthMode=x509", - ) - } + if cr.Spec.Secrets.InternalKey != "" || (cr.TLSEnabled() && cr.Spec.TLS.Mode == api.TLSModeAllow) || (!cr.TLSEnabled() && cr.UnsafeTLSDisabled()) { + args = append(args, + "--clusterAuthMode=keyFile", + "--keyFile="+config.MongodSecretsDir+"/mongodb-key", + ) + } else if cr.TLSEnabled() { + args = append(args, + "--clusterAuthMode=x509", + ) } if cr.CompareVersion("1.16.0") >= 0 { From 3fd2715eed9c67bebdca213874b67b819cadbc4b Mon Sep 17 00:00:00 2001 From: George Kechagias Date: Wed, 17 Dec 2025 13:08:45 +0200 Subject: [PATCH 10/10] add e2e test structure --- e2e-tests/disabled-auth/conf/backup-minio.yml | 9 ++ .../disabled-auth/conf/cluster-no-auth.yml | 128 +++++++++++++++ .../disabled-auth/conf/cluster-with-auth.yml | 120 ++++++++++++++ e2e-tests/disabled-auth/conf/restore.yml | 7 + e2e-tests/disabled-auth/run | 151 ++++++++++++++++++ 5 files changed, 415 insertions(+) create mode 100644 e2e-tests/disabled-auth/conf/backup-minio.yml create mode 100644 e2e-tests/disabled-auth/conf/cluster-no-auth.yml create mode 100644 e2e-tests/disabled-auth/conf/cluster-with-auth.yml create mode 100644 e2e-tests/disabled-auth/conf/restore.yml create mode 100755 e2e-tests/disabled-auth/run diff --git a/e2e-tests/disabled-auth/conf/backup-minio.yml b/e2e-tests/disabled-auth/conf/backup-minio.yml new file mode 100644 index 0000000000..9549c64fdf --- /dev/null 
+++ b/e2e-tests/disabled-auth/conf/backup-minio.yml @@ -0,0 +1,9 @@ +apiVersion: psmdb.percona.com/v1 +kind: PerconaServerMongoDBBackup +metadata: + finalizers: + - percona.com/delete-backup + name: backup-minio +spec: + clusterName: some-name + storageName: minio \ No newline at end of file diff --git a/e2e-tests/disabled-auth/conf/cluster-no-auth.yml b/e2e-tests/disabled-auth/conf/cluster-no-auth.yml new file mode 100644 index 0000000000..4486a98264 --- /dev/null +++ b/e2e-tests/disabled-auth/conf/cluster-no-auth.yml 
@@ -0,0 +1,128 @@ +apiVersion: psmdb.percona.com/v1 +kind: PerconaServerMongoDB +metadata: + name: some-name +spec: + image: + imagePullPolicy: Always + updateStrategy: SmartUpdate + tls: + mode: disabled + unsafeFlags: + tls: true + backup: + enabled: true + image: perconalab/percona-server-mongodb-operator:1.1.0-backup + storages: + minio: + type: s3 + s3: + credentialsSecret: minio-secret + region: us-east-1 + bucket: operator-testing + endpointUrl: http://minio-service:9000/ + insecureSkipTLSVerify: false + sharding: + enabled: true + + configsvrReplSet: + size: 3 + affinity: + antiAffinityTopologyKey: none + configuration: | + net: + port: 27018 + security: + authorization: disabled + volumeSpec: + persistentVolumeClaim: + resources: + requests: + storage: 3Gi + expose: + enabled: true + type: ClusterIP + + mongos: + size: 3 + affinity: + antiAffinityTopologyKey: none + configuration: | + net: + port: 27019 + expose: + type: ClusterIP + + replsets: + - name: rs0 + affinity: + antiAffinityTopologyKey: none + expose: + enabled: true + type: ClusterIP + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 0.1G + volumeSpec: + persistentVolumeClaim: + resources: + requests: + storage: 1Gi + size: 3 + configuration: | + net: + port: 27016 + security: + authorization: disabled + - name: rs1 + affinity: + antiAffinityTopologyKey: none + expose: + enabled: true + type: ClusterIP + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 0.1G + volumeSpec: + persistentVolumeClaim: + resources: + requests: + storage: 1Gi + size: 3 + configuration: | + net: + port: 27016 + security: + authorization: disabled + - name: rs2 + affinity: + antiAffinityTopologyKey: none + expose: + enabled: true + type: ClusterIP + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 0.1G + volumeSpec: + persistentVolumeClaim: + resources: + requests: + storage: 1Gi + size: 3 + configuration: | + net: + port: 27016 + 
security: + authorization: disabled \ No newline at end of file diff --git a/e2e-tests/disabled-auth/conf/cluster-with-auth.yml b/e2e-tests/disabled-auth/conf/cluster-with-auth.yml new file mode 100644 index 0000000000..681e3d4f0b --- /dev/null +++ b/e2e-tests/disabled-auth/conf/cluster-with-auth.yml 
@@ -0,0 +1,120 @@ +apiVersion: psmdb.percona.com/v1 +kind: PerconaServerMongoDB +metadata: + name: some-name +spec: + image: + imagePullPolicy: Always + updateStrategy: SmartUpdate + tls: + mode: disabled + unsafeFlags: + tls: true + backup: + enabled: true + image: perconalab/percona-server-mongodb-operator:1.1.0-backup + storages: + minio: + type: s3 + s3: + credentialsSecret: minio-secret + region: us-east-1 + bucket: operator-testing + endpointUrl: http://minio-service:9000/ + insecureSkipTLSVerify: false + sharding: + enabled: true + + configsvrReplSet: + size: 3 + affinity: + antiAffinityTopologyKey: none + configuration: | + net: + port: 27018 + volumeSpec: + persistentVolumeClaim: + resources: + requests: + storage: 3Gi + expose: + enabled: true + type: ClusterIP + + mongos: + size: 3 + affinity: + antiAffinityTopologyKey: none + configuration: | + net: + port: 27019 + expose: + type: ClusterIP + + replsets: + - name: rs0 + affinity: + antiAffinityTopologyKey: none + expose: + enabled: true + type: ClusterIP + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 0.1G + volumeSpec: + persistentVolumeClaim: + resources: + requests: + storage: 1Gi + size: 3 + configuration: | + net: + port: 27016 + - name: rs1 + affinity: + antiAffinityTopologyKey: none + expose: + enabled: true + type: ClusterIP + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 0.1G + volumeSpec: + persistentVolumeClaim: + resources: + requests: + storage: 1Gi + size: 3 + configuration: | + net: + port: 27016 + - name: rs2 + affinity: + antiAffinityTopologyKey: none + expose: + enabled: true + type: ClusterIP + resources: + limits: + cpu: 500m + memory: 1G + requests: + cpu: 100m + memory: 0.1G + volumeSpec: + persistentVolumeClaim: + resources: + requests: + storage: 1Gi + size: 3 + configuration: | + net: + port: 27016 
diff --git a/e2e-tests/disabled-auth/conf/restore.yml b/e2e-tests/disabled-auth/conf/restore.yml new file mode 100644 index 0000000000..ea8aa31053 --- /dev/null +++ b/e2e-tests/disabled-auth/conf/restore.yml @@ -0,0 +1,7 @@ +apiVersion: psmdb.percona.com/v1 +kind: PerconaServerMongoDBRestore +metadata: + name: +spec: + clusterName: some-name + backupName: \ No newline at end of file diff --git a/e2e-tests/disabled-auth/run b/e2e-tests/disabled-auth/run new file mode 100755 index 0000000000..e47ecb1d2c --- /dev/null +++ b/e2e-tests/disabled-auth/run 
@@ -0,0 +1,151 @@ +#!/bin/bash + +set -o errexit +set -o xtrace + +test_dir=$(realpath "$(dirname "$0")") +. "${test_dir}/../functions" +set_debug + +custom_port='27019' + +create_infra "$namespace" + +deploy_minio + +desc "create PSMDB sharded cluster without auth" +cluster="some-name" +kubectl_bin apply -f "$conf_dir/client.yml" + +apply_s3_storage_secrets + +apply_cluster "$test_dir/conf/cluster-no-auth.yml" + +desc 'wait for all pods to start' +wait_for_running $cluster-rs0 3 +wait_for_running $cluster-rs1 3 +wait_for_running $cluster-rs2 3 +wait_for_running $cluster-cfg 3 "false" +wait_for_running $cluster-mongos 3 + +sleep 10 + +desc 'write data without auth' +run_mongos \ + 'use myApp\n db.createCollection("test")' \ + "@$cluster-mongos.$namespace" "" "" "" "$custom_port" +run_mongos \ + 'use myApp\n db.test.insert({x: 100500})' \ + "@$cluster-mongos.$namespace" "" "" "" "$custom_port" + +desc 'verify data was written' +run_mongos \ + 'use myApp\n db.test.find()' \ + "@$cluster-mongos.$namespace" "" "" "" "$custom_port" + +desc 'wait for backup agents' +wait_backup_agent $cluster-rs0-0 +wait_backup_agent $cluster-rs1-0 +wait_backup_agent $cluster-rs2-0 + +backup_name_no_auth="backup-no-auth" + +desc 'run backup without auth' +run_backup minio ${backup_name_no_auth} +wait_backup "$backup_name_no_auth" + +sleep 5 + +desc 'insert new data without auth' +run_mongos \ + 'use myApp\n db.test.insert({x: 100501})' \ + "@$cluster-mongos.$namespace" "" "" "" "$custom_port" + +desc 'verify new data exists' +count_no_auth_after=$(run_mongos \ + 'use myApp\n db.test.find()' \ + "@$cluster-mongos.$namespace" "" "" "" "$custom_port") +echo "Find after insert: $count_no_auth_after" + +desc 'restore from backup (no auth)' +run_restore "$backup_name_no_auth" +wait_restore "$backup_name_no_auth" "$cluster" + +sleep 20 + +desc 'verify data was restored to original state' +count_no_auth_restored=$(run_mongos \ + 'use myApp\n db.test.find()' \ + "@$cluster-mongos.$namespace" "" 
"" "" "$custom_port") +echo "Find after restore: $count_no_auth_restored" + +desc 'enable authentication' +kubectl_bin apply -f "$conf_dir/secrets.yml" +apply_cluster "$test_dir/conf/cluster-with-auth.yml" + +desc 'wait for cluster to restart with auth enabled' +wait_for_running $cluster-rs0 3 +wait_for_running $cluster-rs1 3 +wait_for_running $cluster-rs2 3 +wait_for_running $cluster-cfg 3 "false" +wait_for_running $cluster-mongos 3 + +sleep 30 + +desc 'create users with auth enabled' +run_mongos \ + 'db.createUser({user:"myApp",pwd:"myPass",roles:[{db:"myApp",role:"readWrite"}]})' \ + "userAdmin:userAdmin123456@$cluster-mongos.$namespace" "" "" "" "$custom_port" + +desc 'verify existing data is still accessible with auth' +count_with_auth=$(run_mongos \ + 'use myApp\n db.test.find()' \ + "myApp:myPass@$cluster-mongos.$namespace" "" "" "" "$custom_port") +echo "Find with auth enabled: $count_with_auth" + +desc 'insert new data with auth' +run_mongos \ + 'use myApp\n db.test.insert({x: 200500})' \ + "myApp:myPass@$cluster-mongos.$namespace" "" "" "" "$custom_port" + +desc 'wait for backup agents after auth change' +wait_backup_agent $cluster-rs0-0 +wait_backup_agent $cluster-rs1-0 +wait_backup_agent $cluster-rs2-0 + +backup_name_with_auth="backup-with-auth" + +desc 'run backup with auth enabled' +run_backup minio ${backup_name_with_auth} +wait_backup "$backup_name_with_auth" + +sleep 5 + +desc 'insert more data with auth' +run_mongos \ + 'use myApp\n db.test.insert({x: 200501})' \ + "myApp:myPass@$cluster-mongos.$namespace" "" "" "" "$custom_port" + +desc 'verify new data exists' +count_with_auth_after=$(run_mongos \ + 'use myApp\n db.test.find()' \ + "myApp:myPass@$cluster-mongos.$namespace" "" "" "" "$custom_port") +echo "Find after insert with auth: $count_with_auth_after" + +desc 'restore from backup (with auth)' +run_restore "$backup_name_with_auth" +wait_restore "$backup_name_with_auth" "$cluster" + +sleep 10 + +desc 'verify data was restored to state before 
last insert' +count_with_auth_restored=$(run_mongos \ + 'use myApp\n db.test.find()' \ + "myApp:myPass@$cluster-mongos.$namespace" "" "" "" "$custom_port") +echo "Find after restore with auth: $count_with_auth_restored" + +desc 'cleanup backups' +kubectl_bin delete psmdb-backup --all + +destroy "$namespace" +desc 'test passed' \ No newline at end of file
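Review bot: None of the verification steps asserts anything: each `find()` result is captured into a variable and only `echo`ed (`echo "Find after restore: $count_no_auth_restored"` and the three similar lines), so a restore that returns the wrong rows still passes under `set -o errexit` as long as `run_mongos` exits zero. Compare each result with an expected fixture the way the other e2e tests do (the repository's compare helpers for mongos output, if that is what they use), or at least grep-check for the `x: 100500` / `x: 100501` values each stage is supposed to show. The fixed `sleep 10` / `sleep 30` waits and the empty-credential URI `"@$cluster-mongos.$namespace"` also deserve a second look, depending on how `run_mongos` builds the connection string.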