Merge branch 'custom-roles' into feature/mk-custom-roles-telemetry

# Conflicts:
#	go.sum

Author: MaciejKaras

.evergreen-functions.yml

@@ -160,13 +160,6 @@ functions:
         - ${workdir}/bin
       binary: scripts/evergreen/setup_kind.sh
 
-  setup_docker_datadir: &setup_docker_datadir
-    command: subprocess.exec
-    type: setup
-    params:
-      working_dir: src/github.com/mongodb/mongodb-kubernetes
-      binary: scripts/evergreen/configure-docker-datadir.sh
-
   setup_preflight:
     - command: subprocess.exec
       type: setup
@@ -227,6 +220,15 @@ functions:
         - ${workdir}/bin
       binary: scripts/dev/configure_docker_auth.sh
 
+  setup_evg_host: &setup_evg_host
+    command: subprocess.exec
+    type: setup
+    params:
+      working_dir: src/github.com/mongodb/mongodb-kubernetes
+      add_to_path:
+        - ${workdir}/bin
+      binary: scripts/dev/setup_evg_host.sh
+
   lint_repo:
     - command: subprocess.exec
       type: setup
@@ -249,7 +251,7 @@ functions:
     - *switch_context
     - *setup_aws
     - *configure_docker_auth
-    - *setup_docker_datadir
+    - *setup_evg_host
     - *python_venv
 
   prune_docker_resources:
@@ -447,7 +449,20 @@ functions:
         aws_secret: ${enterprise_aws_secret_access_key}
         local_files_include_filter:
           - src/github.com/mongodb/mongodb-kubernetes/public/architectures/**/*.log
+          - src/github.com/mongodb/mongodb-kubernetes/docs/**/*.log
+        remote_file: logs/${task_id}/${execution}/
+        bucket: operator-e2e-artifacts
+        permissions: private
+        visibility: signed
+        content_type: text/plain
+    - command: s3.put
+      params:
+        aws_key: ${enterprise_aws_access_key_id}
+        aws_secret: ${enterprise_aws_secret_access_key}
+        local_files_include_filter:
           - src/github.com/mongodb/mongodb-kubernetes/public/architectures/**/*.out
+          - src/github.com/mongodb/mongodb-kubernetes/docs/**/*.out
+        preserve_path: true
         remote_file: logs/${task_id}/${execution}/
         bucket: operator-e2e-artifacts
         permissions: private

.evergreen.yml

@@ -216,8 +216,8 @@ patch_aliases:
     variant_tags: [ "release_all_agents_manually" ]
     task: ".*"
   - alias: "release"
-    variant_tags: [ "release" ]
-    task_tags: [ "image_release", "image_preflight", "openshift_bundles", "code_snippets" ]
+    variant_tags: [ "release", "e2e_smoke_release_test_suite" ]
+    task_tags: [ "image_release", "image_preflight", "openshift_bundles", "code_snippets", "patch-run" ]
   - alias: "smoke_test_release"
     variant_tags: [ "e2e_smoke_release_test_suite" ]
     task_tags: [ "patch-run" ]
@@ -247,8 +247,8 @@ github_checks_aliases:
 # Triggered on git tag
 git_tag_aliases:
   - git_tag: "^(\\d+\\.)?(\\d+\\.)?(\\d+)$"
-    variant_tags: [ "release" ]
-    task_tags: [ "image_release", "image_preflight", "openshift_bundles", "code_snippets" ]
+    variant_tags: [ "release", "e2e_smoke_release_test_suite" ]
+    task_tags: [ "image_release", "image_preflight", "openshift_bundles", "code_snippets", "patch-run" ]
 
 tasks:
   - name: unit_tests_golang
@@ -587,7 +587,6 @@ tasks:
       - func: clone
       - func: setup_aws
       - func: configure_docker_auth
-      - func: quay_login
       - func: setup_prepare_openshift_bundles
       - func: prepare_openshift_bundles
       - func: update_evergreen_expansions
@@ -1390,9 +1389,10 @@ buildvariants:
 
   - name: e2e_smoke
     display_name: e2e_smoke
-    tags: [ "e2e_test_suite" ]
+    tags: [ "e2e_test_suite", "e2e_smoke_release_test_suite" ]
     run_on:
       - ubuntu2204-large
+    allowed_requesters: [ "patch", "github_tag" ]
     depends_on:
       - name: build_test_image
         variant: init_test_run
@@ -1401,30 +1401,7 @@ buildvariants:
 
