Skip to content

K8SPSMDB-1387 certmanager --enable-certificate-owner-ref option causes no startup of any mongodb clusters #1850

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

K8SPSMDB-1387 certmanager --enable-certificate-owner-ref option causes no startup of any mongodb clusters #1850

wants to merge 13 commits into from

Conversation

@Demch1k
Copy link

@Demch1k Demch1k commented Feb 28, 2025
edited by atlassian bot
Loading

K8SPSMDB-1387 Powered by Pull Request Badge

CHANGE DESCRIPTION

https://perconadev.atlassian.net/browse/K8SPSMDB-1387

Problem:
We have enabled --enable-certificate-owner-ref for certmanager and after that mongodb operator can not startup any mongodb clusters.

Cause:
Mongodb operator return error when can't update owner references for certificates recources. But with --enable-certificate-owner-ref certmanager do it by itselfs.

Solution:
Catch error connected with already exists owner ref and jus print it out

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?
  • Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Are all needed new/changed options added to the Helm Chart?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported MongoDB version?
  • Does the change support oldest and newest supported Kubernetes version?

@pull-request-size pull-request-size bot added the size/S 10-29 lines label Feb 28, 2025
@CLAassistant
Copy link

CLAassistant commented Feb 28, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@Demch1k Demch1k force-pushed the fix-certmanager-owner-ref branch from e219161 to 227c0fe Compare February 28, 2025 12:06
@gkech gkech added the community label Mar 4, 2025
egegunes
egegunes requested changes Mar 10, 2025
View reviewed changes
Copy link
Contributor

@egegunes egegunes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

few comments.

also I wonder if we need to set this flag while deploying cert-manager in our tests

pkg/psmdb/tls/certmanager.go Outdated
return "", errors.Wrap(err, "set controller reference")
switch errors.Cause(err).(type) {
case *controllerutil.AlreadyOwnedError:
fmt.Sprintf("%s", err)
Copy link
Contributor

@egegunes egegunes Mar 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we return error here?

pkg/psmdb/tls/certmanager.go Outdated
return errors.Wrap(err, "set controller reference")
switch errors.Cause(err).(type) {
case *controllerutil.AlreadyOwnedError:
fmt.Sprintf("%s", err)
Copy link
Contributor

@egegunes egegunes Mar 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we return error here?

pkg/psmdb/tls/certmanager.go Outdated
}
if err = controllerutil.SetControllerReference(cr, secret, c.scheme); err != nil {
return errors.Wrap(err, "set controller reference")
switch errors.Cause(err).(type) {
Copy link
Contributor

@egegunes egegunes Mar 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gkech wdyt of this errors.Cause maybe we should check with errors.Is?

Copy link
Contributor

@gkech gkech Mar 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes it is better @egegunes

@Demch1k let's use errors.Is and also, let's drop switch since it is not needed, so the following for all cases.

if err = controllerutil.SetControllerReference(cr, secret, c.scheme); err != nil {
if errors.Is(err, &controllerutil.AlreadyOwnedError{}) {
	return errors.Wrap(err, "set owner reference")
}
return errors.Wrap(err, "set controller reference")
}

Copy link
Contributor

@gkech gkech May 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Demch1k any updates on this one?

@github-actions github-actions bot added the stale label Apr 10, 2025
@hors hors added this to the v1.21.0 milestone Apr 14, 2025
@hors hors removed the stale label Apr 14, 2025
@egegunes
Copy link
Contributor

egegunes commented May 19, 2025

seems like we will need to take this over, i'm moving this to next release

@egegunes egegunes modified the milestones: v1.21.0, v1.22.0 May 19, 2025
@gkech gkech changed the title Fix for certmanager owner ref K8SPSMDB-1387 certmanager --enable-certificate-owner-ref option causes no startup of any mongodb clusters May 19, 2025
@gkech gkech requested a review from egegunes August 20, 2025 13:15
@egegunes egegunes mentioned this pull request Sep 12, 2025
Open
@pooknull
improve the fix
2b339fd 
To fix the issue, we only need to modify the `WaitForCert` method by
adding a check to see if the secret has a controller reference to a
certificate
@pooknull
create Certificate interface
91e8479
@pooknull
add e2e test
97f61a0
@pull-request-size pull-request-size bot added size/L 100-499 lines and removed size/S 10-29 lines labels Sep 15, 2025
@Demch1k
Copy link
Author

Demch1k commented Nov 6, 2025
edited
Loading

@egegunes Could you check changes made by @pooknull , I think it's ready for review

@Demch1k
Copy link
Author

Demch1k commented Nov 7, 2025

@pooknull Could you approve this PR?

