CLOUDP-314916: OIDC e2e test single cluster

.evergreen-functions.yml

@@ -1,6 +1,13 @@
 variables:
   - &e2e_include_expansions_in_env
     include_expansions_in_env:
+      - cognito_user_pool_id
+      - cognito_workload_federation_client_id
+      - cognito_user_name
+      - cognito_workload_federation_client_secret
+      - cognito_user_password
+      - cognito_workload_url
+      - cognito_workload_user_id
       - ARTIFACTORY_PASSWORD
       - ARTIFACTORY_USERNAME
       - GRS_PASSWORD

.evergreen-tasks.yml

@@ -1240,6 +1240,32 @@ tasks:
     commands:
       - func: e2e_test
 
+  # OIDC tests
+  - name: e2e_replica_set_oidc_m2m_group
+    tags: [ "patch-run" ]
+    commands:
+      - func: e2e_test
+
+  - name: e2e_replica_set_oidc_m2m_user
+    tags: [ "patch-run" ]
+    commands:
+      - func: e2e_test
+
+  - name: e2e_replica_set_oidc_workforce
+    tags: [ "patch-run" ]
+    commands:
+      - func: e2e_test
+
+  - name: e2e_sharded_cluster_oidc_m2m_group
+    tags: [ "patch-run" ]
+    commands:
+      - func: e2e_test
+
+  - name: e2e_sharded_cluster_oidc_m2m_user
+    tags: [ "patch-run" ]
+    commands:
+      - func: e2e_test
+
   - name: e2e_search_community_basic
     tags: ["patch-run"]
     commands:

.evergreen.yml

@@ -759,6 +759,12 @@ task_groups:
       - e2e_replica_set_pv_resize
       - e2e_sharded_cluster_pv_resize
       - e2e_community_and_meko_replicaset_scale
+      # OIDC test group
+      - e2e_replica_set_oidc_m2m_group
+      - e2e_replica_set_oidc_m2m_user
+      - e2e_replica_set_oidc_workforce
+      - e2e_sharded_cluster_oidc_m2m_group
+      - e2e_sharded_cluster_oidc_m2m_user
     <<: *teardown_group
 
   # this task group contains just a one task, which is smoke testing whether the operator

api/v1/mdb/mongodb_types.go

@@ -811,6 +811,7 @@ func (s *Security) IsOIDCEnabled() bool {
 	if s == nil || s.Authentication == nil || !s.Authentication.Enabled {
 		return false
 	}
+
 	return s.Authentication.IsOIDCEnabled()
 }
 
@@ -1092,9 +1093,8 @@ type OIDCProviderConfig struct {
 	// The identifier of the claim that includes the principal's IdP user group membership information.
 	// Accept the default value unless your IdP uses a different claim, or you need a custom claim.
 	// Required when selected GroupMembership as the authorization type, ignored otherwise
-	// +kubebuilder:default=groups
 	// +kubebuilder:validation:Optional
-	GroupsClaim string `json:"groupsClaim,omitempty"`
+	GroupsClaim *string `json:"groupsClaim"`
 
 	// Configure single-sign-on for human user access to Ops Manager deployments with Workforce Identity Federation.
 	// For programmatic, application access to Ops Manager deployments use Workload Identity Federation.
@@ -1106,7 +1106,7 @@ type OIDCProviderConfig struct {
 	// registered with an external Identity Provider.
 	// Required when selected Workforce Identity Federation authorization method
 	// +kubebuilder:validation:Optional
-	ClientId string `json:"clientId,omitempty"`
+	ClientId *string `json:"clientId"`
 
 	// Tokens that give users permission to request data from the authorization endpoint.
 	// Only used for Workforce Identity Federation authorization method