   - name: e2e_static_smoke
     display_name: e2e_static_smoke
-    tags: [ "e2e_test_suite" ]
-    run_on:
-      - ubuntu2204-large
-    depends_on:
-      - name: build_test_image
-        variant: init_test_run
-    tasks:
-      - name: e2e_smoke_task_group
-
-  - name: e2e_smoke_release
-    display_name: e2e_smoke_release
-    tags: [ "e2e_smoke_release_test_suite" ]
-    run_on:
-      - ubuntu2204-large
-    allowed_requesters: [ "patch", "github_tag" ]
-    depends_on:
-      - name: build_test_image
-        variant: init_test_run
-    tasks:
-      - name: e2e_smoke_task_group
-
-  - name: e2e_static_smoke_release
-    display_name: e2e_static_smoke_release
-    tags: [ "e2e_smoke_release_test_suite" ]
+    tags: [ "e2e_test_suite", "e2e_smoke_release_test_suite" ]
     run_on:
       - ubuntu2204-large
     allowed_requesters: [ "patch", "github_tag" ]
@@ -1863,13 +1840,30 @@ buildvariants:
 
   - name: private_kind_code_snippets
     display_name: private_kind_code_snippets
-    allowed_requesters: ["patch"]
+    tags: [ "e2e_test_suite" ]
+    allowed_requesters: ["patch", "github_pr"]
     run_on:
       - ubuntu2204-large
     <<: *base_om8_dependency
     tasks:
       - name: kind_code_snippets_task_group
 
+  - name: prerelease_kind_code_snippets
+    display_name: prerelease_kind_code_snippets
+    allowed_requesters: ["patch"]
+    run_on:
+      - ubuntu2204-large
+    tasks:
+      - name: kind_code_snippets_task_group
+
+  - name: public_kind_code_snippets
+    display_name: public_kind_code_snippets
+    allowed_requesters: ["patch"]
+    run_on:
+      - ubuntu2204-large
+    tasks:
+      - name: kind_code_snippets_task_group
+
   ### Build variants for manual patch only
 
   - name: publish_om60_images

.githooks/pre-commit

@@ -3,6 +3,8 @@
 set -Eeou pipefail
 
 source scripts/dev/set_env_context.sh
+source scripts/funcs/printing
+
 if [ -f "${PROJECT_DIR}"/venv/bin/activate ]; then
   source "${PROJECT_DIR}"/venv/bin/activate
 fi
@@ -107,55 +109,64 @@ function update_release_json() {
   git add release.json
 }
 
-function pre_commit() {
-  # Update release.json first in case there is a newer version
-  update_release_json
-  # Generate operator manifests (CRDs, etc)
-  generate_manifests
-  # We need to generate the values files first
-  update_values_yaml_files
-  # The values files are used for generating the standalone yaml
-  generate_standalone_yaml
-  # Run black on python files that have changed
-  python_formatting
-  # Generate MCO evergreen tests
-  update_mco_tests
-
-  source scripts/evergreen/lint_code.sh
+function regenerate_public_rbac_multi_cluster() {
+    if echo "$git_last_changed" | grep -q 'public/tools/multicluster'; then
+      echo 'regenerating multicluster RBAC public example'
+      pushd public/tools/multicluster
+      EXPORT_RBAC_SAMPLES="true" go test -run TestPrintingOutRolesServiceAccountsAndRoleBindings
+      popd
+      git add public/samples/multi-cluster-cli-gitops
+    fi
+}
 
-  echo 'regenerating licenses.csv'
-  scripts/evergreen/update_licenses.sh
-  git add LICENSE-THIRD-PARTY
+function update_licenses() {
+    echo 'regenerating licenses'
+    time scripts/evergreen/update_licenses.sh 2>&1 | prepend "update_licenses"
+    git add LICENSE-THIRD-PARTY
+}
 
