K8SPSMDB-780: Fix upgrade from v1.15.0 (#1545)

egegunes · hors · web-flow · commit 6ed848b18f99 · 2024-05-08T08:22:57.000+03:00
* K8SPSMDB-780: Fix upgrade from v1.15.0

* adress review comments

* disable TLS mode if user has unsafeConf in v1.15.0

* fix

* fix diffs

---------

Co-authored-by: Viacheslav Sarzhan &lt;slava.sarzhan@percona.com&gt;
diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-4-oc.yml
@@ -48,6 +48,7 @@ spec:
             - --replSet=rs0
             - --storageEngine=wiredTiger
             - --relaxPermChecks
+            - --sslAllowInvalidCertificates
             - --clusterAuthMode=keyFile
             - --keyFile=/etc/mongodb-secrets/mongodb-key
             - --tlsMode=disabled
diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0-oc.yml
@@ -48,6 +48,7 @@ spec:
             - --replSet=rs0
             - --storageEngine=wiredTiger
             - --relaxPermChecks
+            - --sslAllowInvalidCertificates
             - --clusterAuthMode=keyFile
             - --keyFile=/etc/mongodb-secrets/mongodb-key
             - --tlsMode=disabled
diff --git a/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml b/e2e-tests/init-deploy/compare/statefulset_another-name-rs0.yml
@@ -48,6 +48,7 @@ spec:
             - --replSet=rs0
             - --storageEngine=wiredTiger
             - --relaxPermChecks
+            - --sslAllowInvalidCertificates
             - --clusterAuthMode=keyFile
             - --keyFile=/etc/mongodb-secrets/mongodb-key
             - --tlsMode=disabled
diff --git a/e2e-tests/tls-issue-cert-manager/compare/statefulset_some-name-cfg-tls-disabled.yml b/e2e-tests/tls-issue-cert-manager/compare/statefulset_some-name-cfg-tls-disabled.yml
@@ -30,6 +30,7 @@ spec:
   serviceName: some-name-cfg
   template:
     metadata:
+      annotations: {}
       labels:
         app.kubernetes.io/component: cfg
         app.kubernetes.io/instance: some-name
@@ -59,6 +60,7 @@ spec:
             - --replSet=cfg
             - --storageEngine=wiredTiger
             - --relaxPermChecks
+            - --sslAllowInvalidCertificates
             - --clusterAuthMode=keyFile
             - --keyFile=/etc/mongodb-secrets/mongodb-key
             - --tlsMode=disabled
diff --git a/e2e-tests/tls-issue-cert-manager/compare/statefulset_some-name-mongos-tls-disabled.yml b/e2e-tests/tls-issue-cert-manager/compare/statefulset_some-name-mongos-tls-disabled.yml
@@ -28,6 +28,7 @@ spec:
   serviceName: ""
   template:
     metadata:
+      annotations: {}
       labels:
         app.kubernetes.io/component: mongos
         app.kubernetes.io/instance: some-name
diff --git a/e2e-tests/tls-issue-cert-manager/compare/statefulset_some-name-rs0-tls-disabled.yml b/e2e-tests/tls-issue-cert-manager/compare/statefulset_some-name-rs0-tls-disabled.yml
@@ -30,6 +30,7 @@ spec:
   serviceName: some-name-rs0
   template:
     metadata:
+      annotations: {}
       labels:
         app.kubernetes.io/component: mongod
         app.kubernetes.io/instance: some-name
@@ -47,6 +48,7 @@ spec:
             - --replSet=rs0
             - --storageEngine=wiredTiger
             - --relaxPermChecks
+            - --sslAllowInvalidCertificates
             - --clusterAuthMode=keyFile
             - --keyFile=/etc/mongodb-secrets/mongodb-key
             - --tlsMode=disabled
diff --git a/pkg/apis/psmdb/v1/psmdb_defaults.go b/pkg/apis/psmdb/v1/psmdb_defaults.go
@@ -105,6 +105,17 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log
 		cr.Spec.TLS.AllowInvalidCertificates = &t
 	}
 
+	if cr.Spec.UnsafeConf {
+		cr.Spec.Unsafe = UnsafeFlags{
+			TLS:                    true,
+			ReplsetSize:            true,
+			MongosSize:             true,
+			BackupIfUnhealthy:      true,
+			TerminationGracePeriod: true,
+		}
+		cr.Spec.TLS.Mode = TLSModeDisabled
+	}
+
 	if !cr.TLSEnabled() && !cr.Spec.Unsafe.TLS {
 		return errors.New("TLS must be enabled. Set spec.unsafeFlags.tls to true to disable this check")
 	}
diff --git a/pkg/controller/perconaservermongodb/psmdb_controller.go b/pkg/controller/perconaservermongodb/psmdb_controller.go
@@ -1202,21 +1202,19 @@ func (r *ReconcilePerconaServerMongoDB) reconcileMongosStatefulset(ctx context.C
 		return errors.Wrapf(err, "create template spec for mongos")
 	}
 
-	if cr.TLSEnabled() {
-		sslAnn, err := r.sslAnnotation(ctx, cr)
-		if err != nil {
-			if err == errTLSNotReady {
-				return nil
-			}
-			return errors.Wrap(err, "failed to get ssl annotations")
-		}
-		if templateSpec.Annotations == nil {
-			templateSpec.Annotations = make(map[string]string)
+	sslAnn, err := r.sslAnnotation(ctx, cr)
+	if err != nil {
+		if errors.Is(err, errTLSNotReady) {
+			return nil
 		}
+		return errors.Wrap(err, "failed to get ssl annotations")
+	}
+	if templateSpec.Annotations == nil {
+		templateSpec.Annotations = make(map[string]string)
+	}
 
