percona / percona-server-mongodb-operator

Percona Operator for MongoDB
https://www.percona.com/doc/kubernetes-operator-for-psmongodb/
Apache License 2.0

requireTLS is ignored in "unsafe" mode #1438

Open blushingpenguin opened 8 months ago

blushingpenguin commented 8 months ago

Report

setting

spec:
  allowUnsafeConfigurations: true
  replsets:
    configuration: |
      net:
        tls:
          mode: requireTLS

means that requireTLS is (silently) ignored. From the code this appears to be because "unsafe" means both "less than 3 replicas" (I would like to use a PSA config) and also "don't use TLS certificates for mongo replica authentication".

I would suggest either splitting this flag into two to allow for a PSA config that requires TLS, or leaving it and considering a PSA configuration safe.

More about the problem

See repro steps

Steps to reproduce

  1. apply a config as above
  2. check mongo parameters in the container, observe that requireTLS is not set

Versions

  1. 1.28.3
  2. 1.15
  3. mongo 6.0.9-7

Anything else?

No response
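One way to automate step 2 of the repro as a drift check (an added example, not part of the original issue or the operator's code): it reads the JSON reply of MongoDB's `getCmdLineOpts` admin command and reports whether the running `mongod` enforces at least the TLS mode requested in the custom resource. The function names and the sample replies are constructed for illustration, and an unset mode is treated as `disabled`.

```python
import json

# TLS modes mongod accepts, weakest to strongest; legacy ssl names map onto them.
TLS_MODES = ["disabled", "allowTLS", "preferTLS", "requireTLS"]
LEGACY = {"allowSSL": "allowTLS", "preferSSL": "preferTLS", "requireSSL": "requireTLS"}

def effective_tls_mode(cmdline_opts):
    """Return the TLS mode found in a getCmdLineOpts reply, or None if unset."""
    net = cmdline_opts.get("parsed", {}).get("net", {})
    mode = net.get("tls", {}).get("mode") or net.get("ssl", {}).get("mode")
    if mode is None:
        # Fall back to argv; accept "--tlsMode=x" and "--tlsMode x" (and --sslMode).
        argv = cmdline_opts.get("argv", [])
        for i, arg in enumerate(argv):
            name, sep, value = arg.partition("=")
            if name in ("--tlsMode", "--sslMode"):
                mode = value if sep else (argv[i + 1] if i + 1 < len(argv) else None)
    return LEGACY.get(mode, mode)

def check_tls_drift(requested, cmdline_opts):
    """Compare the mode requested in the CR with what mongod is running with."""
    if requested not in TLS_MODES:
        raise ValueError(f"unknown requested mode: {requested}")
    actual = effective_tls_mode(cmdline_opts) or "disabled"  # assumption: unset means no TLS
    if actual not in TLS_MODES:
        raise ValueError(f"unknown running mode: {actual}")
    ok = TLS_MODES.index(actual) >= TLS_MODES.index(requested)
    return {"requested": requested, "actual": actual, "ok": ok}

# Constructed sample replies (not captured from a real cluster).
SAMPLE_IGNORED = json.loads(
    '{"argv": ["mongod", "--bind_ip_all", "--port=27017"],'
    ' "parsed": {"net": {"bindIpAll": true, "port": 27017}}, "ok": 1}')
SAMPLE_ENFORCED = json.loads(
    '{"argv": ["mongod", "--config", "/etc/mongod.conf"],'
    ' "parsed": {"net": {"tls": {"mode": "requireTLS"}}}, "ok": 1}')
SAMPLE_LEGACY = json.loads('{"argv": ["mongod", "--sslMode", "preferSSL"], "parsed": {}}')

if __name__ == "__main__":
    for name, reply in [("ignored", SAMPLE_IGNORED), ("enforced", SAMPLE_ENFORCED),
                        ("legacy", SAMPLE_LEGACY)]:
        print(name, check_tls_drift("requireTLS", reply))
```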

spron-in commented 8 months ago

Hey @blushingpenguin. Thank you for raising it. Yeah, we have a task to simplify our unsafe flag behavior. We acknowledge that such implicit behavior does no good.

It is not a bug though, as this behavior is captured in our docs. Let me check with the team on where we are.