fix tls tests

Author: filipcirtog

.evergreen-tasks.yml

@@ -759,7 +759,7 @@ tasks:
     commands:
       - func: "e2e_test"
 
-  - name: e2e_configure_tls_and_x509_simultaneously_st
+  - name: e2e_enable_standalone_tls
     tags: [ "patch-run" ]
     commands:
       - func: "e2e_test"

.evergreen.yml

@@ -744,7 +744,7 @@ task_groups:
       - e2e_disable_tls_and_scale
       - e2e_replica_set_tls_require_and_disable
       # e2e_x509_task_group
-      - e2e_configure_tls_and_x509_simultaneously_st
+      - e2e_enable_standalone_tls
       - e2e_configure_tls_and_x509_simultaneously_rs
       - e2e_configure_tls_and_x509_simultaneously_sc
       - e2e_tls_x509_rs

docker/mongodb-kubernetes-tests/tests/multicluster/multi_2_cluster_clusterwide_replicaset.py

@@ -2,7 +2,7 @@
 
 import kubernetes
 import pytest
-from kubetester import create_or_update_configmap, create_or_update_secret, read_configmap, read_secret
+from kubetester import create_or_update_configmap, create_or_update_secret, read_configmap, read_secret, try_load
 from kubetester.certs_mongodb_multi import create_multi_cluster_mongodb_tls_certs
 from kubetester.kubetester import ensure_ent_version
 from kubetester.kubetester import fixture as yaml_fixture
@@ -31,34 +31,25 @@ def mdbb_ns(namespace: str):
 
 @pytest.fixture(scope="module")
 def mongodb_multi_a_unmarshalled(
-    central_cluster_client: kubernetes.client.ApiClient,
     mdba_ns: str,
     member_cluster_names: List[str],
     custom_mdb_version: str,
 ) -> MongoDBMulti:
     resource = MongoDBMulti.from_yaml(yaml_fixture("mongodb-multi.yaml"), "multi-replica-set", mdba_ns)
-
     resource["spec"]["clusterSpecList"] = cluster_spec_list(member_cluster_names, [2, 1])
     resource.set_version(ensure_ent_version(custom_mdb_version))
-
-    resource.api = kubernetes.client.CustomObjectsApi(central_cluster_client)
-    resource.update()
     return resource
 
 
 @pytest.fixture(scope="module")
 def mongodb_multi_b_unmarshalled(
-    central_cluster_client: kubernetes.client.ApiClient,
     mdbb_ns: str,
     member_cluster_names: List[str],
     custom_mdb_version: str,
 ) -> MongoDBMulti:
     resource = MongoDBMulti.from_yaml(yaml_fixture("mongodb-multi.yaml"), "multi-replica-set", mdbb_ns)
     resource["spec"]["clusterSpecList"] = cluster_spec_list(member_cluster_names, [2, 1])
     resource.set_version(ensure_ent_version(custom_mdb_version))
-
-    resource.api = kubernetes.client.CustomObjectsApi(central_cluster_client)
-    resource.update()
     return resource
 
 
@@ -108,8 +99,6 @@ def mongodb_multi_a(
 ) -> MongoDBMulti:
     ca = open(issuer_ca_filepath).read()
 
-    # The operator expects the CA that validates Ops Manager is contained in
-    # an entry with a name of "mms-ca.crt"
     data = {"ca-pem": ca, "mms-ca.crt": ca}
     name = "issuer-ca"
 
@@ -123,7 +112,7 @@ def mongodb_multi_a(
         },
     }
     resource.api = kubernetes.client.CustomObjectsApi(central_cluster_client)
-    resource.update()
+    try_load(resource)
     return resource
 
 
@@ -137,8 +126,6 @@ def mongodb_multi_b(
 ) -> MongoDBMulti:
     ca = open(issuer_ca_filepath).read()
 
-    # The operator expects the CA that validates Ops Manager is contained in
-    # an entry with a name of "mms-ca.crt"
     data = {"ca-pem": ca, "mms-ca.crt": ca}
     name = "issuer-ca"
 
@@ -152,7 +139,7 @@ def mongodb_multi_b(
         },
     }
     resource.api = kubernetes.client.CustomObjectsApi(central_cluster_client)
-    resource.update()
+    try_load(resource)
     return resource
 
 
@@ -249,21 +236,22 @@ def test_copy_configmap_and_secret_across_ns(
 
 @pytest.mark.e2e_multi_cluster_2_clusters_clusterwide
 def test_create_mongodb_multi_nsa(mongodb_multi_a: MongoDBMulti):
+    mongodb_multi_a.update()
     mongodb_multi_a.assert_reaches_phase(Phase.Running, timeout=800)
 
