tests: refactoring+improvements

Author: filipcirtog

.evergreen-tasks.yml

@@ -720,6 +720,16 @@ tasks:
     commands:
       - func: "e2e_test"
 
+  - name: e2e_replica_set_ldap_switch_project
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_sharded_cluster_ldap_switch_project
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
   # TODO: not used in any variant
   - name: e2e_replica_set_scram_x509_internal_cluster
     tags: [ "patch-run" ]

.evergreen.yml

@@ -719,6 +719,8 @@ task_groups:
       - e2e_replica_set_scram_sha_256_switch_project
       - e2e_replica_set_scram_sha_1_switch_project
       - e2e_replica_set_x509_switch_project
+      - e2e_replica_set_ldap_switch_project
+      - e2e_sharded_cluster_ldap_switch_project
       # e2e_auth_transitions_task_group
       - e2e_replica_set_scram_sha_and_x509
       - e2e_replica_set_x509_to_scram_transition

controllers/om/automation_config.go

@@ -439,7 +439,7 @@ func (ac *AutomationConfig) EnsureKeyFileContents() error {
 // AuthSecretName for a given mdbName (`mdbName`) returns the name of
 // the secret associated with it.
 func AuthSecretName(mdbName string) string {
-	return fmt.Sprintf("%s-agent-auth-secre", mdbName)
+	return fmt.Sprintf("%s-agent-auth-secret", mdbName)
 }
 
 // EnsurePassword makes sure that there is an Automation Agent password

docker/mongodb-kubernetes-tests/tests/authentication/fixtures/switch-project/replica-set-ldap-switch-project.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: replica-set-ldap-switch-project
+spec:
+  type: ReplicaSet
+  members: 3
+  version: 4.4.0-ent
+
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+
+  security:
+    authentication:
+      agents:
+        mode: "SCRAM"
+      enabled: true
+      # Enabled LDAP and SCRAM Authentication Mode
+      modes: ["LDAP", "SCRAM"]
+      ldap:
+        servers: "<filled-by-test>"
+        transportSecurity: "<filled-by-test>"
+        bindQueryUser: "<filled-by-test>"
+        bindQueryPasswordSecretRef:
+          name: "<filled-by-test>"
+        

docker/mongodb-kubernetes-tests/tests/authentication/fixtures/switch-project/sharded-cluster-ldap-switch-project.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: sharded-cluster-ldap-switch-project
+spec:
+  type: ShardedCluster
+
+  shardCount: 1
+  mongodsPerShardCount: 1
+  mongosCount: 1
+  configServerCount: 1
+
+  version: 4.4.0-ent
+
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+
+  security:
+    authentication:
+      enabled: true
+      # Enabled LDAP Authentication Mode
+      modes: ["LDAP"]
+      ldap:
+        servers: "<ldap-servers>"
+        transportSecurity: "tls"
+        # Specify the LDAP Distinguished Name to which
+        # MongoDB binds when connecting to the LDAP server
+        bindQueryUser: "cn=admin,dc=example,dc=org"
+        bindQueryPasswordSecretRef:
+          name: "<secret-name>"

docker/mongodb-kubernetes-tests/tests/authentication/fixtures/switch-project/sharded-cluster-scram-sha-256-switch-project.yaml

@@ -21,5 +21,3 @@ spec:
     authentication:
       enabled: true
       modes: ["SCRAM"]
-
-

docker/mongodb-kubernetes-tests/tests/authentication/replica_set_ldap_switch_project.py

