Git Product home page Git Product logo

Comments (4)

limwa avatar limwa commented on August 15, 2024 2

Since creating the "connectionStringSecretTemplate" proved to be too complex for me (I haven't ever programmed in Go), I've gone ahead and implemented a "connectionStringSecretAnnotations" property. It is implemented in my fork. Let me know if you'd like me to open a PR for the namespace consistency fix and/or the connectionStringSecretAnnotations property.

from mongodb-kubernetes-operator.

limwa avatar limwa commented on August 15, 2024

From what I've seen, it appears this could be caused by the following code

mongodb-kubernetes-operator/controllers/mongodb_users.go

Lines 42 to 74 in 3108a94

func (r ReplicaSetReconciler) updateConnectionStringSecrets(ctx context.Context, mdb mdbv1.MongoDBCommunity, clusterDomain string) error {
for _, user := range mdb.GetAuthUsers() {
secretName := user.ConnectionStringSecretName
secretNamespace := mdb.Namespace
if user.ConnectionStringSecretNamespace != "" {
secretNamespace = user.ConnectionStringSecretNamespace
}
existingSecret, err := r.client.GetSecret(ctx, types.NamespacedName{
Name: secretName,
Namespace: secretNamespace,
})
if err != nil && !apiErrors.IsNotFound(err) {
return err
}
if err == nil && !secret.HasOwnerReferences(existingSecret, mdb.GetOwnerReferences()) {
return fmt.Errorf("connection string secret %s already exists and is not managed by the operator", secretName)
}
pwd := ""
if user.Database != constants.ExternalDB {
secretNamespacedName := types.NamespacedName{Name: user.PasswordSecretName, Namespace: secretNamespace}
pwd, err = secret.ReadKey(ctx, r.client, user.PasswordSecretKey, secretNamespacedName)
if err != nil {
return err
}
}
connectionStringSecret := secret.Builder().
SetName(secretName).
SetNamespace(secretNamespace).

In it:

  1. In lines 46-49, secretNamespace is set to the connection string secret namespace, if it is defined
  2. In lines 65-69, the password secret is read on the secretNamespace
  3. In line 74, the connection string secret is set to be created on the secretNamespace.

Therefore, the password secret and connection string secret need to be in the same namespace.

However, when ensuring user resources, in the following code, it is expected that the password secret is in the namespace of the MDBC, and not in the one specified for the connection string secret.

mongodb-kubernetes-operator/controllers/mongodb_users.go

Lines 16 to 20 in 3108a94

func (r ReplicaSetReconciler) ensureUserResources(ctx context.Context, mdb mdbv1.MongoDBCommunity) error {
for _, user := range mdb.GetAuthUsers() {
if user.Database != constants.ExternalDB {
secretNamespacedName := types.NamespacedName{Name: user.PasswordSecretName, Namespace: mdb.Namespace}
if _, err := secret.ReadKey(ctx, r.client, user.PasswordSecretKey, secretNamespacedName); err != nil {

Ensuring consistency in the namespace used in both functions should fix the problem of needing to have the secret in both namespaces for the connection string secret to be created.

However, I'm not sure what is causing the connection string secret to be deleted immediately after it is created (could be related, or not).

from mongodb-kubernetes-operator.

limwa avatar limwa commented on August 15, 2024

An update on this: ensuring consistency on the namespaces used did solve the problem of needing to have the password secret in both namespaces (I can open a PR for this, it's a single line change).

However, the problem with the connection string secret being immediately deleted was not solved. After some investigation, I came to the conclusion that the secret was being garbage collected by kubernetes. https://kubernetes.io/docs/concepts/architecture/garbage-collection/#owners-dependents states that cross-namespace owner references are disallowed by design, which is causing the secret to be immediately deleted.

from mongodb-kubernetes-operator.

limwa avatar limwa commented on August 15, 2024

A possible solution to the connection string secret problem is to follow an approach similar to cert-manager (https://cert-manager.io/docs/devops-tips/syncing-secrets-across-namespaces) and allow for a "connectionStringSecretTemplate" as well. This would allow users to set annotations that can be used by reflector or kubernetes-replicator to sync the secret across namespaces. The connectionStringSecretNamespace parameter doesn't need to be removed because it is a simpler solution for cluster-wide deployments of the mongodb-kubernetes-operator.

from mongodb-kubernetes-operator.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.