Proposal
The Operator will create an SSL certificate when there is no user-provided SSL certificate.
https://github.com/percona/percona-server-mongodb-operator/blob/v1.18.0/pkg/controller/perconaservermongodb/ssl.go#L84-L101
But sometimes we may lose the AWS Secret that provides the SSL certificates, in situations like the following:
Lost access privileges during an EKS upgrade (sometimes) or another maintenance task
Deleted the AWS Secret through a user's operational mistake
...
At this time, the Operator creates a manual certificate or cert-manager's automatic certificates and restarts all mongodb pods to apply the new certificates. Then applications cannot access mongodb because the CA certificate does not match.
Usually the Operator manages a lot of mongodb clusters, so this side effect affects too many mongodb clusters.
I think this is too risky for a production mongodb cluster. The same goes for the user secret (because we manage users and ssl & sslInternal via AWS Secret).
So I suggest that the CRD support a property to control whether to ENABLE or DISABLE CREATING A NEW SSL CERTIFICATE AUTOMATICALLY.
Use-Case
Even if the operator cannot fetch the AWS secret,
the Operator will not deploy a newly auto-created SSL certificate and will keep the previous user-created one.
So applications can access the mongodb server.
And after the issue is found, the DBA can make the operator able to access the AWS secret again without any service issues.
Is this a feature you are interested in implementing yourself?
Maybe
Anything else?
Thanks for percona-server-mongodb-operator.
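The failure mode described in the issue is a CA mismatch: once the operator regenerates certificates from a fresh CA, the server presents a certificate that applications, still carrying the original CA bundle, refuse. The Go program below is an added example written for this page; it is not code from the issue author or from percona-server-mongodb-operator. It builds the scenario in memory (a user-provided CA and its server certificate, then a second CA standing in for an auto-generated one) and runs the check a DBA would want before restarting pods: does the certificate in the cluster's TLS secret still chain to the CA that applications trust? The function and constant names (`ChainsToTrustedCA`, `Fixtures`, `Host`) and the host name are assumptions made here; the secret key names `tls.crt` and `ca.crt` are the standard Kubernetes TLS secret keys and are only referenced in comments.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Host is a hypothetical replica-set service name used as the certificate SAN.
const Host = "my-cluster-rs0.psmdb.svc.cluster.local"

// ChainsToTrustedCA reports whether serverPEM (what a cluster's TLS secret stores
// under tls.crt) verifies for dnsName against caPEM, the CA bundle (ca.crt) that
// applications were given when the user-provided certificates were deployed.
// A certificate issued by a CA absent from the bundle, such as one the operator
// auto-generated after the original secret disappeared, yields (false, nil).
// Malformed input or any other verification failure is returned as an error.
func ChainsToTrustedCA(serverPEM, caPEM []byte, dnsName string) (bool, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return false, errors.New("CA bundle contains no certificates")
	}
	block, _ := pem.Decode(serverPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("server certificate is not a PEM CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknownCA x509.UnknownAuthorityError
	if errors.As(err, &unknownCA) {
		return false, nil // signed by a CA the applications do not trust
	}
	return err == nil, err
}

// newCA creates a self-signed CA (constructed test fixture, not operator code).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return ca, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// issueServerCert issues a server leaf for dnsName signed by the given CA.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Fixtures models the incident from the issue: the user-provided CA that applications
// trust, the server cert issued from it, and a server cert from a fresh CA that stands
// in for the one the operator would auto-generate once the original secret is gone.
func Fixtures() (trustedCAPEM, oldServerPEM, rotatedServerPEM []byte, err error) {
	userCA, userKey, trustedCAPEM, err := newCA("user-provided-ca")
	if err != nil {
		return nil, nil, nil, err
	}
	oldServerPEM, err = issueServerCert(userCA, userKey, Host)
	if err != nil {
		return nil, nil, nil, err
	}
	autoCA, autoKey, _, err := newCA("operator-auto-generated-ca")
	if err != nil {
		return nil, nil, nil, err
	}
	rotatedServerPEM, err = issueServerCert(autoCA, autoKey, Host)
	return trustedCAPEM, oldServerPEM, rotatedServerPEM, err
}

func main() {
	caPEM, oldPEM, newPEM, err := Fixtures()
	if err != nil {
		panic(err)
	}
	ok, err := ChainsToTrustedCA(oldPEM, caPEM, Host)
	fmt.Println("user-provided cert against app CA bundle:", ok, err)
	ok, err = ChainsToTrustedCA(newPEM, caPEM, Host)
	fmt.Println("auto-generated cert against app CA bundle:", ok, err)
}
```

In a real cluster the two inputs would be the `tls.crt` from the secret the operator is about to deploy and the `ca.crt` bundle that applications already carry; a `false` result is exactly the outage the issue describes, and it is cheaper to detect before the pods restart than after.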