api/v1/mdb/mongodb_validation.go

@@ -252,11 +252,11 @@ func oidcProviderConfigIssuerURIValidator(config OIDCProviderConfig) func(DbComm
 func oidcProviderConfigClientIdValidator(config OIDCProviderConfig) func(DbCommonSpec) v1.ValidationResult {
 	return func(_ DbCommonSpec) v1.ValidationResult {
 		if config.AuthorizationMethod == OIDCAuthorizationMethodWorkforceIdentityFederation {
-			if config.ClientId == "" {
+			if config.ClientId == nil || *config.ClientId == "" {
 				return v1.ValidationError("ClientId has to be specified in OIDC provider config %q with Workforce Identity Federation", config.ConfigurationName)
 			}
 		} else if config.AuthorizationMethod == OIDCAuthorizationMethodWorkloadIdentityFederation {
-			if config.ClientId != "" {
+			if config.ClientId != nil {
 				return v1.ValidationWarning("ClientId will be ignored in OIDC provider config %q with Workload Identity Federation", config.ConfigurationName)
 			}
 		}
@@ -280,11 +280,11 @@ func oidcProviderConfigRequestedScopesValidator(config OIDCProviderConfig) func(
 func oidcProviderConfigAuthorizationTypeValidator(config OIDCProviderConfig) func(DbCommonSpec) v1.ValidationResult {
 	return func(_ DbCommonSpec) v1.ValidationResult {
 		if config.AuthorizationType == OIDCAuthorizationTypeGroupMembership {
-			if config.GroupsClaim == "" {
+			if config.GroupsClaim == nil || *config.GroupsClaim == "" {
 				return v1.ValidationError("GroupsClaim has to be specified in OIDC provider config %q when using Group Membership authorization", config.ConfigurationName)
 			}
 		} else if config.AuthorizationType == OIDCAuthorizationTypeUserID {
-			if config.GroupsClaim != "" {
+			if config.GroupsClaim != nil {
 				return v1.ValidationWarning("GroupsClaim will be ignored in OIDC provider config %q when using User ID authorization", config.ConfigurationName)
 			}
 		}

api/v1/mdb/mongodb_validation_test.go

@@ -258,13 +258,13 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName:   "provider",
 						IssuerURI:           "https://example1.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkforceIdentityFederation,
-						ClientId:            "clientId1",
+						ClientId:            ptr.To("clientId1"),
 					},
 					{
 						ConfigurationName:   "provider",
 						IssuerURI:           "https://example2.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkforceIdentityFederation,
-						ClientId:            "clientId2",
+						ClientId:            ptr.To("clientId2"),
 					},
 				},
 			},
@@ -281,13 +281,13 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName:   "test-provider1",
 						IssuerURI:           "https://example1.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkforceIdentityFederation,
-						ClientId:            "clientId1",
+						ClientId:            ptr.To("clientId1"),
 					},
 					{
 						ConfigurationName:   "test-provider2",
 						IssuerURI:           "https://example2.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkforceIdentityFederation,
-						ClientId:            "clientId2",
+						ClientId:            ptr.To("clientId2"),
 					},
 				},
 			},
@@ -304,7 +304,7 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName:   "test-provider-workforce1",
 						IssuerURI:           "https://example1.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkforceIdentityFederation,
-						ClientId:            "clientId1",
+						ClientId:            ptr.To("clientId1"),
 					},
 					{
 						ConfigurationName:   "test-provider-workload2",
@@ -376,7 +376,7 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName:   "test-provider",
 						IssuerURI:           "https://example.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkloadIdentityFederation,
-						ClientId:            "clientId",
+						ClientId:            ptr.To("clientId"),
 					},
 				},
 			},
@@ -410,7 +410,7 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName: "test-provider1",
 						IssuerURI:         "https://example.com",
 						AuthorizationType: OIDCAuthorizationTypeGroupMembership,
-						GroupsClaim:       "groups",
+						GroupsClaim:       ptr.To("groups"),
 					},
 					{
 						ConfigurationName: "test-provider2",
@@ -432,7 +432,7 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName: "test-provider1",
 						IssuerURI:         "https://example.com",
 						AuthorizationType: OIDCAuthorizationTypeUserID,
-						GroupsClaim:       "groups",
+						GroupsClaim:       ptr.To("groups"),
 						UserClaim:         "sub",
 					},
 					{
@@ -456,13 +456,13 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName: "test-provider1",
 						IssuerURI:         "https://example.com",
 						AuthorizationType: OIDCAuthorizationTypeGroupMembership,
-						GroupsClaim:       "groups",
+						GroupsClaim:       ptr.To("groups"),
 					},
 					{
 						ConfigurationName: "test-provider2",
 						IssuerURI:         "https://example.com",
 						AuthorizationType: OIDCAuthorizationTypeGroupMembership,
-						GroupsClaim:       "groups",
+						GroupsClaim:       ptr.To("groups"),
 					},
 				},
 			},

config/crd/bases/mongodb.com_mongodb.yaml

@@ -1566,7 +1566,6 @@ spec:
                               pattern: ^[a-zA-Z0-9-_]+$
                               type: string
                             groupsClaim:
-                              default: groups
                               description: |-
                                 The identifier of the claim that includes the principal's IdP user group membership information.
                                 Accept the default value unless your IdP uses a different claim, or you need a custom claim.

config/crd/bases/mongodb.com_mongodbmulticluster.yaml

@@ -826,7 +826,6 @@ spec:
                               pattern: ^[a-zA-Z0-9-_]+$
                               type: string
                             groupsClaim:
-                              default: groups
                               description: |-
                                 The identifier of the claim that includes the principal's IdP user group membership information.
                                 Accept the default value unless your IdP uses a different claim, or you need a custom claim.

