Skip to content

K8SPSMDB-1154: disable encryption by default for inMemory #1912

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
May 26, 2025
Merged

K8SPSMDB-1154: disable encryption by default for inMemory #1912

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
fcda99e
K8SPSMDB-1154: disable encryption by default for inMemory
pooknull May 8, 2025
8f992ab
fix
pooknull May 8, 2025
f0d9be5
Merge branch 'main' into K8SPSMDB-1154
hors May 16, 2025
23d9ce0
small improvement
pooknull May 21, 2025
75facc3
Merge remote-tracking branch 'origin/main' into K8SPSMDB-1154
pooknull May 21, 2025
ab1be45
fix manifests
pooknull May 21, 2025
5f9aa7c
Merge branch 'main' into K8SPSMDB-1154
pooknull May 22, 2025
694b258
Merge branch 'main' into K8SPSMDB-1154
pooknull May 22, 2025
2f3c99f
Merge branch 'main' into K8SPSMDB-1154
hors May 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion deploy/bundle.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19788,7 +19788,7 @@ spec:
serviceAccountName: percona-server-mongodb-operator
containers:
- name: percona-server-mongodb-operator
image: percona/percona-server-mongodb-operator:1.20.0
image: perconalab/percona-server-mongodb-operator:main
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
Expand Down
2 changes: 1 addition & 1 deletion deploy/cw-bundle.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19809,7 +19809,7 @@ spec:
serviceAccountName: percona-server-mongodb-operator
containers:
- name: percona-server-mongodb-operator
image: percona/percona-server-mongodb-operator:1.20.0
image: perconalab/percona-server-mongodb-operator:main
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
Expand Down
2 changes: 1 addition & 1 deletion deploy/cw-operator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ spec:
serviceAccountName: percona-server-mongodb-operator
containers:
- name: percona-server-mongodb-operator
image: percona/percona-server-mongodb-operator:1.20.0
image: perconalab/percona-server-mongodb-operator:main
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
Expand Down
2 changes: 1 addition & 1 deletion deploy/operator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ spec:
serviceAccountName: percona-server-mongodb-operator
containers:
- name: percona-server-mongodb-operator
image: percona/percona-server-mongodb-operator:1.20.0
image: perconalab/percona-server-mongodb-operator:main
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
Expand Down
25 changes: 25 additions & 0 deletions pkg/apis/psmdb/v1/psmdb_defaults.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -633,6 +633,21 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(ctx context.Context, platform
return nil
}

func (rs *ReplsetSpec) IsEncryptionEnabled() (bool, error) {
enabled, err := rs.Configuration.isEncryptionEnabled()
if err != nil {
return false, errors.Wrap(err, "failed to parse replset configuration")
}

if enabled == nil {
if rs.Storage.Engine == StorageEngineInMemory {
return false, nil // disabled for inMemory engine by default
}
return true, nil // true by default
}
return *enabled, nil
}

// SetDefaults set default options for the replset
func (rs *ReplsetSpec) SetDefaults(platform version.Platform, cr *PerconaServerMongoDB, log logr.Logger) error {
if rs.VolumeSpec == nil {
Expand Down Expand Up @@ -734,6 +749,16 @@ func (rs *ReplsetSpec) SetDefaults(platform version.Platform, cr *PerconaServerM
}
}

if rs.Storage != nil && rs.Storage.Engine == StorageEngineInMemory {
encryptionEnabled, err := rs.IsEncryptionEnabled()
if err != nil {
return errors.Wrap(err, "failed to parse replset configuration")
}
if encryptionEnabled {
return errors.New("inMemory storage engine doesn't support encryption")
}
}

return nil
}

Expand Down
4 changes: 2 additions & 2 deletions pkg/apis/psmdb/v1/psmdb_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -558,8 +558,8 @@ func (conf MongoConfiguration) GetTLSMode() (string, error) {
return mode, nil
}

// IsEncryptionEnabled returns nil if "enableEncryption" field is not specified or the pointer to the value of this field
func (conf MongoConfiguration) IsEncryptionEnabled() (*bool, error) {
// isEncryptionEnabled returns nil if "enableEncryption" field is not specified or the pointer to the value of this field
func (conf MongoConfiguration) isEncryptionEnabled() (*bool, error) {
m, err := conf.GetOptions("security")
if err != nil || m == nil {
return nil, err
Expand Down
4 changes: 2 additions & 2 deletions pkg/psmdb/container.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ func container(ctx context.Context, cr *api.PerconaServerMongoDB, replset *api.R
}...)
}

encryptionEnabled, err := isEncryptionEnabled(cr, replset)
encryptionEnabled, err := replset.IsEncryptionEnabled()
if err != nil {
return corev1.Container{}, err
}
Expand Down Expand Up @@ -214,7 +214,7 @@ func containerArgs(ctx context.Context, cr *api.PerconaServerMongoDB, replset *a
args = append(args, "--shardsvr")
}

encryptionEnabled, err := isEncryptionEnabled(cr, replset)
encryptionEnabled, err := replset.IsEncryptionEnabled()
if err != nil {
logf.FromContext(ctx).Error(err, "failed to check if mongo encryption enabled")
}
Expand Down
13 changes: 1 addition & 12 deletions pkg/psmdb/statefulset.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ func StatefulSpec(ctx context.Context, cr *api.PerconaServerMongoDB, replset *ap
VolumeSource: customConf.Type.VolumeSource(configName),
})
}
encryptionEnabled, err := isEncryptionEnabled(cr, replset)
encryptionEnabled, err := replset.IsEncryptionEnabled()
if err != nil {
return appsv1.StatefulSetSpec{}, errors.Wrap(err, "failed to check if encryption is enabled")
}
Expand Down Expand Up @@ -580,14 +580,3 @@ func PodTopologySpreadConstraints(cr *api.PerconaServerMongoDB, tscs []corev1.To
}
return result
}

func isEncryptionEnabled(cr *api.PerconaServerMongoDB, replset *api.ReplsetSpec) (bool, error) {
enabled, err := replset.Configuration.IsEncryptionEnabled()
if err != nil {
return false, errors.Wrap(err, "failed to parse replset configuration")
}
if enabled == nil {
return true, nil // true by default
}
return *enabled, nil
}
Loading