Merge branch 'master' into lsierant/multi-cloud-qa

Author: lsierant

.evergreen-tasks.yml

@@ -1266,6 +1266,16 @@ tasks:
     commands:
       - func: e2e_test
 
+  - name: e2e_multi_cluster_oidc_m2m_group
+    tags: [ "patch-run" ]
+    commands:
+      - func: e2e_test
+
+  - name: e2e_multi_cluster_oidc_m2m_user
+    tags: [ "patch-run" ]
+    commands:
+      - func: e2e_test
+
   - name: e2e_search_community_basic
     tags: ["patch-run"]
     commands:

.evergreen.yml

@@ -911,6 +911,10 @@ task_groups:
       - e2e_tls_x509_configure_all_options_sc
       - e2e_tls_x509_sc
       - e2e_meko_mck_upgrade
+      - e2e_sharded_cluster_oidc_m2m_group
+      - e2e_sharded_cluster_oidc_m2m_user
+      - e2e_multi_cluster_oidc_m2m_group
+      - e2e_multi_cluster_oidc_m2m_user
 
     <<: *teardown_group
 

docker/mongodb-kubernetes-tests/kubetester/mongodb.py

@@ -427,12 +427,7 @@ def set_oidc_provider_configs(self, oidc_provider_configs: Dict):
     def append_oidc_provider_config(self, new_config: Dict):
         if "oidcProviderConfigs" not in self["spec"]["security"]["authentication"]:
             self["spec"]["security"]["authentication"]["oidcProviderConfigs"] = []
-
-        oidc_configs = self["spec"]["security"]["authentication"]["oidcProviderConfigs"]
-
-        oidc_configs.append(new_config)
-
-        self["spec"]["security"]["authentication"]["oidcProviderConfigs"] = oidc_configs
+        self["spec"]["security"]["authentication"]["oidcProviderConfigs"].append(new_config)
 
         return self
 

docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_group.py

@@ -4,10 +4,15 @@
 from kubetester.automation_config_tester import AutomationConfigTester
 from kubetester.kubetester import KubernetesTester, ensure_ent_version
 from kubetester.kubetester import fixture as load_fixture
+from kubetester.kubetester import is_multi_cluster, skip_if_multi_cluster
 from kubetester.mongodb import MongoDB
 from kubetester.mongotester import ShardedClusterTester
 from kubetester.phase import Phase
 from pytest import fixture
+from tests.shardedcluster.conftest import (
+    enable_multi_cluster_deployment,
+    get_mongos_service_names,
+)
 
 MDB_RESOURCE = "oidc-sharded-cluster-replica-set"
 
@@ -26,17 +31,28 @@ def sharded_cluster(namespace: str, custom_mdb_version: str) -> MongoDB:
 
     resource.set_oidc_provider_configs(oidc_provider_configs)
 
+    if is_multi_cluster():
+        enable_multi_cluster_deployment(
+            resource=resource,
+            shard_members_array=[1, 1, 1],
+            mongos_members_array=[1, 1, None],
+            configsrv_members_array=[1, 1, 1],
+        )
+
     return resource.update()
 
 
 @pytest.mark.e2e_sharded_cluster_oidc_m2m_group
 class TestCreateOIDCShardedCluster(KubernetesTester):
 
     def test_create_sharded_cluster(self, sharded_cluster: MongoDB):
-        sharded_cluster.assert_reaches_phase(Phase.Running, timeout=600)
+        sharded_cluster.assert_reaches_phase(Phase.Running, timeout=800)
 
     def test_assert_connectivity(self, sharded_cluster: MongoDB):
-        tester = ShardedClusterTester(MDB_RESOURCE, 2)
+        service_names = None
+        if is_multi_cluster():
+            service_names = get_mongos_service_names(sharded_cluster)
+        tester = sharded_cluster.tester(service_names=service_names)
         tester.assert_oidc_authentication()
 
     def test_ops_manager_state_updated_correctly(self, sharded_cluster: MongoDB):
@@ -75,6 +91,8 @@ def test_ops_manager_state_updated_correctly(self, sharded_cluster: MongoDB):
         tester.assert_oidc_configuration(expected_oidc_configs)
 
