
K8SPSMDB-1503: include horizon domains in certificates #2157

Merged: hors merged 11 commits into main from K8SPSMDB-1503 on Jan 5, 2026

Conversation

pooknull (Contributor) commented Dec 19, 2025


https://perconadev.atlassian.net/browse/K8SPSMDB-1503

DESCRIPTION

This PR adds split-horizon domains from .spec.replsets[].splitHorizons to the operator-generated TLS certificates. When .spec.replsets[].replsetOverrides are present, their domains override the corresponding split-horizon domains in the certificates.

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?
  • Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Are all needed new/changed options added to the Helm Chart?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported MongoDB version?
  • Does the change support oldest and newest supported Kubernetes version?

Copilot AI review requested due to automatic review settings December 19, 2025 12:36
pull-request-size bot added the size/M 30-99 lines label Dec 19, 2025

Copilot AI (Contributor) left a comment

Pull request overview

This PR implements support for including MongoDB split horizon domains in TLS certificates, addressing K8SPSMDB-1503. The change extracts duplicate horizon-handling logic into a reusable GetHorizons method and uses it to add horizon domains to certificate Subject Alternative Names (SANs) for clusters running version 1.22.0 or later.

Key Changes:

  • Added GetHorizons method to consolidate horizon domain retrieval with optional port handling
  • Updated certificate SANs generation to include horizon domains when horizons are configured
  • Refactored MongoDB replica set member configuration to use the new shared method

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

  • pkg/apis/psmdb/v1/psmdb_types.go: Added GetHorizons method to extract and process horizon domains with override support
  • pkg/controller/perconaservermongodb/mgo.go: Replaced inline horizon processing with call to new GetHorizons method
  • pkg/psmdb/tls/tls.go: Added horizon domains to certificate SANs for version 1.22.0+; removed version gate for wildcard DNS suffix


Copilot AI review requested due to automatic review settings December 23, 2025 09:52
pull-request-size bot added size/XL 500-999 lines and removed size/M 30-99 lines labels Dec 23, 2025
github-actions bot added the tests label Dec 23, 2025

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

pkg/apis/psmdb/v1/psmdb_types.go:754

  • Missing documentation: The GetHorizons method lacks a doc comment explaining its purpose, parameters, and behavior. Add a comment describing that it returns horizon configurations for all pods, with optional port handling based on the withPorts parameter, and that overrides take precedence over base horizons.
	PodSecurityContext       *corev1.PodSecurityContext   `json:"podSecurityContext,omitempty"`


pooknull marked this pull request as ready for review December 23, 2025 10:07
Copilot AI review requested due to automatic review settings December 23, 2025 10:07

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.


egegunes previously approved these changes Dec 24, 2025

egegunes (Contributor) left a comment

LGTM. Please check Copilot comments.

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.


Comment on the closing lines of GetHorizons:

            }
            horizons[podName][h] = domain
        }
    }

Copilot AI commented Dec 24, 2025

The GetHorizons method only iterates over base Horizons (line 769) and applies overrides to them. This means if a pod has horizons defined exclusively in ReplsetOverrides but not in the base Horizons map, those override-only horizons will be ignored. Consider also iterating over ReplsetOverrides to ensure all horizon configurations are included, even if they don't have a corresponding entry in the base Horizons map.

Suggested change:

        }
    }
    for podName, overrides := range r.ReplsetOverrides {
        if len(overrides.Horizons) == 0 {
            continue
        }
        // Skip pods that already have horizons from the base spec.
        if _, exists := horizons[podName]; exists {
            continue
        }
        horizons[podName] = make(map[string]string, len(overrides.Horizons))
        for h, domain := range overrides.Horizons {
            if withPorts {
                if !strings.Contains(domain, ":") {
                    domain = fmt.Sprintf("%s:%d", domain, r.GetPort())
                }
            }
            horizons[podName][h] = domain
        }
    }

Comment on lines +147 to +200:

    func TestReplsetSpec_GetHorizons(t *testing.T) {
        r := &ReplsetSpec{
            Horizons: map[string]map[string]string{
                "pod-0": {
                    "ext": "a.example.com",
                    "int": "a.internal:27018",
                },
                "pod-1": {
                    "ext": "b.example.com:27019",
                },
            },
            ReplsetOverrides: map[string]ReplsetOverride{
                "pod-0": {
                    Horizons: map[string]string{
                        "ext": "override.example.com",
                    },
                },
            },
            Configuration: `net:
      port: 27017`,
        }

        t.Run("withPorts=true", func(t *testing.T) {
            actual := r.GetHorizons(true)

            expected := map[string]map[string]string{
                "pod-0": {
                    "ext": "override.example.com:27017",
                    "int": "a.internal:27018",
                },
                "pod-1": {
                    "ext": "b.example.com:27019",
                },
            }

            assert.Equal(t, expected, actual, "GetHorizons(true) mismatch")
        })

        t.Run("withPorts=false", func(t *testing.T) {
            actual := r.GetHorizons(false)

            expected := map[string]map[string]string{
                "pod-0": {
                    "ext": "override.example.com",
                    "int": "a.internal",
                },
                "pod-1": {
                    "ext": "b.example.com",
                },
            }

            assert.Equal(t, expected, actual, "GetHorizons(false) mismatch")
        })
    }
Copilot AI commented Dec 24, 2025

The test case for GetHorizons doesn't cover the scenario where horizons are defined only in ReplsetOverrides but not in the base Horizons map. Add a test case where a pod (e.g., "pod-2") has horizons defined only in ReplsetOverrides to ensure the method handles this edge case correctly.

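Added example (not code from the operator or from this PR) illustrating both Copilot comments above: the pod whose horizons exist only in ReplsetOverrides, and why the merged horizon names have to reach the certificate's Subject Alternative Names. It uses hypothetical, simplified stand-ins for ReplsetSpec and ReplsetOverride with a plain Port field in place of GetPort(); the names MergedHorizons, HorizonSANs and SelfSignedCert are this example's own; the input is constructed to match the PR's unit test plus an override-only "pod-2". It goes one step further than the PR's test by placing the derived SAN list into a throwaway self-signed certificate and checking hostname verification against it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"slices"
	"time"
)

// Hypothetical, simplified stand-ins for the operator's ReplsetSpec and ReplsetOverride
// types (not the project's code). Port stands in for the operator's GetPort() lookup.
type ReplsetOverride struct{ Horizons map[string]string }
type ReplsetSpec struct {
	Port             int
	Horizons         map[string]map[string]string // pod -> horizon -> domain[:port]
	ReplsetOverrides map[string]ReplsetOverride
}

// MergedHorizons returns horizon domains for every pod. Overrides are merged last, so they win
// and a pod present only in ReplsetOverrides is kept. withPorts adds r.Port where missing.
func (r *ReplsetSpec) MergedHorizons(withPorts bool) map[string]map[string]string {
	out := make(map[string]map[string]string)
	merge := func(pod string, hs map[string]string) {
		for h, domain := range hs {
			host, _, err := net.SplitHostPort(domain) // err != nil means no port present
			if withPorts && err != nil {
				domain = fmt.Sprintf("%s:%d", domain, r.Port)
			} else if !withPorts && err == nil {
				domain = host
			}
			if out[pod] == nil {
				out[pod] = map[string]string{}
			}
			out[pod][h] = domain
		}
	}
	for pod, hs := range r.Horizons {
		merge(pod, hs)
	}
	for pod, ov := range r.ReplsetOverrides {
		merge(pod, ov.Horizons)
	}
	return out
}

// HorizonSANs flattens the port-less horizons into a sorted, de-duplicated DNS SAN list.
func (r *ReplsetSpec) HorizonSANs() []string {
	var sans []string
	for _, hs := range r.MergedHorizons(false) {
		for _, d := range hs {
			sans = append(sans, d)
		}
	}
	slices.Sort(sans)
	return slices.Compact(sans) // the same domain may be shared by several pods or horizons
}

// SelfSignedCert issues a throwaway self-signed certificate carrying dnsNames as SANs.
func SelfSignedCert(dnsNames []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sampleSpec is constructed input shaped like the PR's unit test, plus an override-only pod-2.
var sampleSpec = &ReplsetSpec{
	Port: 27017,
	Horizons: map[string]map[string]string{
		"pod-0": {"ext": "a.example.com", "int": "a.internal:27018"},
		"pod-1": {"ext": "b.example.com:27019"},
	},
	ReplsetOverrides: map[string]ReplsetOverride{
		"pod-0": {Horizons: map[string]string{"ext": "override.example.com"}},
		"pod-2": {Horizons: map[string]string{"ext": "c.example.com"}},
	},
}

func main() {
	cert, err := SelfSignedCert(sampleSpec.HorizonSANs())
	if err != nil {
		panic(err)
	}
	// a.example.com was overridden, so it is absent from the SANs and must not verify.
	fmt.Println(cert.DNSNames, "a.example.com verifies:", cert.VerifyHostname("a.example.com") == nil)
}
```

Run as-is it prints the four SAN entries (a.internal, b.example.com, c.example.com, override.example.com) and "false" for a.example.com. The point for a defender is that a horizon name the operator drops from this list, whether because an override superseded it or because the merge skipped an override-only pod, is a name clients cannot validate a server certificate against, so connections through that horizon fail verification (or tempt someone to disable it).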
JNKPercona (Collaborator) commented:
Test Name | Result | Time
arbiter | passed | 00:11:28
balancer | passed | 00:17:31
cross-site-sharded | passed | 00:18:39
custom-replset-name | passed | 00:10:07
custom-tls | passed | 00:14:34
custom-users-roles | passed | 00:10:40
custom-users-roles-sharded | passed | 00:11:51
data-at-rest-encryption | passed | 00:14:11
data-sharded | passed | 00:23:16
demand-backup | passed | 00:15:37
demand-backup-eks-credentials-irsa | passed | 00:00:07
demand-backup-fs | passed | 00:23:19
demand-backup-if-unhealthy | passed | 00:08:19
demand-backup-incremental | passed | 00:45:05
demand-backup-incremental-sharded | passed | 00:59:03
demand-backup-physical-parallel | passed | 00:08:26
demand-backup-physical-aws | passed | 00:11:46
demand-backup-physical-azure | passed | 00:11:38
demand-backup-physical-gcp-s3 | passed | 00:11:22
demand-backup-physical-gcp-native | passed | 00:11:25
demand-backup-physical-minio | passed | 00:20:22
demand-backup-physical-minio-native | passed | 00:19:47
demand-backup-physical-sharded-parallel | passed | 00:10:34
demand-backup-physical-sharded-aws | passed | 00:18:08
demand-backup-physical-sharded-azure | passed | 00:17:29
demand-backup-physical-sharded-gcp-native | passed | 00:16:49
demand-backup-physical-sharded-minio | passed | 00:17:59
demand-backup-physical-sharded-minio-native | passed | 00:17:19
demand-backup-sharded | passed | 00:25:23
expose-sharded | passed | 00:33:42
finalizer | passed | 00:10:16
ignore-labels-annotations | passed | 00:07:40
init-deploy | passed | 00:12:35
ldap | passed | 00:09:01
ldap-tls | passed | 00:12:31
limits | passed | 00:05:58
liveness | passed | 00:08:15
mongod-major-upgrade | passed | 00:12:14
mongod-major-upgrade-sharded | passed | 00:21:16
monitoring-2-0 | passed | 00:24:39
monitoring-pmm3 | passed | 00:26:02
multi-cluster-service | passed | 00:15:15
multi-storage | passed | 00:18:29
non-voting-and-hidden | passed | 00:15:44
one-pod | passed | 00:07:45
operator-self-healing-chaos | passed | 00:13:10
pitr | passed | 00:31:38
pitr-physical | passed | 01:02:33
pitr-sharded | passed | 00:21:14
pitr-to-new-cluster | passed | 00:24:39
pitr-physical-backup-source | passed | 00:54:27
preinit-updates | passed | 00:05:11
pvc-resize | passed | 00:13:43
recover-no-primary | passed | 00:28:11
replset-overrides | passed | 00:15:53
replset-remapping | passed | 00:08:25
replset-remapping-sharded | passed | 00:16:50
rs-shard-migration | passed | 00:13:34
scaling | passed | 00:11:03
scheduled-backup | passed | 00:17:06
security-context | passed | 00:07:31
self-healing-chaos | passed | 00:15:08
service-per-pod | passed | 00:18:52
serviceless-external-nodes | passed | 00:07:29
smart-update | passed | 00:08:01
split-horizon | passed | 00:13:37
stable-resource-version | passed | 00:04:44
storage | passed | 00:08:12
tls-issue-cert-manager | passed | 00:29:11
upgrade | passed | 00:09:37
upgrade-consistency | passed | 00:06:20
upgrade-consistency-sharded-tls | passed | 00:52:36
upgrade-sharded | passed | 00:19:36
upgrade-partial-backup | passed | 00:15:44
users | passed | 00:17:17
users-vault | passed | 00:13:30
version-service | passed | 00:24:47

Summary | Value
Tests Run | 77/77
Job Duration | 03:17:02
Total Test Time | 22:33:59

commit: d63d7c4
image: perconalab/percona-server-mongodb-operator:PR-2157-d63d7c45

hors merged commit 2fd8dee into main Jan 5, 2026
12 of 14 checks passed
hors deleted the K8SPSMDB-1503 branch January 5, 2026 10:31

Labels: size/XL 500-999 lines, tests


7 participants