config/crd/bases/mongodb.com_opsmanagers.yaml

@@ -888,7 +888,6 @@ spec:
                                   pattern: ^[a-zA-Z0-9-_]+$
                                   type: string
                                 groupsClaim:
-                                  default: groups
                                   description: |-
                                     The identifier of the claim that includes the principal's IdP user group membership information.
                                     Accept the default value unless your IdP uses a different claim, or you need a custom claim.

controllers/om/automation_config.go

@@ -8,6 +8,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/equality"
 
 	"github.com/mongodb/mongodb-kubernetes/controllers/operator/ldap"
+	"github.com/mongodb/mongodb-kubernetes/controllers/operator/oidc"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util/generate"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util/maputil"
@@ -20,10 +21,11 @@ import (
 // configuration which are merged into the `Deployment` object before sending it back to Ops Manager.
 // As of right now only support configuring LogRotate for monitoring and backup via dedicated endpoints.
 type AutomationConfig struct {
-	Auth       *Auth
-	AgentSSL   *AgentSSL
-	Deployment Deployment
-	Ldap       *ldap.Ldap
+	Auth                *Auth
+	AgentSSL            *AgentSSL
+	Deployment          Deployment
+	Ldap                *ldap.Ldap
+	OIDCProviderConfigs []oidc.ProviderConfig
 }
 
 // Apply merges the state of all concrete structs into the Deployment (map[string]interface{})
@@ -58,9 +60,66 @@ func applyInto(a AutomationConfig, into *Deployment) error {
 		}
 		(*into)["ldap"] = mergedLdap
 	}
+
+	if len(a.OIDCProviderConfigs) > 0 {
+		updateOIDCProviderConfigs(a, into)
+	} else {
+		// Clear oidcProviderConfigs if no configs are provided
+		delete(*into, "oidcProviderConfigs")
+	}
+
 	return nil
 }
 
+func updateOIDCProviderConfigs(a AutomationConfig, into *Deployment) {
+	deploymentConfigs := make(map[string]map[string]any)
+	if configs, ok := a.Deployment["oidcProviderConfigs"]; ok {
+		configsSliceAny := cast.ToSlice(configs)
+		for _, configAny := range configsSliceAny {
+			config := configAny.(map[string]any)
+			configName := config["authNamePrefix"].(string)
+			deploymentConfigs[configName] = config
+		}
+	}
+
+	result := make([]map[string]any, 0)
+	for _, config := range a.OIDCProviderConfigs {
+		deploymentConfig, ok := deploymentConfigs[config.AuthNamePrefix]
+		if !ok {
+			deploymentConfig = make(map[string]any)
+		}
+
+		deploymentConfig["authNamePrefix"] = config.AuthNamePrefix
+		deploymentConfig["audience"] = config.Audience
+		deploymentConfig["issuerUri"] = config.IssuerUri
+		deploymentConfig["userClaim"] = config.UserClaim
+		deploymentConfig["supportsHumanFlows"] = config.SupportsHumanFlows
+		deploymentConfig["useAuthorizationClaim"] = config.UseAuthorizationClaim
+
+		if config.ClientId == nil {
+			delete(deploymentConfig, "clientId")
+		} else {
+			deploymentConfig["clientId"] = config.ClientId
+		}
+
+		if len(config.RequestedScopes) == 0 {
+			delete(deploymentConfig, "requestedScopes")
+		} else {
+			deploymentConfig["requestedScopes"] = config.RequestedScopes
+		}
+
+		if config.GroupsClaim == nil {
+			delete(deploymentConfig, "groupsClaim")
+		} else {
+			deploymentConfig["groupsClaim"] = config.GroupsClaim
+		}
+
+		result = append(result, deploymentConfig)
+	}
+
+	(*into)["oidcProviderConfigs"] = result
+}
+
 // EqualsWithoutDeployment returns true if two AutomationConfig objects are meaningful equal by following the following conditions:
 // - Not taking AutomationConfig.Deployment into consideration.
 // - Serializing ac A and ac B to ensure that we remove util.MergoDelete before comparing those two.
@@ -432,6 +491,19 @@ func BuildAutomationConfigFromDeployment(deployment Deployment) (*AutomationConf
 		finalAutomationConfig.Ldap = acLdap
 	}
 
+	oidcConfigsArray, ok := deployment["oidcProviderConfigs"]
+	if ok {
+		oidcMarshalled, err := json.Marshal(oidcConfigsArray)
+		if err != nil {
+			return nil, err
+		}
+		providerConfigs := make([]oidc.ProviderConfig, 0)
+		if err := json.Unmarshal(oidcMarshalled, &providerConfigs); err != nil {
+			return nil, err
+		}
+		finalAutomationConfig.OIDCProviderConfigs = providerConfigs
+	}
+
 	return finalAutomationConfig, nil
 }