 
+# Skipping the test for multi-cluster setups as we want to focus on testing only connectivity for OIDC in multi-cluster setups.
+@skip_if_multi_cluster()
 @pytest.mark.e2e_sharded_cluster_oidc_m2m_group
 class TestAddNewOIDCProviderAndRole(KubernetesTester):
     def test_add_oidc_provider_and_role(self, sharded_cluster: MongoDB):

docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_user.py

@@ -4,11 +4,16 @@
 from kubetester.automation_config_tester import AutomationConfigTester
 from kubetester.kubetester import KubernetesTester, ensure_ent_version
 from kubetester.kubetester import fixture as load_fixture
+from kubetester.kubetester import is_multi_cluster
 from kubetester.mongodb import MongoDB
 from kubetester.mongodb_user import MongoDBUser
 from kubetester.mongotester import ShardedClusterTester
 from kubetester.phase import Phase
 from pytest import fixture
+from tests.shardedcluster.conftest import (
+    enable_multi_cluster_deployment,
+    get_mongos_service_names,
+)
 
 MDB_RESOURCE = "oidc-sharded-cluster-replica-set"
 
@@ -25,6 +30,14 @@ def sharded_cluster(namespace: str, custom_mdb_version: str) -> MongoDB:
 
     resource.set_oidc_provider_configs(oidc_provider_configs)
 
+    if is_multi_cluster():
+        enable_multi_cluster_deployment(
+            resource=resource,
+            shard_members_array=[1, 1, 1],
+            mongos_members_array=[1, 1, None],
+            configsrv_members_array=[1, 1, 1],
+        )
+
     if try_load(resource):
         return resource
 
@@ -44,13 +57,16 @@ def oidc_user(namespace) -> MongoDBUser:
 @pytest.mark.e2e_sharded_cluster_oidc_m2m_user
 class TestCreateOIDCShardedCluster(KubernetesTester):
     def test_create_sharded_cluster(self, sharded_cluster: MongoDB):
-        sharded_cluster.assert_reaches_phase(Phase.Running, timeout=600)
+        sharded_cluster.assert_reaches_phase(Phase.Running, timeout=800)
 
     def test_create_user(self, oidc_user: MongoDBUser):
         oidc_user.assert_reaches_phase(Phase.Updated, timeout=400)
 
     def test_assert_connectivity(self, sharded_cluster: MongoDB):
-        tester = ShardedClusterTester(MDB_RESOURCE, 2)
+        service_names = None
+        if is_multi_cluster():
+            service_names = get_mongos_service_names(sharded_cluster)
+        tester = sharded_cluster.tester(service_names=service_names)
         tester.assert_oidc_authentication()
 
     def test_ops_manager_state_updated_correctly(self, sharded_cluster: MongoDB):

docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/mongodb-multi-m2m-group.yaml

@@ -0,0 +1,44 @@
+---
+apiVersion: mongodb.com/v1
+kind: MongoDBMultiCluster
+metadata:
+  name: oidc-multi-replica-set
+spec:
+  version: 7.0.5-ent
+  type: ReplicaSet
+  duplicateServiceObjects: false
+  credentials: my-credentials
+  opsManager:
+    configMapRef:
+      name: my-project
+  clusterSpecList:
+    - clusterName: kind-e2e-cluster-1
+      members: 1
+    - clusterName: kind-e2e-cluster-2
+      members: 1
+    - clusterName: kind-e2e-cluster-3
+      members: 2
+  security:
+    authentication:
+      agents:
+        mode: SCRAM
+      enabled: true
+      modes:
+        - SCRAM
+        - OIDC
+      oidcProviderConfigs:
+        - audience: "<filled-in-test>"
+          clientId: "<filled-in-test>"
+          issuerURI: "<filled-in-test>"
+          requestedScopes: [ ]
+          userClaim: "sub"
+          groupsClaim: "cognito:groups"
+          authorizationMethod: "WorkloadIdentityFederation"
+          authorizationType: "GroupMembership"
+          configurationName: "OIDC-test"
+    roles:
+      - role: "OIDC-test/test"
+        db: "admin"
+        roles:
+          - role: "readWriteAnyDatabase"
+            db: "admin"

docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/mongodb-multi-m2m-user.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: mongodb.com/v1
+kind: MongoDBMultiCluster
+metadata:
+  name: oidc-multi-replica-set
+spec:
+  version: 7.0.5-ent
+  type: ReplicaSet
+  duplicateServiceObjects: false
+  credentials: my-credentials
+  opsManager:
+    configMapRef:
+      name: my-project
+  clusterSpecList:
+    - clusterName: kind-e2e-cluster-1
+      members: 1
+    - clusterName: kind-e2e-cluster-2
+      members: 1
+    - clusterName: kind-e2e-cluster-3
+      members: 2
+  security:
+    authentication:
+      agents:
+        mode: SCRAM
+      enabled: true
+      modes:
+        - SCRAM
+        - OIDC
+      oidcProviderConfigs:
+        - audience: "<filled-in-test>"
+          clientId: "<filled-in-test>"
+          issuerURI: "<filled-in-test>"
+          requestedScopes: [ ]
+          userClaim: "sub"
+          authorizationMethod: "WorkloadIdentityFederation"
+          authorizationType: "UserID"
+          configurationName: "OIDC-test-user"

docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/oidc-user-multi.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: mongodb.com/v1
+kind: MongoDBUser
+metadata:
+  name: oidc-user-1
+spec:
+  username: "<filled-in-test>"
+  db: "$external"
+  mongodbResourceRef:
+    name: oidc-multi-replica-set
+  roles:
+    - db: "admin"
+      name: "readWriteAnyDatabase"

docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_oidc_m2m_group.py

@@ -0,0 +1,58 @@
+import kubernetes
+import kubetester.oidc as oidc
+import pytest
+from kubetester import try_load
+from kubetester.automation_config_tester import AutomationConfigTester
+from kubetester.kubetester import KubernetesTester, ensure_ent_version
+from kubetester.kubetester import fixture as yaml_fixture
+from kubetester.mongodb import MongoDB, Phase
+from kubetester.mongodb_multi import MongoDBMulti, MultiClusterClient
+from kubetester.mongotester import ReplicaSetTester
+from kubetester.operator import Operator
+from pytest import fixture
+
+MDB_RESOURCE = "oidc-multi-replica-set"
+
+
+@fixture(scope="module")
+def mongodb_multi(
+    central_cluster_client: kubernetes.client.ApiClient,
+    namespace: str,
+    member_cluster_names,
+    custom_mdb_version: str,
+) -> MongoDBMulti:
+    resource = MongoDBMulti.from_yaml(yaml_fixture("oidc/mongodb-multi-m2m-group.yaml"), MDB_RESOURCE, namespace)
+    if try_load(resource):
+        return resource
+
+    oidc_provider_configs = resource.get_oidc_provider_configs()
+
+    oidc_provider_configs[0]["clientId"] = oidc.get_cognito_workload_client_id()
+    oidc_provider_configs[0]["audience"] = oidc.get_cognito_workload_client_id()
+    oidc_provider_configs[0]["issuerURI"] = oidc.get_cognito_workload_url()
+
+    resource.set_oidc_provider_configs(oidc_provider_configs)
+
+    resource.api = kubernetes.client.CustomObjectsApi(central_cluster_client)
+
+    return resource.update()
+
+
+@pytest.mark.e2e_multi_cluster_oidc_m2m_group
+class TestOIDCMultiCluster(KubernetesTester):
+    def test_deploy_operator(self, multi_cluster_operator: Operator):
+        multi_cluster_operator.assert_is_running()
+
+    def test_create_oidc_replica_set(self, mongodb_multi: MongoDBMulti):
+        mongodb_multi.assert_reaches_phase(Phase.Running, timeout=800)
+
+    def test_assert_connectivity(self, mongodb_multi: MongoDBMulti):
+        tester = mongodb_multi.tester()
+        tester.assert_oidc_authentication()
+
+    def test_ops_manager_state_updated_correctly(self, mongodb_multi: MongoDBMulti):
+        tester = mongodb_multi.get_automation_config_tester()
+        tester.assert_authentication_mechanism_enabled("MONGODB-OIDC", active_auth_mechanism=False)
+        tester.assert_authentication_enabled(2)
+        tester.assert_expected_users(0)
+        tester.assert_authoritative_set(True)

docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_oidc_m2m_user.py

@@ -0,0 +1,72 @@
+import kubernetes
+import kubetester.oidc as oidc
+import pytest
+from kubetester import try_load
+from kubetester.automation_config_tester import AutomationConfigTester
+from kubetester.kubetester import KubernetesTester, ensure_ent_version
+from kubetester.kubetester import fixture as yaml_fixture
+from kubetester.mongodb import MongoDB, Phase
+from kubetester.mongodb_multi import MongoDBMulti
+from kubetester.mongodb_user import MongoDBUser
+from kubetester.mongotester import ReplicaSetTester
+from kubetester.operator import Operator
+from pytest import fixture
+
+MDB_RESOURCE = "oidc-multi-replica-set"
+
+
+@fixture(scope="module")
+def mongodb_multi(
+    central_cluster_client: kubernetes.client.ApiClient,
+    namespace: str,
+    member_cluster_names,
+    custom_mdb_version: str,
+) -> MongoDBMulti:
+    resource = MongoDBMulti.from_yaml(yaml_fixture("oidc/mongodb-multi-m2m-user.yaml"), MDB_RESOURCE, namespace)
+    if try_load(resource):
+        return resource
+
+    oidc_provider_configs = resource.get_oidc_provider_configs()
+
+    oidc_provider_configs[0]["clientId"] = oidc.get_cognito_workload_client_id()
+    oidc_provider_configs[0]["audience"] = oidc.get_cognito_workload_client_id()
+    oidc_provider_configs[0]["issuerURI"] = oidc.get_cognito_workload_url()
+
+    resource.set_oidc_provider_configs(oidc_provider_configs)
+
+    resource.api = kubernetes.client.CustomObjectsApi(central_cluster_client)
+
+    return resource.update()
+
+
+@fixture(scope="module")
+def oidc_user(namespace) -> MongoDBUser:
+    resource = MongoDBUser.from_yaml(yaml_fixture("oidc/oidc-user-multi.yaml"), namespace=namespace)
+
+    resource["spec"]["username"] = f"OIDC-test-user/{oidc.get_cognito_workload_user_id()}"
+    resource["spec"]["mongodbResourceRef"]["name"] = MDB_RESOURCE
+
+    return resource.update()
+
+
+@pytest.mark.e2e_multi_cluster_oidc_m2m_user
+class TestOIDCMultiCluster(KubernetesTester):
+    def test_deploy_operator(self, multi_cluster_operator: Operator):
+        multi_cluster_operator.assert_is_running()
+
+    def test_create_oidc_replica_set(self, mongodb_multi: MongoDBMulti):
+        mongodb_multi.assert_reaches_phase(Phase.Running, timeout=800)
+
+    def test_create_user(self, oidc_user: MongoDBUser):
+        oidc_user.assert_reaches_phase(Phase.Updated, timeout=800)
+
+    def test_assert_connectivity(self, mongodb_multi: MongoDBMulti):
+        tester = mongodb_multi.tester()
+        tester.assert_oidc_authentication()
+
+    def test_ops_manager_state_updated_correctly(self, mongodb_multi: MongoDBMulti):
+        tester = mongodb_multi.get_automation_config_tester()
+        tester.assert_authentication_mechanism_enabled("MONGODB-OIDC", active_auth_mechanism=False)
+        tester.assert_authentication_enabled(2)
+        tester.assert_expected_users(1)
+        tester.assert_authoritative_set(True)

docs/mongodbcommunity/users.md

@@ -44,7 +44,6 @@ You cannot disable SCRAM authentication.
    | `spec.users.roles.role.db` | string | Database that the role applies to. | Yes |
    | `spec.users.connectionStringSecretAnnotations` | object | Annotations of the secret object created by the operator which exposes the connection strings for the user. | No |
 
-
    ```yaml
    ---
    apiVersion: mongodbcommunity.mongodb.com/v1