Description
What did you do to encounter the bug?
Hi,
I'm not sure if this is a bug, but I had to post it here. I can't figure it out or find any helpful information.
I’m deploying a MongoDB ReplicaSet using the MongoDB Community Operator v0.13.0 (Helm chart). I want to enforce mutual TLS so that clients must present a valid certificate signed by my CA.
My CR looks like this (simplified):
```yaml
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  name: mongodb
  namespace: mongodb
spec:
  members: 3
  type: ReplicaSet
  version: "7.0.7"
  security:
    tls:
      enabled: true
      certificateKeySecretRef:
        name: mongodb-server-tls
      caConfigMapRef:
        name: mongodb-ca
  additionalMongodConfig:
    net:
      tls:
        mode: requireTLS
        allowConnectionsWithoutCertificates: false
```
What did you expect?
I expected allowConnectionsWithoutCertificates to be set to false inside mongod.conf, but instead it's defaulting to true:
```
port: 27017,
tls: {
  CAFile: '/var/lib/tls/ca/longhash.pem',
  allowConnectionsWithoutCertificates: true,
  certificateKeyFile: '/var/lib/tls/server/longhash.pem',
  mode: 'requireTLS'
}
```
What happened instead?
allowConnectionsWithoutCertificates defaults to true, and I can connect to MongoDB by setting tls=true without needing to provide the certificates. My target is allowing only clients that provide a certificate to connect.
Operator Information
Kubernetes-mongodb-operator version 0.13.0
MongoDB Community version 7.0.7
Kubernetes version 1.33.2
Additional context
I can confirm that both mongodb-operator and mongodb community pods are running smoothly without any restarts.
```
mongodb-0                                      2/2   Running   0   70m
mongodb-1                                      2/2   Running   0   70m
mongodb-2                                      2/2   Running   0   69m
mongodb-kubernetes-operator-67f556ff66-265cj   1/1   Running   0   77m
```
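
Added example, not part of the original issue or the operator's code: a small audit of a mongod's effective `net` options that reports whether client certificates are actually enforced, so drift between the CR and the running config is caught. The function name `audit_mtls` is hypothetical, the input is assumed to be the `parsed.net` document from `db.adminCommand({getCmdLineOpts: 1})`, and the sample values are constructed from the output quoted above.

```python
# Added example: audit effective mongod net.tls options for mTLS enforcement.
# Assumption: `net` is the parsed.net document from getCmdLineOpts.
import copy


def audit_mtls(net: dict) -> list[str]:
    """Return findings; an empty list means client certificates are enforced."""
    tls = net.get("tls") or {}
    findings = []

    # mongod's default TLS mode is "disabled" when the option is absent.
    mode = tls.get("mode", "disabled")
    if mode != "requireTLS":
        findings.append(f"net.tls.mode is {mode!r}: non-TLS connections are possible")

    # Without a CA file there is nothing to validate client certificates against.
    if not tls.get("CAFile"):
        findings.append("net.tls.CAFile is unset: no CA configured for client certificates")

    # The setting at the centre of this issue: true lets certificate-less clients in.
    if tls.get("allowConnectionsWithoutCertificates", False):
        findings.append("net.tls.allowConnectionsWithoutCertificates is true: "
                        "clients may connect over TLS without presenting a certificate")

    # Accepting invalid certificates defeats validation even when one is presented.
    if tls.get("allowInvalidCertificates", False):
        findings.append("net.tls.allowInvalidCertificates is true: "
                        "certificate validation failures are ignored")
    return findings


# Constructed sample: the effective config quoted in the issue.
OBSERVED = {
    "port": 27017,
    "tls": {
        "CAFile": "/var/lib/tls/ca/longhash.pem",
        "allowConnectionsWithoutCertificates": True,
        "certificateKeyFile": "/var/lib/tls/server/longhash.pem",
        "mode": "requireTLS",
    },
}
# Constructed sample: the config the CR was intended to produce.
INTENDED = copy.deepcopy(OBSERVED)
INTENDED["tls"]["allowConnectionsWithoutCertificates"] = False

if __name__ == "__main__":
    for label, net in (("observed", OBSERVED), ("intended", INTENDED)):
        print(label, audit_mtls(net) or "OK: client certificates enforced")
```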