Add agent cert hash annotation to the STS

m1kola · m1kola · commit 499e7409db15 · 2025-08-29T16:29:13.000+02:00
diff --git a/controllers/operator/construct/database_construction.go b/controllers/operator/construct/database_construction.go
@@ -95,6 +95,7 @@ type DatabaseStatefulSetOptions struct {
 	PodVars                 *env.PodEnvVars
 	CurrentAgentAuthMode    string
 	CertificateHash         string
+	AgentCertificateHash    string
 	PrometheusTLSCertHash   string
 	InternalClusterHash     string
 	ServicePort             int32
diff --git a/controllers/operator/database_statefulset_options.go b/controllers/operator/database_statefulset_options.go
@@ -54,6 +54,13 @@ func CertificateHash(hash string) func(options *construct.DatabaseStatefulSetOpt
 	}
 }
 
+// AgentCertificateHash will assign the given AgentCertificateHash during StatefulSet construction.
+func AgentCertificateHash(hash string) func(options *construct.DatabaseStatefulSetOptions) {
+	return func(options *construct.DatabaseStatefulSetOptions) {
+		options.AgentCertificateHash = hash
+	}
+}
+
 // InternalClusterHash will assign the given InternalClusterHash during StatefulSet construction.
 func InternalClusterHash(hash string) func(options *construct.DatabaseStatefulSetOptions) {
 	return func(options *construct.DatabaseStatefulSetOptions) {
diff --git a/controllers/operator/mongodbmultireplicaset_controller.go b/controllers/operator/mongodbmultireplicaset_controller.go
@@ -493,8 +493,11 @@ func (r *ReconcileMongoDbMultiReplicaSet) reconcileStatefulSets(ctx context.Cont
 			return workflow.Failed(err)
 		}
 
+		agentCertSecretName := mrs.GetSecurity().AgentClientCertificateSecretName(mrs.Name).Name
+
 		// get cert hash of tls secret if it exists
 		certHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, mrsConfig.CertSecretName, "", log)
+		agentCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, agentCertSecretName, "", log)
 		internalCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, mrsConfig.InternalClusterSecretName, "", log)
 		log.Debugf("Creating StatefulSet %s with %d replicas in cluster: %s", mrs.MultiStatefulsetName(clusterNum), replicasThisReconciliation, item.ClusterName)
 
@@ -524,6 +527,7 @@ func (r *ReconcileMongoDbMultiReplicaSet) reconcileStatefulSets(ctx context.Cont
 			PodEnvVars(newPodVars(conn, projectConfig, mrs.Spec.LogLevel)),
 			CurrentAgentAuthMechanism(currentAgentAuthMode),
 			CertificateHash(certHash),
+			AgentCertificateHash(agentCertHash),
 			InternalClusterHash(internalCertHash),
 			WithLabels(mrs.GetOwnerLabels()),
 			WithAdditionalMongodConfig(mrs.Spec.GetAdditionalMongodConfig()),
diff --git a/controllers/operator/mongodbreplicaset_controller.go b/controllers/operator/mongodbreplicaset_controller.go
@@ -200,12 +200,15 @@ func (r *ReconcileMongoDbReplicaSet) Reconcile(ctx context.Context, request reco
 
 	tlsCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, rs.Namespace, rsCertsConfig.CertSecretName, databaseSecretPath, log)
 	internalClusterCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, rs.Namespace, rsCertsConfig.InternalClusterSecretName, databaseSecretPath, log)
+	agentCertSecretName := rs.GetSecurity().AgentClientCertificateSecretName(rs.Name).Name
+	agentCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, rs.Namespace, agentCertSecretName, databaseSecretPath, log)
 
