Merge branch 'master' into feature/mk-oidc-crd-propagation

# Conflicts:
#	api/v1/mdb/mongodb_types.go

Author: MaciejKaras

.github/CODEOWNERS

@@ -1,3 +1 @@
 * @mongodb/kubernetes-hosted
-
-helm_chart/crds/ @dan-mckean @vinilage

api/v1/mdb/mongodb_types.go

@@ -807,14 +807,6 @@ func (s *Security) IsTLSEnabled() bool {
 	return s.CertificatesSecretsPrefix != ""
 }
 
-func (s *Security) IsOIDCEnabled() bool {
-	if s == nil || s.Authentication == nil || !s.Authentication.Enabled {
-		return false
-	}
-
-	return s.Authentication.IsOIDCEnabled()
-}
-
 // GetAgentMechanism returns the authentication mechanism that the agents will be using.
 // The agents will use X509 if it is the only mechanism specified, otherwise they will use SCRAM if specified
 // and no auth if no mechanisms exist.
@@ -1007,16 +999,28 @@ type AgentAuthentication struct {
 // IsX509Enabled determines if X509 is to be enabled at the project level
 // it does not necessarily mean that the agents are using X509 authentication
 func (a *Authentication) IsX509Enabled() bool {
+	if a == nil || !a.Enabled {
+		return false
+	}
+
 	return stringutil.Contains(a.GetModes(), util.X509)
 }
 
 // IsLDAPEnabled determines if LDAP is to be enabled at the project level
 func (a *Authentication) IsLDAPEnabled() bool {
+	if a == nil || !a.Enabled {
+		return false
+	}
+
 	return stringutil.Contains(a.GetModes(), util.LDAP)
 }
 
 // IsOIDCEnabled determines if OIDC is to be enabled at the project level
 func (a *Authentication) IsOIDCEnabled() bool {
+	if a == nil || !a.Enabled {
+		return false
+	}
+
 	return stringutil.Contains(a.GetModes(), util.OIDC)
 }
 

api/v1/mdb/mongodb_types_test.go

@@ -83,10 +83,20 @@ func TestGetAuthenticationIsEnabledMethods(t *testing.T) {
 			expectedLDAP:   false,
 			expectedOIDC:   false,
 		},
+		{
+			name: "Empty authentication mode list",
+			authentication: &Authentication{
+				Enabled: true,
+			},
+			expectedX509: false,
+			expectedLDAP: false,
+			expectedOIDC: false,
+		},
 		{
 			name: "Authentication with x509 only",
 			authentication: &Authentication{
-				Modes: []AuthMode{util.X509},
+				Enabled: true,
+				Modes:   []AuthMode{util.X509},
 			},
 			expectedX509: true,
 			expectedLDAP: false,
@@ -95,7 +105,8 @@ func TestGetAuthenticationIsEnabledMethods(t *testing.T) {
 		{
 			name: "Authentication with LDAP only",
 			authentication: &Authentication{
-				Modes: []AuthMode{util.LDAP},
+				Enabled: true,
+				Modes:   []AuthMode{util.LDAP},
 			},
 			expectedX509: false,
 			expectedLDAP: true,
@@ -104,7 +115,8 @@ func TestGetAuthenticationIsEnabledMethods(t *testing.T) {
 		{
 			name: "Authentication with OIDC only",
 			authentication: &Authentication{
-				Modes: []AuthMode{util.OIDC},
+				Enabled: true,
+				Modes:   []AuthMode{util.OIDC},
 			},
 			expectedX509: false,
 			expectedLDAP: false,
@@ -113,7 +125,8 @@ func TestGetAuthenticationIsEnabledMethods(t *testing.T) {
 		{
 			name: "Authentication with multiple modes",
 			authentication: &Authentication{
-				Modes: []AuthMode{util.X509, util.LDAP, util.OIDC, util.SCRAM},
+				Enabled: true,
+				Modes:   []AuthMode{util.X509, util.LDAP, util.OIDC, util.SCRAM},
 			},
 			expectedX509: true,
 			expectedLDAP: true,

api/v1/mdb/mongodb_validation.go

@@ -54,7 +54,7 @@ func deploymentsMustHaveTLSInX509Env(d DbCommonSpec) v1.ValidationResult {
 	if authSpec == nil {
 		return v1.ValidationSuccess()
 	}
-	if authSpec.Enabled && authSpec.IsX509Enabled() && !d.GetSecurity().IsTLSEnabled() {
+	if authSpec.IsX509Enabled() && !d.GetSecurity().IsTLSEnabled() {
 		return v1.ValidationError("Cannot have a non-tls deployment when x509 authentication is enabled")
 	}
 	return v1.ValidationSuccess()
@@ -107,11 +107,15 @@ func scramSha1AuthValidation(d DbCommonSpec) v1.ValidationResult {
 
