diff --git a/.evergreen-tasks.yml b/.evergreen-tasks.yml index b88435d77..069a695e9 100644 --- a/.evergreen-tasks.yml +++ b/.evergreen-tasks.yml @@ -1266,6 +1266,16 @@ tasks: commands: - func: e2e_test + - name: e2e_multi_cluster_oidc_m2m_group + tags: [ "patch-run" ] + commands: + - func: e2e_test + + - name: e2e_multi_cluster_oidc_m2m_user + tags: [ "patch-run" ] + commands: + - func: e2e_test + - name: e2e_search_community_basic tags: ["patch-run"] commands: diff --git a/.evergreen.yml b/.evergreen.yml index 749dc39bd..03fc5be8f 100644 --- a/.evergreen.yml +++ b/.evergreen.yml @@ -911,6 +911,10 @@ task_groups: - e2e_tls_x509_configure_all_options_sc - e2e_tls_x509_sc - e2e_meko_mck_upgrade + - e2e_sharded_cluster_oidc_m2m_group + - e2e_sharded_cluster_oidc_m2m_user + - e2e_multi_cluster_oidc_m2m_group + - e2e_multi_cluster_oidc_m2m_user <<: *teardown_group diff --git a/docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_group.py b/docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_group.py index 01ea134b3..da03cfa85 100644 --- a/docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_group.py +++ b/docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_group.py @@ -4,10 +4,15 @@ from kubetester.automation_config_tester import AutomationConfigTester from kubetester.kubetester import KubernetesTester, ensure_ent_version from kubetester.kubetester import fixture as load_fixture +from kubetester.kubetester import is_multi_cluster, skip_if_multi_cluster from kubetester.mongodb import MongoDB from kubetester.mongotester import ShardedClusterTester from kubetester.phase import Phase from pytest import fixture +from tests.shardedcluster.conftest import ( + enable_multi_cluster_deployment, + get_mongos_service_names, +) MDB_RESOURCE = "oidc-sharded-cluster-replica-set" 
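Review bot: The two new task entries write their tags as `tags: [ "patch-run" ]` while the neighbouring `e2e_search_community_basic` entry in the same hunk uses `tags: ["patch-run"]`; the bracket spacing is semantically identical, so this is style only, but `tags: ["patch-run"]` keeps the file uniform. The same spacing is used in both added entries, so one fix covers both.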
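Review bot: `from kubetester.mongotester import ShardedClusterTester` is kept as context in this import hunk although the only visible use, `tester = ShardedClusterTester(MDB_RESOURCE, 2)` in `test_assert_connectivity`, is replaced by `tester = sharded_cluster.tester(service_names=service_names)` in the `@@ -33,10 +46,13 @@` hunk of the same file; unless the name is used elsewhere in the file, the import should be dropped. The same applies to sharded_cluster_oidc_m2m_user.py, whose `@@ -4,11 +4,16 @@` hunk keeps the import while its `@@ -44,13 +57,16 @@` hunk removes the use.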
@@ -26,6 +31,14 @@ def sharded_cluster(namespace: str, custom_mdb_version: str) -> MongoDB: resource.set_oidc_provider_configs(oidc_provider_configs) + if is_multi_cluster(): + enable_multi_cluster_deployment( + resource=resource, + shard_members_array=[1, 1, 1], + mongos_members_array=[1, 1, None], + configsrv_members_array=[1, 1, 1], + ) + return resource.update() @@ -33,10 +46,13 @@ def sharded_cluster(namespace: str, custom_mdb_version: str) -> MongoDB: class TestCreateOIDCShardedCluster(KubernetesTester): def test_create_sharded_cluster(self, sharded_cluster: MongoDB): - sharded_cluster.assert_reaches_phase(Phase.Running, timeout=600) + sharded_cluster.assert_reaches_phase(Phase.Running, timeout=800) def test_assert_connectivity(self, sharded_cluster: MongoDB): - tester = ShardedClusterTester(MDB_RESOURCE, 2) + service_names = None + if is_multi_cluster(): + service_names = get_mongos_service_names(sharded_cluster) + tester = sharded_cluster.tester(service_names=service_names) tester.assert_oidc_authentication() def test_ops_manager_state_updated_correctly(self, sharded_cluster: MongoDB): @@ -75,6 +91,8 @@ def test_ops_manager_state_updated_correctly(self, sharded_cluster: MongoDB): tester.assert_oidc_configuration(expected_oidc_configs) +# Skipping the test for multi-cluster setups as we want to focus on testing only connectivity for OIDC in multi-cluster setups. +@skip_if_multi_cluster() @pytest.mark.e2e_sharded_cluster_oidc_m2m_group class TestAddNewOIDCProviderAndRole(KubernetesTester): def test_add_oidc_provider_and_role(self, sharded_cluster: MongoDB): diff --git a/docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_user.py b/docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_user.py index c68c33220..98413ae1b 100644 --- a/docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_user.py +++ b/docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_user.py 
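Review bot: `mongos_members_array=[1, 1, None]` mixes an int count with `None` and nothing on the call site says what `None` means for the third member cluster, unlike the all-int `shard_members_array` and `configsrv_members_array` beside it; a comment such as `# None: presumably no mongos scheduled on the third member cluster — confirm against enable_multi_cluster_deployment` would save the reader a trip to tests/shardedcluster/conftest.py. The same call with the same three arrays appears in the `@@ -25,6 +30,14 @@` hunk of sharded_cluster_oidc_m2m_user.py. The enclosing `sharded_cluster` fixture starts before this hunk.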
@@ -4,11 +4,16 @@ from kubetester.automation_config_tester import AutomationConfigTester from kubetester.kubetester import KubernetesTester, ensure_ent_version from kubetester.kubetester import fixture as load_fixture +from kubetester.kubetester import is_multi_cluster from kubetester.mongodb import MongoDB from kubetester.mongodb_user import MongoDBUser from kubetester.mongotester import ShardedClusterTester from kubetester.phase import Phase from pytest import fixture +from tests.shardedcluster.conftest import ( + enable_multi_cluster_deployment, + get_mongos_service_names, +) MDB_RESOURCE = "oidc-sharded-cluster-replica-set" @@ -25,6 +30,14 @@ def sharded_cluster(namespace: str, custom_mdb_version: str) -> MongoDB: resource.set_oidc_provider_configs(oidc_provider_configs) + if is_multi_cluster(): + enable_multi_cluster_deployment( + resource=resource, + shard_members_array=[1, 1, 1], + mongos_members_array=[1, 1, None], + configsrv_members_array=[1, 1, 1], + ) + if try_load(resource): return resource @@ -44,13 +57,16 @@ def oidc_user(namespace) -> MongoDBUser: @pytest.mark.e2e_sharded_cluster_oidc_m2m_user class TestCreateOIDCShardedCluster(KubernetesTester): def test_create_sharded_cluster(self, sharded_cluster: MongoDB): - sharded_cluster.assert_reaches_phase(Phase.Running, timeout=600) + sharded_cluster.assert_reaches_phase(Phase.Running, timeout=800) def test_create_user(self, oidc_user: MongoDBUser): oidc_user.assert_reaches_phase(Phase.Updated, timeout=400) def test_assert_connectivity(self, sharded_cluster: MongoDB): - tester = ShardedClusterTester(MDB_RESOURCE, 2) + service_names = None + if is_multi_cluster(): + service_names = get_mongos_service_names(sharded_cluster) + tester = sharded_cluster.tester(service_names=service_names) tester.assert_oidc_authentication() def test_ops_manager_state_updated_correctly(self, sharded_cluster: MongoDB): 
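Review bot: `assert_reaches_phase(Phase.Running, timeout=600)` becomes `timeout=800` for single- and multi-cluster runs alike with no comment on why the wait grew; if the longer wait is only needed for the multi-cluster topology, a comment on that line, `# 800: multi-cluster sharded deployments take longer to reach Running`, or a conditional timeout would document the intent. In `test_assert_connectivity` the three-line `service_names = None` / `if is_multi_cluster():` block reads more directly as a single conditional expression, `service_names = get_mongos_service_names(sharded_cluster) if is_multi_cluster() else None`. Both points apply equally to the `@@ -33,10 +46,13 @@` hunk of sharded_cluster_oidc_m2m_group.py.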
diff --git a/docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/mongodb-multi-m2m-group.yaml b/docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/mongodb-multi-m2m-group.yaml new file mode 100644 index 000000000..1d5284b3f --- /dev/null +++ b/docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/mongodb-multi-m2m-group.yaml @@ -0,0 +1,44 @@ +--- +apiVersion: mongodb.com/v1 +kind: MongoDBMultiCluster +metadata: + name: oidc-multi-replica-set +spec: + version: 7.0.5-ent + type: ReplicaSet + duplicateServiceObjects: false + credentials: my-credentials + opsManager: + configMapRef: + name: my-project + clusterSpecList: + - clusterName: kind-e2e-cluster-1 + members: 1 + - clusterName: kind-e2e-cluster-2 + members: 1 + - clusterName: kind-e2e-cluster-3 + members: 2 + security: + authentication: + agents: + mode: SCRAM + enabled: true + modes: + - SCRAM + - OIDC + oidcProviderConfigs: + - audience: "" + clientId: "" + issuerURI: "" + requestedScopes: [ ] + userClaim: "sub" + groupsClaim: "cognito:groups" + authorizationMethod: "WorkloadIdentityFederation" + authorizationType: "GroupMembership" + configurationName: "OIDC-test" + roles: + - role: "OIDC-test/test" + db: "admin" + roles: + - role: "readWriteAnyDatabase" + db: "admin" diff --git a/docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/mongodb-multi-m2m-user.yaml b/docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/mongodb-multi-m2m-user.yaml new file mode 100644 index 000000000..99b34011a --- /dev/null +++ b/docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/mongodb-multi-m2m-user.yaml 
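Review bot: `audience: ""`, `clientId: ""` and `issuerURI: ""` under `oidcProviderConfigs` are placeholders that the `mongodb_multi` fixture in multi_cluster_oidc_m2m_group.py fills at runtime from `oidc.get_cognito_workload_client_id()` and `oidc.get_cognito_workload_url()`, but nothing in the YAML says so, and a reader can take the file for a deployable manifest with an unset issuer. A comment above the list, `# audience/clientId/issuerURI are populated by the test fixture from the Cognito environment; not valid as-is`, makes the contract explicit. The same applies to mongodb-multi-m2m-user.yaml and to `username: ""` in oidc-user-multi.yaml, which multi_cluster_oidc_m2m_user.py overwrites with `OIDC-test-user/<workload user id>`.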
@@ -0,0 +1,37 @@ +--- +apiVersion: mongodb.com/v1 +kind: MongoDBMultiCluster +metadata: + name: oidc-multi-replica-set +spec: + version: 7.0.5-ent + type: ReplicaSet + duplicateServiceObjects: false + credentials: my-credentials + opsManager: + configMapRef: + name: my-project + clusterSpecList: + - clusterName: kind-e2e-cluster-1 + members: 1 + - clusterName: kind-e2e-cluster-2 + members: 1 + - clusterName: kind-e2e-cluster-3 + members: 2 + security: + authentication: + agents: + mode: SCRAM + enabled: true + modes: + - SCRAM + - OIDC + oidcProviderConfigs: + - audience: "" + clientId: "" + issuerURI: "" + requestedScopes: [ ] + userClaim: "sub" + authorizationMethod: "WorkloadIdentityFederation" + authorizationType: "UserID" + configurationName: "OIDC-test-user" diff --git a/docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/oidc-user-multi.yaml b/docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/oidc-user-multi.yaml new file mode 100644 index 000000000..ebaedbc7f --- /dev/null +++ b/docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/oidc-user-multi.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: mongodb.com/v1 +kind: MongoDBUser +metadata: + name: oidc-user-1 +spec: + username: "" + db: "$external" + mongodbResourceRef: + name: oidc-multi-replica-set + roles: + - db: "admin" + name: "readWriteAnyDatabase" diff --git a/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_oidc_m2m_group.py b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_oidc_m2m_group.py new file mode 100644 index 000000000..ef8a2c582 --- /dev/null +++ b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_oidc_m2m_group.py 
@@ -0,0 +1,58 @@ +import kubernetes +import kubetester.oidc as oidc +import pytest +from kubetester import try_load +from kubetester.automation_config_tester import AutomationConfigTester +from kubetester.kubetester import KubernetesTester, ensure_ent_version +from kubetester.kubetester import fixture as yaml_fixture +from kubetester.mongodb import MongoDB, Phase +from kubetester.mongodb_multi import MongoDBMulti, MultiClusterClient +from kubetester.mongotester import ReplicaSetTester +from kubetester.operator import Operator +from pytest import fixture + +MDB_RESOURCE = "oidc-multi-replica-set" + + +@fixture(scope="module") +def mongodb_multi( + central_cluster_client: kubernetes.client.ApiClient, + namespace: str, + member_cluster_names, + custom_mdb_version: str, +) -> MongoDBMulti: + resource = MongoDBMulti.from_yaml(yaml_fixture("oidc/mongodb-multi-m2m-group.yaml"), MDB_RESOURCE, namespace) + if try_load(resource): + return resource + + oidc_provider_configs = resource.get_oidc_provider_configs() + + oidc_provider_configs[0]["clientId"] = oidc.get_cognito_workload_client_id() + oidc_provider_configs[0]["audience"] = oidc.get_cognito_workload_client_id() + oidc_provider_configs[0]["issuerURI"] = oidc.get_cognito_workload_url() + + resource.set_oidc_provider_configs(oidc_provider_configs) + + resource.api = kubernetes.client.CustomObjectsApi(central_cluster_client) + + return resource.update() + + +@pytest.mark.e2e_multi_cluster_oidc_m2m_group +class TestOIDCMultiCluster(KubernetesTester): + def test_deploy_operator(self, multi_cluster_operator: Operator): + multi_cluster_operator.assert_is_running() + + def test_create_oidc_replica_set(self, mongodb_multi: MongoDBMulti): + mongodb_multi.assert_reaches_phase(Phase.Running, timeout=800) + + def test_assert_connectivity(self, mongodb_multi: MongoDBMulti): + tester = mongodb_multi.tester() + tester.assert_oidc_authentication() + + def test_ops_manager_state_updated_correctly(self, mongodb_multi: MongoDBMulti): + 
tester = mongodb_multi.get_automation_config_tester() + tester.assert_authentication_mechanism_enabled("MONGODB-OIDC", active_auth_mechanism=False) + tester.assert_authentication_enabled(2) + tester.assert_expected_users(0) + tester.assert_authoritative_set(True) diff --git a/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_oidc_m2m_user.py b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_oidc_m2m_user.py new file mode 100644 index 000000000..3faa266f4 --- /dev/null +++ b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_oidc_m2m_user.py 
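Review bot: The `mongodb_multi` fixture requests `custom_mdb_version` but never applies it to the resource, so the deployment always runs the `7.0.5-ent` pinned in mongodb-multi-m2m-group.yaml; if that pin is deliberate, drop the parameter, otherwise set the version on the resource before `return resource.update()` (the sharded variants import `ensure_ent_version`, presumably for exactly this). `ensure_ent_version`, `AutomationConfigTester`, `MongoDB`, `MultiClusterClient` and `ReplicaSetTester` are imported but not used anywhere in this new file, and `member_cluster_names` is an unused fixture argument — acceptable if it is there to force fixture ordering, but a short comment should say so. Except for `MultiClusterClient`, the same unused imports and the same unapplied `custom_mdb_version` appear in multi_cluster_oidc_m2m_user.py.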
@@ -0,0 +1,72 @@ +import kubernetes +import kubetester.oidc as oidc +import pytest +from kubetester import try_load +from kubetester.automation_config_tester import AutomationConfigTester +from kubetester.kubetester import KubernetesTester, ensure_ent_version +from kubetester.kubetester import fixture as yaml_fixture +from kubetester.mongodb import MongoDB, Phase +from kubetester.mongodb_multi import MongoDBMulti +from kubetester.mongodb_user import MongoDBUser +from kubetester.mongotester import ReplicaSetTester +from kubetester.operator import Operator +from pytest import fixture + +MDB_RESOURCE = "oidc-multi-replica-set" + + +@fixture(scope="module") +def mongodb_multi( + central_cluster_client: kubernetes.client.ApiClient, + namespace: str, + member_cluster_names, + custom_mdb_version: str, +) -> MongoDBMulti: + resource = MongoDBMulti.from_yaml(yaml_fixture("oidc/mongodb-multi-m2m-user.yaml"), MDB_RESOURCE, namespace) + if try_load(resource): + return resource + + oidc_provider_configs = resource.get_oidc_provider_configs() + + oidc_provider_configs[0]["clientId"] = oidc.get_cognito_workload_client_id() + oidc_provider_configs[0]["audience"] = oidc.get_cognito_workload_client_id() + oidc_provider_configs[0]["issuerURI"] = oidc.get_cognito_workload_url() + + resource.set_oidc_provider_configs(oidc_provider_configs) + + resource.api = kubernetes.client.CustomObjectsApi(central_cluster_client) + + return resource.update() + + +@fixture(scope="module") +def oidc_user(namespace) -> MongoDBUser: + resource = MongoDBUser.from_yaml(yaml_fixture("oidc/oidc-user-multi.yaml"), namespace=namespace) + + resource["spec"]["username"] = f"OIDC-test-user/{oidc.get_cognito_workload_user_id()}" + resource["spec"]["mongodbResourceRef"]["name"] = MDB_RESOURCE + + return resource.update() + + +@pytest.mark.e2e_multi_cluster_oidc_m2m_user +class TestOIDCMultiCluster(KubernetesTester): + def test_deploy_operator(self, multi_cluster_operator: Operator): + 
multi_cluster_operator.assert_is_running() + + def test_create_oidc_replica_set(self, mongodb_multi: MongoDBMulti): + mongodb_multi.assert_reaches_phase(Phase.Running, timeout=800) + + def test_create_user(self, oidc_user: MongoDBUser): + oidc_user.assert_reaches_phase(Phase.Updated, timeout=800) + + def test_assert_connectivity(self, mongodb_multi: MongoDBMulti): + tester = mongodb_multi.tester() + tester.assert_oidc_authentication() + + def test_ops_manager_state_updated_correctly(self, mongodb_multi: MongoDBMulti): + tester = mongodb_multi.get_automation_config_tester() + tester.assert_authentication_mechanism_enabled("MONGODB-OIDC", active_auth_mechanism=False) + tester.assert_authentication_enabled(2) + tester.assert_expected_users(1) + tester.assert_authoritative_set(True) diff --git a/docs/mongodbcommunity/users.md b/docs/mongodbcommunity/users.md index 8dca7569b..47d9fe75e 100644 --- a/docs/mongodbcommunity/users.md +++ b/docs/mongodbcommunity/users.md @@ -44,7 +44,6 @@ You cannot disable SCRAM authentication. | `spec.users.roles.role.db` | string | Database that the role applies to. | Yes | | `spec.users.connectionStringSecretAnnotations` | object | Annotations of the secret object created by the operator which exposes the connection strings for the user. | No | - ```yaml --- apiVersion: mongodbcommunity.mongodb.com/v1
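Review bot: The `oidc_user` fixture creates the MongoDBUser with whatever API client `MongoDBUser.from_yaml` defaults to, whereas `mongodb_multi` in the same file explicitly sets `resource.api = kubernetes.client.CustomObjectsApi(central_cluster_client)` before `update()`; if the default client is not the central cluster, the user object lands in the wrong cluster and `test_create_user` would time out at 800s rather than fail clearly. Giving `oidc_user` the `central_cluster_client` fixture argument and the same `resource.api` assignment would make the two fixtures consistent — confirm against how other multi-cluster user tests do it. `resource["spec"]["mongodbResourceRef"]["name"] = MDB_RESOURCE` repeats the value already in oidc-user-multi.yaml; harmless, but worth a one-line comment if it is meant to keep the two in sync.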