 	rsConfig := construct.ReplicaSetOptions(
 		PodEnvVars(newPodVars(conn, projectConfig, rs.Spec.LogLevel)),
 		CurrentAgentAuthMechanism(currentAgentAuthMode),
 		CertificateHash(tlsCertHash),
 		InternalClusterHash(internalClusterCertHash),
+		AgentCertificateHash(agentCertHash),
 		PrometheusTLSCertHash(prometheusCertHash),
 		WithVaultConfig(vaultConfig),
 		WithLabels(rs.Labels),
diff --git a/controllers/operator/mongodbshardedcluster_controller.go b/controllers/operator/mongodbshardedcluster_controller.go
@@ -2280,6 +2280,7 @@ func (r *ShardedClusterReconcileHelper) getConfigServerOptions(ctx context.Conte
 		PodEnvVars(opts.podEnvVars),
 		CurrentAgentAuthMechanism(opts.currentAgentAuthMode),
 		CertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, certSecretName, databaseSecretPath, log)),
+		AgentCertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, opts.agentCertSecretName, databaseSecretPath, log)),
 		InternalClusterHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, internalClusterSecretName, databaseSecretPath, log)),
 		PrometheusTLSCertHash(opts.prometheusCertHash),
 		WithVaultConfig(vaultConfig),
@@ -2311,6 +2312,7 @@ func (r *ShardedClusterReconcileHelper) getMongosOptions(ctx context.Context, sc
 		PodEnvVars(opts.podEnvVars),
 		CurrentAgentAuthMechanism(opts.currentAgentAuthMode),
 		CertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, certSecretName, vaultConfig.DatabaseSecretPath, log)),
+		AgentCertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, opts.agentCertSecretName, vaultConfig.DatabaseSecretPath, log)),
 		InternalClusterHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, internalClusterSecretName, vaultConfig.DatabaseSecretPath, log)),
 		PrometheusTLSCertHash(opts.prometheusCertHash),
 		WithVaultConfig(vaultConfig),
@@ -2341,6 +2343,7 @@ func (r *ShardedClusterReconcileHelper) getShardOptions(ctx context.Context, sc
 		PodEnvVars(opts.podEnvVars),
 		CurrentAgentAuthMechanism(opts.currentAgentAuthMode),
 		CertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, certSecretName, databaseSecretPath, log)),
+		AgentCertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, opts.agentCertSecretName, databaseSecretPath, log)),
 		InternalClusterHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, internalClusterSecretName, databaseSecretPath, log)),
 		PrometheusTLSCertHash(opts.prometheusCertHash),
 		WithVaultConfig(vaultConfig),
diff --git a/controllers/operator/mongodbstandalone_controller.go b/controllers/operator/mongodbstandalone_controller.go
@@ -243,8 +243,11 @@ func (r *ReconcileMongoDbStandalone) Reconcile(ctx context.Context, request reco
 		}
 	}
 
+	agentCertSecretName := s.GetSecurity().AgentClientCertificateSecretName(s.Name).Name
+
 	standaloneOpts := construct.StandaloneOptions(
 		CertificateHash(pem.ReadHashFromSecret(ctx, r.SecretClient, s.Namespace, standaloneCertSecretName, databaseSecretPath, log)),
+		AgentCertificateHash(pem.ReadHashFromSecret(ctx, r.SecretClient, s.Namespace, agentCertSecretName, databaseSecretPath, log)),
 		CurrentAgentAuthMechanism(currentAgentAuthMode),
 		PodEnvVars(podVars),
 		WithVaultConfig(vaultConfig),

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,13 @@ func CertificateHash(hash string) func(options *construct.DatabaseStatefulSetOpt`
`54`	`54`	`}`
`55`	`55`	`}`
`56`	`56`
	`57`	`+// AgentCertificateHash will assign the given AgentCertificateHash during StatefulSet construction.`
	`58`	`+func AgentCertificateHash(hash string) func(options *construct.DatabaseStatefulSetOptions) {`
	`59`	`+ return func(options *construct.DatabaseStatefulSetOptions) {`
	`60`	`+ options.AgentCertificateHash = hash`
	`61`	`+ }`
	`62`	`+}`
	`63`	`+`
`57`	`64`	`// InternalClusterHash will assign the given InternalClusterHash during StatefulSet construction.`
`58`	`65`	`func InternalClusterHash(hash string) func(options *construct.DatabaseStatefulSetOptions) {`
`59`	`66`	`return func(options *construct.DatabaseStatefulSetOptions) {`
Original file line number	Diff line number	Diff line change
`@@ -243,8 +243,11 @@ func (r *ReconcileMongoDbStandalone) Reconcile(ctx context.Context, request reco`
`243`	`243`	`}`
`244`	`244`	`}`
`245`	`245`
	`246`	`+ agentCertSecretName := s.GetSecurity().AgentClientCertificateSecretName(s.Name).Name`
	`247`	`+`
`246`	`248`	`standaloneOpts := construct.StandaloneOptions(`
`247`	`249`	`CertificateHash(pem.ReadHashFromSecret(ctx, r.SecretClient, s.Namespace, standaloneCertSecretName, databaseSecretPath, log)),`
	`250`	`+ AgentCertificateHash(pem.ReadHashFromSecret(ctx, r.SecretClient, s.Namespace, agentCertSecretName, databaseSecretPath, log)),`
`248`	`251`	`CurrentAgentAuthMechanism(currentAgentAuthMode),`
`249`	`252`	`PodEnvVars(podVars),`
`250`	`253`	`WithVaultConfig(vaultConfig),`