-  if echo "$git_last_changed" | grep -q 'public/tools/multicluster'; then
-    echo 'regenerating multicluster RBAC public example'
-    pushd public/tools/multicluster
-    EXPORT_RBAC_SAMPLES="true" go test -run TestPrintingOutRolesServiceAccountsAndRoleBindings
-    popd
-    git add public/samples/multi-cluster-cli-gitops
+function check_erroneous_kubebuilder_annotations() {
+  # Makes sure there are not erroneous kubebuilder annotations that can
+  # end up in CRDs as descriptions.
+  if grep "// kubebuilder" ./* -r --exclude-dir=vendor --include=\*.go; then
+    echo "Found an erroneous kubebuilder annotation"
+    exit 1
   fi
+}
 
+function check_incorrect_makefile_variable_brackets() {
   if find . -name "Makefile" | grep -v vendor | xargs grep "\${"; then
     echo 'ERROR: Makefiles should NEVER contain curly brackets variables'
     exit 1
   fi
+}
 
-  # Makes sure there are not erroneous kubebuilder annotations that can
-  # end up in CRDs as descriptions.
-  if grep "// kubebuilder" ./* -r --exclude-dir=vendor --include=\*.go; then
-    echo "Found an erroneous kubebuilder annotation"
-    exit 1
-  fi
+function pre_commit() {
+  # Update release.json first in case there is a newer version
+  (time update_release_json) 2>&1 | prepend "update_release_json"
+  # We need to generate the values files first
+  (time update_values_yaml_files) 2>&1 | prepend "update_values_yaml_files"
+  # The values files are used for generating the standalone yaml
+  (time generate_standalone_yaml) 2>&1 | prepend "generate_standalone_yaml"
+  # Run black on python files that have changed
+  (time python_formatting) 2>&1 | prepend "python_formatting"
 
-  start_shellcheck
+  (time regenerate_public_rbac_multi_cluster) 2>&1 | prepend "regenerate_public_rbac_multi_cluster"
+
+  (time start_shellcheck) 2>&1 | prepend "shellcheck"
+
+  (time check_erroneous_kubebuilder_annotations) 2>&1 | prepend "check_erroneous_kubebuilder_annotations"
+
+  (time scripts/evergreen/lint_code.sh) 2>&1 | prepend "lint_code.sh"
 
+  (time update_licenses) 2>&1 | prepend "update_licenses"
 }
 
 # Function to run shellcheck on a single file
 run_shellcheck() {
   local file="$1"
   echo "Running shellcheck on $file"
-  if ! shellcheck -x "$file" -e SC2154 -e SC1091 -e SC1090 -e SC2148 -o require-variable-braces -P "scripts"; then
+  if ! shellcheck --color=always -x "$file" -e SC2154 -e SC1091 -e SC1090 -e SC2148 -o require-variable-braces -P "scripts"; then
     echo "shellcheck failed on $file"
     exit 1
   fi

.github/dependabot.yml

@@ -5,14 +5,27 @@ updates:
     schedule:
       interval: weekly
       day: monday
+    groups:
+      go-deps:
+        applies-to: "version-updates"
+        patterns:
+          - "*"
     ignore:
       - dependency-name: k8s.io/api
       - dependency-name: k8s.io/apimachinery
       - dependency-name: k8s.io/client-go
       - dependency-name: k8s.io/code-generator
       - dependency-name: sigs.k8s.io/controller-runtime
+
   - package-ecosystem: pip
     directory: "/"
     schedule:
       interval: weekly
       day: monday
+    groups:
+      pip-deps:
+        applies-to: "version-updates"
+        patterns:
+          - "*"
+    ignore:
+       - dependency-name: kubernetes

LICENSE-THIRD-PARTY

@@ -50,7 +50,7 @@ github.com/prometheus/common,v0.62.0,https://github.com/prometheus/common/blob/v
 github.com/prometheus/procfs,v0.15.1,https://github.com/prometheus/procfs/blob/v0.15.1/LICENSE,Apache-2.0
 github.com/r3labs/diff/v3,v3.0.1,https://github.com/r3labs/diff/blob/v3.0.1/LICENSE,MPL-2.0
 github.com/ryanuber/go-glob,v1.0.0,https://github.com/ryanuber/go-glob/blob/v1.0.0/LICENSE,MIT
-github.com/spf13/cast,v1.7.1,https://github.com/spf13/cast/blob/v1.7.1/LICENSE,MIT
+github.com/spf13/cast,v1.8.0,https://github.com/spf13/cast/blob/v1.8.0/LICENSE,MIT
 github.com/spf13/pflag,v1.0.5,https://github.com/spf13/pflag/blob/v1.0.5/LICENSE,BSD-3-Clause
 github.com/stretchr/objx,v0.5.2,https://github.com/stretchr/objx/blob/v0.5.2/LICENSE,MIT
 github.com/stretchr/testify/assert,v1.10.0,https://github.com/stretchr/testify/blob/v1.10.0/LICENSE,MIT

