CLOUDP-297401: Handle x509 just like other project resources (#2084)

igor-karpukhin · web-flow · commit 1bf3bf9e2c19 · 2025-02-06T11:35:14.000+01:00
Handle x509 just like other project resources
diff --git a/api/condition.go b/api/condition.go
@@ -50,6 +50,7 @@ const (
 	ProjectTeamsReadyType             ConditionType = "ProjectTeamsReady"
 	SearchIndexesReadyType            ConditionType = "AtlasSearchIndexesReady"
 	BackupComplianceReadyType         ConditionType = "BackupCompliancePolicyReady"
+	X509AuthReadyType                 ConditionType = "X509AuthReady"
 )
 
 // AtlasDeployment condition types
diff --git a/internal/controller/atlasproject/atlasproject_controller.go b/internal/controller/atlasproject/atlasproject_controller.go
@@ -244,6 +244,11 @@ func (r *AtlasProjectReconciler) ensureProjectResources(workflowCtx *workflow.Co
 	}
 	results = append(results, result)
 
+	if result = r.ensureX509(workflowCtx, project); result.IsOk() {
+		r.EventRecorder.Event(project, "Normal", string(api.X509AuthReadyType), "")
+	}
+	results = append(results, result)
+
 	return results
 }
 
diff --git a/internal/controller/atlasproject/project.go b/internal/controller/atlasproject/project.go
@@ -38,18 +38,13 @@ func (r *AtlasProjectReconciler) handleProject(ctx *workflow.Context, orgID stri
 		return r.manage(ctx, atlasProject, projectInAtlas.ID)
 	}
 
-	if err = r.ensureX509(ctx, atlasProject); err != nil {
-		return r.terminate(ctx, workflow.Internal, err)
-	}
-
 	ctx.SetConditionTrue(api.ProjectReadyType)
 	r.EventRecorder.Event(atlasProject, "Normal", string(api.ProjectReadyType), "")
 
