
Conversation


@viveksinghggits viveksinghggits commented Dec 5, 2025

Summary

When reconciliation happens for the MongoDBUser resource (because of a controller restart or for any other reason), for the SCRAM authentication mechanism the SCRAM-SHA creds are generated and then set in the automation config, which results in another version of the Automation Config getting created.
This workflow can be improved to generate the SCRAM-SHA creds only when the user's password has changed. If we do that, we will not be changing the user's SCRAM creds and the automation config will not be updated.
To achieve this we check whether the SCRAM-SHA creds that are in the automation config for a user match the SCRAM-SHA creds generated with the stored salt and the new password. If they match, the user's password has not changed and we don't have to generate new SCRAM-SHA creds; otherwise, new SCRAM-SHA creds will be generated.

Proof of Work

Unit test:

~/work/opensource/mongodb-kubernetes/controllers/operator/authentication (dont-rotate-scram-creds-mdbu) » go test -timeout 30s -run ^Test_isPasswordChanged$ -v
=== RUN   Test_isPasswordChanged
--- PASS: Test_isPasswordChanged (0.01s)
PASS
ok      github.com/mongodb/mongodb-kubernetes/controllers/operator/authentication       0.472s

I am yet to do some more tests to actually be confident that the automation config is not changed when reconciliation happens.

Checklist

  • Have you linked a jira ticket and/or is the ticket in the title?
  • Have you checked whether your jira ticket required DOCSP changes?
  • Have you added changelog file?

@viveksinghggits viveksinghggits requested a review from a team as a code owner December 5, 2025 20:29
@viveksinghggits viveksinghggits added the skip-changelog label Dec 5, 2025
github-actions bot commented Dec 5, 2025

⚠️ (this preview might not be accurate if the PR is not rebased on current master branch)

MCK 1.6.1 Release Notes

Bug Fixes

  • Backed up the agent password in a secret for SCRAM authentication to prevent unnecessary password rotations.
  • MongoDB: Adding missing ownerrefs to ensure proper resource deletion by kubernetes.
  • Single Cluster: Deleting resources created by CRD now only happens on multi-cluster deployments. Single Cluster will solely rely on ownerrefs.
  • MongoDB, MongoDBOpsManager: Improve validation for featureCompatibilityVersion field in MongoDB and MongoDBOpsManager spec.
    The field now enforces proper semantic versioning. Previously, invalid semver values could be accepted,
    potentially resulting in incorrect configurations.

@viveksinghggits viveksinghggits marked this pull request as draft December 5, 2025 20:31
@viveksinghggits viveksinghggits marked this pull request as ready for review December 5, 2025 20:34
@lsierant lsierant left a comment


LGTM!

Please look into the existing e2e tests which check changing passwords and consider adding a simulated MongoDBUser reconciler there to ensure no automation config version is bumped as a result.

return r.updateStatus(ctx, user, workflow.OK(), log)
}

func (r *MongoDBUserReconciler) handleExternalAuthUser(ctx context.Context, user *userv1.MongoDBUser, conn om.Connection, log *zap.SugaredLogger) (reconcile.Result, error) {
Contributor Author


Hi @lucian-tosa,
Before I merge this, I would like to highlight that because we are changing the signature of toOmUser, it also affects handleExternalAuthUser, even though we were mainly planning to handle SCRAM-SHA authentication as part of this change.
Do you think it's an acceptable change even for external users? If yes, I will go ahead and merge the PR.