 
 @pytest.mark.e2e_multi_cluster_2_clusters_clusterwide
 def test_enable_mongodb_multi_nsa_auth(mongodb_multi_a: MongoDBMulti):
-    mongodb_multi_a.reload()
-    mongodb_multi_a["spec"]["authentication"] = (
-        {
-            "agents": {"mode": "SCRAM"},
-            "enabled": True,
-            "modes": ["SCRAM"],
-        },
-    )
+    mongodb_multi_a["spec"]["security"]["authentication"] = {
+        "agents": {"mode": "SCRAM"},
+        "enabled": True,
+        "modes": ["SCRAM"],
+    }
+    mongodb_multi_a.update()
+    mongodb_multi_a.assert_reaches_phase(Phase.Running, timeout=800)
 
 
 @pytest.mark.e2e_multi_cluster_2_clusters_clusterwide
 def test_create_mongodb_multi_nsb(mongodb_multi_b: MongoDBMulti):
+    mongodb_multi_b.update()
     mongodb_multi_b.assert_reaches_phase(Phase.Running, timeout=800)

docker/mongodb-kubernetes-tests/tests/tls/e2e_configure_tls_and_x509_simultaneously_rs.py

@@ -8,24 +8,26 @@
 from kubetester.phase import Phase
 
 MDB_RESOURCE = "my-replica-set"
+CERT_SECRET_PREFIX = "prefix"
 
 
 @pytest.fixture(scope="module")
 def server_certs(issuer: str, namespace: str):
-    return create_mongodb_tls_certs(ISSUER_CA_NAME, namespace, MDB_RESOURCE, f"{MDB_RESOURCE}-cert")
+    return create_mongodb_tls_certs(
+        ISSUER_CA_NAME, namespace, MDB_RESOURCE, f"{CERT_SECRET_PREFIX}-{MDB_RESOURCE}-cert"
+    )
 
 
 @pytest.fixture(scope="module")
-def mdb(namespace: str, server_certs: str, issuer_ca_configmap: str) -> MongoDB:
+def mdb(namespace: str, server_certs: str) -> MongoDB:
     resource = MongoDB.from_yaml(load_fixture("replica-set.yaml"), namespace=namespace)
-    resource["spec"]["security"] = {"tls": {"ca": issuer_ca_configmap}}
     try_load(resource)
     return resource
 
 
 @pytest.fixture(scope="module")
 def agent_certs(issuer: str, namespace: str) -> str:
-    return create_agent_tls_certs(issuer, namespace, MDB_RESOURCE)
+    return create_agent_tls_certs(issuer, namespace, MDB_RESOURCE, secret_prefix=CERT_SECRET_PREFIX)
 
 
 @pytest.mark.e2e_configure_tls_and_x509_simultaneously_rs
@@ -46,11 +48,27 @@ def test_connectivity():
 
 
 @pytest.mark.e2e_configure_tls_and_x509_simultaneously_rs
-def test_enable_x509(mdb: MongoDB, agent_certs: str):
-    mdb.load()
+def test_enable_tls(mdb: MongoDB, issuer_ca_configmap: str):
     mdb["spec"]["security"] = {
-        "authentication": {"enabled": True},
-        "modes": ["X509"],
+        "certsSecretPrefix": CERT_SECRET_PREFIX,
+        "tls": {"ca": issuer_ca_configmap},
     }
-
+    mdb.update()
     mdb.assert_reaches_phase(Phase.Running, timeout=400)
+
+
+@pytest.mark.e2e_configure_tls_and_x509_simultaneously_rs
+def test_connectivity_with_ssl(mdb: MongoDB, ca_path: str):
+    tester = mdb.tester(use_ssl=True, ca_path=ca_path)
+    tester.assert_connectivity()
+
+
+@pytest.mark.e2e_configure_tls_and_x509_simultaneously_rs
+def test_enable_x509(mdb: MongoDB, agent_certs: str):
+    mdb["spec"]["security"]["authentication"] = {
+        "agents": {"mode": "X509"},
+        "enabled": True,
+        "modes": ["X509"],
+    }
+    mdb.update()
+    mdb.assert_reaches_phase(Phase.Running, timeout=1200)

docker/mongodb-kubernetes-tests/tests/tls/e2e_configure_tls_and_x509_simultaneously_sc.py

@@ -10,6 +10,7 @@
 from tests.shardedcluster.conftest import enable_multi_cluster_deployment, get_mongos_service_names
 
 MDB_RESOURCE = "test-ssl-with-x509-sc"
+CERT_SECRET_PREFIX = "prefix"
 