 func oidcAuthValidators(db DbCommonSpec) []func(DbCommonSpec) v1.ValidationResult {
 	validators := make([]func(DbCommonSpec) v1.ValidationResult, 0)
-	if !db.Security.IsOIDCEnabled() {
+	if db.Security == nil || db.Security.Authentication == nil {
 		return validators
 	}
 
 	authentication := db.Security.Authentication
+	if !authentication.IsOIDCEnabled() {
+		return validators
+	}
+
 	validators = append(validators, oidcAuthModeValidator(authentication))
 	validators = append(validators, oidcAuthRequiresEnterprise)
 

api/v1/om/opsmanager_types.go

@@ -633,7 +633,7 @@ func ensureSecurityWithSCRAM(specSecurity *mdbv1.Security) *mdbv1.Security {
 		specSecurity = &mdbv1.Security{TLSConfig: &mdbv1.TLSConfig{}}
 	}
 	// the only allowed authentication is SCRAM - it's implicit to the user and hidden from him
-	specSecurity.Authentication = &mdbv1.Authentication{Modes: []mdbv1.AuthMode{util.SCRAM}}
+	specSecurity.Authentication = &mdbv1.Authentication{Enabled: true, Modes: []mdbv1.AuthMode{util.SCRAM}}
 	return specSecurity
 }
 

controllers/operator/mongodbshardedcluster_controller.go

@@ -1014,7 +1014,7 @@ func (r *ShardedClusterReconcileHelper) doShardedClusterProcessing(ctx context.C
 	}
 
 	security := sc.Spec.Security
-	if security.Authentication != nil && security.Authentication.Enabled && security.Authentication.IsX509Enabled() && !sc.Spec.GetSecurity().IsTLSEnabled() {
+	if security.Authentication.IsX509Enabled() && !security.IsTLSEnabled() {
 		return workflow.Invalid("cannot have a non-tls deployment when x509 authentication is enabled")
 	}
 

controllers/operator/mongodbstandalone_controller.go

@@ -177,7 +177,7 @@ func (r *ReconcileMongoDbStandalone) Reconcile(ctx context.Context, request reco
 	// cannot have a non-tls deployment in an x509 environment
 	// TODO move to webhook validations
 	security := s.Spec.Security
-	if security.Authentication != nil && security.Authentication.Enabled && security.Authentication.IsX509Enabled() && !s.Spec.GetSecurity().IsTLSEnabled() {
+	if security.Authentication.IsX509Enabled() && !security.IsTLSEnabled() {
 		return r.updateStatus(ctx, s, workflow.Invalid("cannot have a non-tls deployment when x509 authentication is enabled"), log)
 	}
 

docker/mongodb-kubernetes-tests/tests/multicluster_shardedcluster/multi_cluster_sharded_disaster_recovery.py

@@ -11,10 +11,7 @@
     try_load,
     update_configmap,
 )
-from kubetester.kubetester import (
-    KubernetesTester,
-    ensure_ent_version,
-)
+from kubetester.kubetester import KubernetesTester, ensure_ent_version
 from kubetester.kubetester import fixture as yaml_fixture
 from kubetester.kubetester import (
     get_env_var_or_fail,

docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_sharded_cluster.py

@@ -23,9 +23,7 @@
 from tests.shardedcluster.conftest import (
     enable_multi_cluster_deployment as enable_multi_cluster_deployment_mdb,
 )
-from tests.shardedcluster.conftest import (
-    get_mongos_service_names,
-)
+from tests.shardedcluster.conftest import get_mongos_service_names
 
 HEAD_PATH = "/head/"
 S3_SECRET_NAME = "my-s3-secret"

docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_upgrade.py

@@ -7,9 +7,7 @@
 from kubernetes.client.rest import ApiException
 from kubetester import MongoDB, try_load
 from kubetester.awss3client import AwsS3Client
-from kubetester.kubetester import (
-    ensure_ent_version,
-)
+from kubetester.kubetester import ensure_ent_version
 from kubetester.kubetester import fixture as yaml_fixture
 from kubetester.kubetester import (
     is_default_architecture_static,