Description
What did you do to encounter the bug?
Steps to reproduce the behavior:
- Deploy MongoDB Community Operator version 0.13.0
- Create a Secret with MongoDB admin password
- Create a MongoDBCommunity resource with SCRAM authentication without explicitly setting scramCredentialsSecretName
- Apply the configuration and observe the failure
Example configuration used:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mgadminpassword
  namespace: mg-test
type: Opaque
stringData:
  password: "test1234567"
---
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  name: mg-test
  namespace: mg-test
spec:
  members: 3
  type: ReplicaSet
  version: "8.0.13"
  security:
    authentication:
      modes: ["SCRAM"]
  users:
    - name: admin
      db: admin
      passwordSecretRef:
        name: mgadminpassword
        key: password
      roles:
        - name: root
          db: admin
```
What did you expect?
I expected the MongoDB operator to automatically generate a valid Kubernetes Secret name for SCRAM credentials and successfully deploy the MongoDB replica set.
What happened instead?
The operator failed to deploy with an error indicating it tried to create a Secret with an invalid name -scram-credentials. The name starts with a hyphen, which violates Kubernetes naming conventions that require DNS subdomain format (must start and end with alphanumeric characters).
Error from operator logs:
```
2025-10-15T13:06:27.737Z DEBUG scram/scram.go:129 No existing credentials found, generating new credentials
2025-10-15T13:06:27.737Z DEBUG scram/scram.go:107 Generating new credentials and storing in secret/-scram-credentials
2025-10-15T13:06:27.763Z ERROR controllers/mongodb_status_options.go:104 Error deploying MongoDB ReplicaSet: failed to ensure AutomationConfig: could not build automation config: could not configure scram authentication: could not convert users to Automation Config users: failed to convert scram user admin to Automation Config user: could not ensure scram credentials: faild to create scram credentials secret -scram-credentials: Secret "-scram-credentials" is invalid: metadata.name: Invalid value: "-scram-credentials": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
github.com/mongodb/mongodb-kubernetes-operator/controllers.messageOption.ApplyOption
    /workspace/controllers/mongodb_status_options.go:104
github.com/mongodb/mongodb-kubernetes-operator/pkg/util/status.Update
    /workspace/pkg/util/status/status.go:25
github.com/mongodb/mongodb-kubernetes-operator/controllers.ReplicaSetReconciler.Reconcile
    /workspace/controllers/replica_set_controller.go:192
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222
```
Workaround:
Explicitly setting scramCredentialsSecretName in the user configuration resolves the issue:
```yaml
users:
  - name: admin
    db: admin
    passwordSecretRef:
      name: mgadminpassword
      key: password
    scramCredentialsSecretName: mg-test-scram-credentials
    roles:
      - name: root
        db: admin
```
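
A pre-flight check for the failure reported above, added here as an example and not taken from the operator's code base: it validates the Secret name a user entry would produce against the RFC 1123 subdomain regex quoted in the error. The helper names are hypothetical, and the `<scramCredentialsSecretName>-scram-credentials` naming pattern is an assumption inferred from the log line.

```go
package main

import (
	"fmt"
	"regexp"
)

// Regex quoted in the API server error above, anchored to match the whole name.
var rfc1123Subdomain = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

const maxSubdomainLen = 253 // Kubernetes length limit for DNS subdomain names

// derivedSecretName mirrors the pattern visible in the log (assumption):
// an unset scramCredentialsSecretName yields "-scram-credentials".
func derivedSecretName(scramCredentialsSecretName string) string {
	return scramCredentialsSecretName + "-scram-credentials"
}

// validateSecretName returns nil when name is usable as a Secret name.
func validateSecretName(name string) error {
	if len(name) == 0 || len(name) > maxSubdomainLen {
		return fmt.Errorf("secret name %q: length must be 1..%d", name, maxSubdomainLen)
	}
	if !rfc1123Subdomain.MatchString(name) {
		return fmt.Errorf("secret name %q is not a lowercase RFC 1123 subdomain", name)
	}
	return nil
}

// checkUsers maps user name -> scramCredentialsSecretName ("" when unset)
// and returns one error per user whose derived Secret name would be rejected.
func checkUsers(users map[string]string) map[string]error {
	problems := map[string]error{}
	for user, prefix := range users {
		if err := validateSecretName(derivedSecretName(prefix)); err != nil {
			problems[user] = err
		}
	}
	return problems
}

func main() {
	// Constructed sample input modelled on the two configurations in the report.
	users := map[string]string{"admin-unset": "", "admin-set": "mg-test-scram-credentials"}
	for user, err := range checkUsers(users) {
		fmt.Printf("%s: %v\n", user, err)
	}
}
```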