Hello,
I’ve deployed a minimal-config cluster of percona-mongo in OpenShift. In a nutshell, in deploy/cr.yaml I have updated metadata.name and spec.platform to start.
Connecting to the cluster using username and password over non-TLS works fine, while when setting up the client side to use TLS (mongodb://<url>/?tls=true) it fails to authenticate.
I’m aware that built-in accounts might have enforced mTLS, so I do have a newly created account:
db.getSiblingDB("admin").createUser({ user: "<username>", pwd: "<password>", roles:["root"] });
but this account has the same issue.
I compared this to our standalone mongo, where it works, and I think I found out where the issue is.
Our standalone node is started with only --tlsCertificateKeyFile and --tlsMode, while the percona cluster has --tlsCertificateKeyFile, --tlsMode (preferTLS), --tlsAllowInvalidCertificates and --tlsCAFile; I’ve omitted all other params that are not needed here.
Now, seeing that tlsMode is preferTLS, which will permit plain-text connections, and the presence of the tlsAllowInvalidCertificates param leads me to think that mTLS was not supposed to be enforced.
The official Mongo documentation states that if only tlsCertificateKeyFile is used, it enables (forward) TLS, but when tlsCAFile is added it enables mandatory mTLS. Further, to allow non-mandatory mTLS, the parameter allowConnectionsWithoutCertificates should be present in the mongod/mongos options, which is not the case in my OpenShift deployment.
ref: https://www.mongodb.com/docs/manual/tutorial/configure-ssl/
So, now to questions:
- was enforced mTLS the intended way for percona mongo, or does this look like a misconfiguration/bug?
- if this is a misconfiguration, I did not see any way of changing this in cr.yaml nor in the percona documentation
- if this looks like a bug, well, can I kindly ask for it to be fixed.
- any chance to modify mongod/mongos params without modifying the operator code? I’m asking mostly to see if this is the only issue preventing my TLS connection.
The way I see it, the cluster should be configurable to allow all 3 types of connections (plain, TLS, mTLS) and to limit/disable some of them, on a per-cluster basis. This would come down to:
- tlsMode to enable/disable plain text connections
- allowConnectionsWithoutCertificates to permit non mTLS connections.
… Well, that or I just made some mistake.
Thank you.
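To make the three connection policies described in the post concrete, here is an added example of the `net.tls` section of a mongod configuration file (this is not from the original post, the Percona operator, or its generated config; file paths are placeholders). The three variants are the configuration-file equivalents of the command-line options the post compares: the first mirrors the standalone node (server cert only, clients are not asked for a certificate), the second mirrors what the post observed in the cluster (adding `CAFile` without `allowConnectionsWithoutCertificates` makes client certificates mandatory), and the third is the optional-mTLS variant the post is asking for, with `mode` tightened to `requireTLS` so that plain-text connections are refused.

```yaml
# Variant 1: one-way TLS only (server presents a certificate, clients are
# not asked for one). Equivalent to --tlsMode/--tlsCertificateKeyFile alone.
net:
  tls:
    mode: preferTLS                      # still accepts plain-text connections
    certificateKeyFile: /etc/mongo/tls/server.pem   # placeholder path

---
# Variant 2: adding a CA file without allowConnectionsWithoutCertificates.
# mongod now validates client certificates against the CA, and a client
# that presents none is rejected at authentication: enforced mTLS.
net:
  tls:
    mode: preferTLS
    certificateKeyFile: /etc/mongo/tls/server.pem
    CAFile: /etc/mongo/tls/ca.pem        # placeholder path
    allowInvalidCertificates: true       # relaxes validation of a presented cert,
                                         # it does NOT make presenting one optional

---
# Variant 3: TLS required, client certificate optional (password auth over TLS
# works, x509 auth still possible for clients that do present a certificate).
net:
  tls:
    mode: requireTLS                     # refuse plain-text connections
    certificateKeyFile: /etc/mongo/tls/server.pem
    CAFile: /etc/mongo/tls/ca.pem
    allowConnectionsWithoutCertificates: true
    allowInvalidCertificates: false      # certificates that are presented must verify
```

The point worth checking before filing a bug is which variant the running instance actually has: from a working connection, `db.adminCommand({ getCmdLineOpts: 1 })` in mongosh returns the parsed options, so the presence of `tlsCAFile` together with the absence of `tlsAllowConnectionsWithoutCertificates` confirms the enforced-mTLS case without guessing from the pod spec. Note that `allowInvalidCertificates` only weakens verification of a certificate the client chooses to send; it never removes the requirement to send one, which is why its presence does not by itself indicate that mTLS was meant to be optional.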