CLOUDP-303643: Enable TLS certificate verification for e2e tests#795
filipcirtog wants to merge 2 commits into master from
Conversation
MCK 1.7.1 Release Notes: Other Changes
Pull request overview
Enables TLS certificate verification (instead of verify=False / invalid cert allowances) across several e2e test suites by wiring in the issuer CA bundle and ensuring Prometheus endpoints for sharded clusters have certificates valid for all component hostnames.
Changes:
- Switch Prometheus endpoint checks to verify TLS using `issuer_ca_filepath` (the `requests` `verify` path) across Ops Manager and Vault integration tests.
- Add `create_mongodb_sharded_tls_certs()` to generate a single cert covering all sharded cluster component DNS names (mongos/shards/configsvr), and use it for Prometheus TLS secrets.
- Refresh CA fixture material and update the `make cert` target to generate a CA cert with explicit CA extensions.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| docker/mongodb-kubernetes-tests/tests/vaultintegration/om_backup_vault.py | Uses issuer CA bundle for Prometheus HTTPS reachability checks; renames Prometheus cert helper for clarity. |
| docker/mongodb-kubernetes-tests/tests/vaultintegration/mongodb_deployment_vault.py | Adds sharded Prometheus TLS cert generation and enables TLS verification for Prometheus scraping checks. |
| docker/mongodb-kubernetes-tests/tests/opsmanager/withMonitoredAppDB/om_ops_manager_appdb_monitoring_tls.py | Switches PyMongo client to validate TLS using issuer CA instead of allowing invalid certs. |
| docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_prometheus.py | Uses sharded-wide cert helper for sharded Prometheus endpoints and enables TLS verification in tests. |
| docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/ca-tls.key | Updates test CA private key fixture used by cert-manager issuer in e2e. |
| docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/ca-tls.crt | Updates test CA certificate fixture. |
| docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/ca-tls-full-chain.crt | Updates full-chain bundle used as issuer CA bundle in tests. |
| docker/mongodb-kubernetes-tests/kubetester/http.py | Allows passing a CA bundle path to requests verify for HTTPS reachability checks. |
| docker/mongodb-kubernetes-tests/kubetester/certs.py | Adds create_mongodb_sharded_tls_certs() to build a single cert SAN list spanning all sharded component hostnames. |
| Makefile | Updates cert target to generate CA cert with explicit CA extensions and key usage. |
| def https_endpoint_is_reachable(url: str, auth: Tuple[str], *, tls_verify: bool) -> bool: | ||
| def https_endpoint_is_reachable(url: str, auth: Tuple[str], *, tls_verify: Union[bool, str]) -> bool: |
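Review bot: The widened `tls_verify: Union[bool, str]` in the new signature is undocumented; a reader cannot tell from the hunk that a `str` value is a CA bundle path handed straight to `requests`' `verify`. Add that to the docstring, and since the point of this PR is to stop skipping verification, consider rejecting (or at least logging) `tls_verify=False` so a future caller cannot quietly reintroduce the unverified path.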
Type annotation for `auth` should reflect the actual (username, password) tuple that callers pass. `Tuple[str]` describes a single-element tuple; consider changing it to `Tuple[str, str]` (or `tuple[str, str]`) to avoid misleading hints / mypy issues.
| def https_endpoint_is_reachable(url: str, auth: Tuple[str], *, tls_verify: Union[bool, str]) -> bool: | |
| def https_endpoint_is_reachable(url: str, auth: Tuple[str, str], *, tls_verify: Union[bool, str]) -> bool: |
Summary
The existing tests were skipping TLS verification entirely, which meant they could silently pass even with misconfigured certificates or hostname mismatches. To resolve this, I replaced `tls_verify=False` with `tls_verify=issuer_ca_filepath` across all e2e tests so that TLS certificates are actually validated against the issuer CA during testing.
Proof of Work
- `create_mongodb_sharded_tls_certs` in `certs.py`, which generates a single TLS certificate covering all sharded cluster components (mongos, shards, config servers), needed for Prometheus.
- `tls_verify=False` to `tls_verify=issuer_ca_filepath`
- `tlsAllowInvalidCertificates=True` with `tlsCAFile=issuer_ca_filepath` for the PyMongo connection.
Checklist
- `skip-changelog` label if not needed
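The Copilot overview and the author's summary both describe why one certificate has to cover every sharded-cluster component: once `requests` (`verify=<CA bundle>`) or PyMongo (`tlsCAFile`) actually validates the server certificate, a Prometheus endpoint whose hostname is missing from the SAN list fails with a hostname mismatch instead of silently passing. The following is an added example, not code from this PR or the mongodb-kubernetes project: it builds the full SAN list for a sharded cluster and runs the same dNSName matching a verifying client performs, to show which scrape targets a per-component certificate would reject. The Kubernetes hostname layout (`<name>-<s>-<i>.<name>-sh`, `<name>-config-<i>.<name>-cs`, `<name>-mongos-<i>.<name>-svc`) and the `ShardedTopology` type are assumptions chosen for illustration.

```python
"""Added example (not the project's create_mongodb_sharded_tls_certs).

Builds the DNS-name SAN list a single sharded-cluster certificate must
carry and checks scrape targets against it the way a verifying TLS client
does.  Hostname patterns are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ShardedTopology:
    name: str
    namespace: str
    shard_count: int
    mongods_per_shard: int
    config_server_count: int
    mongos_count: int
    cluster_domain: str = "cluster.local"


def _pod_names(base: str, replicas: int) -> List[str]:
    # StatefulSet pods are numbered <base>-0 .. <base>-(replicas-1)
    return [f"{base}-{i}" for i in range(replicas)]


def sharded_cluster_dns_names(t: ShardedTopology) -> List[str]:
    """Every DNS name a client may use for any component of the cluster.

    Assumed layout: shard pods <name>-<s>-<i> behind service <name>-sh,
    config server pods <name>-config-<i> behind <name>-cs, and mongos pods
    <name>-mongos-<i> behind <name>-svc.  Each pod gets its short in-namespace
    name and its fully qualified name.
    """
    svc_suffix = f"{t.namespace}.svc.{t.cluster_domain}"
    groups = [(f"{t.name}-{s}", f"{t.name}-sh", t.mongods_per_shard)
              for s in range(t.shard_count)]
    groups.append((f"{t.name}-config", f"{t.name}-cs", t.config_server_count))
    groups.append((f"{t.name}-mongos", f"{t.name}-svc", t.mongos_count))
    names: List[str] = []
    for pod_base, service, replicas in groups:
        for pod in _pod_names(pod_base, replicas):
            names.append(f"{pod}.{service}")
            names.append(f"{pod}.{service}.{svc_suffix}")
    # de-duplicate while preserving order
    return list(dict.fromkeys(names))


def san_matches(san: str, host: str) -> bool:
    """RFC 6125 style dNSName match: case-insensitive; a leading '*' label
    may stand in for exactly one label and never for the whole name."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, sep, host_rest = host.partition(".")
    return bool(sep) and head != "" and host_rest == san[2:]


def hostname_covered(cert_sans: Iterable[str], host: str) -> bool:
    return any(san_matches(san, host) for san in cert_sans)


def uncovered_targets(cert_sans: Iterable[str], targets: Iterable[str]) -> List[str]:
    """Scrape targets a verifying client would reject with a hostname mismatch."""
    sans = list(cert_sans)
    return [t for t in targets if not hostname_covered(sans, t)]


# Constructed topology: 2 shards x 3 mongods, 3 config servers, 2 mongos.
TOPOLOGY = ShardedTopology("sh", "mongodb", shard_count=2, mongods_per_shard=3,
                           config_server_count=3, mongos_count=2)
ALL_SANS = sharded_cluster_dns_names(TOPOLOGY)
# A "before" style certificate that only names the mongos pods.
MONGOS_ONLY_SANS = [n for n in ALL_SANS if n.split(".")[1] == f"{TOPOLOGY.name}-svc"]
# Constructed Prometheus targets: one pod of each component type.
PROMETHEUS_TARGETS = [
    "sh-0-0.sh-sh.mongodb.svc.cluster.local",
    "sh-config-0.sh-cs.mongodb.svc.cluster.local",
    "sh-mongos-0.sh-svc.mongodb.svc.cluster.local",
]


def main() -> None:
    print("mongos-only cert rejects:", uncovered_targets(MONGOS_ONLY_SANS, PROMETHEUS_TARGETS))
    print("cluster-wide cert rejects:", uncovered_targets(ALL_SANS, PROMETHEUS_TARGETS))


if __name__ == "__main__":
    main()
```

Running it shows the mongos-only certificate rejecting the shard and config-server targets while the cluster-wide list covers all three, which is exactly the failure the old `tls_verify=False` / `tlsAllowInvalidCertificates=True` settings would have hidden.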