mongodb · slaskawi · Oct 21, 2022 · Sep 17, 2022 · Oct 3, 2022 · Oct 5, 2022
@@ -162,14 +162,19 @@ func getCaCrt(cmGetter configmap.Getter, secretGetter secret.Getter, mdb mdbv1.M
 	if mdb.Spec.Security.TLS.CaCertificateSecret != nil {
 		caResourceName = mdb.TLSCaCertificateSecretNamespacedName()
 		caData, err = secret.ReadStringData(secretGetter, caResourceName)
-	} else {
+	} else if mdb.Spec.Security.TLS.CaConfigMap != nil {
 		caResourceName = mdb.TLSConfigMapNamespacedName()
 		caData, err = configmap.ReadData(cmGetter, caResourceName)
 	}
+
 	if err != nil {
 		return "", err
 	}
 
+	if caData == nil {
+		return "", fmt.Errorf("TLS field requires a reference to the CA certificate which signed the server certificates. Neither secret (field caCertificateSecretRef) not configMap (field CaConfigMap) reference present")
+	}
+
 	if cert, ok := caData[tlsCACertName]; !ok || cert == "" {
 		return "", fmt.Errorf(`CA certificate resource "%s" should have a CA certificate in field "%s"`, caResourceName, tlsCACertName)
 	} else {

@@ -328,7 +328,69 @@ func TestPemSupport(t *testing.T) {
 		err = r.ensureTLSResources(mdb)
 		assert.Error(t, err)
 		assert.Contains(t, err.Error(), `if all of "tls.crt", "tls.key" and "tls.pem" are present in the secret, the entry for "tls.pem" must be equal to the concatenation of "tls.crt" with "tls.key"`)
+	})
+}
+
+func TestTLSConfig_ReferencesToCACertAreValidated(t *testing.T) {
+	t.Run("Success if reference to CA cert provided via secret", func(t *testing.T) {
+		mdb := newTestReplicaSetWithTLSCaCertificateReferences(&mdbv1.LocalObjectReference{
+			Name: "certificateKeySecret"}, nil)
+
+		mgr := kubeClient.NewManager(&mdb)
+		cli := mdbClient.NewClient(mgr.GetClient())
+		err := createTLSSecret(cli, mdb, "CERT", "KEY", "")
+
+		assert.NoError(t, err)
+
+		r := NewReconciler(mgr)
+
+		_, err = r.validateTLSConfig(mdb)
+		assert.Nil(t, err)
+	})
+	t.Run("Success if reference to CA cert provided via config map", func(t *testing.T) {
+		mdb := newTestReplicaSetWithTLSCaCertificateReferences(nil, &mdbv1.LocalObjectReference{
+			Name: "caConfigMap"})
+
+		mgr := kubeClient.NewManager(&mdb)
+		cli := mdbClient.NewClient(mgr.GetClient())
+		err := createTLSSecret(cli, mdb, "CERT", "KEY", "")
+
+		assert.NoError(t, err)
+
+		r := NewReconciler(mgr)
 
+		_, err = r.validateTLSConfig(mdb)
+		assert.Nil(t, err)
+	})
+	t.Run("Succes if reference to CA cert provided both via secret and configMap", func(t *testing.T) {
+		mdb := newTestReplicaSetWithTLSCaCertificateReferences(&mdbv1.LocalObjectReference{
+			Name: "certificateKeySecret"}, &mdbv1.LocalObjectReference{
+			Name: "caConfigMap"})
+		mgr := kubeClient.NewManager(&mdb)
+		cli := mdbClient.NewClient(mgr.GetClient())
+		err := createTLSSecret(cli, mdb, "CERT", "KEY", "")
+
+		assert.NoError(t, err)
+
+		r := NewReconciler(mgr)
+
+		_, err = r.validateTLSConfig(mdb)
+		assert.Nil(t, err)
+	})
+	t.Run("Failure if reference to CA cert is missing", func(t *testing.T) {
+		mdb := newTestReplicaSetWithTLSCaCertificateReferences(nil, nil)
+
+		mgr := kubeClient.NewManager(&mdb)
+		cli := mdbClient.NewClient(mgr.GetClient())
+		err := createTLSSecret(cli, mdb, "CERT", "KEY", "")
+
+		assert.NoError(t, err)
+
+		r := NewReconciler(mgr)
+
+		_, err = r.validateTLSConfig(mdb)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "TLS field requires a reference to the CA certificate which signed the server certificates. Neither secret (field caCertificateSecretRef) not configMap (field CaConfigMap) reference present")
 	})
 }
 

@@ -73,7 +73,6 @@ func NewReconciler(mgr manager.Manager) *ReplicaSetReconciler {
 	mgrClient := mgr.GetClient()
 	secretWatcher := watch.New()
 	configMapWatcher := watch.New()
-
 	return &ReplicaSetReconciler{
 		client:           kubernetesClient.NewClient(mgrClient),
 		scheme:           mgr.GetScheme(),

@@ -87,6 +87,15 @@ func newScramReplicaSet(users ...mdbv1.MongoDBUser) mdbv1.MongoDBCommunity {
 }
 
 func newTestReplicaSetWithTLS() mdbv1.MongoDBCommunity {
+	return newTestReplicaSetWithTLSCaCertificateReferences(&mdbv1.LocalObjectReference{
+		Name: "caConfigMap",
+	},
+		&mdbv1.LocalObjectReference{
+			Name: "certificateKeySecret",
+		})
+}
+
+func newTestReplicaSetWithTLSCaCertificateReferences(caConfigMap, caCertificateSecret *mdbv1.LocalObjectReference) mdbv1.MongoDBCommunity {
 	return mdbv1.MongoDBCommunity{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        "my-rs",
@@ -101,10 +110,9 @@ func newTestReplicaSetWithTLS() mdbv1.MongoDBCommunity {
 					Modes: []mdbv1.AuthMode{"SCRAM"},
 				},
 				TLS: mdbv1.TLS{
-					Enabled: true,
-					CaConfigMap: &mdbv1.LocalObjectReference{
-						Name: "caConfigMap",
-					},
+					Enabled:             true,
+					CaConfigMap:         caConfigMap,
+					CaCertificateSecret: caCertificateSecret,
 					CertificateKeySecret: mdbv1.LocalObjectReference{
 						Name: "certificateKeySecret",
 					},