K8SPSMDB-755: Allow users to disallow invalid certificates (#1523)

* K8SPSMDB-755: Allow users to disallow invalid certificates

* add tests

* increase physical restore timeouts in tests

Author: egegunes

config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml

@@ -17296,6 +17296,8 @@ spec:
                 type: object
               tls:
                 properties:
+                  allowInvalidCertificates:
+                    type: boolean
                   certValidityDuration:
                     type: string
                   issuerConf:

deploy/bundle.yaml

@@ -17969,6 +17969,8 @@ spec:
                 type: object
               tls:
                 properties:
+                  allowInvalidCertificates:
+                    type: boolean
                   certValidityDuration:
                     type: string
                   issuerConf:

deploy/cr.yaml

@@ -18,6 +18,7 @@ spec:
 #    mode: preferTLS
 #    # 90 days in hours
 #    certValidityDuration: 2160h
+#    allowInvalidCertificates: true
 #    issuerConf:
 #      name: special-selfsigned-issuer
 #      kind: ClusterIssuer

deploy/crd.yaml

@@ -17969,6 +17969,8 @@ spec:
                 type: object
               tls:
                 properties:
+                  allowInvalidCertificates:
+                    type: boolean
                   certValidityDuration:
                     type: string
                   issuerConf:

deploy/cw-bundle.yaml

@@ -17969,6 +17969,8 @@ spec:
                 type: object
               tls:
                 properties:
+                  allowInvalidCertificates:
+                    type: boolean
                   certValidityDuration:
                     type: string
                   issuerConf:
@@ -18298,7 +18300,7 @@ spec:
       serviceAccountName: percona-server-mongodb-operator
       containers:
         - name: percona-server-mongodb-operator
-          image: perconalab/percona-server-mongodb-operator:main
+          image: perconalab/percona-server-mongodb-operator:k8spsmdb-755
           imagePullPolicy: Always
           livenessProbe:
             failureThreshold: 3

e2e-tests/demand-backup-physical-sharded/run

@@ -10,32 +10,32 @@ run_backup() {
 	local storage=$1
 	local backup_name=$2
 
-	cat $test_dir/conf/backup.yml \
-		| $sed -e "s/name:/name: ${backup_name}/" \
-		| $sed -e "s/storageName:/storageName: ${storage}/" \
-		| kubectl_bin apply -f -
+	cat $test_dir/conf/backup.yml |
+		$sed -e "s/name:/name: ${backup_name}/" |
+		$sed -e "s/storageName:/storageName: ${storage}/" |
+		kubectl_bin apply -f -
 }
 
 run_restore() {
 	local backup_name=$1
 
-	cat $test_dir/conf/restore.yml \
-		| $sed -e "s/name:/name: restore-${backup_name}/" \
-		| $sed -e "s/backupName:/backupName: ${backup_name}/" \
-		| kubectl_bin apply -f -
+	cat $test_dir/conf/restore.yml |
+		$sed -e "s/name:/name: restore-${backup_name}/" |
+		$sed -e "s/backupName:/backupName: ${backup_name}/" |
+		kubectl_bin apply -f -
 }
 
 run_recovery_check() {
 	local backup_name=$1
 	local compare_suffix=${2:-"_restore"}
 
-	wait_restore "${backup_name}" "${cluster}" "requested" "0" "900"
+	wait_restore "${backup_name}" "${cluster}" "requested" "0" "1200"
 	echo
 
 	compare_kubectl "statefulset/${cluster}-rs0" ${compare_suffix}
 
 	# we don't wait for cluster readiness here because the annotation gets removed then
-	wait_restore "${backup_name}" "${cluster}" "ready" "0" "1600"
+	wait_restore "${backup_name}" "${cluster}" "ready" "0" "1800"
 	kubectl_bin get psmdb ${cluster} -o yaml
 	if [ $(kubectl_bin get psmdb ${cluster} -o yaml | yq '.metadata.annotations."percona.com/resync-pbm"') == null ]; then
 		echo "psmdb/${cluster} should be annotated with percona.com/resync-pbm after a physical restore"
@@ -77,8 +77,8 @@ wait_for_running ${cluster}-cfg 3
 wait_for_running ${cluster}-mongos 3
 wait_cluster_consistency ${cluster}
 
