From ae52bb4e525dfd2f7535ed280329023d6110cc6a Mon Sep 17 00:00:00 2001 From: Anand Singh Date: Tue, 28 Oct 2025 15:26:55 +0530 Subject: [PATCH 1/6] CLOUDP-327089: Add status field support (squash of last 6 commits) --- api/v1/search/mongodbsearch_types.go | 4 ++ api/v1/search/status_options.go | 17 ++++++++ ...251024_fix_mongodbsearch_status_version.md | 7 ++++ .../operator/mongodbsearch_controller_test.go | 40 +++++++++++++++++-- .../mongodbsearch_reconcile_helper.go | 38 +++++++++++++----- 5 files changed, 94 insertions(+), 12 deletions(-) create mode 100644 api/v1/search/status_options.go create mode 100644 changelog/20251024_fix_mongodbsearch_status_version.md diff --git a/api/v1/search/mongodbsearch_types.go b/api/v1/search/mongodbsearch_types.go index ce1ef5176..35c093c90 100644 --- a/api/v1/search/mongodbsearch_types.go +++ b/api/v1/search/mongodbsearch_types.go @@ -102,6 +102,7 @@ type MongoDBSearchStatus struct { // +k8s:openapi-gen=true // +kubebuilder:subresource:status // +kubebuilder:printcolumn:name="Phase",type="string",JSONPath=".status.phase",description="Current state of the MongoDB deployment." +// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".status.version",description="MongoDB Search version reconciled by the operator." // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The time since the MongoDB resource was created." // +kubebuilder:resource:path=mongodbsearch,scope=Namespaced,shortName=mdbs type MongoDBSearch struct { 
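Review bot: The new `+kubebuilder:printcolumn` marker for `.status.version` above `type MongoDBSearch struct` only takes effect once the CRD manifest is regenerated, and none of the six patches on this page lists a CRD YAML in its diffstat. If the generated manifests are checked in (not visible here), regenerate and commit them with this change; otherwise `kubectl get mdbs` will not show the Version column. The struct body continues outside the hunk.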
@@ -142,6 +143,9 @@ func (s *MongoDBSearch) UpdateStatus(phase status.Phase, statusOptions ...status if option, exists := status.GetOption(statusOptions, status.WarningsOption{}); exists { s.Status.Warnings = append(s.Status.Warnings, option.(status.WarningsOption).Warnings...) } + if option, exists := status.GetOption(statusOptions, MongoDBSearchVersionOption{}); exists { + s.Status.Version = option.(MongoDBSearchVersionOption).Version + } } func (s *MongoDBSearch) NamespacedName() types.NamespacedName { diff --git a/api/v1/search/status_options.go b/api/v1/search/status_options.go new file mode 100644 index 000000000..10720047c --- /dev/null +++ b/api/v1/search/status_options.go @@ -0,0 +1,17 @@ +package search + +import "github.com/mongodb/mongodb-kubernetes/api/v1/status" + +type MongoDBSearchVersionOption struct { + Version string +} + +var _ status.Option = MongoDBSearchVersionOption{} + +func NewMongoDBSearchVersionOption(version string) MongoDBSearchVersionOption { + return MongoDBSearchVersionOption{Version: version} +} + +func (o MongoDBSearchVersionOption) Value() interface{} { + return o.Version +} diff --git a/changelog/20251024_fix_mongodbsearch_status_version.md b/changelog/20251024_fix_mongodbsearch_status_version.md new file mode 100644 index 000000000..82fded3b0 --- /dev/null +++ b/changelog/20251024_fix_mongodbsearch_status_version.md @@ -0,0 +1,7 @@ +--- +title: Surface reconciled MongoDBSearch version +kind: fix +date: 2025-10-24 +--- + +* MongoDBSearch now records the reconciled mongot version in status and exposes it via a dedicated kubectl print column. diff --git a/controllers/operator/mongodbsearch_controller_test.go b/controllers/operator/mongodbsearch_controller_test.go index 472ea419a..19f29c575 100644 --- a/controllers/operator/mongodbsearch_controller_test.go +++ b/controllers/operator/mongodbsearch_controller_test.go 
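Review bot: The block added to `UpdateStatus` writes `Status.Version` only when a `MongoDBSearchVersionOption` is passed, and as far as the hunks on this page show, only the final `workflow.OK()` in `reconcile` carries one. A Pending or Failed reconcile therefore keeps the previously recorded version, so the column can show the old version while a new `spec.version` is being rolled out or rejected. That looks intended, but it should be stated above the block, e.g. `// Version is only overwritten when a reconcile succeeds; Pending/Failed keep the last reconciled value.` The function starts outside the hunk.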
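Review bot: The exported `MongoDBSearchVersionOption`, `NewMongoDBSearchVersionOption` and `Value` in the new status_options.go have no doc comments. On the type I would add `// MongoDBSearchVersionOption carries the mongot version resolved by the reconcile helper into UpdateStatus.` The `Version` field should also get a line saying the value comes from configuration or an image tag and may be empty, so that consumers of `.status.version` do not read it as a verified statement about the running image.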
@@ -172,7 +172,12 @@ func TestMongoDBSearchReconcile_Success(t *testing.T) { search.Spec.LogLevel = "WARN" mdbc := newMongoDBCommunity("mdb", mock.TestNamespace) - reconciler, c := newSearchReconciler(mdbc, search) + operatorConfig := searchcontroller.OperatorSearchConfig{ + SearchRepo: "testrepo", + SearchName: "mongot", + SearchVersion: "1.48.0", + } + reconciler, c := newSearchReconcilerWithOperatorConfig(mdbc, operatorConfig, search) res, err := reconciler.Reconcile( ctx, @@ -182,6 +187,11 @@ func TestMongoDBSearchReconcile_Success(t *testing.T) { assert.NoError(t, err) assert.Equal(t, expected, res) + // BEFORE readiness: version should still be empty (controller sets Version only after StatefulSet ready) + searchPending := &searchv1.MongoDBSearch{} + assert.NoError(t, c.Get(ctx, types.NamespacedName{Name: search.Name, Namespace: search.Namespace}, searchPending)) + assert.Empty(t, searchPending.Status.Version, "Status.Version must be empty before StatefulSet is marked ready") + svc := &corev1.Service{} err = c.Get(ctx, search.SearchServiceNamespacedName(), svc) assert.NoError(t, err) @@ -194,9 +204,18 @@ func TestMongoDBSearchReconcile_Success(t *testing.T) { assert.NoError(t, err) assert.Equal(t, string(configYaml), cm.Data[searchcontroller.MongotConfigFilename]) - sts := &appsv1.StatefulSet{} - err = c.Get(ctx, search.StatefulSetNamespacedName(), sts) + markStatefulSetReady(ctx, t, c, search.StatefulSetNamespacedName()) + + res, err = reconciler.Reconcile( + ctx, + reconcile.Request{NamespacedName: types.NamespacedName{Name: search.Name, Namespace: search.Namespace}}, + ) assert.NoError(t, err) + assert.Equal(t, expected, res) + + updatedSearch := &searchv1.MongoDBSearch{} + assert.NoError(t, c.Get(ctx, types.NamespacedName{Name: search.Name, Namespace: search.Namespace}, updatedSearch)) + assert.Equal(t, operatorConfig.SearchVersion, updatedSearch.Status.Version) } func checkSearchReconcileFailed( 
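Review bot: The success test pins only the `OperatorSearchConfig.SearchVersion` source of the version. Neither the precedence of `Spec.Version` over it nor the container-image fallback through `extractImageTag` is exercised anywhere in this patch. A small table-driven test for `extractImageTag` would cover the parsing edge cases cheaply: a plain tag, a registry host with a port and no tag, a digest-only reference, and a tag followed by a digest.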
@@ -296,3 +315,18 @@ func TestMongoDBSearchReconcile_InvalidSearchImageVersion(t *testing.T) { }) } } + +func markStatefulSetReady(ctx context.Context, t *testing.T, c client.Client, name types.NamespacedName) { + t.Helper() + + sts := &appsv1.StatefulSet{} + assert.NoError(t, c.Get(ctx, name, sts)) + + sts.Status.UpdatedReplicas = 1 + sts.Status.ReadyReplicas = 1 + sts.Status.CurrentReplicas = 1 + sts.Status.Replicas = 1 + sts.Status.ObservedGeneration = sts.Generation + + assert.NoError(t, c.Status().Update(ctx, sts)) +} diff --git a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go index 4e94074e7..0a8fcae48 100644 --- a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go +++ b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go @@ -89,7 +89,9 @@ func (r *MongoDBSearchReconcileHelper) reconcile(ctx context.Context, log *zap.S return workflow.Failed(err) } - if err := r.ValidateSearchImageVersion(); err != nil { + version := r.getMongotVersion() + + if err := r.ValidateSearchImageVersion(version); err != nil { return workflow.Failed(err) } @@ -137,7 +139,7 @@ func (r *MongoDBSearchReconcileHelper) reconcile(ctx context.Context, log *zap.S return statefulSetStatus } - return workflow.OK() + return workflow.OK().WithAdditionalOptions(searchv1.NewMongoDBSearchVersionOption(version)) } func (r *MongoDBSearchReconcileHelper) ensureSourceKeyfile(ctx context.Context, log *zap.SugaredLogger) (statefulset.Modification, error) { 
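Review bot: `getMongotVersion()` can return an empty string, and in `reconcile` that empty value passes `ValidateSearchImageVersion` and is then attached to the final `workflow.OK()`. `UpdateStatus` assigns it unconditionally, so a previously recorded version is blanked. If a blank is not the intended signal for "version unknown", return the plain status in that case: `if version == "" { return workflow.OK() }` before the `WithAdditionalOptions` return. Either way, a log line when the version resolves to empty would make it visible that the unsupported-version check had nothing to compare. The body of `reconcile` starts and ends outside these hunks.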
@@ -435,9 +437,7 @@ func (r *MongoDBSearchReconcileHelper) ValidateSingleMongoDBSearchForSearchSourc return nil } -func (r *MongoDBSearchReconcileHelper) ValidateSearchImageVersion() error { - version := r.getMongotImage() - +func (r *MongoDBSearchReconcileHelper) ValidateSearchImageVersion(version string) error { if strings.Contains(version, unsupportedSearchVersion) { return xerrors.Errorf(unsupportedSearchVersionErrorFmt, unsupportedSearchVersion) } @@ -445,14 +445,15 @@ func (r *MongoDBSearchReconcileHelper) ValidateSearchImageVersion() error { return nil } -func (r *MongoDBSearchReconcileHelper) getMongotImage() string { +func (r *MongoDBSearchReconcileHelper) getMongotVersion() string { version := strings.TrimSpace(r.mdbSearch.Spec.Version) if version != "" { return version } - if r.operatorSearchConfig.SearchVersion != "" { - return r.operatorSearchConfig.SearchVersion + version = strings.TrimSpace(r.operatorSearchConfig.SearchVersion) + if version != "" { + return version } if r.mdbSearch.Spec.StatefulSetConfiguration == nil { @@ -461,13 +462,32 @@ func (r *MongoDBSearchReconcileHelper) getMongotImage() string { for _, container := range r.mdbSearch.Spec.StatefulSetConfiguration.SpecWrapper.Spec.Template.Spec.Containers { if container.Name == MongotContainerName { - return container.Image + return extractImageTag(container.Image) } } return "" } +func extractImageTag(image string) string { + image = strings.TrimSpace(image) + if image == "" { + return "" + } + + if at := strings.Index(image, "@"); at != -1 { + image = image[:at] + } + + lastSlash := strings.LastIndex(image, "/") + lastColon := strings.LastIndex(image, ":") + if lastColon > lastSlash { + return image[lastColon+1:] + } + + return "" +} + func SearchCoordinatorRole() mdbv1.MongoDBRole { // direct translation of https://github.com/10gen/mongo/blob/6f8d95a513eea8f91ea9f5d895dd8a288dfcf725/src/mongo/db/auth/builtin_roles.yml#L652 return mdbv1.MongoDBRole{ 
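Review bot: In `getMongotVersion` the mongot container image from `Spec.StatefulSetConfiguration` is consulted only when both `Spec.Version` and `operatorSearchConfig.SearchVersion` are empty. Whenever either is set, the unsupported-version check and the new `.status.version` are computed from the configured string, not from an image override. Whether the override actually replaces the image in the built StatefulSet is not visible in this hunk, but if it does, the status can name a version that differs from what is deployed, and an override to the unsupported version is not caught. At minimum I would document the precedence on the function, e.g. `// getMongotVersion returns Spec.Version, else the operator default, else the tag of an overridden mongot image; it does not inspect the image that is finally deployed.` The function body continues outside the hunk.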
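Review bot: `extractImageTag` drops everything from `@` onward and reports the tag, so for a reference of the form `name:tag@sha256:<digest>` it returns the tag even though the digest is what pins the image content. For a digest-only reference it returns an empty string, which `ValidateSearchImageVersion` accepts. The value that ends up in `.status.version` is therefore a label taken from configuration, and the helper's doc comment should say so, e.g. `// extractImageTag returns the tag of an image reference, or "" when there is no tag (including digest-only references); the tag is not verified against the image digest.`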
From 4aab7737a54e13f83f11ae54af3cfa2004b282a3 Mon Sep 17 00:00:00 2001 From: Anand Singh Date: Fri, 7 Nov 2025 14:10:22 +0100 Subject: [PATCH 2/6] use existing function --- .../operator/mongodbsearch_controller_test.go | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/controllers/operator/mongodbsearch_controller_test.go b/controllers/operator/mongodbsearch_controller_test.go index 19f29c575..22325dd42 100644 --- a/controllers/operator/mongodbsearch_controller_test.go +++ b/controllers/operator/mongodbsearch_controller_test.go @@ -204,7 +204,7 @@ func TestMongoDBSearchReconcile_Success(t *testing.T) { assert.NoError(t, err) assert.Equal(t, string(configYaml), cm.Data[searchcontroller.MongotConfigFilename]) - markStatefulSetReady(ctx, t, c, search.StatefulSetNamespacedName()) + assert.NoError(t, mock.MarkAllStatefulSetsAsReady(ctx, search.StatefulSetNamespacedName().Namespace, c)) res, err = reconciler.Reconcile( ctx, @@ -315,18 +315,3 @@ func TestMongoDBSearchReconcile_InvalidSearchImageVersion(t *testing.T) { }) } } - -func markStatefulSetReady(ctx context.Context, t *testing.T, c client.Client, name types.NamespacedName) { - t.Helper() - - sts := &appsv1.StatefulSet{} - assert.NoError(t, c.Get(ctx, name, sts)) - - sts.Status.UpdatedReplicas = 1 - sts.Status.ReadyReplicas = 1 - sts.Status.CurrentReplicas = 1 - sts.Status.Replicas = 1 - sts.Status.ObservedGeneration = sts.Generation - - assert.NoError(t, c.Status().Update(ctx, sts)) -} From 1a4435bba994aa2f20bbf8bd8c63771b6400bb8d Mon Sep 17 00:00:00 2001 
From: Anand Singh Date: Mon, 10 Nov 2025 10:07:34 +0100 Subject: [PATCH 3/6] lint fix --- .../mongodb-kubernetes-tests/kubetester/operator.py | 5 ++--- .../kubetester/opsmanager.py | 13 ++++++------- .../tests/multicluster/multi_cluster_clusterwide.py | 2 +- .../multi_cluster_recover_clusterwide.py | 2 +- .../multi_cluster_recover_network_partition.py | 2 +- .../vaultintegration/mongodb_deployment_vault.py | 2 +- .../tests/vaultintegration/om_backup_vault.py | 2 +- .../tests/vaultintegration/om_deployment_vault.py | 2 +- .../tests/vaultintegration/vault_tls.py | 2 +- 9 files changed, 15 insertions(+), 17 deletions(-) diff --git a/docker/mongodb-kubernetes-tests/kubetester/operator.py b/docker/mongodb-kubernetes-tests/kubetester/operator.py index e29175dcd..097f688b9 100644 --- a/docker/mongodb-kubernetes-tests/kubetester/operator.py +++ b/docker/mongodb-kubernetes-tests/kubetester/operator.py @@ -7,6 +7,7 @@ from kubernetes import client from kubernetes.client import V1CustomResourceDefinition, V1Deployment, V1Pod from kubernetes.client.rest import ApiException +from kubetester import wait_for_webhook from kubetester.create_or_replace_from_yaml import create_or_replace_from_yaml from kubetester.helm import ( helm_install, @@ -15,10 +16,8 @@ helm_uninstall, helm_upgrade, ) -from tests.constants import LOCAL_HELM_CHART_DIR - -from kubetester import wait_for_webhook from tests import test_logger +from tests.constants import LOCAL_HELM_CHART_DIR OPERATOR_CRDS = ( "mongodb.mongodb.com", diff --git a/docker/mongodb-kubernetes-tests/kubetester/opsmanager.py b/docker/mongodb-kubernetes-tests/kubetester/opsmanager.py index 51fea6f3b..0a463c839 100644 --- a/docker/mongodb-kubernetes-tests/kubetester/opsmanager.py +++ b/docker/mongodb-kubernetes-tests/kubetester/opsmanager.py 
@@ -10,6 +10,11 @@ import requests from kubeobject import CustomObject from kubernetes.client.rest import ApiException +from kubetester import ( + create_configmap, + create_or_update_secret, + read_secret, +) from kubetester.automation_config_tester import AutomationConfigTester from kubetester.kubetester import ( KubernetesTester, @@ -24,6 +29,7 @@ from kubetester.phase import Phase from opentelemetry import trace from requests.auth import HTTPDigestAuth +from tests import test_logger from tests.common.multicluster.multicluster_utils import ( multi_cluster_pod_names, multi_cluster_service_names, @@ -37,13 +43,6 @@ ) from tests.constants import LEGACY_CENTRAL_CLUSTER_NAME -from kubetester import ( - create_configmap, - create_or_update_secret, - read_secret, -) -from tests import test_logger - logger = test_logger.get_test_logger(__name__) TRACER = trace.get_tracer("evergreen-agent") diff --git a/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_clusterwide.py b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_clusterwide.py index 11f463e3b..bda9be3c2 100644 --- a/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_clusterwide.py +++ b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_clusterwide.py @@ -17,9 +17,9 @@ run_kube_config_creation_tool, ) +from ..constants import MULTI_CLUSTER_OPERATOR_NAME from . import prepare_multi_cluster_namespaces from .conftest import cluster_spec_list, create_namespace -from ..constants import MULTI_CLUSTER_OPERATOR_NAME @fixture(scope="module") diff --git a/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_recover_clusterwide.py b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_recover_clusterwide.py index fe0557a8b..31d4fb5a3 100644 --- a/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_recover_clusterwide.py +++ b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_recover_clusterwide.py 
@@ -27,10 +27,10 @@ run_multi_cluster_recovery_tool, ) +from ..constants import MULTI_CLUSTER_OPERATOR_NAME, OPERATOR_NAME from . import prepare_multi_cluster_namespaces from .conftest import cluster_spec_list, create_service_entries_objects from .multi_cluster_clusterwide import create_namespace -from ..constants import MULTI_CLUSTER_OPERATOR_NAME, OPERATOR_NAME FAILED_MEMBER_CLUSTER_NAME = "kind-e2e-cluster-3" diff --git a/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_recover_network_partition.py b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_recover_network_partition.py index 239b3d642..28b910efb 100644 --- a/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_recover_network_partition.py +++ b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_recover_network_partition.py @@ -15,8 +15,8 @@ run_multi_cluster_recovery_tool, ) -from .conftest import cluster_spec_list, create_service_entries_objects from ..constants import MULTI_CLUSTER_OPERATOR_NAME +from .conftest import cluster_spec_list, create_service_entries_objects FAILED_MEMBER_CLUSTER_NAME = "kind-e2e-cluster-3" RESOURCE_NAME = "multi-replica-set" diff --git a/docker/mongodb-kubernetes-tests/tests/vaultintegration/mongodb_deployment_vault.py b/docker/mongodb-kubernetes-tests/tests/vaultintegration/mongodb_deployment_vault.py index 63cda0c5b..7bf25d008 100644 --- a/docker/mongodb-kubernetes-tests/tests/vaultintegration/mongodb_deployment_vault.py +++ b/docker/mongodb-kubernetes-tests/tests/vaultintegration/mongodb_deployment_vault.py @@ -27,8 +27,8 @@ from kubetester.phase import Phase from pytest import fixture, mark -from . import run_command_in_vault, store_secret_in_vault from ..constants import DATABASE_SA_NAME, OPERATOR_NAME +from . import run_command_in_vault, store_secret_in_vault MDB_RESOURCE = "my-replica-set" 
diff --git a/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_backup_vault.py b/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_backup_vault.py index 3afb3eccb..4da91d515 100644 --- a/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_backup_vault.py +++ b/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_backup_vault.py @@ -24,7 +24,6 @@ from kubetester.phase import Phase from pytest import fixture, mark -from . import run_command_in_vault, store_secret_in_vault from ..constants import ( APPDB_SA_NAME, AWS_REGION, @@ -32,6 +31,7 @@ OM_SA_NAME, OPERATOR_NAME, ) +from . import run_command_in_vault, store_secret_in_vault OM_NAME = "om-basic" S3_RS_NAME = "my-mongodb-s3" diff --git a/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_deployment_vault.py b/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_deployment_vault.py index f14cebeaa..926232937 100644 --- a/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_deployment_vault.py +++ b/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_deployment_vault.py @@ -20,8 +20,8 @@ from kubetester.phase import Phase from pytest import fixture, mark -from . import run_command_in_vault, store_secret_in_vault from ..constants import APPDB_SA_NAME, OM_SA_NAME, OPERATOR_NAME +from . import run_command_in_vault, store_secret_in_vault OM_NAME = "om-basic" diff --git a/docker/mongodb-kubernetes-tests/tests/vaultintegration/vault_tls.py b/docker/mongodb-kubernetes-tests/tests/vaultintegration/vault_tls.py index a37ba9b45..ca4591887 100644 --- a/docker/mongodb-kubernetes-tests/tests/vaultintegration/vault_tls.py +++ b/docker/mongodb-kubernetes-tests/tests/vaultintegration/vault_tls.py 
@@ -12,8 +12,8 @@ from kubetester.phase import Phase from pytest import fixture, mark -from . import run_command_in_vault, store_secret_in_vault from ..constants import APPDB_SA_NAME, DATABASE_SA_NAME, OM_SA_NAME, OPERATOR_NAME +from . import run_command_in_vault, store_secret_in_vault MDB_RESOURCE = "my-replica-set" OM_NAME = "om-basic" From d67f603f8b3a9e6b7e58a19b39eda1fd44379b3a Mon Sep 17 00:00:00 2001 From: Anand Singh Date: Mon, 10 Nov 2025 12:19:12 +0100 Subject: [PATCH 4/6] remove extra merge changes --- ...1015_other_remove_legacy_search_coordinator_polyfill.md | 4 +--- changelog/20251027_other_cosign_version_upgrade.md | 5 +---- ...ature_update_mongodb_search_to_use_grpc_and_mtls_for.md | 7 +------ ...feature_mongodbsearch_mongodb_deployments_using_x509.md | 5 ++--- ...ure_mongodbsearch_updated_the_default_mongodbmongodb.md | 3 +-- 5 files changed, 6 insertions(+), 18 deletions(-) diff --git a/changelog/20251015_other_remove_legacy_search_coordinator_polyfill.md b/changelog/20251015_other_remove_legacy_search_coordinator_polyfill.md index 18d891f06..0616cc062 100644 --- a/changelog/20251015_other_remove_legacy_search_coordinator_polyfill.md +++ b/changelog/20251015_other_remove_legacy_search_coordinator_polyfill.md @@ -3,6 +3,4 @@ kind: other date: 2025-10-15 --- -* Simplified MongoDB Search setup: Removed the custom Search Coordinator polyfill (a piece of compatibility code - previously needed to add the required permissions), as MongoDB 8.2.0 and later now include the necessary permissions - via the built-in searchCoordinator role. +* Simplified MongoDB Search setup: Removed the custom Search Coordinator polyfill (a piece of compatibility code previously needed to add the required permissions), as MongoDB 8.2.0 and later now include the necessary permissions via the built-in searchCoordinator role. diff --git a/changelog/20251027_other_cosign_version_upgrade.md b/changelog/20251027_other_cosign_version_upgrade.md index 0e725d392..eca5bbc2f 100644 
--- a/changelog/20251027_other_cosign_version_upgrade.md +++ b/changelog/20251027_other_cosign_version_upgrade.md @@ -3,7 +3,4 @@ kind: other date: 2025-10-27 --- -* **kubectl-mongodb plugin**: `cosign`, the signing tool that is used to sign `kubectl-mongodb` plugin binaries, has - been updated to version `3.0.2`. With this change, released binaries will be bundled with `.bundle` files containing - both signature and certificate information. For more information on how to verify signatures using new `cosign` - version please refer to -> https://github.com/sigstore/cosign/blob/v3.0.2/doc/cosign_verify-blob.md +* **kubectl-mongodb plugin**: `cosign`, the signing tool that is used to sign `kubectl-mongodb` plugin binaries, has been updated to version `3.0.2`. With this change, released binaries will be bundled with `.bundle` files containing both signature and certificate information. For more information on how to verify signatures using new `cosign` version please refer to -> https://github.com/sigstore/cosign/blob/v3.0.2/doc/cosign_verify-blob.md diff --git a/changelog/20251030_feature_update_mongodb_search_to_use_grpc_and_mtls_for.md b/changelog/20251030_feature_update_mongodb_search_to_use_grpc_and_mtls_for.md index 171e0d696..1bcecd340 100644 --- a/changelog/20251030_feature_update_mongodb_search_to_use_grpc_and_mtls_for.md +++ b/changelog/20251030_feature_update_mongodb_search_to_use_grpc_and_mtls_for.md 
@@ -4,9 +4,4 @@ date: 2025-10-30 --- * **MongoDBSearch**: Switch to gRPC and mTLS for internal communication - Since MCK 1.4 the `mongod` and `mongot` processess communicated using the MongoDB Wire Protocol and used keyfile - authentication. This release switches that to gRPC with mTLS authentication. gRPC will allow for load-balancing search - queries against multiple `mongot` processes in the future, and mTLS decouples the internal cluster authentication mode - and credentials among `mongod` processes from the connection to the `mongot` process. The Operator will automatically - enable gRPC for existing and new workloads, and will enable mTLS authentication if both Database Server and - `MongoDBSearch` resource are configured for TLS. + Since MCK 1.4 the `mongod` and `mongot` processess communicated using the MongoDB Wire Protocol and used keyfile authentication. This release switches that to gRPC with mTLS authentication. gRPC will allow for load-balancing search queries against multiple `mongot` processes in the future, and mTLS decouples the internal cluster authentication mode and credentials among `mongod` processes from the connection to the `mongot` process. The Operator will automatically enable gRPC for existing and new workloads, and will enable mTLS authentication if both Database Server and `MongoDBSearch` resource are configured for TLS. \ No newline at end of file diff --git a/changelog/20251103_feature_mongodbsearch_mongodb_deployments_using_x509.md b/changelog/20251103_feature_mongodbsearch_mongodb_deployments_using_x509.md index 567543392..01362c4c0 100644 --- a/changelog/20251103_feature_mongodbsearch_mongodb_deployments_using_x509.md +++ b/changelog/20251103_feature_mongodbsearch_mongodb_deployments_using_x509.md 
@@ -3,6 +3,5 @@ kind: feature date: 2025-11-03 --- -* **MongoDBSearch**: MongoDB deployments using X509 internal cluster authentication are now supported. Previously - MongoDB Search required SCRAM authentication among members of a MongoDB replica set. Note: SCRAM client authentication - is still required, this change merely relaxes the requirements on internal cluster authentication. +* **MongoDBSearch**: MongoDB deployments using X509 internal cluster authentication are now supported. Previously MongoDB Search required SCRAM authentication among members of a MongoDB replica set. Note: SCRAM client authentication is still required, this change merely relaxes the requirements on internal cluster authentication. + diff --git a/changelog/20251106_feature_mongodbsearch_updated_the_default_mongodbmongodb.md b/changelog/20251106_feature_mongodbsearch_updated_the_default_mongodbmongodb.md index 410dd45c6..540075ffd 100644 --- a/changelog/20251106_feature_mongodbsearch_updated_the_default_mongodbmongodb.md +++ b/changelog/20251106_feature_mongodbsearch_updated_the_default_mongodbmongodb.md @@ -3,5 +3,4 @@ kind: feature date: 2025-11-06 --- -* **MongoDBSearch**: Updated the default `mongodb/mongodb-search` image version to 0.55.0. This is the version MCK uses - if `.spec.version` is not specified. +* **MongoDBSearch**: Updated the default `mongodb/mongodb-search` image version to 0.55.0. This is the version MCK uses if `.spec.version` is not specified. From 9c507670cafc4ce87f830a96e32098c0f50a53ed Mon Sep 17 00:00:00 2001 
From: Anand Singh Date: Mon, 10 Nov 2025 12:21:54 +0100 Subject: [PATCH 5/6] remove extra merge changes --- build_info.json | 4 +--- docker/mongodb-kubernetes-tests/kubetester/helm.py | 1 + .../fixtures/cluster-mongodb-role-without-empty-strings.yaml | 2 +- .../tests/authentication/mongodb_custom_roles.py | 2 -- .../multicluster_appdb_s3_based_backup_restore.py | 1 + .../upgrades/sharded_cluster_operator_upgrade_v1_27_to_mck.py | 3 ++- .../tests/vaultintegration/om_backup_vault.py | 2 +- .../tests/vaultintegration/om_deployment_vault.py | 2 +- .../tests/vaultintegration/vault_tls.py | 3 ++- scripts/release/build/build_scenario.py | 1 - 10 files changed, 10 insertions(+), 11 deletions(-) diff --git a/build_info.json b/build_info.json index b702816ae..21efc0bd3 100644 --- a/build_info.json +++ b/build_info.json @@ -185,9 +185,7 @@ ] }, "release": { - "repositories": [ - "268558157000.dkr.ecr.us-east-1.amazonaws.com/staging/mongodb-kubernetes-tests" - ], + "repositories": ["268558157000.dkr.ecr.us-east-1.amazonaws.com/staging/mongodb-kubernetes-tests"], "platforms": [ "linux/amd64" ] diff --git a/docker/mongodb-kubernetes-tests/kubetester/helm.py b/docker/mongodb-kubernetes-tests/kubetester/helm.py index 5d8be4d75..276e8ad51 100644 --- a/docker/mongodb-kubernetes-tests/kubetester/helm.py +++ b/docker/mongodb-kubernetes-tests/kubetester/helm.py @@ -1,4 +1,5 @@ import glob +import logging import os import re import subprocess diff --git a/docker/mongodb-kubernetes-tests/tests/authentication/fixtures/cluster-mongodb-role-without-empty-strings.yaml b/docker/mongodb-kubernetes-tests/tests/authentication/fixtures/cluster-mongodb-role-without-empty-strings.yaml index 3e5cf0931..2da1f5b7a 100644 --- a/docker/mongodb-kubernetes-tests/tests/authentication/fixtures/cluster-mongodb-role-without-empty-strings.yaml +++ b/docker/mongodb-kubernetes-tests/tests/authentication/fixtures/cluster-mongodb-role-without-empty-strings.yaml 
@@ -23,7 +23,7 @@ spec: - "update" - "insert" - "remove" - - resource: { } + - resource: {} actions: - "find" - resource: diff --git a/docker/mongodb-kubernetes-tests/tests/authentication/mongodb_custom_roles.py b/docker/mongodb-kubernetes-tests/tests/authentication/mongodb_custom_roles.py index 42fe2b3fd..9665e6169 100644 --- a/docker/mongodb-kubernetes-tests/tests/authentication/mongodb_custom_roles.py +++ b/docker/mongodb-kubernetes-tests/tests/authentication/mongodb_custom_roles.py @@ -73,8 +73,6 @@ def get_expected_role(role_name: str) -> dict: } ], } - - # fmt: on diff --git a/docker/mongodb-kubernetes-tests/tests/multicluster_appdb/multicluster_appdb_s3_based_backup_restore.py b/docker/mongodb-kubernetes-tests/tests/multicluster_appdb/multicluster_appdb_s3_based_backup_restore.py index daac6c8a8..0d573066c 100644 --- a/docker/mongodb-kubernetes-tests/tests/multicluster_appdb/multicluster_appdb_s3_based_backup_restore.py +++ b/docker/mongodb-kubernetes-tests/tests/multicluster_appdb/multicluster_appdb_s3_based_backup_restore.py @@ -11,6 +11,7 @@ from kubetester.omtester import OMTester from kubetester.opsmanager import MongoDBOpsManager from kubetester.phase import Phase +from pymongo.errors import ServerSelectionTimeoutError from pytest import fixture, mark from tests.common.constants import ( MONGODB_PORT, diff --git a/docker/mongodb-kubernetes-tests/tests/upgrades/sharded_cluster_operator_upgrade_v1_27_to_mck.py b/docker/mongodb-kubernetes-tests/tests/upgrades/sharded_cluster_operator_upgrade_v1_27_to_mck.py index 9360c104e..a6ce7cc04 100644 --- a/docker/mongodb-kubernetes-tests/tests/upgrades/sharded_cluster_operator_upgrade_v1_27_to_mck.py +++ b/docker/mongodb-kubernetes-tests/tests/upgrades/sharded_cluster_operator_upgrade_v1_27_to_mck.py 
@@ -1,7 +1,8 @@ -from typing import Dict +from typing import Dict, Optional import pytest from kubeobject import CustomObject +from kubernetes import client from kubetester import create_or_update_configmap, read_configmap from kubetester.certs import create_sharded_cluster_certs from kubetester.kubetester import ensure_nested_objects diff --git a/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_backup_vault.py b/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_backup_vault.py index 4da91d515..8c29f8751 100644 --- a/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_backup_vault.py +++ b/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_backup_vault.py @@ -31,7 +31,7 @@ OM_SA_NAME, OPERATOR_NAME, ) -from . import run_command_in_vault, store_secret_in_vault +from . import assert_secret_in_vault, run_command_in_vault, store_secret_in_vault OM_NAME = "om-basic" S3_RS_NAME = "my-mongodb-s3" diff --git a/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_deployment_vault.py b/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_deployment_vault.py index 926232937..422217047 100644 --- a/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_deployment_vault.py +++ b/docker/mongodb-kubernetes-tests/tests/vaultintegration/om_deployment_vault.py @@ -21,7 +21,7 @@ from pytest import fixture, mark from ..constants import APPDB_SA_NAME, OM_SA_NAME, OPERATOR_NAME -from . import run_command_in_vault, store_secret_in_vault +from . import assert_secret_in_vault, run_command_in_vault, store_secret_in_vault OM_NAME = "om-basic" diff --git a/docker/mongodb-kubernetes-tests/tests/vaultintegration/vault_tls.py b/docker/mongodb-kubernetes-tests/tests/vaultintegration/vault_tls.py index ca4591887..c933a7ead 100644 --- a/docker/mongodb-kubernetes-tests/tests/vaultintegration/vault_tls.py +++ b/docker/mongodb-kubernetes-tests/tests/vaultintegration/vault_tls.py 
@@ -1,6 +1,7 @@ from typing import Optional from kubernetes import client +from kubernetes.client import V1ConfigMap from kubetester import create_secret, delete_secret, get_statefulset, read_secret from kubetester.certs import Certificate from kubetester.kubetester import KubernetesTester @@ -13,7 +14,7 @@ from pytest import fixture, mark from ..constants import APPDB_SA_NAME, DATABASE_SA_NAME, OM_SA_NAME, OPERATOR_NAME -from . import run_command_in_vault, store_secret_in_vault +from . import assert_secret_in_vault, run_command_in_vault, store_secret_in_vault MDB_RESOURCE = "my-replica-set" OM_NAME = "om-basic" diff --git a/scripts/release/build/build_scenario.py b/scripts/release/build/build_scenario.py index 606a9a9ba..99760ea89 100644 --- a/scripts/release/build/build_scenario.py +++ b/scripts/release/build/build_scenario.py @@ -6,5 +6,4 @@ class BuildScenario(StrEnum): STAGING = "staging" # CI build from a merge to the master DEVELOPMENT = "development" # Local build on a developer machine - SUPPORTED_SCENARIOS = supported_scenarios = list(BuildScenario) From 3aa9cfbe4fd2599c9348044855a04451b45e40d8 Mon Sep 17 00:00:00 2001 From: Anand Singh Date: Mon, 10 Nov 2025 12:24:00 +0100 Subject: [PATCH 6/6] remove extraneous changes --- .../mongodbsearch_reconcile_helper.go | 64 ------------------- 1 file changed, 64 deletions(-) diff --git a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go index 3432502cd..e1926b80f 100644 --- a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go +++ b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go @@ -7,7 +7,6 @@ import ( "fmt" "strings" - "github.com/blang/semver" "github.com/ghodss/yaml" "go.uber.org/zap" "golang.org/x/xerrors" 
@@ -22,7 +21,6 @@ import ( apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - mdbv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdb" searchv1 "github.com/mongodb/mongodb-kubernetes/api/v1/search" "github.com/mongodb/mongodb-kubernetes/controllers/operator/workflow" "github.com/mongodb/mongodb-kubernetes/mongodb-community-operator/pkg/automationconfig" 
@@ -503,65 +501,3 @@ func extractImageTag(image string) string { return "" } - -func SearchCoordinatorRole() mdbv1.MongoDBRole { - // direct translation of https://github.com/10gen/mongo/blob/6f8d95a513eea8f91ea9f5d895dd8a288dfcf725/src/mongo/db/auth/builtin_roles.yml#L652 - return mdbv1.MongoDBRole{ - Role: "searchCoordinator", - Db: "admin", - Roles: []mdbv1.InheritedRole{ - { - Role: "clusterMonitor", - Db: "admin", - }, - { - Role: "directShardOperations", - Db: "admin", - }, - { - Role: "readAnyDatabase", - Db: "admin", - }, - }, - Privileges: []mdbv1.Privilege{ - { - Resource: mdbv1.Resource{ - Db: "__mdb_internal_search", - }, - Actions: []string{ - "changeStream", "collStats", "dbHash", "dbStats", "find", - "killCursors", "listCollections", "listIndexes", "listSearchIndexes", - // performRawDataOperations is available only on mongod master - // "performRawDataOperations", - "planCacheRead", "cleanupStructuredEncryptionData", - "compactStructuredEncryptionData", "convertToCapped", "createCollection", - "createIndex", "createSearchIndexes", "dropCollection", "dropIndex", - "dropSearchIndex", "insert", "remove", "renameCollectionSameDB", - "update", "updateSearchIndex", - }, - }, - // TODO: this causes the error "(BadValue) resource: {cluster: true} conflicts with resource type 'db'" - // { - // Resource: mdbv1.Resource{ - // Cluster: ptr.To(true), - // }, - // Actions: []string{"bypassDefaultMaxTimeMS"}, - // }, - }, - AuthenticationRestrictions: nil, - } -} - -// Because the first Search Public Preview support MongoDB Server 8.0.10 we need to polyfill the searchCoordinator role -// TODO: Remove once we drop support for <8.2 in Search -func NeedsSearchCoordinatorRolePolyfill(mongodbVersion string) bool { - version, err := semver.ParseTolerant(mongodbVersion) - if err != nil { - // if we can't determine the version, assume no need to polyfill - return false - } - - // 8.0.10+ and 8.1.x need the polyfill, anything older is not supported and execution will never 
reach here, - // and anything newer already has the role built-in - return version.Major == 8 && version.Minor < 2 -}