api/v1/mdb/mongodb_validation.go

@@ -113,6 +113,7 @@ func oidcAuthValidators(db DbCommonSpec) []func(DbCommonSpec) v1.ValidationResul
 
 	authentication := db.Security.Authentication
 	validators = append(validators, oidcAuthModeValidator(authentication))
+	validators = append(validators, oidcAuthRequiresEnterprise)
 
 	providerConfigs := authentication.OIDCProviderConfigs
 	if len(providerConfigs) == 0 {
@@ -122,6 +123,7 @@ func oidcAuthValidators(db DbCommonSpec) []func(DbCommonSpec) v1.ValidationResul
 	validators = append(validators,
 		oidcProviderConfigsUniqueNameValidation(providerConfigs),
 		oidcProviderConfigsSingleWorkforceIdentityFederationValidation(providerConfigs),
+		oidcProviderConfigUniqueIssuerURIValidation(providerConfigs),
 	)
 
 	for _, config := range providerConfigs {
@@ -130,13 +132,58 @@ func oidcAuthValidators(db DbCommonSpec) []func(DbCommonSpec) v1.ValidationResul
 			oidcProviderConfigClientIdValidator(config),
 			oidcProviderConfigRequestedScopesValidator(config),
 			oidcProviderConfigAuthorizationTypeValidator(config),
-			oidcAuthRequiresEnterprise,
 		)
 	}
 
 	return validators
 }
 
+// oidcProviderConfigUniqueIssuerURIValidation is based on the documentation here:
+// https://www.mongodb.com/docs/manual/reference/parameters/#oidcidentityproviders-fields
+func oidcProviderConfigUniqueIssuerURIValidation(configs []OIDCProviderConfig) func(DbCommonSpec) v1.ValidationResult {
+	return func(d DbCommonSpec) v1.ValidationResult {
+		if len(configs) == 0 {
+			return v1.ValidationSuccess()
+		}
+
+		// Check if version supports duplicate issuers (7.0, 7.3, or 8.0+)
+		versionParts := strings.Split(strings.TrimSuffix(d.Version, "-ent"), ".")
+		supportsMultipleIssuers := false
+		if len(versionParts) >= 2 {
+			major := versionParts[0]
+			minor := versionParts[1]
+			if major == "8" || (major == "7" && (minor == "0" || minor == "3")) {
+				supportsMultipleIssuers = true
+			}
+		}
+
+		if supportsMultipleIssuers {
+			// Track issuer+audience combinations
+			issuerAudienceCombos := make(map[string]string)
+			for _, config := range configs {
+				comboKey := config.IssuerURI + ":" + config.Audience
+				if previousConfig, exists := issuerAudienceCombos[comboKey]; exists {
+					return v1.ValidationWarning("OIDC provider configs %q and %q have duplicate IssuerURI and Audience combination",
+						previousConfig, config.ConfigurationName)
+				}
+				issuerAudienceCombos[comboKey] = config.ConfigurationName
+			}
+		} else {
+			// For older versions, require unique issuers
+			uris := make(map[string]string)
+			for _, config := range configs {
+				if previousConfig, exists := uris[config.IssuerURI]; exists {
+					return v1.ValidationError("OIDC provider configs %q and %q have duplicate IssuerURI: %s",
+						previousConfig, config.ConfigurationName, config.IssuerURI)
+				}
+				uris[config.IssuerURI] = config.ConfigurationName
+			}
+		}
+
+		return v1.ValidationSuccess()
+	}
+}
+
 func oidcAuthModeValidator(authentication *Authentication) func(DbCommonSpec) v1.ValidationResult {
 	return func(spec DbCommonSpec) v1.ValidationResult {
 		// OIDC cannot be used for agent authentication so other auth mode has to enabled as well