
Conversation

@m1kola (Contributor) commented Aug 28, 2025

Summary

This refactors the way we do cert rotation: we no longer write certificate hashes into annotations of STS. This simplifies the flow and will make it easier to implement agent cert rotation (CLOUDP-290847) in a similar way.

Proof of Work

Existing tests must be green.

Checklist

  • Have you linked a jira ticket and/or is the ticket in the title?
  • Have you checked whether your jira ticket required DOCSP changes?
  • Have you added changelog file?

@m1kola m1kola added the skip-changelog Use this label in Pull Request to not require new changelog entry file label Aug 28, 2025
@m1kola m1kola force-pushed the remove_certs_hash_annotations branch from e6b05c9 to 6736153 August 29, 2025 10:02
@m1kola m1kola force-pushed the remove_certs_hash_annotations branch from 6736153 to 66935c4 August 29, 2025 12:05
@m1kola m1kola changed the title WIP: Remove certs hash annotations Remove certs hash annotations Aug 29, 2025
@m1kola m1kola changed the title Remove certs hash annotations CLOUDP-290847: Remove cert hash annotations Aug 29, 2025
@m1kola m1kola marked this pull request as ready for review August 29, 2025 12:47
@m1kola m1kola requested a review from a team as a code owner August 29, 2025 12:47
if mrs.Spec.Security.IsTLSEnabled() {
	certSecretName := mrs.Spec.GetSecurity().MemberCertificateSecretName(mrs.Name)
	internalClusterCertSecretName := mrs.Spec.GetSecurity().InternalClusterAuthSecretName(mrs.Name)
	tlsCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, certSecretName, "", log)
Collaborator commented:

I see that tlsCertHash and tlsCertPath are calculated here and also in the other controller, controllers/operator/mongodbreplicaset_controller.go. Can we move this logic to the common controller?
I thought about a method like:

func (r *ReconcileCommonController) tlsCertHashAndPath(ctx, ...) (string, string) {
	tlsCertHash := enterprisepem.ReadHashFromSecret(ctx, r.SecretClient, mrs.Namespace, certSecretName, "", log)
	if tlsCertHash == "" {
		return "", ""
	}

	return tlsCertHash, fmt.Sprintf("%s/%s", util.TLSCertMountPath, tlsCertHash)
}

@m1kola (Contributor Author) commented Aug 29, 2025


I would like to leave this out of the scope of this PR. Here I want to make a minimal change so that I can progress with my main goal (agent cert rotation).

There are more places where we read the secret and calculate the hash, and I have a feeling that after adding agent cert rotation it will be a bit clearer whether there is a pattern which we can abstract somehow. I'll look into this if I have time left after implementing agent cert rotation.

Collaborator commented:


Understood. In that case, can you add a TODO item for improving this later?

@m1kola (Contributor Author) commented:


I've added a TODO in another branch (I'll eventually push the TODO or a change to #389). I don't want to push to this branch and wait for CI again.
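
The PR summary describes dropping the certificate-hash annotations on the StatefulSet, and the helper suggested in the review above builds the certificate path from the hash itself (`util.TLSCertMountPath/<hash>`). That is the whole rotation mechanism: when the secret content changes, the hash and therefore the path in the pod template change, and the rollout follows without any annotation bookkeeping. The following stand-alone Go program is an added example of that technique, not code from this PR or from the operator. The hashing scheme, `hashSecretPEM`, `tlsCertHashAndPath`, the `tlsCertMountPath` value and the `fakePEM` payloads are all my own constructions; the operator's `enterprisepem.ReadHashFromSecret` is not shown on this page and may differ.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"path"
	"sort"
)

// tlsCertMountPath is an assumed value for this example; the review thread
// references util.TLSCertMountPath but its real value is not shown there.
const tlsCertMountPath = "/mongodb-automation/tls"

// hashSecretPEM computes a deterministic SHA-256 over the PEM blocks stored in
// a Secret's Data map. This is the example's own scheme, not the operator's
// enterprisepem.ReadHashFromSecret.
//
//   - Keys are sorted first: Go map iteration order is randomized, and a hash
//     that depended on it would change the path, and roll the pods, on every
//     reconcile even when nothing was rotated.
//   - Each block contributes its key, type and DER bytes (length-prefixed), so
//     re-wrapping or re-indenting a PEM file with identical content does not
//     change the hash. PEM headers are ignored.
//   - "" is returned when no PEM block is found, matching the "empty hash means
//     no path" branch in the helper suggested in the review.
func hashSecretPEM(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	h := sha256.New()
	found := false
	for _, k := range keys {
		rest := data[k]
		for {
			var blk *pem.Block
			blk, rest = pem.Decode(rest)
			if blk == nil {
				break
			}
			found = true
			// Secret keys and PEM types cannot contain NUL, so NUL is a safe
			// separator for them; the DER payload is framed by its length.
			fmt.Fprintf(h, "%s\x00%s\x00%d\x00", k, blk.Type, len(blk.Bytes))
			h.Write(blk.Bytes)
		}
	}
	if !found {
		return ""
	}
	return hex.EncodeToString(h.Sum(nil))
}

// tlsCertHashAndPath mirrors the shape of the helper suggested in the review:
// the hash doubles as the file name under the mount path, so a rotated
// certificate changes the path baked into the StatefulSet template.
func tlsCertHashAndPath(data map[string][]byte) (hash, certPath string) {
	hash = hashSecretPEM(data)
	if hash == "" {
		return "", ""
	}
	return hash, path.Join(tlsCertMountPath, hash)
}

// fakePEM wraps an arbitrary payload in a PEM block. The payloads used below
// are constructed stand-ins for this example, not real certificates or keys.
func fakePEM(typ, payload string) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: []byte(payload)})
}

func main() {
	before := map[string][]byte{
		"tls.crt": fakePEM("CERTIFICATE", "member-cert-v1"),
		"tls.key": fakePEM("PRIVATE KEY", "member-key-v1"),
	}
	after := map[string][]byte{
		"tls.crt": fakePEM("CERTIFICATE", "member-cert-v2"),
		"tls.key": fakePEM("PRIVATE KEY", "member-key-v2"),
	}
	_, p1 := tlsCertHashAndPath(before)
	_, p2 := tlsCertHashAndPath(after)
	fmt.Println("before rotation:", p1)
	fmt.Println("after rotation: ", p2)
	fmt.Println("path changed:   ", p1 != p2)
}
```

Two caveats a practitioner would want to check when adopting this pattern: the hash must be stable across reconciles for unchanged input (hence the sorted keys and DER-level hashing), and the "empty hash" case must be handled explicitly so a missing or unparseable secret yields no path rather than a path ending in a bare slash. Hashing the private key block as well as the certificate is a deliberate choice here; a SHA-256 digest of key material in a pod spec does not reveal the key, but a project that prefers to avoid it can restrict the loop to `CERTIFICATE` blocks.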

@m1kola (Contributor Author) commented Sep 2, 2025

e2e_om_ops_manager_queryable_backup is red, but it is a known CI issue and is not related to this change. Merging.

@m1kola m1kola merged commit b7211ae into mongodb:master Sep 2, 2025
35 of 37 checks passed
@m1kola m1kola deleted the remove_certs_hash_annotations branch September 2, 2025 09:26