Disallow TLS disabling by checking last successful saved configuration (#206)

Rodrigo Valin · web-flow · commit 8bc4d07f3673 · 2020-10-01T12:07:25.000+01:00
diff --git a/pkg/controller/mongodb/replica_set_controller.go b/pkg/controller/mongodb/replica_set_controller.go
@@ -24,6 +24,7 @@ import (
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/authentication/scram"
 	"github.com/stretchr/objx"
 
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/controller/validation"
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/controller/watch"
 
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/kube/persistentvolumeclaim"
@@ -82,7 +83,8 @@ const (
 
 	// lastVersionAnnotationKey should indicate which version of MongoDB was last
 	// configured
-	lastVersionAnnotationKey = "mongodb.com/v1.lastVersion"
+	lastVersionAnnotationKey    = "mongodb.com/v1.lastVersion"
+	lastSuccessfulConfiguration = "mongodb.com/v1.lastSuccessfulConfiguration"
 	// tlsRolledOutAnnotationKey indicates if TLS has been fully rolled out
 	tlsRolledOutAnnotationKey      = "mongodb.com/v1.tlsRolledOut"
 	hasLeftReadyStateAnnotationKey = "mongodb.com/v1.hasLeftReadyStateAnnotationKey"
@@ -181,6 +183,15 @@ func (r *ReplicaSetReconciler) Reconcile(request reconcile.Request) (reconcile.R
 	r.log = zap.S().With("ReplicaSet", request.NamespacedName)
 	r.log.Infow("Reconciling MongoDB", "MongoDB.Spec", mdb.Spec, "MongoDB.Status", mdb.Status)
 
+	r.log.Debug("Validating MongoDB.Spec")
+	if err := r.validateUpdate(mdb); err != nil {
+		return status.Update(r.client.Status(), &mdb,
+			statusOptions().
+				withMessage(Error, fmt.Sprintf("error validating new Spec: %s", err)).
+				withFailedPhase(),
+		)
+	}
+
 	r.log.Debug("Ensuring Automation Config for deployment")
 	if err := r.ensureAutomationConfig(mdb); err != nil {
 		return status.Update(r.client.Status(), &mdb,
@@ -290,7 +301,6 @@ func (r *ReplicaSetReconciler) Reconcile(request reconcile.Request) (reconcile.R
 	}
 
 	r.log.Debug("Setting MongoDB Annotations")
-
 	annotations := map[string]string{
 		lastVersionAnnotationKey:       mdb.Spec.Version,
 		hasLeftReadyStateAnnotationKey: "false",
@@ -331,12 +341,15 @@ func (r *ReplicaSetReconciler) Reconcile(request reconcile.Request) (reconcile.R
 			withMessage(None, "").
 			withRunningPhase(),
 	)
-
 	if err != nil {
 		r.log.Errorf("Error updating the status of the MongoDB resource: %s", err)
 		return res, err
 	}
 
+	if err := r.updateCurrentSpecAnnotation(mdb); err != nil {
+		r.log.Errorf("Could not save current state as an annotation: %s", err)
+	}
+
 	if res.RequeueAfter > 0 || res.Requeue {
 		r.log.Infow("Requeuing reconciliation", "MongoDB.Spec:", mdb.Spec, "MongoDB.Status:", mdb.Status)
 		return res, nil
@@ -537,6 +550,25 @@ func getCurrentAutomationConfig(getUpdater secret.GetUpdater, mdb mdbv1.MongoDB)
 	return currentAc, nil
 }
 
+// validateUpdate validates that the new Spec, corresponding to the existing one
+// is still valid. If there is no a previous Spec, then the function assumes this is
+// the first version of the MongoDB resource and skips.
+func (r ReplicaSetReconciler) validateUpdate(mdb mdbv1.MongoDB) error {
+	lastSuccessfulConfigurationSaved, ok := mdb.Annotations[lastSuccessfulConfiguration]
+	if !ok {
+		// First version of Spec, no need to validate
+		return nil
+	}
+
+	prevSpec := mdbv1.MongoDBSpec{}
+	err := json.Unmarshal([]byte(lastSuccessfulConfigurationSaved), &prevSpec)
+	if err != nil {
+		return err
+	}
+
+	return validation.Validate(prevSpec, mdb.Spec)
+}
+
 func (r ReplicaSetReconciler) buildAutomationConfigSecret(mdb mdbv1.MongoDB) (corev1.Secret, error) {
 
 	manifest, err := r.manifestProvider()
@@ -581,6 +613,18 @@ func (r ReplicaSetReconciler) buildAutomationConfigSecret(mdb mdbv1.MongoDB) (co
 		Build(), nil
 }
 
