feat: set namespace connectionStringSecret per user (mongodb#1463)

---------

Co-authored-by: Alexander Heinrich <[email protected]>

Author: irajdeep

api/v1/mongodbcommunity_types.go

@@ -471,6 +471,10 @@ type MongoDBUser struct {
 	// +optional
 	ConnectionStringSecretName string `json:"connectionStringSecretName,omitempty"`
 
+	// ConnectionStringSecretNamespace is the namespace of the secret object created by the operator which exposes the connection strings for the user.
+	// +optional
+	ConnectionStringSecretNamespace string `json:"connectionStringSecretNamespace,omitempty"`
+
 	// Additional options to be appended to the connection string.
 	// These options apply only to this user and will override any existing options in the resource.
 	// +kubebuilder:validation:Type=object
@@ -503,6 +507,16 @@ func (m MongoDBUser) GetConnectionStringSecretName(resourceName string) string {
 	return normalizeName(fmt.Sprintf("%s-%s-%s", resourceName, m.DB, m.Name))
 }
 
+// GetConnectionStringSecretNamespace gets the connection string secret namespace provided by the user or generated
+// from the SCRAM user configuration.
+func (m MongoDBUser) GetConnectionStringSecretNamespace(resourceNamespace string) string {
+	if m.ConnectionStringSecretNamespace != "" {
+		return m.ConnectionStringSecretNamespace
+	}
+
+	return resourceNamespace
+}
+
 // normalizeName returns a string that conforms to RFC-1123
 func normalizeName(name string) string {
 	errors := validation.IsDNS1123Subdomain(name)
@@ -761,11 +775,12 @@ func (m *MongoDBCommunity) GetAuthUsers() []authtypes.User {
 		}
 
 		users[i] = authtypes.User{
-			Username:                   u.Name,
-			Database:                   u.DB,
-			Roles:                      roles,
-			ConnectionStringSecretName: u.GetConnectionStringSecretName(m.Name),
-			ConnectionStringOptions:    u.AdditionalConnectionStringConfig.Object,
+			Username:                        u.Name,
+			Database:                        u.DB,
+			Roles:                           roles,
+			ConnectionStringSecretName:      u.GetConnectionStringSecretName(m.Name),
+			ConnectionStringSecretNamespace: u.GetConnectionStringSecretNamespace(m.Namespace),
+			ConnectionStringOptions:         u.AdditionalConnectionStringConfig.Object,
 		}
 
 		if u.DB != constants.ExternalDB {

api/v1/mongodbcommunity_types_test.go

@@ -328,6 +328,16 @@ func TestGetConnectionStringSecretName(t *testing.T) {
 			},
 			"connection-string-secret",
 		},
+		{
+			MongoDBUser{
+				Name:                            "mdb-2",
+				DB:                              "admin",
+				ScramCredentialsSecretName:      "scram-credential-secret-name-2",
+				ConnectionStringSecretName:      "connection-string-secret-2",
+				ConnectionStringSecretNamespace: "other-namespace",
+			},
+			"connection-string-secret-2",
+		},
 	}
 
 	for _, tt := range testusers {
@@ -521,11 +531,12 @@ func TestMongoDBCommunity_GetAuthUsers(t *testing.T) {
 			Database: "admin",
 			Name:     "readWriteAnyDatabase",
 		}},
-		PasswordSecretKey:          "password",
-		PasswordSecretName:         "my-user-password",
-		ScramCredentialsSecretName: "my-scram-scram-credentials",
-		ConnectionStringSecretName: "mdb-admin-my-user",
-		ConnectionStringOptions:    nil,
+		PasswordSecretKey:               "password",
+		PasswordSecretName:              "my-user-password",
+		ScramCredentialsSecretName:      "my-scram-scram-credentials",
+		ConnectionStringSecretName:      "mdb-admin-my-user",
+		ConnectionStringSecretNamespace: mdb.Namespace,
+		ConnectionStringOptions:         nil,
 	}, authUsers[0])
 	assert.Equal(t, authtypes.User{
 		Username: "CN=my-x509-authenticated-user,OU=organizationalunit,O=organization",
@@ -534,11 +545,12 @@ func TestMongoDBCommunity_GetAuthUsers(t *testing.T) {
 			Database: "admin",
 			Name:     "readWriteAnyDatabase",
 		}},
-		PasswordSecretKey:          "",
-		PasswordSecretName:         "",
-		ScramCredentialsSecretName: "",
-		ConnectionStringSecretName: "mdb-external-cn-my-x509-authenticated-user-ou-organizationalunit-o-organization",
-		ConnectionStringOptions:    nil,
+		PasswordSecretKey:               "",
+		PasswordSecretName:              "",
+		ScramCredentialsSecretName:      "",
+		ConnectionStringSecretName:      "mdb-external-cn-my-x509-authenticated-user-ou-organizationalunit-o-organization",
+		ConnectionStringSecretNamespace: mdb.Namespace,
+		ConnectionStringOptions:         nil,
 	}, authUsers[1])
 }
 

