This repository was archived by the owner on Dec 12, 2025. It is now read-only.

Invalid SCRAM Credentials Secret Name #1744

@terem42

What did you do to encounter the bug?
Steps to reproduce the behavior:

  • Deploy MongoDB Community Operator version 0.13.0
  • Create a Secret with MongoDB admin password
  • Create a MongoDBCommunity resource with SCRAM authentication without explicitly setting scramCredentialsSecretName
  • Apply the configuration and observe the failure

Example configuration used:

apiVersion: v1
kind: Secret
metadata:
  name: mgadminpassword
  namespace: mg-test
type: Opaque
stringData:
  password: "test1234567"
---
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  name: mg-test
  namespace: mg-test
spec:
  members: 3
  type: ReplicaSet
  version: "8.0.13"
  security:
    authentication:
      modes: ["SCRAM"]
  users:
    - name: admin
      db: admin
      passwordSecretRef:
        name: mgadminpassword
        key: password
      roles:
        - name: root
          db: admin

What did you expect?
I expected the MongoDB operator to automatically generate a valid Kubernetes Secret name for SCRAM credentials and successfully deploy the MongoDB replica set.

What happened instead?
The operator failed to deploy with an error indicating it tried to create a Secret with an invalid name -scram-credentials. The name starts with a hyphen, which violates Kubernetes naming conventions that require DNS subdomain format (must start and end with alphanumeric characters).

Error from operator logs:

2025-10-15T13:06:27.737Z        DEBUG   scram/scram.go:129      No existing credentials found, generating new credentials
2025-10-15T13:06:27.737Z        DEBUG   scram/scram.go:107      Generating new credentials and storing in secret/-scram-credentials
2025-10-15T13:06:27.763Z        ERROR   controllers/mongodb_status_options.go:104       Error deploying MongoDB ReplicaSet: failed to ensure AutomationConfig: could not build automation config: could not configure scram authentication: could not convert users to Automation Config users: failed to convert scram user admin to Automation Config user: could not ensure scram credentials: faild to create scram credentials secret -scram-credentials: Secret "-scram-credentials" is invalid: metadata.name: Invalid value: "-scram-credentials": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
github.com/mongodb/mongodb-kubernetes-operator/controllers.messageOption.ApplyOption
        /workspace/controllers/mongodb_status_options.go:104
github.com/mongodb/mongodb-kubernetes-operator/pkg/util/status.Update
        /workspace/pkg/util/status/status.go:25
github.com/mongodb/mongodb-kubernetes-operator/controllers.ReplicaSetReconciler.Reconcile
        /workspace/controllers/replica_set_controller.go:192
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
        /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.7/pkg/internal/controller/controller.go:114
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
        /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.7/pkg/internal/controller/controller.go:311
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
        /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.7/pkg/internal/controller/controller.go:261
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
        /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.7/pkg/internal/controller/controller.go:222

Workaround:

Explicitly setting scramCredentialsSecretName in the user configuration resolves the issue:

users:
  - name: admin
    db: admin
    passwordSecretRef:
      name: mgadminpassword
      key: password
    scramCredentialsSecretName: mg-test-scram-credentials
    roles:
      - name: root
        db: admin
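
A pre-apply check for the failure reported above, as an added example that is not part of the original issue or the operator's code: it validates the SCRAM credentials Secret name each user would produce against the RFC 1123 subdomain regex quoted in the error. The `User` type and the function names are hypothetical, and the name derivation (field value plus a `-scram-credentials` suffix) is an assumption based on the log line.

```go
package main

import (
	"fmt"
	"regexp"
)

// Regex quoted in the API server error on this page (RFC 1123 subdomain), anchored.
var subdomainRe = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

const maxSubdomainLen = 253 // Kubernetes length limit for DNS subdomain names
const scramSuffix = "-scram-credentials"

// User holds the fields of a spec.users entry that matter for this check.
type User struct {
	Name                       string
	ScramCredentialsSecretName string
}

// derivedSecretName models the name seen in the log: an empty
// scramCredentialsSecretName leaves only the suffix. Assumption: the field
// value is used as a prefix; the page shows only the empty case.
func derivedSecretName(u User) string {
	return u.ScramCredentialsSecretName + scramSuffix
}

// ValidSecretName reports whether name would pass the API server's name check.
func ValidSecretName(name string) bool {
	return len(name) <= maxSubdomainLen && subdomainRe.MatchString(name)
}

// LintUsers returns one finding per user whose derived Secret name is invalid.
func LintUsers(users []User) []string {
	var findings []string
	for _, u := range users {
		if n := derivedSecretName(u); !ValidSecretName(n) {
			findings = append(findings, fmt.Sprintf("user %q: invalid Secret name %q", u.Name, n))
		}
	}
	return findings
}

func main() {
	// Constructed input: the failing user from this page, then the workaround.
	users := []User{{Name: "admin"}, {Name: "admin", ScramCredentialsSecretName: "mg-test-scram-credentials"}}
	fmt.Println(LintUsers(users))
}
```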
