CLOUDP-314916: OIDC e2e test single cluster #55
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anandsyncs
changed the base branch from
master
to
feature/mk-oidc-crd-validations
anandsyncs
changed the base branch from
feature/mk-oidc-crd-validations
to
feature/mk-oidc-crd-propagation
…-crd-propagation # Conflicts: # controllers/operator/authentication/authentication_mechanism.go
…anandsingh/oidc-e2e-tests
anandsyncs
changed the base branch from
master
to
feature/mk-oidc-crd-propagation
MaciejKaras
reviewed
May 27, 2025
|
evergreen patch |
1 similar comment
|
evergreen patch |
MaciejKaras
approved these changes
May 28, 2025
anandsyncs
changed the base branch from
feature/mk-oidc-crd-propagation
to
master
anandsyncs
changed the base branch from
master
to
feature/mk-oidc-crd-propagation
|
evergreen patch |
# Conflicts: # api/v1/mdb/mongodb_types.go # docker/mongodb-kubernetes-tests/tests/webhooks/e2e_mongodb_validation_webhook.py
There was a problem hiding this comment.
Pull Request Overview
This PR adds comprehensive end-to-end tests and supporting code to validate OIDC authentication flows (M2M user, group, and workforce) against single-cluster MongoDB deployments (replica sets and sharded clusters).
- Introduces new Python E2E test scripts for OIDC M2M user, M2M group, and workforce identity scenarios.
- Implements a custom OIDC callback handler and extends
kubetesterhelpers to assert OIDC state in the automation config. - Adds YAML fixtures for OIDC-enabled clusters and updates CI (Evergreen) tasks and environment variable expansions.
Reviewed Changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_user.py | E2E tests for M2M user OIDC on a sharded cluster |
| docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_group.py | E2E tests for M2M group OIDC on a sharded cluster |
| docker/mongodb-kubernetes-tests/tests/authentication/replica_set_oidc_workforce.py | E2E tests for workforce (human) OIDC on a replica set |
| docker/mongodb-kubernetes-tests/tests/authentication/replica_set_oidc_m2m_user.py | E2E tests for M2M user OIDC on a replica set |
| docker/mongodb-kubernetes-tests/tests/authentication/replica_set_oidc_m2m_group.py | E2E tests for M2M group OIDC on a replica set |
| docker/mongodb-kubernetes-tests/tests/authentication/fixtures/oidc/sharded-cluster-replica-set.yaml | Fixture for sharded-cluster with OIDC M2M user & group |
| docker/mongodb-kubernetes-tests/tests/authentication/fixtures/oidc/sharded-cluster-m2m-user.yaml | Fixture for sharded-cluster OIDC M2M user |
| docker/mongodb-kubernetes-tests/tests/authentication/fixtures/oidc/replica-set.yaml | Fixture for replica set with OIDC group-based M2M |
| docker/mongodb-kubernetes-tests/tests/authentication/fixtures/oidc/replica-set-workforce.yaml | Fixture for replica set with workforce OIDC |
| docker/mongodb-kubernetes-tests/tests/authentication/fixtures/oidc/replica-set-m2m-user.yaml | Fixture for replica set OIDC M2M user |
| docker/mongodb-kubernetes-tests/tests/authentication/fixtures/oidc/oidc-user.yaml | Fixture for MongoDBUser resource used in OIDC tests |
| docker/mongodb-kubernetes-tests/kubetester/oidc.py | Helper functions to fetch AWS Cognito environment variables |
| docker/mongodb-kubernetes-tests/kubetester/mongotester.py | Adds MyOIDCCallback and assert_oidc_authentication(_fails) |
| docker/mongodb-kubernetes-tests/kubetester/mongodb.py | Adds CRUD helpers: get/set/append OIDC configs and roles |
| docker/mongodb-kubernetes-tests/kubetester/automation_config_tester.py | Adds assertions for OIDC provider count and configuration |
| controllers/operator/authentication/authentication.go | Minor formatting adjustment around agent authentication logic |
| controllers/om/deployment.go | Enhances GetRoles to handle dynamic JSON unmarshalling |
| .evergreen.yml | Registers new OIDC e2e test task groups |
| .evergreen-tasks.yml | Defines individual CI tasks for each OIDC e2e scenario |
| .evergreen-functions.yml | Exposes Cognito-related environment variables to Evergreen tasks |
Comments suppressed due to low confidence (3)
docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_oidc_m2m_group.py:32
- [nitpick] This class name duplicates
TestCreateOIDCShardedClusterinsharded_cluster_oidc_m2m_user.py. Rename it (e.g.,TestCreateOIDCShardedClusterGroup) to avoid test name collisions.
class TestCreateOIDCShardedCluster(KubernetesTester):
docker/mongodb-kubernetes-tests/tests/authentication/replica_set_oidc_workforce.py:44
- [nitpick] The class name is generic and matches other replica set tests. Consider renaming to
TestCreateOIDCReplicaSetWorkforceto clearly reflect the workforce flow.
class TestCreateOIDCReplicaset(KubernetesTester):
docker/mongodb-kubernetes-tests/kubetester/mongotester.py:320
- The module uses
time.sleep(5)but does not import thetimemodule, leading to aNameError. Addimport timeat the top of the file.
time.sleep(5)
3 tasks
anandsyncs
added a commit
that referenced
this pull request
Jun 8, 2025
# Summary Related to this comment on the OIDC test PR. #55 (comment)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Test File Summary
replica_set_oidc_m2m_user.py
replica_set_oidc_m2m_group.py
replica_set_oidc_workforce.py
sharded_cluster_oidc_m2m_group.py
sharded_cluster_oidc_m2m_user.py
access restrictions.
Additional PR Changes
OIDC Callback Integration:
Introduced a custom OIDC callback handler utilizing AWS Cognito for token acquisition, allowing automated OIDC authentication in E2E tests.
Automation Config Tester Improvements:
Enhanced assertion helpers to validate OIDC-specific state in the Ops Manager automation config, including provider counts, configuration details, and user propagation.
New OIDC Fixture Files:
Added YAML resource definitions for OIDC-enabled replica sets, sharded clusters, and MongoDB users, supporting a wide range of authentication and authorization test cases.
Core Controller and Logic Adjustments:
Minor changes in Go controller code to ensure robust handling of OIDC provider configs and roles, and to support expanded test coverage.
AWS Setup:
The project uses AWS Cognito in the mongodb-mms-testing AWS account to facilitate OIDC authentication testing. This setup includes:
Environment variables and secrets required for these tests (like client IDs, URLs, and user IDs, as seen in the Python code) are stored in Evergreen and fetched from there during test execution.
Link to the session where I explained the AWS setup for OIDC
Proof of Work
Added tests are passing.
Checklist
Reminder (Please remove this when merging)