@@ -576,7 +576,7 @@ func (r *ReconcileMongoDbReplicaSet) updateOmDeploymentRs(ctx context.Context, c
576576 caFilePath := fmt .Sprintf ("%s/ca-pem" , util .TLSCaMountPath )
577577 // If current operation is to Disable TLS, then we should the current members of the Replica Set,
578578 // this is, do not scale them up or down util TLS disabling has completed.
579- shouldLockMembers , err := updateOmDeploymentDisableTLSConfiguration (conn , r .imageUrls [mcoConstruct .MongodbImageEnv ], r .forceEnterprise , membersNumberBefore , rs , log , caFilePath , tlsCertPath )
579+ shouldLockMembers , err := updateOmDeploymentDisableTLSConfiguration (conn , r .imageUrls [mcoConstruct .MongodbImageEnv ], r .forceEnterprise , replicasTarget , rs , log , caFilePath , tlsCertPath )
580580 if err != nil && ! isRecovering {
581581 return workflow .Failed (err )
582582 }
@@ -585,7 +585,12 @@ func (r *ReconcileMongoDbReplicaSet) updateOmDeploymentRs(ctx context.Context, c
585585 if shouldLockMembers {
586586 // We should not add or remove members during this run, we'll wait for
587587 // TLS to be completely disabled first.
588- updatedMembers = membersNumberBefore
588+ // However, on first reconciliation when membersNumberBefore=0, we need to use replicasTarget
589+ if membersNumberBefore == 0 {
590+ updatedMembers = replicasTarget
591+ } else {
592+ updatedMembers = membersNumberBefore
593+ }
589594 } else {
590595 updatedMembers = replicasTarget
591596 }
@@ -657,10 +662,18 @@ func (r *ReconcileMongoDbReplicaSet) updateOmDeploymentRs(ctx context.Context, c
657662 return workflow .OK ()
658663}
659664
660- // updateOmDeploymentDisableTLSConfiguration checks if TLS configuration needs
661- // to be disabled. In which case it will disable it and inform to the calling
662- // function.
663- func updateOmDeploymentDisableTLSConfiguration (conn om.Connection , mongoDBImage string , forceEnterprise bool , membersNumberBefore int , rs * mdbv1.MongoDB , log * zap.SugaredLogger , caFilePath , tlsCertPath string ) (bool , error ) {
665+ // updateOmDeploymentDisableTLSConfiguration handles the edge case where TLS is disabled while
666+ // simultaneously scaling the replica set. Without this safeguard, automation agents could fail during the
667+ // transition, or new pods might join with inconsistent TLS configuration.
668+ //
669+ // This function implements a two-phase reconciliation pattern:
670+ // 1. First reconciliation: Disable TLS on existing members (returns shouldLockMembers=true to prevent scaling)
671+ // 2. Second reconciliation: Once TLS is fully disabled, allow scaling operations to proceed
672+ //
673+ // Related ticket: CLOUDP-80768 (March 2021)
674+ // See also: e2e_tls_disable_and_scale_up.py test
675+ // See also: e2e_tls_disable_and_scale_down.py test
676+ func updateOmDeploymentDisableTLSConfiguration (conn om.Connection , mongoDBImage string , forceEnterprise bool , currentMemberCount int , rs * mdbv1.MongoDB , log * zap.SugaredLogger , caFilePath , tlsCertPath string ) (bool , error ) {
664677 tlsConfigWasDisabled := false
665678
666679 err := conn .ReadUpdateDeployment (
@@ -674,7 +687,7 @@ func updateOmDeploymentDisableTLSConfiguration(conn om.Connection, mongoDBImage
674687
675688 // configure as many agents/Pods as we currently have, no more (in case
676689 // there's a scale up change at the same time).
677- replicaSet := replicaset .BuildFromMongoDBWithReplicas (mongoDBImage , forceEnterprise , rs , membersNumberBefore , rs .CalculateFeatureCompatibilityVersion (), tlsCertPath )
690+ replicaSet := replicaset .BuildFromMongoDBWithReplicas (mongoDBImage , forceEnterprise , rs , currentMemberCount , rs .CalculateFeatureCompatibilityVersion (), tlsCertPath )
678691
679692 lastConfig , err := rs .GetLastAdditionalMongodConfigByType (mdbv1 .ReplicaSetConfig )
680693 if err != nil {
0 commit comments