+func (r ReplicaSetReconciler) updateCurrentSpecAnnotation(mdb mdbv1.MongoDB) error {
+	currentSpec, err := json.Marshal(mdb.Spec)
+	if err != nil {
+		return err
+	}
+
+	annotations := map[string]string{
+		lastSuccessfulConfiguration: string(currentSpec),
+	}
+	return r.setAnnotations(mdb.NamespacedName(), annotations)
+}
+
 // getMongodConfigModification will merge the additional configuration in the CRD
 // into the configuration set up by the operator.
 func getMongodConfigModification(mdb mdbv1.MongoDB) automationconfig.Modification {
diff --git a/pkg/controller/validation/validation.go b/pkg/controller/validation/validation.go
@@ -0,0 +1,14 @@
+package validation
+
+import (
+	mdbv1 "github.com/mongodb/mongodb-kubernetes-operator/pkg/apis/mongodb/v1"
+	"github.com/pkg/errors"
+)
+
+func Validate(oldSpec, newSpec mdbv1.MongoDBSpec) error {
+	if oldSpec.Security.TLS.Enabled && !newSpec.Security.TLS.Enabled {
+		return errors.New("TLS can't be set to disabled after it has been enabled")
+	}
+
+	return nil
+}
diff --git a/test/e2e/mongodbtests/mongodbtests.go b/test/e2e/mongodbtests/mongodbtests.go
@@ -100,6 +100,17 @@ func MongoDBReachesRunningPhase(mdb *mdbv1.MongoDB) func(t *testing.T) {
 	}
 }
 
+// MongoDBReachesFailed ensure the MongoDB resource reaches the Failed phase.
+func MongoDBReachesFailedPhase(mdb *mdbv1.MongoDB) func(t *testing.T) {
+	return func(t *testing.T) {
+		err := e2eutil.WaitForMongoDBToReachPhase(t, mdb, mdbv1.Failed, time.Second*15, time.Minute*5)
+		if err != nil {
+			t.Fatal(err)
+		}
+		t.Logf("MongoDB %s/%s is in Failed state!", mdb.Namespace, mdb.Name)
+	}
+}
+
 func AutomationConfigSecretExists(mdb *mdbv1.MongoDB) func(t *testing.T) {
 	return func(t *testing.T) {
 		s, err := e2eutil.WaitForSecretToExist(mdb.AutomationConfigSecretName(), time.Second*5, time.Minute*1)
@@ -209,6 +220,29 @@ func Scale(mdb *mdbv1.MongoDB, newMembers int) func(*testing.T) {
 	}
 }
 
+// DisableTLS changes the tls.enabled attribute to false.
+func DisableTLS(mdb *mdbv1.MongoDB) func(*testing.T) {
+	return tls(mdb, false)
+}
+
+// EnableTLS changes the tls.enabled attribute to true.
+func EnableTLS(mdb *mdbv1.MongoDB) func(*testing.T) {
+	return tls(mdb, true)
+}
+
+// tls function configures the security.tls.enabled attribute.
+func tls(mdb *mdbv1.MongoDB, enabled bool) func(*testing.T) {
+	return func(t *testing.T) {
+		t.Logf("Setting security.tls.enabled to %t", enabled)
+		err := e2eutil.UpdateMongoDBResource(mdb, func(db *mdbv1.MongoDB) {
+			db.Spec.Security.TLS.Enabled = enabled
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+}
+
 func ChangeVersion(mdb *mdbv1.MongoDB, newVersion string) func(*testing.T) {
 	return func(t *testing.T) {
 		t.Logf("Changing versions from: %s to %s", mdb.Spec.Version, newVersion)
diff --git a/test/e2e/replica_set_tls/replica_set_tls_test.go b/test/e2e/replica_set_tls/replica_set_tls_test.go
@@ -44,4 +44,8 @@ func TestReplicaSetTLS(t *testing.T) {
 	t.Run("Test Basic TLS Connectivity", tester.ConnectivitySucceeds(WithTls()))
 	t.Run("Test TLS required", tester.ConnectivityFails(WithoutTls()))
 	t.Run("Ensure Authentication", tester.EnsureAuthenticationIsConfigured(3, WithTls()))
+	t.Run("TLS is disabled", mongodbtests.DisableTLS(&mdb))
+	t.Run("MongoDB Reaches Failed Phase", mongodbtests.MongoDBReachesFailedPhase(&mdb))
+	t.Run("TLS is enabled", mongodbtests.EnableTLS(&mdb))
+	t.Run("MongoDB Reaches Running Phase", mongodbtests.MongoDBReachesRunningPhase(&mdb))
 }

Original file line number	Diff line number	Diff line change
`@@ -44,4 +44,8 @@ func TestReplicaSetTLS(t *testing.T) {`
`44`	`44`	`t.Run("Test Basic TLS Connectivity", tester.ConnectivitySucceeds(WithTls()))`
`45`	`45`	`t.Run("Test TLS required", tester.ConnectivityFails(WithoutTls()))`
`46`	`46`	`t.Run("Ensure Authentication", tester.EnsureAuthenticationIsConfigured(3, WithTls()))`
	`47`	`+ t.Run("TLS is disabled", mongodbtests.DisableTLS(&mdb))`
	`48`	`+ t.Run("MongoDB Reaches Failed Phase", mongodbtests.MongoDBReachesFailedPhase(&mdb))`
	`49`	`+ t.Run("TLS is enabled", mongodbtests.EnableTLS(&mdb))`
	`50`	`+ t.Run("MongoDB Reaches Running Phase", mongodbtests.MongoDBReachesRunningPhase(&mdb))`
`47`	`51`	`}`