config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml

@@ -1,3 +1,4 @@
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -486,6 +487,11 @@ spec:
                         strings for the user. If provided, this secret must be different
                         for each user in a deployment.
                       type: string
+                    connectionStringSecretNamespace:
+                      description: ConnectionStringSecretNamespace is the namespace
+                        of the secret object created by the operator which exposes
+                        the connection strings for the user.
+                      type: string
                     db:
                       default: admin
                       description: DB is the database the user is stored in. Defaults

config/samples/mongodb.com_v1_mongodbcommunity_connection_string_secret_namespace.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+  name: example-mongodb
+spec:
+  members: 3
+  type: ReplicaSet
+  version: "6.0.5"
+  security:
+    authentication:
+      modes: ["SCRAM"]
+  users:
+    - name: my-user
+      db: admin
+      passwordSecretRef: # a reference to the secret that will be used to generate the user's password
+        name: my-user-password
+      roles:
+        - name: clusterAdmin
+          db: admin
+        - name: userAdminAnyDatabase
+          db: admin
+      scramCredentialsSecretName: my-scram
+      connectionStringSecretNamespace: other-namespace
+  additionalMongodConfig:
+    storage.wiredTiger.engineConfig.journalCompressor: zlib
+
+# the user credentials will be generated from this secret
+# once the credentials are generated, this secret is no longer required
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-user-password
+type: Opaque
+stringData:
+  password: <your-password-here>

controllers/mongodb_users.go

@@ -41,9 +41,15 @@ func (r ReplicaSetReconciler) ensureUserResources(mdb mdbv1.MongoDBCommunity) er
 func (r ReplicaSetReconciler) updateConnectionStringSecrets(mdb mdbv1.MongoDBCommunity, clusterDomain string) error {
 	for _, user := range mdb.GetAuthUsers() {
 		secretName := user.ConnectionStringSecretName
+
+		secretNamespace := mdb.Namespace
+		if user.ConnectionStringSecretNamespace != "" {
+			secretNamespace = user.ConnectionStringSecretNamespace
+		}
+
 		existingSecret, err := r.client.GetSecret(types.NamespacedName{
 			Name:      secretName,
-			Namespace: mdb.Namespace,
+			Namespace: secretNamespace,
 		})
 		if err != nil && !apiErrors.IsNotFound(err) {
 			return err
@@ -55,7 +61,7 @@ func (r ReplicaSetReconciler) updateConnectionStringSecrets(mdb mdbv1.MongoDBCom
 		pwd := ""
 
 		if user.Database != constants.ExternalDB {
-			secretNamespacedName := types.NamespacedName{Name: user.PasswordSecretName, Namespace: mdb.Namespace}
+			secretNamespacedName := types.NamespacedName{Name: user.PasswordSecretName, Namespace: secretNamespace}
 			pwd, err = secret.ReadKey(r.client, user.PasswordSecretKey, secretNamespacedName)
 			if err != nil {
 				return err
@@ -64,7 +70,7 @@ func (r ReplicaSetReconciler) updateConnectionStringSecrets(mdb mdbv1.MongoDBCom
 
 		connectionStringSecret := secret.Builder().
 			SetName(secretName).
-			SetNamespace(mdb.Namespace).
+			SetNamespace(secretNamespace).
 			SetField("connectionString.standard", mdb.MongoAuthUserURI(user, pwd, clusterDomain)).
 			SetField("connectionString.standardSrv", mdb.MongoAuthUserSRVURI(user, pwd, clusterDomain)).
 			SetField("username", user.Username).

controllers/replicaset_controller_test.go

@@ -4,12 +4,13 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"github.com/mongodb/mongodb-kubernetes-operator/pkg/authentication/x509"
 	"os"
 	"reflect"
 	"testing"
 	"time"
 
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/authentication/x509"
+
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/util/constants"
 