@@ -0,0 +1,174 @@
+import tempfile
+from typing import List
+
+import pytest
+from kubetester import (
+    create_or_update_configmap,
+    create_secret,
+    find_fixture,
+    random_k8s_name,
+    read_configmap,
+)
+from kubetester.certs import create_mongodb_tls_certs, create_x509_user_cert
+from kubetester.kubetester import KubernetesTester
+from kubetester.ldap import LDAP_AUTHENTICATION_MECHANISM, LDAPUser, OpenLDAP
+from kubetester.mongodb import MongoDB
+from kubetester.mongodb_user import MongoDBUser, Role, generic_user
+from kubetester.phase import Phase
+
+MDB_RESOURCE_NAME = "replica-set-ldap-switch-project"
+MDB_FIXTURE_NAME = MDB_RESOURCE_NAME
+
+CONFIG_MAP_KEYS = {
+    "BASE_URL": "baseUrl",
+    "PROJECT_NAME": "projectName",
+    "ORG_ID": "orgId",
+}
+
+
+@pytest.fixture(scope="module")
+def project_name_prefix(namespace: str) -> str:
+    """
+    Generates a random Kubernetes project name prefix based on the namespace.
+
+    Ensures test isolation in a multi-namespace test environment.
+    """
+    return random_k8s_name(f"{namespace}-project-")
+
+
+@pytest.fixture(scope="module")
+def server_certs(namespace: str, issuer: str):
+    create_mongodb_tls_certs(issuer, namespace, MDB_RESOURCE_NAME, "certs-" + MDB_RESOURCE_NAME + "-cert")
+    return "certs"
+
+
+@pytest.fixture(scope="module")
+def replica_set(
+    openldap: OpenLDAP,
+    issuer_ca_configmap: str,
+    ldap_mongodb_agent_user: LDAPUser,
+    server_certs: str,
+    namespace: str,
+) -> MongoDB:
+    resource = MongoDB.from_yaml(find_fixture(f"switch-project/{MDB_FIXTURE_NAME}.yaml"), namespace=namespace)
+
+    secret_name = "bind-query-password"
+    create_secret(namespace, secret_name, {"password": openldap.admin_password})
+    ac_secret_name = "automation-config-password"
+    create_secret(
+        namespace,
+        ac_secret_name,
+        {"automationConfigPassword": ldap_mongodb_agent_user.password},
+    )
+
+    resource["spec"]["security"] = {
+        "tls": {
+            "enabled": True,
+            "ca": issuer_ca_configmap,
+        },
+        "certsSecretPrefix": server_certs,
+        "authentication": {
+            "enabled": True,
+            "modes": ["LDAP", "SCRAM", "X509"],
+            "ldap": {
+                "servers": [openldap.servers],
+                "bindQueryUser": "cn=admin,dc=example,dc=org",
+                "bindQueryPasswordSecretRef": {"name": secret_name},
+            },
+            "agents": {
+                "mode": "LDAP",
+                "automationPasswordSecretRef": {
+                    "name": ac_secret_name,
+                    "key": "automationConfigPassword",
+                },
+                "automationUserName": ldap_mongodb_agent_user.uid,
+            },
+        },
+    }
+
+    return resource
+
+
+@pytest.fixture(scope="module")
+def user_ldap(replica_set: MongoDB, namespace: str, ldap_mongodb_users: List[LDAPUser]) -> MongoDBUser:
+    mongodb_user = ldap_mongodb_users[0]
+    user = generic_user(
+        namespace,
+        username=mongodb_user.username,
+        db="$external",
+        password=mongodb_user.password,
+        mongodb_resource=replica_set,
+    )
+    user.add_roles(
+        [
+            Role(db="admin", role="clusterAdmin"),
+            Role(db="admin", role="readWriteAnyDatabase"),
+            Role(db="admin", role="dbAdminAnyDatabase"),
+        ]
+    )
+
+    return user.create()
+
+
+@pytest.mark.e2e_replica_set_ldap_switch_project
+class TestReplicaSetLDAPProjectSwitch(KubernetesTester):
+
+    def test_create_replica_set(self, replica_set: MongoDB, ldap_mongodb_users: List[LDAPUser]):
+        replica_set.update()
+        replica_set.assert_reaches_phase(Phase.Running, timeout=600)
+
+    def test_create_ldap_user(self, replica_set: MongoDB, user_ldap: MongoDBUser):
+        user_ldap.assert_reaches_phase(Phase.Updated)
+
+        tester = replica_set.get_automation_config_tester()
+        tester.assert_authentication_mechanism_enabled(LDAP_AUTHENTICATION_MECHANISM, active_auth_mechanism=True)
+        tester.assert_expected_users(1)
+
+    def test_new_mdb_users_are_created_and_can_authenticate(
+        self, replica_set: MongoDB, user_ldap: MongoDBUser, ca_path: str
+    ):
+        tester = replica_set.tester()
+
+        tester.assert_ldap_authentication(
+            username=user_ldap["spec"]["username"],
+            password=user_ldap.password,
+            tls_ca_file=ca_path,
+            attempts=10,
+        )
+
+    def test_switch_replica_set_project(
+        self, replica_set: MongoDB, namespace: str, project_name_prefix: str, user_ldap: MongoDBUser
+    ):
+        """
+        Modify the replica set to switch its Ops Manager reference to a new project and verify lifecycle.
+        """
+        original_configmap = read_configmap(namespace=namespace, name="my-project")
+        new_project_name = f"{project_name_prefix}-second"
+        new_project_configmap = create_or_update_configmap(
+            namespace=namespace,
+            name=new_project_name,
+            data={
+                CONFIG_MAP_KEYS["BASE_URL"]: original_configmap[CONFIG_MAP_KEYS["BASE_URL"]],
+                CONFIG_MAP_KEYS["PROJECT_NAME"]: new_project_name,
+                CONFIG_MAP_KEYS["ORG_ID"]: original_configmap[CONFIG_MAP_KEYS["ORG_ID"]],
+            },
+        )
+
+        replica_set.load()
+        replica_set["spec"]["opsManager"]["configMapRef"]["name"] = new_project_configmap
+        replica_set.update()
+
+        replica_set.assert_reaches_phase(Phase.Running, timeout=600)
+
+    def test_ops_manager_state_correctly_updated_in_moved_cluster(self, replica_set: MongoDB,  user_ldap: MongoDBUser, ca_path: str):
+        tester = replica_set.get_automation_config_tester()
+        tester.assert_authentication_mechanism_enabled(LDAP_AUTHENTICATION_MECHANISM, active_auth_mechanism=True)
+        # tester.assert_expected_users(1)
+
+        # tester = replica_set.tester()
+        # tester.assert_ldap_authentication(
+        #     username=user_ldap["spec"]["username"],
+        #     password=user_ldap.password,
+        #     tls_ca_file=ca_path,
+        #     attempts=10,
+        # )

docker/mongodb-kubernetes-tests/tests/authentication/replica_set_scram_sha_1_switch_project.py

@@ -1,8 +1,14 @@
 import pytest
-from kubetester import create_or_update_configmap, random_k8s_name, read_configmap
+from kubetester import (
+    create_or_update_configmap,
+    create_or_update_secret,
+    random_k8s_name,
+    read_configmap,
+)
 from kubetester.kubetester import KubernetesTester
 from kubetester.kubetester import fixture as load_fixture
 from kubetester.mongodb import MongoDB
+from kubetester.mongodb_user import MongoDBUser
 from kubetester.mongotester import ReplicaSetTester
 from kubetester.phase import Phase
 
@@ -44,6 +50,10 @@ class TestReplicaSetCreationAndProjectSwitch(KubernetesTester):
     E2E test suite for replica set creation, user connectivity with SCRAM-SHA-1 authentication and switching Ops Manager project reference.
     """
 
+    PASSWORD_SECRET_NAME = "mms-user-1-password"
+    USER_PASSWORD = "my-password"
+    USER_NAME = "mms-user-1"
+
     def test_create_replica_set(self, custom_mdb_version: str, replica_set: MongoDB):
         """
         Test replica set creation ensuring resources are applied correctly and set reaches Running phase.
@@ -68,6 +78,40 @@ def test_ops_manager_state_correctly_updated_in_initial_replica_set(self, replic
         tester.assert_authentication_enabled(2)
         tester.assert_expected_users(0)
 
+    def test_create_secret(self):
+        print(f"creating password for MongoDBUser {self.USER_NAME} in secret/{self.PASSWORD_SECRET_NAME} ")
+
+        create_or_update_secret(
+            KubernetesTester.get_namespace(),
+            self.PASSWORD_SECRET_NAME,
+            {
+                "password": self.USER_PASSWORD,
+            },
+        )
+
+    def test_create_user(self, namespace: str):
+        mdb = MongoDBUser.from_yaml(
+            load_fixture("scram-sha-user.yaml"),
+            namespace=namespace,
+        )
+        mdb["spec"]["mongodbResourceRef"]["name"] = MDB_RESOURCE_NAME
+
+        mdb.update()
+        mdb.assert_reaches_phase(Phase.Updated, timeout=150)
+
+    def test_ops_manager_state_with_users_correctly_updated(self, replica_set: MongoDB):
+        expected_roles = {
+            ("admin", "clusterAdmin"),
+            ("admin", "userAdminAnyDatabase"),
+            ("admin", "readWrite"),
+            ("admin", "userAdminAnyDatabase"),
+        }
+
+        tester = replica_set.get_automation_config_tester()
+        tester.assert_has_user(self.USER_NAME)
+        tester.assert_user_has_roles(self.USER_NAME, expected_roles)
+        tester.assert_expected_users(1)
+
     def test_switch_replica_set_project(
         self, custom_mdb_version: str, replica_set: MongoDB, namespace: str, project_name_prefix: str
     ):
@@ -107,4 +151,16 @@ def test_ops_manager_state_correctly_updated_in_moved_replica_set(self, replica_
         tester.assert_authentication_mechanism_enabled("MONGODB-CR")
         tester.assert_authoritative_set(True)
         tester.assert_authentication_enabled(2)
-        tester.assert_expected_users(0)
+
+    def test_ops_manager_state_with_users_correctly_updated_after_switch(self, replica_set: MongoDB):
+        expected_roles = {
+            ("admin", "clusterAdmin"),
+            ("admin", "userAdminAnyDatabase"),
+            ("admin", "readWrite"),
+            ("admin", "userAdminAnyDatabase"),
+        }
+
+        tester = replica_set.get_automation_config_tester()
+        tester.assert_has_user(self.USER_NAME)
+        tester.assert_user_has_roles(self.USER_NAME, expected_roles)
+        tester.assert_expected_users(1)