 	results := r.ensureProjectResources(ctx, atlasProject, services)
 	for i := range results {
 		if !results[i].IsOk() {
 			logIfWarning(ctx, results[i])
-
 			return results[i].ReconcileResult(), nil
 		}
 	}
diff --git a/internal/controller/atlasproject/project_test.go b/internal/controller/atlasproject/project_test.go
@@ -271,10 +271,74 @@ func TestHandleProject(t *testing.T) {
 		},
 		"should fail to configure authentication modes": {
 			atlasClientMocker: func() *mongodbatlas.Client {
-				return nil
+				integrations := &atlasmocks.ThirdPartyIntegrationsClientMock{
+					ListFunc: func(projectID string) (*mongodbatlas.ThirdPartyIntegrations, *mongodbatlas.Response, error) {
+						return &mongodbatlas.ThirdPartyIntegrations{}, nil, nil
+					},
+				}
+				encryptionAtRest := &atlasmocks.EncryptionAtRestClientMock{
+					GetFunc: func(projectID string) (*mongodbatlas.EncryptionAtRest, *mongodbatlas.Response, error) {
+						return &mongodbatlas.EncryptionAtRest{}, nil, nil
+					},
+				}
+				projectAPI := &atlasmocks.ProjectsClientMock{}
+
+				return &mongodbatlas.Client{
+					Integrations:      integrations,
+					EncryptionsAtRest: encryptionAtRest,
+					Projects:          projectAPI,
+				}
 			},
-			atlasSDKMocker: func() *admin.APIClient {
-				return nil
+			atlasSDKMocker: func() *admin.APIClient { //nolint:dupl
+				ipAccessList := mockadmin.NewProjectIPAccessListApi(t)
+				ipAccessList.EXPECT().ListProjectIpAccessLists(context.Background(), "projectID").
+					Return(admin.ListProjectIpAccessListsApiRequest{ApiService: ipAccessList})
+				ipAccessList.EXPECT().ListProjectIpAccessListsExecute(mock.AnythingOfType("admin.ListProjectIpAccessListsApiRequest")).
+					Return(nil, nil, nil)
+				privateEndpoints := mockadmin.NewPrivateEndpointServicesApi(t)
+				privateEndpoints.EXPECT().ListPrivateEndpointServices(context.Background(), "projectID", mock.Anything).
+					Return(admin.ListPrivateEndpointServicesApiRequest{ApiService: privateEndpoints})
+				privateEndpoints.EXPECT().ListPrivateEndpointServicesExecute(mock.AnythingOfType("admin.ListPrivateEndpointServicesApiRequest")).
+					Return(nil, nil, nil)
+				networkPeering := mockadmin.NewNetworkPeeringApi(t)
+				networkPeering.EXPECT().ListPeeringConnectionsWithParams(context.Background(), mock.AnythingOfType("*admin.ListPeeringConnectionsApiParams")).
+					Return(admin.ListPeeringConnectionsApiRequest{ApiService: networkPeering})
+				networkPeering.EXPECT().ListPeeringConnectionsExecute(mock.AnythingOfType("admin.ListPeeringConnectionsApiRequest")).
+					Return(nil, nil, nil)
+				networkPeering.EXPECT().ListPeeringContainers(context.Background(), "projectID").
+					Return(admin.ListPeeringContainersApiRequest{ApiService: networkPeering})
+				networkPeering.EXPECT().ListPeeringContainersExecute(mock.AnythingOfType("admin.ListPeeringContainersApiRequest")).
+					Return(nil, nil, nil)
+				audit := mockadmin.NewAuditingApi(t)
+				audit.EXPECT().GetAuditingConfiguration(context.Background(), "projectID").
+					Return(admin.GetAuditingConfigurationApiRequest{ApiService: audit})
+				audit.EXPECT().GetAuditingConfigurationExecute(mock.AnythingOfType("admin.GetAuditingConfigurationApiRequest")).
+					Return(nil, nil, nil)
+				customRoles := mockadmin.NewCustomDatabaseRolesApi(t)
+				customRoles.EXPECT().ListCustomDatabaseRoles(context.Background(), "projectID").
+					Return(admin.ListCustomDatabaseRolesApiRequest{ApiService: customRoles})
+				customRoles.EXPECT().ListCustomDatabaseRolesExecute(mock.AnythingOfType("admin.ListCustomDatabaseRolesApiRequest")).
+					Return(nil, nil, nil)
+				projectAPI := mockadmin.NewProjectsApi(t)
+				projectAPI.EXPECT().GetProjectSettings(context.Background(), "projectID").
+					Return(admin.GetProjectSettingsApiRequest{ApiService: projectAPI})
+				projectAPI.EXPECT().GetProjectSettingsExecute(mock.AnythingOfType("admin.GetProjectSettingsApiRequest")).
+					Return(admin.NewGroupSettings(), nil, nil)
+				backup := mockadmin.NewCloudBackupsApi(t)
+				backup.EXPECT().GetDataProtectionSettings(context.Background(), "projectID").
+					Return(admin.GetDataProtectionSettingsApiRequest{ApiService: backup})
+				backup.EXPECT().GetDataProtectionSettingsExecute(mock.AnythingOfType("admin.GetDataProtectionSettingsApiRequest")).
+					Return(nil, nil, nil)
+
+				return &admin.APIClient{
+					ProjectIPAccessListApi:     ipAccessList,
+					PrivateEndpointServicesApi: privateEndpoints,
+					NetworkPeeringApi:          networkPeering,
+					AuditingApi:                audit,
+					CustomDatabaseRolesApi:     customRoles,
+					ProjectsApi:                projectAPI,
+					CloudBackupsApi:            backup,
+				}
 			},
 			projectServiceMocker: func() project.ProjectService {
 				service := translation.NewProjectServiceMock(t)
@@ -284,10 +348,14 @@ func TestHandleProject(t *testing.T) {
 				return service
 			},
 			teamServiceMocker: func() teams.TeamsService {
-				return nil
+				service := translation.NewTeamsServiceMock(t)
+				service.EXPECT().ListProjectTeams(context.Background(), mock.Anything).Return([]teams.AssignedTeam{}, nil)
+				return service
 			},
 			encryptionAtRestMocker: func() encryptionatrest.EncryptionAtRestService {
-				return nil
+				service := translation.NewEncryptionAtRestServiceMock(t)
+				service.EXPECT().Get(context.Background(), mock.Anything).Return(nil, nil)
+				return service
 			},
 			project: &akov2.AtlasProject{
 				ObjectMeta: metav1.ObjectMeta{
@@ -303,10 +371,10 @@ func TestHandleProject(t *testing.T) {
 					ID: "projectID",
 				},
 			},
-			result: reconcile.Result{RequeueAfter: workflow.DefaultRetry},
+			result: reconcile.Result{RequeueAfter: workflow.DefaultRetry, Requeue: false},
 			conditions: []api.Condition{
-				api.FalseCondition(api.ProjectReadyType).
-					WithReason(string(workflow.Internal)).
+				api.TrueCondition(api.ProjectReadyType),
+				api.FalseCondition(api.X509AuthReadyType).
 					WithMessageRegexp("secrets \"invalid-ref\" not found"),
 			},
 			finalizers: []string{customresource.FinalizerLabel},
diff --git a/internal/controller/atlasproject/x509_auth.go b/internal/controller/atlasproject/x509_auth.go
@@ -7,6 +7,8 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api"
+
 	"go.mongodb.org/atlas-sdk/v20231115008/admin"
 	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
@@ -18,7 +20,21 @@ import (
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/controller/workflow"
 )
 
