CLOUDP-314921 Telemetry for authentication modes (#62)

# Summary

Adds Telemetry support for Authentication mode and Agent Authentication
Mode. New fields `authenticationModes` and `authenticationAgentModes`
will take any value passed from CRD.

Because of the limitations of Telemetry subsystem used (Segment) we need
to send flat `map[string]any` without any nested fields. For multiple
Authentication modes we will flatten the values to
`authenticationMode***` where `***` is one of the possible modes
specified in the CRD. For example when `SCRAM` and `OIDC` are enabled we
will send telemetry output:
```go
{
        [...]
	"authenticationModeOIDC":   true,
	"authenticationModeSCRAM":  true,
	"authenticationAgentMode":  util.SCRAM,
}
```

## Proof of Work

Passing unit tests.

## Checklist
- [x] Have you linked a jira ticket and/or is the ticket in the title?
- [x] Have you checked whether your jira ticket required DOCSP changes?
- [ ] Have you checked for release_note changes?

## Reminder (Please remove this when merging)
- Please try to Approve or Reject Changes the PR, keep PRs in review as
short as possible
- Our Short Guide for PRs:
[Link](https://docs.google.com/document/d/1T93KUtdvONq43vfTfUt8l92uo4e4SEEvFbIEKOxGr44/edit?tab=t.0)
- Remember the following Communication Standards - use comment prefixes
for clarity:
  * **blocking**: Must be addressed before approval.
  * **follow-up**: Can be addressed in a later PR or ticket.
  * **q**: Clarifying question.
  * **nit**: Non-blocking suggestions.
  * **note**: Side-note, non-actionable. Example: Praise 
  * --> no prefix is considered a question

---------

Co-authored-by: Lucian Tosa <[email protected]>
Co-authored-by: Anand <[email protected]>
Co-authored-by: Lucian Tosa <[email protected]>

Author: 3 people

api/v1/mdb/mongodb_types.go

@@ -807,13 +807,6 @@ func (s *Security) IsTLSEnabled() bool {
 	return s.CertificatesSecretsPrefix != ""
 }
 
-func (s *Security) IsOIDCEnabled() bool {
-	if s == nil || s.Authentication == nil || !s.Authentication.Enabled {
-		return false
-	}
-	return s.Authentication.IsOIDCEnabled()
-}
-
 // GetAgentMechanism returns the authentication mechanism that the agents will be using.
 // The agents will use X509 if it is the only mechanism specified, otherwise they will use SCRAM if specified
 // and no auth if no mechanisms exist.
@@ -1006,16 +999,28 @@ type AgentAuthentication struct {
 // IsX509Enabled determines if X509 is to be enabled at the project level
 // it does not necessarily mean that the agents are using X509 authentication
 func (a *Authentication) IsX509Enabled() bool {
+	if a == nil || !a.Enabled {
+		return false
+	}
+
 	return stringutil.Contains(a.GetModes(), util.X509)
 }
 
 // IsLDAPEnabled determines if LDAP is to be enabled at the project level
 func (a *Authentication) IsLDAPEnabled() bool {
+	if a == nil || !a.Enabled {
+		return false
+	}
+
 	return stringutil.Contains(a.GetModes(), util.LDAP)
 }
 
 // IsOIDCEnabled determines if OIDC is to be enabled at the project level
 func (a *Authentication) IsOIDCEnabled() bool {
+	if a == nil || !a.Enabled {
+		return false
+	}
+
 	return stringutil.Contains(a.GetModes(), util.OIDC)
 }
 

api/v1/mdb/mongodb_types_test.go

@@ -83,10 +83,20 @@ func TestGetAuthenticationIsEnabledMethods(t *testing.T) {
 			expectedLDAP:   false,
 			expectedOIDC:   false,
 		},
+		{
+			name: "Empty authentication mode list",
+			authentication: &Authentication{
+				Enabled: true,
+			},
+			expectedX509: false,
+			expectedLDAP: false,
+			expectedOIDC: false,
+		},
 		{
 			name: "Authentication with x509 only",
 			authentication: &Authentication{
-				Modes: []AuthMode{util.X509},
+				Enabled: true,
+				Modes:   []AuthMode{util.X509},
 			},
 			expectedX509: true,
 			expectedLDAP: false,
@@ -95,7 +105,8 @@ func TestGetAuthenticationIsEnabledMethods(t *testing.T) {
 		{
 			name: "Authentication with LDAP only",
 			authentication: &Authentication{
-				Modes: []AuthMode{util.LDAP},
+				Enabled: true,
+				Modes:   []AuthMode{util.LDAP},
 			},
 			expectedX509: false,
 			expectedLDAP: true,
@@ -104,7 +115,8 @@ func TestGetAuthenticationIsEnabledMethods(t *testing.T) {
 		{
 			name: "Authentication with OIDC only",
 			authentication: &Authentication{
-				Modes: []AuthMode{util.OIDC},
+				Enabled: true,
+				Modes:   []AuthMode{util.OIDC},
 			},
 			expectedX509: false,
 			expectedLDAP: false,
@@ -113,7 +125,8 @@ func TestGetAuthenticationIsEnabledMethods(t *testing.T) {
 		{
 			name: "Authentication with multiple modes",
 			authentication: &Authentication{
-				Modes: []AuthMode{util.X509, util.LDAP, util.OIDC, util.SCRAM},
+				Enabled: true,
+				Modes:   []AuthMode{util.X509, util.LDAP, util.OIDC, util.SCRAM},
 			},
 			expectedX509: true,
 			expectedLDAP: true,

