WIP

Author: m1kola

controllers/operator/mongodbmultireplicaset_controller.go

@@ -493,11 +493,11 @@ func (r *ReconcileMongoDbMultiReplicaSet) reconcileStatefulSets(ctx context.Cont
 			return workflow.Failed(err)
 		}
 
-		agentCertSecretSelector := mrs.GetSecurity().AgentClientCertificateSecretName(mrs.Name).Name
+		agentCertSecretSelector := mrs.GetSecurity().AgentClientCertificateSecretName(mrs.Name)
 
 		// get cert hash of tls secret if it exists
 		certHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, mrsConfig.CertSecretName, "", log)
-		agentCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, agentCertSecretSelector, "", log)
+		agentCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, agentCertSecretSelector.Name, "", log)
 		internalCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, mrsConfig.InternalClusterSecretName, "", log)
 		log.Debugf("Creating StatefulSet %s with %d replicas in cluster: %s", mrs.MultiStatefulsetName(clusterNum), replicasThisReconciliation, item.ClusterName)
 
@@ -761,7 +761,11 @@ func (r *ReconcileMongoDbMultiReplicaSet) updateOmDeploymentRs(ctx context.Conte
 
 	caFilePath := fmt.Sprintf("%s/ca-pem", util.TLSCaMountPath)
 
+	// TODO: make mrs.GetSecurity().AgentClientCertificateSecretName(mrs.GetName()) return only name
 	agentCertSecretSelector := mrs.GetSecurity().AgentClientCertificateSecretName(mrs.GetName())
+	// TODO: Move hash reads somewhere up the call stack
+	agentCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, agentCertSecretSelector.Name, "", log)
+	agentCertSecretSelector.Key = agentCertHash
 	status, additionalReconciliationRequired := r.updateOmAuthentication(ctx, conn, rs.GetProcessNames(), &mrs, agentCertSecretSelector, caFilePath, internalClusterCertPath, isRecovering, log)
 	if !status.IsOK() && !isRecovering {
 		return xerrors.Errorf("failed to enable Authentication for MongoDB Multi Replicaset")

controllers/operator/mongodbreplicaset_controller.go

@@ -238,6 +238,8 @@ func (r *ReconcileMongoDbReplicaSet) Reconcile(ctx context.Context, request reco
 
 	// TODO: copy maybe?
 	agentCertSecretSelector.Name += certs.OperatorGeneratedCertSuffix
+	// TODO: make rs.GetSecurity().AgentClientCertificateSecretName(rs.Name) return only name and add hash later.
+	agentCertSecretSelector.Key = agentCertHash
 
 	internalClusterCertPath := ""
 	if internalClusterCertHash != "" {

controllers/operator/mongodbshardedcluster_controller.go

@@ -1085,6 +1085,8 @@ func (r *ShardedClusterReconcileHelper) doShardedClusterProcessing(ctx context.C
 	}
 
 	agentCertSecretSelector := sc.GetSecurity().AgentClientCertificateSecretName(sc.Name)
+	// TODO: Add a key
+	// TODO: Make sc.GetSecurity().AgentClientCertificateSecretName(sc.Name) return only name
 
 	opts = deploymentOptions{
 		podEnvVars:              podEnvVars,
@@ -2281,6 +2283,7 @@ func (r *ShardedClusterReconcileHelper) getConfigServerOptions(ctx context.Conte
 		PodEnvVars(opts.podEnvVars),
 		CurrentAgentAuthMechanism(opts.currentAgentAuthMode),
 		CertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, certSecretName, databaseSecretPath, log)),
+		// TODO: Check if it is necessary. Can we just use opts?
 		AgentCertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, opts.agentCertSecretSelector.Name, databaseSecretPath, log)),
 		InternalClusterHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, internalClusterSecretName, databaseSecretPath, log)),
 		PrometheusTLSCertHash(opts.prometheusCertHash),
@@ -2313,6 +2316,7 @@ func (r *ShardedClusterReconcileHelper) getMongosOptions(ctx context.Context, sc
 		PodEnvVars(opts.podEnvVars),
 		CurrentAgentAuthMechanism(opts.currentAgentAuthMode),
 		CertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, certSecretName, vaultConfig.DatabaseSecretPath, log)),
+		// TODO: Check if it is necessary. Can we just use opts?
 		AgentCertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, opts.agentCertSecretSelector.Name, vaultConfig.DatabaseSecretPath, log)),
 		InternalClusterHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, internalClusterSecretName, vaultConfig.DatabaseSecretPath, log)),
 		PrometheusTLSCertHash(opts.prometheusCertHash),
@@ -2344,6 +2348,7 @@ func (r *ShardedClusterReconcileHelper) getShardOptions(ctx context.Context, sc
 		PodEnvVars(opts.podEnvVars),
 		CurrentAgentAuthMechanism(opts.currentAgentAuthMode),
 		CertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, certSecretName, databaseSecretPath, log)),
+		// TODO: Check if it is necessary. Can we just use opts?
 		AgentCertificateHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, opts.agentCertSecretSelector.Name, databaseSecretPath, log)),
 		InternalClusterHash(enterprisepem.ReadHashFromSecret(ctx, r.commonController.SecretClient, sc.Namespace, internalClusterSecretName, databaseSecretPath, log)),
 		PrometheusTLSCertHash(opts.prometheusCertHash),

controllers/operator/mongodbstandalone_controller.go

@@ -323,6 +323,8 @@ func (r *ReconcileMongoDbStandalone) updateOmDeployment(ctx context.Context, con
 	}
 
 	agentCertSecretSelector := s.GetSecurity().AgentClientCertificateSecretName(s.Name)
+	// TODO: Add a key
+	// TODO: Make sc.GetSecurity().AgentClientCertificateSecretName(sc.Name) return only name
 
 	// TODO standalone PR
 	status, additionalReconciliationRequired := r.updateOmAuthentication(ctx, conn, []string{set.Name}, s, agentCertSecretSelector, "", "", isRecovering, log)