-		for k, v := range sslAnn {
-			templateSpec.Annotations[k] = v
-		}
+	for k, v := range sslAnn {
+		templateSpec.Annotations[k] = v
 	}
 
 	secret := new(corev1.Secret)
@@ -1357,9 +1355,15 @@ var errTLSNotReady = errors.New("waiting for TLS secret")
 func (r *ReconcilePerconaServerMongoDB) sslAnnotation(ctx context.Context, cr *api.PerconaServerMongoDB) (map[string]string, error) {
 	annotation := make(map[string]string)
 
+	annotation["percona.com/ssl-hash"] = ""
+	annotation["percona.com/ssl-internal-hash"] = ""
+
 	sslHash, err := r.getTLSHash(ctx, cr, api.SSLSecretName(cr))
 	if err != nil {
 		if k8serrors.IsNotFound(err) {
+			if cr.UnsafeTLSDisabled() {
+				return annotation, nil
+			}
 			return nil, errTLSNotReady
 		}
 		return nil, errors.Wrap(err, "get secret hash error")
@@ -1369,6 +1373,9 @@ func (r *ReconcilePerconaServerMongoDB) sslAnnotation(ctx context.Context, cr *a
 	sslInternalHash, err := r.getTLSHash(ctx, cr, api.SSLInternalSecretName(cr))
 	if err != nil {
 		if k8serrors.IsNotFound(err) {
+			if cr.UnsafeTLSDisabled() {
+				return annotation, nil
+			}
 			return nil, errTLSNotReady
 		}
 		return nil, errors.Wrap(err, "get secret hash error")
diff --git a/pkg/controller/perconaservermongodb/ssl.go b/pkg/controller/perconaservermongodb/ssl.go
@@ -100,7 +100,7 @@ func (r *ReconcilePerconaServerMongoDB) doAllStsHasLatestTLS(ctx context.Context
 
 	sslAnn, err := r.sslAnnotation(ctx, cr)
 	if err != nil {
-		if err == errTLSNotReady {
+		if errors.Is(err, errTLSNotReady) {
 			return false, nil
 		}
 		return false, errors.Wrap(err, "failed to get ssl annotations")
diff --git a/pkg/controller/perconaservermongodb/statefulset.go b/pkg/controller/perconaservermongodb/statefulset.go
@@ -118,14 +118,12 @@ func (r *ReconcilePerconaServerMongoDB) getStatefulsetFromReplset(ctx context.Co
 	sfs.Labels = sfsSpec.Template.Labels
 	sfs.Spec = sfsSpec
 
-	if cr.TLSEnabled() {
-		sslAnn, err := r.sslAnnotation(ctx, cr)
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to get ssl annotations")
-		}
-		for k, v := range sslAnn {
-			sfsSpec.Template.Annotations[k] = v
-		}
+	sslAnn, err := r.sslAnnotation(ctx, cr)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get ssl annotations")
+	}
+	for k, v := range sslAnn {
+		sfsSpec.Template.Annotations[k] = v
 	}
 
 	return sfs, nil
diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go
@@ -188,11 +188,11 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a
 		args[4] = "--replSet=" + name
 	}
 
-	if cr.TLSEnabled() {
-		if *cr.Spec.TLS.AllowInvalidCertificates {
-			args = append(args, "--sslAllowInvalidCertificates")
-		}
+	if *cr.Spec.TLS.AllowInvalidCertificates || cr.CompareVersion("1.16.0") < 0 {
+		args = append(args, "--sslAllowInvalidCertificates")
+	}
 
+	if cr.TLSEnabled() {
 		if cr.Spec.TLS.Mode == api.TLSModeAllow {
 			args = append(args,
 				"--clusterAuthMode=keyFile",
diff --git a/pkg/psmdb/mongos.go b/pkg/psmdb/mongos.go
@@ -293,6 +293,11 @@ func mongosContainerArgs(cr *api.PerconaServerMongoDB, useConfigFile bool, cfgIn
 func volumes(cr *api.PerconaServerMongoDB, configSource VolumeSourceType) []corev1.Volume {
 	fvar, tvar := false, true
 
+	sslVolumeOptional := &cr.Spec.UnsafeConf
+	if cr.CompareVersion("1.16.0") >= 0 {
+		sslVolumeOptional = &cr.Spec.Unsafe.TLS
+	}
+
 	volumes := []corev1.Volume{
 		{
 			Name: InternalKey(cr),
@@ -309,7 +314,7 @@ func volumes(cr *api.PerconaServerMongoDB, configSource VolumeSourceType) []core
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
 					SecretName:  api.SSLSecretName(cr),
-					Optional:    &fvar,
+					Optional:    sslVolumeOptional,
 					DefaultMode: &secretFileMode,
 				},
 			},
@@ -395,8 +400,6 @@ func volumes(cr *api.PerconaServerMongoDB, configSource VolumeSourceType) []core
 				},
 			}...)
 		}
-
-		volumes[1].VolumeSource.Secret.Optional = &cr.Spec.Unsafe.TLS
 	}
 
 	return volumes

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ func (r *ReconcilePerconaServerMongoDB) doAllStsHasLatestTLS(ctx context.Context`
`100`	`100`
`101`	`101`	`sslAnn, err := r.sslAnnotation(ctx, cr)`
`102`	`102`	`if err != nil {`
`103`		`- if err == errTLSNotReady {`
	`103`	`+ if errors.Is(err, errTLSNotReady) {`
`104`	`104`	`return false, nil`
`105`	`105`	`}`
`106`	`106`	`return false, errors.Wrap(err, "failed to get ssl annotations")`