mongodb · nammn · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 17, 2025
@@ -0,0 +1,6 @@
+---
+kind: fix
+date: 2025-12-16
+---
+
+* Fixed an issue where monitoring agents would fail after disabling TLS on a MongoDB deployment.
@@ -317,6 +317,10 @@ func (d Deployment) AddMonitoring(log *zap.SugaredLogger, tls bool, caFilePath s
 			}
 
 			monitoringVersion["additionalParams"] = additionalParams
+		} else {
+			// Clear TLS params when TLS is disabled to prevent monitoring from
+			// trying to use certificate files that no longer exist
+			delete(monitoringVersion, "additionalParams")
 		}
 
 	}

@@ -528,10 +528,39 @@ func TestAddMonitoringTls(t *testing.T) {
 	assert.Equal(t, expectedMonitoringVersions, d.getMonitoringVersions())
 
 	// adding again - nothing changes
-	d.AddMonitoring(zap.S(), false, util.CAFilePathInContainer)
+	d.AddMonitoring(zap.S(), true, util.CAFilePathInContainer)
 	assert.Equal(t, expectedMonitoringVersions, d.getMonitoringVersions())
 }
 
+func TestAddMonitoringTLSDisable(t *testing.T) {
+	d := NewDeployment()
+
+	rs0 := buildRsByProcesses("my-rs", createReplicaSetProcessesCount(3, "my-rs"))
+	d.MergeReplicaSet(rs0, nil, nil, zap.S())
+	d.AddMonitoring(zap.S(), true, util.CAFilePathInContainer)
+
+	// verify TLS is present in additionalParams
+	expectedAdditionalParams := map[string]string{
+		"useSslForAllConnections":      "true",
+		"sslTrustedServerCertificates": util.CAFilePathInContainer,
+	}
+	expectedMonitoringVersionsWithTls := []interface{}{
+		map[string]interface{}{"hostname": "my-rs-0.some.host", "name": MonitoringAgentDefaultVersion, "additionalParams": expectedAdditionalParams},
+		map[string]interface{}{"hostname": "my-rs-1.some.host", "name": MonitoringAgentDefaultVersion, "additionalParams": expectedAdditionalParams},
+		map[string]interface{}{"hostname": "my-rs-2.some.host", "name": MonitoringAgentDefaultVersion, "additionalParams": expectedAdditionalParams},
+	}
+	assert.Equal(t, expectedMonitoringVersionsWithTls, d.getMonitoringVersions())
+
+	// disabling TLS should clear additionalParams (CLOUDP-351614)
+	d.AddMonitoring(zap.S(), false, util.CAFilePathInContainer)
+	expectedMonitoringVersionsWithoutTls := []interface{}{
+		map[string]interface{}{"hostname": "my-rs-0.some.host", "name": MonitoringAgentDefaultVersion},
+		map[string]interface{}{"hostname": "my-rs-1.some.host", "name": MonitoringAgentDefaultVersion},
+		map[string]interface{}{"hostname": "my-rs-2.some.host", "name": MonitoringAgentDefaultVersion},
+	}
+	assert.Equal(t, expectedMonitoringVersionsWithoutTls, d.getMonitoringVersions())
+}
+
 func TestAddBackup(t *testing.T) {
 	d := NewDeployment()
 

@@ -1430,9 +1430,14 @@ func addMonitoring(ac *automationconfig.AutomationConfig, log *zap.SugaredLogger
 	monitoringVersions := ac.MonitoringVersions
 	for _, p := range ac.Processes {
 		found := false
-		for _, m := range monitoringVersions {
+		for i, m := range monitoringVersions {
 			if m.Hostname == p.HostName {
 				found = true
+				if !tls {
+					// Clear TLS params when TLS is disabled to prevent monitoring from
+					// trying to use certificate files that no longer exist
+					monitoringVersions[i].AdditionalParams = nil
+				}
 				break
 			}
 		}

@@ -101,3 +101,34 @@ def test_new_database_is_monitored_after_restart(ops_manager: MongoDBOpsManager)
     # We want to retrieve measurements from "new_database" which will indicate
     # that the monitoring agents are working with the new credentials.
     ops_manager.assert_monitoring_data_exists(database_name=database_name, timeout=1200, all_hosts=False)
+
+
+@mark.e2e_om_appdb_monitoring_tls
+def test_monitoring_works_after_tls_disable(ops_manager: MongoDBOpsManager):
+    """
+    CLOUDP-351614: Verify monitoring continues to work after disabling TLS.
+    When TLS is disabled, the monitoring config should not contain stale TLS params.
+    """
+    ops_manager.load()
+
+    # Transition to allowTLS mode first (required before disabling TLS)
+    ops_manager["spec"]["applicationDatabase"]["additionalMongodConfig"] = {
+        "net": {"tls": {"mode": "allowTLS"}}
+    }
+    ops_manager.update()
+    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=1200)
+
+    # Disable TLS on AppDB - must also remove additionalMongodConfig that had allowTLS
+    ops_manager["spec"]["applicationDatabase"]["security"]["certsSecretPrefix"] = None
+    ops_manager["spec"]["applicationDatabase"]["security"]["tls"]["enabled"] = False
+    del ops_manager["spec"]["applicationDatabase"]["additionalMongodConfig"]
+    ops_manager.update()
+    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=1200)
+
+    # Verify monitoring agents are still healthy after TLS disable
+    tester = ops_manager.get_om_tester(ops_manager.app_db_name())
+    agents_after = tester.api_read_monitoring_agents()
+    appdb_hostnames = ops_manager.get_appdb_hostnames_for_monitoring()
+    appdb_agents_after = [a for a in agents_after if a["hostname"] in appdb_hostnames]
+    assert all(a["stateName"] in ["ACTIVE", "STANDBY"] for a in appdb_agents_after), \
+        f"Monitoring agents should be healthy after TLS disable: {appdb_agents_after}"