-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bitnami/mongodb] Enabling TLS using a custom certificate runs into multiple issues. - user creation / current_primary detection / all probes #16719
Comments
My apologies for the rambling length of the issue. I will attempt to edit it down if I have time. |
Hi @dtrts, Thank you very much for reporting this issue and for all the details you provided in the issue description. There is no need to edit and reduce the length of the issue, I think all the information and examples you provided are helpful. I see you put a lot of thought into the issues you encountered in your use case and that you already got to the technical part of the issue. Would you like to contribute with a PR? Otherwise, I will need to move this issue to |
Hi @migruiz4 I have made one PR to enable the configuration of the localhost name during set up: bitnami/containers#34297 I will look at creating a PR for the chart depending on how that PR is received. Will there be any issues with the chart requiring a change in the scripts embedded on the image? |
I've started to look at a PR for these issues and I'm not sure where to start. I notice in the Redis chart a similar issue has been addressed: #8570 This specifically implements options for handling ExternalDNS. This aligns with my current issue and if implemented would give me a great way to solve the above. I can supply the domain suffix to the external DNS options, it would be used to generate the FQDNs in the This approach is specifically geared toward the usage of external DNS, which even though it is a popular option does limit more custom setups. If a user specifies a LoadBalancer service with IPs, or a ClusterIP service and they manage the DNS routing themselves, then they would still run into issues with the TLS certificates I imagine. The other approach is to just provide a list of external domains / an external domain which can get formatted. I think it is also worth noting the hidden node only registers with the initial primary host. If the |
Another thing I don't fully understand is the headless service. Would that ever be used as a way to connect to the pods through a custom DNS address? If we are providing an external access service, and ensuring that all connections are made through that connection string, are we able to disable the headless service? |
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback. |
Bump. I've been unable to find the time to contribute, would it be possible to create an internal task so that these issues don't get lost? We currently have production workarounds in place, but it ould be difficult to translate them to permanent changes I think. |
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback. |
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary. |
Hi, |
We have this issue - related: #16341 (comment) What we do is:
This process only has run on the initial install. It's really not ideal but it was the best solution I could come up with without sinking a tonne of dev time into the chart. Hopefully someone else has time to fix this. |
Name and Version
bitnami/mongodb 13.9.4
What architecture are you using?
amd64
What steps will reproduce the bug?
*.mongodb.example.com
requireTLS
.a) The root users are unable to be created during the startup
b) New nodes are unable to register with the primary host
c) The probes fail to run commands
d) The metrics server is unable to connect to
mongod
The certificate cannot have
127.0.0.1
,localhost
or any of the k8s domains on there.Are you using any custom parameters or values?
SIDE NOTE: We have enabled autodiscovery to mount the
/shared
volume and populateinfo.txt
.Our in use DNS address does not match the value returned by the autoDiscovery script since we are using the external-dns won AWS.
Our FQDN is
releasename-0.mongodb.example.com
and autoDiscovery returns the AWS load balancer address.If we switch auto-discovery off then the
MONGODB_ADVERTISED_HOSTNAME
reverts to the loadbalancer IPs which we do not want.What is the expected behavior?
The mongodb database initializes correctly:
The probes are able to connect to mongod using tls
The metrics server connects to mongod using tls
What do you see instead?
mongosh
time out since the TLS requirements are not met.Additional information
We have implemented significant workarounds to get the chart working. I think these are good candidates for being included in the Chart (and additionally the Container)
Below I will describe the various points where the restrictions
Current Primary / Mongodb Advertised Hostname / Mongodb Initial Primary Host.
Description
The
MONGODB_ADVERTISED_HOSTNAME
envar is populated throughautoDiscovery.sh
and takes a default through the container envvars. It is used as the hostname when configuring the replica set and also used to compare against the hostname returned from an existing replica set to verify if the current node is a primary.The
MONGODB_INITIAL_PRIMARY_HOST
env var is used as the host when configuring a new secondary node onto an existing replicaset.The
current_primary
variable is used in thesetup.sh
script and populated through a mongosh function. The chart only uses the hostnames for the headless service.The environment variables can be overwritten through the chart
extraEnvVars:
but this is not sufficient.MONGODB_ADVERTISED_HOSTNAME
is overwritten in thesetup.sh
script, either through the autoDiscover.sh initi container or using other details for the load balancer.Issues
All three of these variables cause issues with our TLS set-up.
