Merge branch 'master' into custom-roles

lucian-tosa · lucian-tosa · commit a396b1c5af2b · 2025-06-16T15:01:10.000+03:00
diff --git a/api/v1/mdb/mongodb_types.go b/api/v1/mdb/mongodb_types.go
@@ -1086,7 +1086,7 @@ type OIDCProviderConfig struct {
 
 	// Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
 	// Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-	// For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+	// For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
 	// For other MongoDB versions, the issuerURI itself must be unique.
 	// +kubebuilder:validation:Required
 	IssuerURI string `json:"issuerURI"`
diff --git a/api/v1/mdb/mongodb_validation.go b/api/v1/mdb/mongodb_validation.go
@@ -2,6 +2,7 @@ package mdb
 
 import (
 	"errors"
+	"strconv"
 	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -150,18 +151,18 @@ func oidcProviderConfigUniqueIssuerURIValidation(configs []OIDCProviderConfig) f
 			return v1.ValidationSuccess()
 		}
 
-		// Check if version supports duplicate issuers (7.0, 7.3, or 8.0+)
+		// Check if version supports duplicate issuers (8.0+)
 		versionParts := strings.Split(strings.TrimSuffix(d.Version, "-ent"), ".")
-		supportsMultipleIssuers := false
-		if len(versionParts) >= 2 {
+		supportsMultipleIssuerURIs := false
+		if len(versionParts) >= 1 {
 			major := versionParts[0]
-			minor := versionParts[1]
-			if major == "8" || (major == "7" && (minor == "0" || minor == "3")) {
-				supportsMultipleIssuers = true
+			majorVersion, err := strconv.Atoi(major)
+			if err == nil && majorVersion >= 8 {
+				supportsMultipleIssuerURIs = true
 			}
 		}
 