 	"github.com/mongodb/mongodb-kubernetes-operator/pkg/kube/statefulset"
@@ -673,7 +674,7 @@ func assertConnectionStringSecretPorts(t *testing.T, c k8sClient.Client, mdb mdb
 	connectionStringSecret := corev1.Secret{}
 	scramUsers := mdb.GetAuthUsers()
 	require.Len(t, scramUsers, 1)
-	secretNamespacedName := types.NamespacedName{Name: scramUsers[0].ConnectionStringSecretName, Namespace: mdb.Namespace}
+	secretNamespacedName := types.NamespacedName{Name: scramUsers[0].ConnectionStringSecretName, Namespace: scramUsers[0].ConnectionStringSecretNamespace}
 	err := c.Get(context.TODO(), secretNamespacedName, &connectionStringSecret)
 	require.NoError(t, err)
 	require.Contains(t, connectionStringSecret.Data, "connectionString.standard")

docs/install-upgrade.md

@@ -76,8 +76,8 @@ Use one of the following procedures to install the Operator using Helm:
 
 ##### Install in the Default Namespace using Helm
 
-To install the Custom Resource Definitions and the Community Operator in 
-the `default` namespace using Helm, run the install command from the 
+To install the Custom Resource Definitions and the Community Operator in
+the `default` namespace using Helm, run the install command from the
 terminal:
    ```
    helm install community-operator mongodb/community-operator
@@ -91,9 +91,9 @@ include `--set community-operator-crds.enabled=false` when installing the Operat
 
 ##### Install in a Different Namespace using Helm
 
-To install the Custom Resource Definitions and the Community Operator in 
-a different namespace using Helm, run the install 
-command with the `--namespace` flag from the terminal. Include the `--create-namespace` 
+To install the Custom Resource Definitions and the Community Operator in
+a different namespace using Helm, run the install
+command with the `--namespace` flag from the terminal. Include the `--create-namespace`
 flag if you are creating a new namespace.
    ```
    helm install community-operator mongodb/community-operator --namespace mongodb [--create-namespace]
@@ -159,6 +159,10 @@ To configure the Operator to watch resources in other namespaces:
    kubectl apply -k config/rbac --namespace <my-namespace>
    ```
 
+   *Note: If you need the operator to have permission over multiple namespaces, for ex: when configuring the operator to have the `connectionStringSecret` in a different `namespace`, make sure
+   to apply the `RBAC` in all the relevant namespaces.*
+
+
 5. [Install the operator](#procedure-using-kubectl).
 
 ##### Configure the MongoDB Docker Image or Container Registry
@@ -170,11 +174,11 @@ for MongoDB Docker images:
 
 1. In the Operator [resource definition](../config/manager/manager.yaml), set the `MONGODB_IMAGE` and `MONGODB_REPO_URL` environment variables:
 
-   **NOTE:** Use the official 
-   [MongoDB Community Server images](https://hub.docker.com/r/mongodb/mongodb-community-server). 
+   **NOTE:** Use the official
+   [MongoDB Community Server images](https://hub.docker.com/r/mongodb/mongodb-community-server).
    Official images provide the following advantages:
 
-   - They are rebuilt daily for the latest upstream 
+   - They are rebuilt daily for the latest upstream
      vulnerability fixes.
    - MongoDB tests, maintains, and supports them.
 
@@ -290,7 +294,7 @@ Make sure you run commands in the correct namespace.
       ```
       kubectl delete pod <sts-name>-0
       ```
-   d. You're done. Now Kubernetes will create the pod fresh, causing the migration to run and then the pod to start up. Then kubernetes will proceed creating the next pod until it reaches the number specified in your cr.   
+   d. You're done. Now Kubernetes will create the pod fresh, causing the migration to run and then the pod to start up. Then kubernetes will proceed creating the next pod until it reaches the number specified in your cr.
 
 ## Rotating TLS certificate for the MongoDB deployment
 
@@ -306,4 +310,4 @@ kubectl apply -f -
 *`secret_name` is what you've specified under `Spec.Security.TLS.CertificateKeySecret.Name`*.
 
 If you're using a tool like cert-manager, you can follow [these instructions](https://cert-manager.io/docs/usage/certificate/#renewal) to rotate the certificate.
-The operator should would watch the secret change and re-trigger a reconcile process. 
+The operator should would watch the secret change and re-trigger a reconcile process.

pkg/authentication/authtypes/authtypes.go

@@ -70,6 +70,9 @@ type User struct {
 	// Note: there will be one secret with connection strings per user created.
 	ConnectionStringSecretName string
 
+	// ConnectionStringSecretNamespace is the namespace of the secret object created by the operator which exposes the connection strings for the user.
+	ConnectionStringSecretNamespace string `json:"connectionStringSecretNamespace,omitempty"`
+
 	// ConnectionStringOptions contains connection string options for this user
 	// These options will be appended at the end of the connection string and
 	// will override any existing options from the resources.