-lbEndpoint=$(kubectl_bin get svc $cluster-mongos -o=jsonpath='{.status}' \
-	| jq -r 'select(.loadBalancer != null and .loadBalancer.ingress != null and .loadBalancer.ingress != []) | .loadBalancer.ingress[0][]')
+lbEndpoint=$(kubectl_bin get svc $cluster-mongos -o=jsonpath='{.status}' |
+	jq -r 'select(.loadBalancer != null and .loadBalancer.ingress != null and .loadBalancer.ingress != []) | .loadBalancer.ingress[0][]')
 if [ -z $lbEndpoint ]; then
 	echo "mongos service not exported correctly"
 	exit 1

e2e-tests/demand-backup-physical/run

@@ -10,32 +10,32 @@ run_backup() {
 	local storage=$1
 	local backup_name=$2
 
-	cat $test_dir/conf/backup.yml \
-		| $sed -e "s/name:/name: ${backup_name}/" \
-		| $sed -e "s/storageName:/storageName: ${storage}/" \
-		| kubectl_bin apply -f -
+	cat $test_dir/conf/backup.yml |
+		$sed -e "s/name:/name: ${backup_name}/" |
+		$sed -e "s/storageName:/storageName: ${storage}/" |
+		kubectl_bin apply -f -
 }
 
 run_restore() {
 	local backup_name=$1
 
-	cat $test_dir/conf/restore.yml \
-		| $sed -e "s/name:/name: restore-${backup_name}/" \
-		| $sed -e "s/backupName:/backupName: ${backup_name}/" \
-		| kubectl_bin apply -f -
+	cat $test_dir/conf/restore.yml |
+		$sed -e "s/name:/name: restore-${backup_name}/" |
+		$sed -e "s/backupName:/backupName: ${backup_name}/" |
+		kubectl_bin apply -f -
 }
 
 run_recovery_check() {
 	local backup_name=$1
 	local compare_suffix=${2:-"_restore"}
 
-	wait_restore "${backup_name}" "${cluster}" "requested" "0" "900"
+	wait_restore "${backup_name}" "${cluster}" "requested" "0" "1200"
 	echo
 
 	compare_kubectl "statefulset/${cluster}-rs0" ${compare_suffix}
 
 	# we don't wait for cluster readiness here because the annotation gets removed then
-	wait_restore "${backup_name}" "${cluster}" "ready" "0" "1600"
+	wait_restore "${backup_name}" "${cluster}" "ready" "0" "1800"
 	kubectl_bin get psmdb ${cluster} -o yaml
 	if [ $(kubectl_bin get psmdb ${cluster} -o yaml | yq '.metadata.annotations."percona.com/resync-pbm"') == null ]; then
 		echo "psmdb/${cluster} should be annotated with percona.com/resync-pbm after a physical restore"

e2e-tests/version-service/conf/crd.yaml

@@ -17969,6 +17969,8 @@ spec:
                 type: object
               tls:
                 properties:
+                  allowInvalidCertificates:
+                    type: boolean
                   certValidityDuration:
                     type: string
                   issuerConf:

pkg/apis/psmdb/v1/psmdb_defaults.go

@@ -84,16 +84,27 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log
 		cr.Spec.Secrets.SSLInternal = cr.Name + "-ssl-internal"
 	}
 
+	t := true
 	if cr.Spec.TLS == nil {
 		cr.Spec.TLS = &TLSSpec{
-			CertValidityDuration: metav1.Duration{Duration: time.Hour * 24 * 90},
+			Mode:                     TLSModePrefer,
+			AllowInvalidCertificates: &t,
+			CertValidityDuration:     metav1.Duration{Duration: time.Hour * 24 * 90},
 		}
 	}
 
 	if cr.Spec.TLS.Mode == "" {
 		cr.Spec.TLS.Mode = TLSModePrefer
 	}
 
+	if cr.Spec.TLS.CertValidityDuration.Duration == 0 {
+		cr.Spec.TLS.CertValidityDuration = metav1.Duration{Duration: time.Hour * 24 * 90}
+	}
+
+	if cr.Spec.TLS.AllowInvalidCertificates == nil {
+		cr.Spec.TLS.AllowInvalidCertificates = &t
+	}
+
 	if !cr.TLSEnabled() && !cr.Spec.Unsafe.TLS {
 		return errors.New("TLS must be enabled. Set spec.unsafeFlags.tls to true to disable this check")
 	}

pkg/apis/psmdb/v1/psmdb_defaults_test.go

@@ -3,15 +3,16 @@ package v1_test
 import (
 	"testing"
 