-		if supportsMultipleIssuers {
+		if supportsMultipleIssuerURIs {
 			// Track issuer+audience combinations
 			issuerAudienceCombos := make(map[string]string)
 			for _, config := range configs {
diff --git a/api/v1/mdb/mongodb_validation_test.go b/api/v1/mdb/mongodb_validation_test.go
@@ -506,8 +506,8 @@ func TestOIDCProviderConfigUniqueIssuerURIValidation(t *testing.T) {
 		expectedResult v1.ValidationResult
 	}{
 		{
-			name:         "MongoDB 6.0 with duplicate issuer URIs - error",
-			mongoVersion: "6.0.0",
+			name:         "MongoDB 7.0.11 with duplicate issuer URIs - error",
+			mongoVersion: "7.0.11",
 			configs: []OIDCProviderConfig{
 				{
 					ConfigurationName: "config1",
@@ -524,25 +524,8 @@ func TestOIDCProviderConfigUniqueIssuerURIValidation(t *testing.T) {
 				"config1", "config2", "https://provider.com"),
 		},
 		{
-			name:         "MongoDB 7.0 with unique issuer+audience combinations",
-			mongoVersion: "7.0.0",
-			configs: []OIDCProviderConfig{
-				{
-					ConfigurationName: "config1",
-					IssuerURI:         "https://provider.com",
-					Audience:          "audience1",
-				},
-				{
-					ConfigurationName: "config2",
-					IssuerURI:         "https://provider.com",
-					Audience:          "audience2",
-				},
-			},
-			expectedResult: v1.ValidationSuccess(),
-		},
-		{
-			name:         "MongoDB 7.0 with duplicate issuer+audience combinations - warning",
-			mongoVersion: "7.0.0",
+			name:         "MongoDB 8.0 with duplicate issuer+audience combinations - warning",
+			mongoVersion: "8.0.0",
 			configs: []OIDCProviderConfig{
 				{
 					ConfigurationName: "config1",
@@ -558,23 +541,6 @@ func TestOIDCProviderConfigUniqueIssuerURIValidation(t *testing.T) {
 			expectedResult: v1.ValidationWarning("OIDC provider configs %q and %q have duplicate IssuerURI and Audience combination",
 				"config1", "config2"),
 		},
-		{
-			name:         "MongoDB 7.3 with unique issuer+audience combinations",
-			mongoVersion: "7.3.0",
-			configs: []OIDCProviderConfig{
-				{
-					ConfigurationName: "config1",
-					IssuerURI:         "https://provider.com",
-					Audience:          "audience1",
-				},
-				{
-					ConfigurationName: "config2",
-					IssuerURI:         "https://provider.com",
-					Audience:          "audience2",
-				},
-			},
-			expectedResult: v1.ValidationSuccess(),
-		},
 		{
 			name:         "MongoDB 8.0 with unique issuer+audience combinations",
 			mongoVersion: "8.0.0",
@@ -594,16 +560,16 @@ func TestOIDCProviderConfigUniqueIssuerURIValidation(t *testing.T) {
 		},
 		{
 			name:         "MongoDB enterprise version with -ent suffix",
-			mongoVersion: "7.0.0-ent",
+			mongoVersion: "7.0.11-ent",
 			configs: []OIDCProviderConfig{
 				{
 					ConfigurationName: "config1",
-					IssuerURI:         "https://provider.com",
+					IssuerURI:         "https://provider-1.com",
 					Audience:          "audience1",
 				},
 				{
 					ConfigurationName: "config2",
-					IssuerURI:         "https://provider.com",
+					IssuerURI:         "https://provider-2.com",
 					Audience:          "audience2",
 				},
 			},
diff --git a/config/crd/bases/mongodb.com_mongodb.yaml b/config/crd/bases/mongodb.com_mongodb.yaml
@@ -1573,7 +1573,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
diff --git a/config/crd/bases/mongodb.com_mongodbmulticluster.yaml b/config/crd/bases/mongodb.com_mongodbmulticluster.yaml
@@ -833,7 +833,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
diff --git a/config/crd/bases/mongodb.com_opsmanagers.yaml b/config/crd/bases/mongodb.com_opsmanagers.yaml
@@ -895,7 +895,7 @@ spec:
                                   description: |-
                                     Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                     Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                    For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                    For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                     For other MongoDB versions, the issuerURI itself must be unique.
                                   type: string
                                 requestedScopes:
diff --git a/config/manifests/bases/mongodb-kubernetes.clusterserviceversion.yaml b/config/manifests/bases/mongodb-kubernetes.clusterserviceversion.yaml
@@ -8,9 +8,9 @@ metadata:
     certified: "true"
     containerImage: quay.io/mongodb/mongodb-kubernetes:1.1.0
     createdAt: ""
-    description: The MongoDB Controllers for Kubernetes enable easy deploys of MongoDB
-      into Kubernetes clusters, using our management, monitoring and backup platforms,
-      Ops Manager and Cloud Manager.
+    description: The MongoDB Controllers for Kubernetes enable easy deploys of 
+      MongoDB into Kubernetes clusters, using our management, monitoring and 
+      backup platforms, Ops Manager and Cloud Manager.
     features.operators.openshift.io/disconnected: "true"
     features.operators.openshift.io/fips-compliant: "false"
     features.operators.openshift.io/proxy-aware: "false"
@@ -51,7 +51,8 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
         - urn:alm:descriptor:com.tectonic.ui:fieldGroup:ClusterConfiguration
-      - description: In a Replica Set deployment type, specifies the amount of members.
+      - description: In a Replica Set deployment type, specifies the amount of 
+          members.
         displayName: Members of a Replica Set
         path: members
         x-descriptors:
@@ -65,7 +66,8 @@ spec:
       - description: Project configuration for this deployment
         displayName: Ops Manager project configuration
         path: opsManager
-      - description: Name of the ConfigMap with the configuration for this project
+      - description: Name of the ConfigMap with the configuration for this 
+          project
         displayName: Ops Manager Project Configuration
         path: opsManager.configMapRef.name
         x-descriptors:
@@ -164,7 +166,8 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
         - urn:alm:descriptor:com.tectonic.ui:fieldGroup:ClusterConfiguration
-      - description: In a Replica Set deployment type, specifies the amount of members.
+      - description: In a Replica Set deployment type, specifies the amount of 
+          members.
         displayName: Members of a Replica Set
         path: members
         x-descriptors:
@@ -178,7 +181,8 @@ spec:
       - description: Project configuration for this deployment
         displayName: Ops Manager project configuration
         path: opsManager
-      - description: Name of the ConfigMap with the configuration for this project
+      - description: Name of the ConfigMap with the configuration for this 
+          project
         displayName: Ops Manager Project Configuration
         path: opsManager.configMapRef.name
         x-descriptors:
@@ -190,8 +194,8 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
         - urn:alm:descriptor:com.tectonic.ui:fieldGroup:ClusterConfiguration
-      - description: Optional. Specify whether to duplicate service objects among
-          different Kubernetes clusters.
+      - description: Optional. Specify whether to duplicate service objects 
+          among different Kubernetes clusters.
         displayName: Duplicate Service Objects
         path: duplicateServiceObjects
         x-descriptors:
@@ -252,7 +256,8 @@ spec:
         path: passwordSecretKeyRef.name
         x-descriptors:
         - urn:alm:descriptor:io.kubernetes:Secret
-      - displayName: Name of the MongoDB resource to which this user is associated.
+      - displayName: Name of the MongoDB resource to which this user is 
+          associated.
         path: mongodbResourceRef.name
         x-descriptors:
         - urn:alm:descriptor:io.kubernetes:mongodb
@@ -308,8 +313,8 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:io.kubernetes:Secret
         - urn:alm:descriptor:com.tectonic.ui:fieldGroup:OpsManagerConfiguration
-      - displayName: Secret to enable TLS for Ops Manager allowing it to serve traffic
-          over HTTPS.
+      - displayName: Secret to enable TLS for Ops Manager allowing it to serve 
+          traffic over HTTPS.
         path: security.tls.secretRef.name
         x-descriptors:
         - urn:alm:descriptor:io.kubernetes:Secret
@@ -319,8 +324,8 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:number
         - urn:alm:descriptor:com.tectonic.ui:fieldGroup:ApplicationDatabase
-      - displayName: Secret containing the TLS certificate signed by known or custom
-          CA.
+      - displayName: Secret containing the TLS certificate signed by known or 
+          custom CA.
         path: applicationDatabase.security.tls.secretRef.name
         x-descriptors:
         - urn:alm:descriptor:io.kubernetes:Secret
diff --git a/docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_scram_sha_and_x509.py b/docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_scram_sha_and_x509.py
@@ -154,7 +154,7 @@ def test_x509_user_reaches_updated_phase(x509_user: MongoDBUser):
 def test_x509_user_exists_in_automation_config(x509_user: MongoDBUser):
     ac = KubernetesTester.get_automation_config()
     users = ac["auth"]["usersWanted"]
-    return x509_user["spec"]["username"] in (user["user"] for user in users)
+    assert x509_user["spec"]["username"] in (user["user"] for user in users)
 
