K8SPSMDB-1154: disable encryption by default for inMemory (#1912)

pooknull · hors · web-flow · commit c3ff004e3183 · 2025-05-26T11:59:18.000+03:00
* K8SPSMDB-1154: disable encryption by default for inMemory https://perconadev.atlassian.net/browse/K8SPSMDB-1154 * fix * small improvement * fix manifests --------- Co-authored-by: Viacheslav Sarzhan <slava.sarzhan@percona.com>
diff --git a/pkg/apis/psmdb/v1/psmdb_defaults.go b/pkg/apis/psmdb/v1/psmdb_defaults.go
@@ -637,6 +637,21 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(ctx context.Context, platform
 	return nil
 }
 
+func (rs *ReplsetSpec) IsEncryptionEnabled() (bool, error) {
+	enabled, err := rs.Configuration.isEncryptionEnabled()
+	if err != nil {
+		return false, errors.Wrap(err, "failed to parse replset configuration")
+	}
+
+	if enabled == nil {
+		if rs.Storage.Engine == StorageEngineInMemory {
+			return false, nil // disabled for inMemory engine by default
+		}
+		return true, nil // true by default
+	}
+	return *enabled, nil
+}
+
 // SetDefaults set default options for the replset
 func (rs *ReplsetSpec) SetDefaults(platform version.Platform, cr *PerconaServerMongoDB, log logr.Logger) error {
 	if rs.VolumeSpec == nil {
@@ -738,6 +753,16 @@ func (rs *ReplsetSpec) SetDefaults(platform version.Platform, cr *PerconaServerM
 		}
 	}
 
+	if rs.Storage != nil && rs.Storage.Engine == StorageEngineInMemory {
+		encryptionEnabled, err := rs.IsEncryptionEnabled()
+		if err != nil {
+			return errors.Wrap(err, "failed to parse replset configuration")
+		}
+		if encryptionEnabled {
+			return errors.New("inMemory storage engine doesn't support encryption")
+		}
+	}
+
 	return nil
 }
 
diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go
@@ -578,8 +578,8 @@ func (conf MongoConfiguration) GetTLSMode() (string, error) {
 	return mode, nil
 }
 
-// IsEncryptionEnabled returns nil if "enableEncryption" field is not specified or the pointer to the value of this field
-func (conf MongoConfiguration) IsEncryptionEnabled() (*bool, error) {
+// isEncryptionEnabled returns nil if "enableEncryption" field is not specified or the pointer to the value of this field
+func (conf MongoConfiguration) isEncryptionEnabled() (*bool, error) {
 	m, err := conf.GetOptions("security")
 	if err != nil || m == nil {
 		return nil, err
diff --git a/pkg/psmdb/container.go b/pkg/psmdb/container.go
@@ -66,7 +66,7 @@ func container(ctx context.Context, cr *api.PerconaServerMongoDB, replset *api.R
 		}...)
 	}
 
-	encryptionEnabled, err := isEncryptionEnabled(cr, replset)
+	encryptionEnabled, err := replset.IsEncryptionEnabled()
 	if err != nil {
 		return corev1.Container{}, err
 	}
@@ -214,7 +214,7 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a
 		args = append(args, "--shardsvr")
 	}
 
-	encryptionEnabled, err := isEncryptionEnabled(cr, replset)
+	encryptionEnabled, err := replset.IsEncryptionEnabled()
 	if err != nil {
 		logf.FromContext(ctx).Error(err, "failed to check if mongo encryption enabled")
 	}
diff --git a/pkg/psmdb/statefulset.go b/pkg/psmdb/statefulset.go
@@ -127,7 +127,7 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap
 			VolumeSource: customConf.Type.VolumeSource(configName),
 		})
 	}
-	encryptionEnabled, err := isEncryptionEnabled(cr, replset)
+	encryptionEnabled, err := replset.IsEncryptionEnabled()
 	if err != nil {
 		return appsv1.StatefulSetSpec{}, errors.Wrap(err, "failed to check if encryption is enabled")
 	}
@@ -583,14 +583,3 @@ func PodTopologySpreadConstraints(cr *api.PerconaServerMongoDB, tscs []corev1.To
 	}
 	return result
 }
-
-func isEncryptionEnabled(cr *api.PerconaServerMongoDB, replset *api.ReplsetSpec) (bool, error) {
-	enabled, err := replset.Configuration.IsEncryptionEnabled()
-	if err != nil {
-		return false, errors.Wrap(err, "failed to parse replset configuration")
-	}
-	if enabled == nil {
-		return true, nil // true by default
-	}
-	return *enabled, nil
-}

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ func container(ctx context.Context, cr api.PerconaServerMongoDB, replset api.R`
`66`	`66`	`}...)`
`67`	`67`	`}`
`68`	`68`
`69`		`- encryptionEnabled, err := isEncryptionEnabled(cr, replset)`
	`69`	`+ encryptionEnabled, err := replset.IsEncryptionEnabled()`
`70`	`70`	`if err != nil {`
`71`	`71`	`return corev1.Container{}, err`
`72`	`72`	`}`
`@@ -214,7 +214,7 @@ func containerArgs(ctx context.Context, cr api.PerconaServerMongoDB, replset a`
`214`	`214`	`args = append(args, "--shardsvr")`
`215`	`215`	`}`
`216`	`216`
`217`		`- encryptionEnabled, err := isEncryptionEnabled(cr, replset)`
	`217`	`+ encryptionEnabled, err := replset.IsEncryptionEnabled()`
`218`	`218`	`if err != nil {`
`219`	`219`	`logf.FromContext(ctx).Error(err, "failed to check if mongo encryption enabled")`
`220`	`220`	`}`
Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ func StatefulSpec(ctx context.Context, cr api.PerconaServerMongoDB, replset ap`
`127`	`127`	`VolumeSource: customConf.Type.VolumeSource(configName),`
`128`	`128`	`})`
`129`	`129`	`}`
`130`		`- encryptionEnabled, err := isEncryptionEnabled(cr, replset)`
	`130`	`+ encryptionEnabled, err := replset.IsEncryptionEnabled()`
`131`	`131`	`if err != nil {`
`132`	`132`	`return appsv1.StatefulSetSpec{}, errors.Wrap(err, "failed to check if encryption is enabled")`
`133`	`133`	`}`
`@@ -583,14 +583,3 @@ func PodTopologySpreadConstraints(cr *api.PerconaServerMongoDB, tscs []corev1.To`
`583`	`583`	`}`
`584`	`584`	`return result`
`585`	`585`	`}`
`586`		`-`
`587`		`-func isEncryptionEnabled(cr api.PerconaServerMongoDB, replset api.ReplsetSpec) (bool, error) {`
`588`		`- enabled, err := replset.Configuration.IsEncryptionEnabled()`
`589`		`- if err != nil {`
`590`		`- return false, errors.Wrap(err, "failed to parse replset configuration")`
`591`		`- }`
`592`		`- if enabled == nil {`
`593`		`- return true, nil // true by default`
`594`		`- }`
`595`		`- return *enabled, nil`
`596`		`-}`