-func (r *AtlasProjectReconciler) ensureX509(ctx *workflow.Context, atlasProject *akov2.AtlasProject) error {
+func terminateX509(workflowCtx *workflow.Context, err error) workflow.Result {
+	workflowCtx.SetConditionFalseMsg(api.X509AuthReadyType, err.Error())
+	return workflow.Terminate(workflow.ProjectX509NotConfigured, err)
+}
+
+func emptyX509(workflowCtx *workflow.Context) workflow.Result {
+	workflowCtx.UnsetCondition(api.X509AuthReadyType)
+	return idleX509()
+}
+
+func idleX509() workflow.Result {
+	return workflow.OK()
+}
+
+func (r *AtlasProjectReconciler) ensureX509(ctx *workflow.Context, atlasProject *akov2.AtlasProject) workflow.Result {
 	atlasProject.Status.AuthModes.AddAuthMode(authmode.Scram)
 
 	hasAuthModesX509 := atlasProject.Status.AuthModes.CheckAuthMode(authmode.X509)
@@ -32,19 +48,18 @@ func (r *AtlasProjectReconciler) ensureX509(ctx *workflow.Context, atlasProject
 	default:
 		ctx.EnsureStatusOption(status.AtlasProjectAuthModesOption(atlasProject.Status.AuthModes))
 	}
-
-	return nil
+	return idleX509()
 }
 
-func (r *AtlasProjectReconciler) enableX509Authentication(ctx *workflow.Context, atlasProject *akov2.AtlasProject) error {
+func (r *AtlasProjectReconciler) enableX509Authentication(ctx *workflow.Context, atlasProject *akov2.AtlasProject) workflow.Result {
 	specCert, err := readX509CertFromSecret(ctx.Context, r.Client, *atlasProject.X509SecretObjectKey(), r.Log)
 	if err != nil {
-		return err
+		return terminateX509(ctx, err)
 	}
 
 	ldapConfig, _, err := ctx.SdkClient.LDAPConfigurationApi.GetLDAPConfiguration(ctx.Context, atlasProject.ID()).Execute()
 	if err != nil {
-		return err
+		return terminateX509(ctx, err)
 	}
 
 	customerX509 := ldapConfig.GetCustomerX509()
@@ -58,27 +73,27 @@ func (r *AtlasProjectReconciler) enableX509Authentication(ctx *workflow.Context,
 
 		_, _, err = ctx.SdkClient.LDAPConfigurationApi.SaveLDAPConfiguration(ctx.Context, atlasProject.ID(), &conf).Execute()
 		if err != nil {
-			return err
+			return terminateX509(ctx, err)
 		}
 	}
 
 	atlasProject.Status.AuthModes.AddAuthMode(authmode.X509)
 	ctx.EnsureStatusOption(status.AtlasProjectAuthModesOption(atlasProject.Status.AuthModes))
 
