Upgrade a Cluster to Use TLS #1808

Open · tsgit opened this issue Jan 24, 2025 · 0 comments
tsgit commented Jan 24, 2025

Report

I am trying to upgrade an existing cluster from spec.tls.mode disabled to preferTLS by first setting the tls.mode to allowTLS following https://www.mongodb.com/docs/manual/tutorial/upgrade-cluster-to-ssl/#upgrade-a-cluster-to-use-tls-ssl

This does not work. The allowTLS mode is only set in the rs and cfg pods, but not in the mongos pods, i.e. in the rs and cfg pods I see the process is started with

--tlsMode allowTLS --sslPEMKeyFile /tmp/tls.pem --tlsAllowInvalidCertificates --tlsClusterFile /tmp/tls-internal.pem --tlsCAFile /etc/mongodb-ssl/ca.crt --tlsClusterCAFile /etc/mongodb-ssl-internal/ca.crt

but in the mongos pods it still shows (even after forced restart)

--tlsMode disabled

The operator reports the cluster state as error and shows authentication errors.

More about the problem

I see the comment at https://docs.percona.com/percona-operator-for-mongodb/operator.html#unsafe-flags-section

After switching to unsafe configurations permissive mode you will not be able to switch the cluster back by setting same keys to false, the flags will be ignored.

Does this mean an upgrade to TLS is simply not supported?

Steps to reproduce

  1. start with a cluster with spec.tls.mode: disabled and unsafeFlags.tls: true
  2. change to spec.tls.mode: allowTLS
  3. rs, cfg and mongos pods should show the process with the command-line flag --tlsMode allowTLS, but the mongos pods don't.
  4. kubectl get psmdb reports status error and the operator shows authentication errors
  5. changing spec.tls.mode to preferTLS results in the mongos instances being in a crash loop

Versions

  1. Kubernetes v1.30.4
  2. Operator 1.18.0
  3. Database 7.0.15

Anything else?

This may not be supported based on the comment in the unsafeFlags section. If so, the change of tls.mode should also be prevented by the operator. Otherwise the cluster ends up in a non-working state.

tsgit added the bug label Jan 24, 2025
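A preflight check a practitioner can run between the steps of such a rollout (disabled → allowTLS → preferTLS) to catch exactly the inconsistency reported above: it refuses to go ahead unless every mongod and mongos process in the cluster runs with the same --tlsMode. This is an added example, not code from the issue or from the Percona operator; the way the pod command lines are collected (the kubectl loop in the comment) and the pod names in the sample are assumptions.

```shell
#!/bin/sh
# Added example: verify that all pods of a psmdb cluster agree on --tlsMode
# before changing spec.tls.mode again.
#
# Input: one line per pod, "<pod-name> <full process command line>".
# One (assumed) way to collect it, adjust namespace, labels and PID as needed:
#   for p in $(kubectl -n "$NS" get pods -l app.kubernetes.io/instance="$CLUSTER" -o name); do
#     echo "${p#pod/} $(kubectl -n "$NS" exec "$p" -- tr '\0' ' ' < /proc/1/cmdline)"
#   done

# Constructed sample reproducing the report: rs and cfg pods moved to
# allowTLS while the mongos pods are still on disabled.
SAMPLE_PODS='my-cluster-rs0-0 mongod --tlsMode allowTLS --sslPEMKeyFile /tmp/tls.pem --tlsClusterFile /tmp/tls-internal.pem
my-cluster-cfg-0 mongod --configsvr --tlsMode allowTLS --sslPEMKeyFile /tmp/tls.pem
my-cluster-mongos-0 mongos --tlsMode disabled
my-cluster-mongos-1 mongos --tlsMode disabled'

# Print "<pod> <tlsMode>" for each input line; "unset" if the flag is absent.
tls_modes() {
  awk '{
    mode = "unset"
    for (i = 2; i <= NF; i++) if ($i == "--tlsMode" && i < NF) mode = $(i + 1)
    print $1, mode
  }'
}

# Return 0 when every pod reports the same tlsMode; otherwise list each pod's
# mode on stderr and return 1.  Reads the pod lines from stdin.
check_tls_consistent() {
  modes=$(tls_modes)
  distinct=$(printf '%s\n' "$modes" | awk '{print $2}' | sort -u)
  if [ "$(printf '%s\n' "$distinct" | awk 'END { print NR }')" -eq 1 ]; then
    echo "OK: all pods run with --tlsMode $distinct"
    return 0
  fi
  echo "MISMATCH: pods disagree on --tlsMode:" >&2
  printf '%s\n' "$modes" >&2
  return 1
}

# Stand-alone run against the constructed sample: reports MISMATCH because the
# mongos pods never picked up allowTLS.
if printf '%s\n' "$SAMPLE_PODS" | check_tls_consistent; then
  echo "safe to move spec.tls.mode to the next step"
else
  echo "do not change spec.tls.mode until every pod agrees" >&2
fi
```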