@egegunes
Copy link
Contributor

egegunes commented Nov 11, 2025

demand-backup-physical-gcp-native, demand-backup-physical-sharded-gcp-native and pitr-to-new-cluster test failures needs to be investigated. @Demch1k if you aren't able to understand what's wrong with them, we'll help you when we start working on v1.22.0.

@hors hors requested a review from mayankshah1607 November 30, 2025 17:55
@JNKPercona
Copy link
Collaborator

JNKPercona commented Nov 30, 2025

Test Name Result Time
arbiter passed 00:11:39
balancer passed 00:18:05
cross-site-sharded passed 00:19:14
custom-replset-name passed 00:10:27
custom-tls passed 00:14:24
custom-users-roles passed 00:10:51
custom-users-roles-sharded passed 00:11:54
data-at-rest-encryption passed 00:13:11
data-sharded passed 00:23:13
demand-backup passed 00:16:30
demand-backup-eks-credentials-irsa passed 00:00:08
demand-backup-fs passed 00:24:06
demand-backup-if-unhealthy passed 00:08:25
demand-backup-incremental passed 00:43:14
demand-backup-incremental-sharded passed 00:57:04
demand-backup-physical-parallel passed 00:08:34
demand-backup-physical-aws passed 00:12:07
demand-backup-physical-azure passed 00:12:10
demand-backup-physical-gcp-s3 passed 00:12:24
demand-backup-physical-gcp-native passed 00:12:05
demand-backup-physical-minio passed 00:20:23
demand-backup-physical-sharded-parallel passed 00:10:32
demand-backup-physical-sharded-aws passed 00:17:59
demand-backup-physical-sharded-azure passed 00:17:38
demand-backup-physical-sharded-gcp-native passed 00:17:11
demand-backup-physical-sharded-minio passed 00:16:53
demand-backup-sharded passed 00:25:06
expose-sharded failure 00:15:30
finalizer passed 00:09:46
ignore-labels-annotations passed 00:07:30
init-deploy passed 00:13:00
ldap passed 00:08:52
ldap-tls passed 00:12:48
limits passed 00:06:13
liveness passed 00:08:24
mongod-major-upgrade passed 00:12:31
mongod-major-upgrade-sharded passed 00:21:03
monitoring-2-0 passed 00:24:35
monitoring-pmm3 passed 00:28:21
multi-cluster-service passed 00:13:20
multi-storage passed 00:18:50
non-voting-and-hidden passed 00:16:12
one-pod passed 00:07:56
operator-self-healing-chaos passed 00:12:54
pitr passed 00:32:00
pitr-physical passed 01:00:49
pitr-sharded passed 00:20:41
pitr-to-new-cluster passed 00:25:21
pitr-physical-backup-source passed 00:55:23
preinit-updates passed 00:05:02
pvc-resize passed 00:13:07
recover-no-primary passed 00:28:08
replset-overrides passed 00:16:33
rs-shard-migration passed 00:13:25
scaling passed 00:10:55
scheduled-backup passed 00:16:43
security-context passed 00:06:52
self-healing-chaos passed 00:15:09
service-per-pod passed 00:18:53
serviceless-external-nodes passed 00:07:32
smart-update passed 00:07:50
split-horizon passed 00:08:01
stable-resource-version passed 00:04:41
storage passed 00:07:40
tls-issue-cert-manager passed 00:29:06
upgrade passed 00:10:02
upgrade-consistency passed 00:06:25
upgrade-consistency-sharded-tls passed 00:52:08
upgrade-sharded passed 00:19:14
upgrade-partial-backup passed 00:16:11
users passed 00:17:25
version-service passed 00:25:04
Summary Value
Tests Run 72/72
Job Duration 03:16:36
Total Test Time 20:54:08

commit: e336896
image: perconalab/percona-server-mongodb-operator:PR-1850-e336896c

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@egegunes egegunes egegunes approved these changes

@hors hors Awaiting requested review from hors hors is a code owner

@pooknull pooknull Awaiting requested review from pooknull pooknull is a code owner

@nmarukovich nmarukovich Awaiting requested review from nmarukovich nmarukovich is a code owner

@gkech gkech Awaiting requested review from gkech gkech is a code owner

@jvpasinatto jvpasinatto Awaiting requested review from jvpasinatto jvpasinatto is a code owner

@eleo007 eleo007 Awaiting requested review from eleo007 eleo007 is a code owner

@valmiranogueira valmiranogueira Awaiting requested review from valmiranogueira valmiranogueira is a code owner

@mayankshah1607 mayankshah1607 Awaiting requested review from mayankshah1607

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

community size/L 100-499 lines

Projects

None yet

Milestone

v1.22.0

Development

Successfully merging this pull request may close these issues.

7 participants

@Demch1k @CLAassistant @egegunes @JNKPercona @gkech @hors @pooknull