-	return nil
+	return idleX509()
 }
 
-func (r *AtlasProjectReconciler) disableX509Authentication(ctx *workflow.Context, atlasProject *akov2.AtlasProject) error {
+func (r *AtlasProjectReconciler) disableX509Authentication(ctx *workflow.Context, atlasProject *akov2.AtlasProject) workflow.Result {
 	r.Log.Infow("Disable x509 auth", "projectID", atlasProject.ID())
 	_, _, err := ctx.SdkClient.X509AuthenticationApi.DisableCustomerManagedX509(ctx.Context, atlasProject.ID()).Execute()
 	if err != nil {
-		return err
+		return terminateX509(ctx, err)
 	}
 
 	atlasProject.Status.AuthModes.RemoveAuthMode(authmode.X509)
 	ctx.EnsureStatusOption(status.AtlasProjectAuthModesOption(atlasProject.Status.AuthModes))
 
-	return nil
+	return emptyX509(ctx)
 }
 
 func readX509CertFromSecret(ctx context.Context, kubeClient client.Client, secretRef client.ObjectKey, log *zap.SugaredLogger) (string, error) {
diff --git a/internal/controller/workflow/reason.go b/internal/controller/workflow/reason.go
@@ -44,6 +44,7 @@ const (
 	ProjectAlertConfigurationIsNotReadyInAtlas ConditionReason = "ProjectAlertConfigurationIsNotReadyInAtlas"
 	ProjectCustomRolesReady                    ConditionReason = "ProjectCustomRolesReady"
 	ProjectTeamUnavailable                     ConditionReason = "ProjectTeamUnavailable"
+	ProjectX509NotConfigured                   ConditionReason = "ProjectX509NotConfigured"
 )
 
 // Atlas Backup Compliance Policy reasons

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ const (`
`50`	`50`	`ProjectTeamsReadyType ConditionType = "ProjectTeamsReady"`
`51`	`51`	`SearchIndexesReadyType ConditionType = "AtlasSearchIndexesReady"`
`52`	`52`	`BackupComplianceReadyType ConditionType = "BackupCompliancePolicyReady"`
	`53`	`+ X509AuthReadyType ConditionType = "X509AuthReady"`
`53`	`54`	`)`
`54`	`55`
`55`	`56`	`// AtlasDeployment condition types`
Original file line number	Diff line number	Diff line change
`@@ -244,6 +244,11 @@ func (r AtlasProjectReconciler) ensureProjectResources(workflowCtx workflow.Co`
`244`	`244`	`}`
`245`	`245`	`results = append(results, result)`
`246`	`246`
	`247`	`+ if result = r.ensureX509(workflowCtx, project); result.IsOk() {`
	`248`	`+ r.EventRecorder.Event(project, "Normal", string(api.X509AuthReadyType), "")`
	`249`	`+ }`
	`250`	`+ results = append(results, result)`
	`251`	`+`
`247`	`252`	`return results`
`248`	`253`	`}`
`249`	`254`
Original file line number	Diff line number	Diff line change
`@@ -38,18 +38,13 @@ func (r AtlasProjectReconciler) handleProject(ctx workflow.Context, orgID stri`
`38`	`38`	`return r.manage(ctx, atlasProject, projectInAtlas.ID)`
`39`	`39`	`}`
`40`	`40`
`41`		`- if err = r.ensureX509(ctx, atlasProject); err != nil {`
`42`		`- return r.terminate(ctx, workflow.Internal, err)`
`43`		`- }`
`44`		`-`
`45`	`41`	`ctx.SetConditionTrue(api.ProjectReadyType)`
`46`	`42`	`r.EventRecorder.Event(atlasProject, "Normal", string(api.ProjectReadyType), "")`
`47`	`43`
`48`	`44`	`results := r.ensureProjectResources(ctx, atlasProject, services)`
`49`	`45`	`for i := range results {`
`50`	`46`	`if !results[i].IsOk() {`
`51`	`47`	`logIfWarning(ctx, results[i])`
`52`		`-`
`53`	`48`	`return results[i].ReconcileResult(), nil`
`54`	`49`	`}`
`55`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ const (`
`44`	`44`	`ProjectAlertConfigurationIsNotReadyInAtlas ConditionReason = "ProjectAlertConfigurationIsNotReadyInAtlas"`
`45`	`45`	`ProjectCustomRolesReady ConditionReason = "ProjectCustomRolesReady"`
`46`	`46`	`ProjectTeamUnavailable ConditionReason = "ProjectTeamUnavailable"`
	`47`	`+ ProjectX509NotConfigured ConditionReason = "ProjectX509NotConfigured"`
`47`	`48`	`)`
`48`	`49`
`49`	`50`	`// Atlas Backup Compliance Policy reasons`