 
 @pytest.mark.e2e_sharded_cluster_scram_sha_and_x509
diff --git a/helm_chart/Chart.yaml b/helm_chart/Chart.yaml
@@ -1,7 +1,8 @@
 apiVersion: v2
 name: mongodb-kubernetes
-description: MongoDB Controllers for Kubernetes translate the human knowledge of creating
-  a MongoDB instance into a scalable, repeatable, and standardized method.
+description: MongoDB Controllers for Kubernetes translate the human knowledge of
+  creating a MongoDB instance into a scalable, repeatable, and standardized 
+  method.
 version: 1.1.0
 kubeVersion: '>=1.16-0'
 type: application
diff --git a/helm_chart/crds/mongodb.com_mongodb.yaml b/helm_chart/crds/mongodb.com_mongodb.yaml
@@ -1573,7 +1573,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
diff --git a/helm_chart/crds/mongodb.com_mongodbmulticluster.yaml b/helm_chart/crds/mongodb.com_mongodbmulticluster.yaml
@@ -833,7 +833,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
diff --git a/helm_chart/crds/mongodb.com_opsmanagers.yaml b/helm_chart/crds/mongodb.com_opsmanagers.yaml
@@ -895,7 +895,7 @@ spec:
                                   description: |-
                                     Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                     Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                    For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                    For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                     For other MongoDB versions, the issuerURI itself must be unique.
                                   type: string
                                 requestedScopes:
diff --git a/public/crds.yaml b/public/crds.yaml
@@ -1681,7 +1681,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
@@ -4334,7 +4334,7 @@ spec:
                               description: |-
                                 Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                 Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                 For other MongoDB versions, the issuerURI itself must be unique.
                               type: string
                             requestedScopes:
@@ -5998,7 +5998,7 @@ spec:
                                   description: |-
                                     Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
                                     Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
-                                    For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
+                                    For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
                                     For other MongoDB versions, the issuerURI itself must be unique.
                                   type: string
                                 requestedScopes:
diff --git a/requirements.txt b/requirements.txt
@@ -1,16 +1,16 @@
-requests==2.32.3
+requests==2.32.4
 click==8.1.8
 docker==7.1.0
 Jinja2==3.1.6
-ruamel.yaml==0.18.11
+ruamel.yaml==0.18.14
 dnspython>=2.6.1
 MarkupSafe==3.0.2
 semver==3.0.4
 chardet==5.2.0
 jsonpatch==1.33
 kubernetes==30.1.0
 pymongo==4.13.0
-pytest==8.3.5
+pytest==8.4.0
 pytest-asyncio==0.26.0
 pycognito==2024.5.1
 PyYAML==6.0.2
@@ -31,15 +31,15 @@ isort==6.0.1
 shrub.py==3.10.0
 pytest-mock==3.14.1
 wrapt==1.17.2
-botocore==1.38.23
-boto3==1.38.23
+botocore==1.38.33
+boto3==1.38.33
 
 # from kubeobject
 freezegun==1.5.2
 python-box==7.3.2
 autopep8==2.3.2
 flake8-isort==6.1.2
-mypy==1.15.0
+mypy==1.16.0
 types-freezegun==1.1.10
 types-PyYAML==6.0.12.20250516
 types-pytz==2025.2.0.20250516