 
 @pytest.fixture(scope="module")
@@ -29,18 +30,18 @@ def server_certs(issuer: str, namespace: str):
         mongod_per_shard=3,
         config_servers=3,
         mongos=2,
+        secret_prefix=f"{CERT_SECRET_PREFIX}-",
         shard_distribution=shard_distribution,
         mongos_distribution=mongos_distribution,
         config_srv_distribution=config_srv_distribution,
     )
 
 
 @pytest.fixture(scope="module")
-def sc(namespace: str, server_certs: str, issuer_ca_configmap: str) -> MongoDB:
+def sc(namespace: str, server_certs: str) -> MongoDB:
     resource = MongoDB.from_yaml(load_fixture("sharded-cluster.yaml"), namespace=namespace, name=MDB_RESOURCE)
 
     resource.set_architecture_annotation()
-    resource["spec"]["security"] = {"tls": {"ca": issuer_ca_configmap}}
 
     if is_multi_cluster():
         enable_multi_cluster_deployment(
@@ -56,7 +57,7 @@ def sc(namespace: str, server_certs: str, issuer_ca_configmap: str) -> MongoDB:
 
 @pytest.fixture(scope="module")
 def agent_certs(issuer: str, namespace: str) -> str:
-    return create_agent_tls_certs(issuer, namespace, MDB_RESOURCE)
+    return create_agent_tls_certs(issuer, namespace, MDB_RESOURCE, secret_prefix=CERT_SECRET_PREFIX)
 
 
 @pytest.mark.e2e_configure_tls_and_x509_simultaneously_sc
@@ -78,10 +79,28 @@ def test_connectivity_without_ssl(sc: MongoDB):
 
 
 @pytest.mark.e2e_configure_tls_and_x509_simultaneously_sc
-def test_enable_x509(sc: MongoDB, agent_certs: str):
+def test_enable_tls(sc: MongoDB, issuer_ca_configmap: str):
     sc["spec"]["security"] = {
-        "authentication": {"enabled": True},
-        "modes": ["X509"],
+        "certsSecretPrefix": CERT_SECRET_PREFIX,
+        "tls": {"ca": issuer_ca_configmap},
     }
+    sc.update()
+    sc.assert_reaches_phase(Phase.Running, timeout=1200)
 
+
+@pytest.mark.e2e_configure_tls_and_x509_simultaneously_sc
+def test_connectivity_with_ssl(sc: MongoDB, ca_path: str):
+    service_names = get_mongos_service_names(sc)
+    tester = sc.tester(use_ssl=True, ca_path=ca_path, service_names=service_names)
+    tester.assert_connectivity()
+
+
+@pytest.mark.e2e_configure_tls_and_x509_simultaneously_sc
+def test_enable_x509(sc: MongoDB, agent_certs: str):
+    sc["spec"]["security"]["authentication"] = {
+        "agents": {"mode": "X509"},
+        "enabled": True,
+        "modes": ["X509"],
+    }
+    sc.update()
     sc.assert_reaches_phase(Phase.Running, timeout=1200)

docker/mongodb-kubernetes-tests/tests/tls/e2e_configure_tls_and_x509_simultaneously_standalone.py

@@ -0,0 +1,46 @@
+import pytest
+from kubetester import try_load
+from kubetester.kubetester import fixture as load_fixture
+from kubetester.mongodb import MongoDB
+from kubetester.mongotester import StandaloneTester
+from kubetester.operator import Operator
+from kubetester.phase import Phase
+
+MDB_RESOURCE = "my-standalone"
+
+
+@pytest.fixture(scope="module")
+def mdb(namespace: str) -> MongoDB:
+    resource = MongoDB.from_yaml(load_fixture("standalone.yaml"), namespace=namespace)
+    try_load(resource)
+    return resource
+
+
+@pytest.mark.e2e_enable_standalone_tls
+def test_install_operator(operator: Operator):
+    operator.assert_is_running()
+
+
+@pytest.mark.e2e_enable_standalone_tls
+def test_mdb_running(mdb: MongoDB):
+    mdb.update()
+    mdb.assert_reaches_phase(Phase.Running, timeout=400)
+
+
+@pytest.mark.e2e_enable_standalone_tls
+def test_connectivity():
+    tester = StandaloneTester(MDB_RESOURCE)
+    tester.assert_connectivity()
+
+
+@pytest.mark.e2e_enable_standalone_tls
+def test_enable_tls(mdb: MongoDB):
+    mdb["spec"]["security"] = {"tls": {"enabled": True}}
+    mdb.update()
+    mdb.assert_reaches_phase(Phase.Running, timeout=400)
+
+
+@pytest.mark.e2e_enable_standalone_tls
+def test_connectivity_with_tls(mdb: MongoDB):
+    tester = mdb.tester(use_ssl=True)
+    tester.assert_connectivity()