-	api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1"
-	"github.com/percona/percona-server-mongodb-operator/version"
 	"github.com/stretchr/testify/assert"
 	corevs "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
+
+	api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1"
+	"github.com/percona/percona-server-mongodb-operator/version"
 )
 
-func TestSetSafeDefault(t *testing.T) {
+func TestSetSafeDefaultPre116(t *testing.T) {
 	type args struct {
 		replset  *api.ReplsetSpec
 		expected *api.ReplsetSpec
@@ -248,3 +249,167 @@ func TestSetSafeDefault(t *testing.T) {
 		})
 	}
 }
+
+func TestSetSafeDefault(t *testing.T) {
+	type args struct {
+		replset     *api.ReplsetSpec
+		expectedErr string
+	}
+
+	vs := &api.VolumeSpec{
+		EmptyDir: &corevs.EmptyDirVolumeSource{
+			Medium: corevs.StorageMediumDefault,
+		},
+	}
+	tests := map[string]args{
+		"even number": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       4,
+			},
+			"check safe defaults: replset size must be odd. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"even number2": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       2,
+			},
+			"check safe defaults: replset size must be odd. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"0 w/o arbiter ": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       0,
+			},
+			"check safe defaults: replset size must be at least 3. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"0 with arbiter": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       0,
+				Arbiter: api.Arbiter{
+					Enabled: true,
+					Size:    1,
+				},
+			},
+			"check safe defaults: replset size must be at least 4 with arbiter. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"1 w/o arbiter ": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       1,
+			},
+			"check safe defaults: replset size must be at least 3. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"1 with arbiter": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       1,
+				Arbiter: api.Arbiter{
+					Enabled: true,
+					Size:    1,
+				},
+			},
+			"check safe defaults: replset size must be at least 4 with arbiter. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"odd with arbiter": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       3,
+				Arbiter: api.Arbiter{
+					Enabled: true,
+					Size:    1,
+				},
+			},
+			"check safe defaults: replset size must be at least 4 with arbiter. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"odd with two arbiters": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       3,
+				Arbiter: api.Arbiter{
+					Enabled: true,
+					Size:    2,
+				},
+			},
+			"check safe defaults: arbiter size must be 1. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"odd with three arbiters": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       3,
+				Arbiter: api.Arbiter{
+					Enabled: true,
+					Size:    3,
+				},
+			},
+			"check safe defaults: arbiter size must be 1. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"even with arbiter": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       2,
+				Arbiter: api.Arbiter{
+					Enabled: true,
+					Size:    1,
+				},
+			},
+			"check safe defaults: replset size must be at least 4 with arbiter. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"even4 with arbiter": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       4,
+				Arbiter: api.Arbiter{
+					Enabled: true,
+					Size:    2,
+				},
+			},
+			"check safe defaults: arbiter size must be 1. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"even with two arbiters": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       2,
+				Arbiter: api.Arbiter{
+					Enabled: true,
+					Size:    2,
+				},
+			},
+			"check safe defaults: arbiter size must be 1. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+		"even with three arbiters": {
+			&api.ReplsetSpec{
+				VolumeSpec: vs,
+				Size:       2,
+				Arbiter: api.Arbiter{
+					Enabled: true,
+					Size:    3,
+				},
+			},
+			"check safe defaults: arbiter size must be 1. Set spec.unsafeFlags.replsetSize to true to disable this check",
+		},
+	}
+
+	cr := &api.PerconaServerMongoDB{
+		ObjectMeta: metav1.ObjectMeta{Name: "psmdb-mock", Namespace: "psmdb"},
+		Spec: api.PerconaServerMongoDBSpec{
+			CRVersion: "1.16.0",
+			Replsets:  []*api.ReplsetSpec{{Name: "rs0", Size: 3}, {Name: "rs1", Size: 3}},
+			Sharding:  api.Sharding{Enabled: true, Mongos: &api.MongosSpec{Size: 3}},
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			for _, platform := range []version.Platform{version.PlatformKubernetes, version.PlatformOpenshift} {
+				err := test.replset.SetDefaults(platform, cr, logf.Log.WithName("TestSetSafeDefault"))
+				if err == nil {
+					t.Fatalf("expected error: %v, got nil", test.expectedErr)
+				}
+
+				assert.EqualError(t, err, test.expectedErr)
+			}
+		})
+	}
+}