The current_primary node is unable to be found. The replicaset configuration is unable to be set, and even if it was able to connect a hostname would be added which would also fail TLS.
Workaround
First we override the environment variables with our domain name:
This sets the defaults to use our Valid Domain name and will ensure that the replicaset config can be done.
We alter the
args:
of the container to run a preparatory script. This script runs first to perform some small changes, it also change the/scripts/setup.sh
file, before running the altered scriptThe preparatory script first inserts our Valid FQDN for that pod into the response from the initContainer.
Next it takes
/scripts/setip.sh
and replaces the connection string for thecurrent_primary
variable with our preferred host list.NOTE: This requires us to mount an additional emptyDir volume since we cannot alter the script in place
We can now run
/alteredScripts/setup.sh
or/alteredScripts/setup-hidden.sh
as required.We have alsorequired a wait to ensure the hostnames we want to reach are ready.
This waits for 3 minutes, if It still fails the pod stops and restarts.
We have increased the startupProdeDelay by 2 minutes to avoid a CrashLoopBackoff from slowing down the startup.
(Perhaps a better balance can be found between the wait in the pod and the risk of triggering a long
crashLoopBackoff
?)BONUS FEATURE - Attach to existing replicaSet
In our prep script we have also added an option to completely overwrite the connection string for current_primary using a hardcoded string from the values.
Ensuring that the replicaset name, key and connection string match an existing replicaset it will deploy all nodes as secondaries for that replica set.
We are using this for migration purposes.
Once the data has been synced we can move the primary to the cluster, update our connection strings, remove the additional value and destroy the old nodes.
Suggested Chart Changes
To implement similar in the chart some / all of these changes could be made:
The environment variable override is working well, some way of tieing these changes together and avoiding bad combinations would be good to find.
TLS Connection over 127.0.0.1
Description
The
libmongodb.sh
script runs commands against localhost (127.0.0.1
) during initialization. These operations createall the users and importantly configure the connection to a replicaset.Issues
All these commands fail through TLS unless
127.0.0.1
is part of the certificate. (Uncommon for external certificates)Workaround
During setup the mongod server is bound to the localhost IP.
There are two options with this work around:
127.0.0.1
using a domain in the certificatemongodb.conf
to bind all ips before the first timemongod
is started allowing connections from outside the pod.We preferred option 1.
Workaround 1
First add a
localhost.mongodb.example.com
domain to our certificate and route that domain to127.0.0.1
We add another step to the prepatory script described above to alters the
libmongodb.sh
file.This file can be altered in place and then you can continue as normal!
Workaround 2:
Similar to the workaround 1 we replace the
127.0.0.1
in libmongo, this time with the advertised hostname.Since this will resolve to an external IP we also need to enable bindAll Ips before mongod start.
Something like:
There is a risk that a bad actor will come along and create a root user before you can since the server is now exposed, but it is minimal.
Suggested Chart Changes
The fix for this will require a change to the scripts in the container.
127.0.0.1
in the libmongo.sh script. (MONGODB_LOCALHOST_NAME
?)It could also be done to ensure that this host only resolves to 127.0.0.1, or use the chart to set it as a default hostalias.
Probes don't work
Description
The probes connect with the TLS options, but do not specify a hostname which defaults to
127.0.0.1
.Workaround
This issue has forced me to provide custom probes which are only altered to provide the hostname of
MONGODB_ADVERTISED_HOSTNAME
We could also use
MONGODB_LOCALHOST_NAME
/localhost.mongodb.example.com
if it is available through the TLS certificate and configured in thehostAliases
.This has the benefit of routing traffic internally, so it is directly checking on the pod health and not implicitly checking network connectivity.
Metrics Cant Connect
Description
The metrics sidecar by default uses the
localhost
as the host in the connection string.The metrics sidecar is unable to connect to mongod as it fails the tls check
Workaround
I have manually defined the args for the side car to use localhost.mongodb.example.com.
Suggested Chart Changes
Having access to
MONGODB_ADVERTISED_HOSTNAME
,/shared/info.txt
orMONGODB_LOCALHOST_NAME
would make a more DRY approach to correcting this connection string.(There are other issues with metrics, but that is outside the scope of this issue)
The text was updated successfully, but these errors were encountered: