From 8e1d33f1dca22e044836435915ab0acda506ce24 Mon Sep 17 00:00:00 2001 From: Lucian Tosa Date: Thu, 18 Dec 2025 16:51:28 +0100 Subject: [PATCH 1/2] Add validation on horizon domain names --- api/v1/mdb/mongodb_validation.go | 16 +++++++++ api/v1/mdb/mongodb_validation_test.go | 49 +++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) diff --git a/api/v1/mdb/mongodb_validation.go b/api/v1/mdb/mongodb_validation.go index 7476dac48..b069fac85 100644 --- a/api/v1/mdb/mongodb_validation.go +++ b/api/v1/mdb/mongodb_validation.go @@ -2,10 +2,12 @@ package mdb import ( "errors" + "net/url" "strconv" "strings" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/util/validation" "k8s.io/utils/strings/slices" "sigs.k8s.io/controller-runtime/pkg/webhook" "sigs.k8s.io/controller-runtime/pkg/webhook/admission" @@ -51,6 +53,19 @@ func horizonsMustEqualMembers(ms MongoDbSpec) v1.ValidationResult { return v1.ValidationSuccess() } +func horizonDomainNamesMustBeValid(ms MongoDbSpec) v1.ValidationResult { + for _, horizon := range ms.Connectivity.ReplicaSetHorizons { + for _, address := range horizon { + URL := url.URL{Host: address} + errs := validation.IsDNS1123Subdomain(URL.Hostname()) + if len(errs) > 0 { + return v1.ValidationError("Horizons must have valid domain names") + } + } + } + return v1.ValidationSuccess() +} + func deploymentsMustHaveTLSInX509Env(d DbCommonSpec) v1.ValidationResult { authSpec := d.Security.Authentication if authSpec == nil { @@ -456,6 +471,7 @@ func (m *MongoDB) RunValidations(old *MongoDB) []v1.ValidationResult { // Topology field mongoDBValidators := []func(m MongoDbSpec) v1.ValidationResult{ horizonsMustEqualMembers, + horizonDomainNamesMustBeValid, additionalMongodConfig, replicasetMemberIsSpecified, } diff --git a/api/v1/mdb/mongodb_validation_test.go b/api/v1/mdb/mongodb_validation_test.go index 69ff77ce9..bd165ab12 100644 --- a/api/v1/mdb/mongodb_validation_test.go +++ b/api/v1/mdb/mongodb_validation_test.go @@ -1,6 +1,7 @@ package mdb import ( + "strings" "testing" "github.com/stretchr/testify/assert" @@ -39,6 +40,54 @@ func TestMongoDB_ProcessValidations_HorizonsWithoutTLS(t *testing.T) { assert.Equal(t, "TLS must be enabled in order to use replica set horizons", err.Error()) } +func TestMongoDB_ProcessValidations_InvalidHorizonAddress(t *testing.T) { + tests := []struct { + name string + invalidAddress string + }{ + { + name: "Empty address", + invalidAddress: ":27018", + }, + { + name: "Invalid characters in hostname", + invalidAddress: "my_db.com:27018", + }, + { + name: "Hostname too long", + invalidAddress: strings.Repeat("a", 256) + ":27018", + }, + { + name: "Label starts with hyphen", + invalidAddress: "-mydb.com:27018", + }, + { + name: "Label ends with hyphen", + invalidAddress: "mydb-.com:27018", + }, + { + name: "Uppercase letters in hostname", + invalidAddress: "MyDB.com:27018", + }, + { + name: "Consecutive dots", + invalidAddress: "my..db.com:27018", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + replicaSetHorizons := []MongoDBHorizonConfig{ + {"my-horizon": tt.invalidAddress}, + } + rs := NewDefaultReplicaSetBuilder().SetSecurityTLSEnabled().SetMembers(1).Build() + rs.Spec.Connectivity = &MongoDBConnectivity{} + rs.Spec.Connectivity.ReplicaSetHorizons = replicaSetHorizons + err := rs.ProcessValidationsOnReconcile(nil) + assert.Equal(t, "Horizons must have valid domain names", err.Error()) + }) + } +} + func TestMongoDB_ProcessValidationsOnReconcile_X509WithoutTls(t *testing.T) { rs := NewReplicaSetBuilder().Build() rs.Spec.Security.Authentication = &Authentication{Enabled: true, Modes: []AuthMode{"X509"}} From c9a59449cce717d9f47e59d6243f6661dac16ced Mon Sep 17 00:00:00 2001 From: Lucian Tosa Date: Thu, 18 Dec 2025 16:55:10 +0100 Subject: [PATCH 2/2] changelog --- ...51218_fix_fix_panic_when_horizon_domain_name_is_empty.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 changelog/20251218_fix_fix_panic_when_horizon_domain_name_is_empty.md diff --git a/changelog/20251218_fix_fix_panic_when_horizon_domain_name_is_empty.md b/changelog/20251218_fix_fix_panic_when_horizon_domain_name_is_empty.md new file mode 100644 index 000000000..5fe1f6e07 --- /dev/null +++ b/changelog/20251218_fix_fix_panic_when_horizon_domain_name_is_empty.md @@ -0,0 +1,6 @@ +--- +kind: fix +date: 2025-12-18 +--- + +* Fixed a panic that occurred when the domain names for a horizon was empty. Now, if the domain names are not valid (RFC 1123), the validation will fail before reconciling.