api/v1/mdb/mongodb_validation.go

@@ -54,7 +54,7 @@ func deploymentsMustHaveTLSInX509Env(d DbCommonSpec) v1.ValidationResult {
 	if authSpec == nil {
 		return v1.ValidationSuccess()
 	}
-	if authSpec.Enabled && authSpec.IsX509Enabled() && !d.GetSecurity().IsTLSEnabled() {
+	if authSpec.IsX509Enabled() && !d.GetSecurity().IsTLSEnabled() {
 		return v1.ValidationError("Cannot have a non-tls deployment when x509 authentication is enabled")
 	}
 	return v1.ValidationSuccess()
@@ -107,11 +107,15 @@ func scramSha1AuthValidation(d DbCommonSpec) v1.ValidationResult {
 
 func oidcAuthValidators(db DbCommonSpec) []func(DbCommonSpec) v1.ValidationResult {
 	validators := make([]func(DbCommonSpec) v1.ValidationResult, 0)
-	if !db.Security.IsOIDCEnabled() {
+	if db.Security == nil || db.Security.Authentication == nil {
 		return validators
 	}
 
 	authentication := db.Security.Authentication
+	if !authentication.IsOIDCEnabled() {
+		return validators
+	}
+
 	validators = append(validators, oidcAuthModeValidator(authentication))
 	validators = append(validators, oidcAuthRequiresEnterprise)
 

api/v1/om/opsmanager_types.go

@@ -633,7 +633,7 @@ func ensureSecurityWithSCRAM(specSecurity *mdbv1.Security) *mdbv1.Security {
 		specSecurity = &mdbv1.Security{TLSConfig: &mdbv1.TLSConfig{}}
 	}
 	// the only allowed authentication is SCRAM - it's implicit to the user and hidden from him
-	specSecurity.Authentication = &mdbv1.Authentication{Modes: []mdbv1.AuthMode{util.SCRAM}}
+	specSecurity.Authentication = &mdbv1.Authentication{Enabled: true, Modes: []mdbv1.AuthMode{util.SCRAM}}
 	return specSecurity
 }
 

controllers/operator/mongodbshardedcluster_controller.go

@@ -1014,7 +1014,7 @@ func (r *ShardedClusterReconcileHelper) doShardedClusterProcessing(ctx context.C
 	}
 
 	security := sc.Spec.Security
-	if security.Authentication != nil && security.Authentication.Enabled && security.Authentication.IsX509Enabled() && !sc.Spec.GetSecurity().IsTLSEnabled() {
+	if security.Authentication.IsX509Enabled() && !security.IsTLSEnabled() {
 		return workflow.Invalid("cannot have a non-tls deployment when x509 authentication is enabled")
 	}
 

controllers/operator/mongodbstandalone_controller.go

@@ -177,7 +177,7 @@ func (r *ReconcileMongoDbStandalone) Reconcile(ctx context.Context, request reco
 	// cannot have a non-tls deployment in an x509 environment
 	// TODO move to webhook validations
 	security := s.Spec.Security
-	if security.Authentication != nil && security.Authentication.Enabled && security.Authentication.IsX509Enabled() && !s.Spec.GetSecurity().IsTLSEnabled() {
+	if security.Authentication.IsX509Enabled() && !security.IsTLSEnabled() {
 		return r.updateStatus(ctx, s, workflow.Invalid("cannot have a non-tls deployment when x509 authentication is enabled"), log)
 	}
 

pkg/telemetry/collector.go

@@ -24,7 +24,6 @@ import (
 	"github.com/mongodb/mongodb-kubernetes/pkg/images"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util/architectures"
-	"github.com/mongodb/mongodb-kubernetes/pkg/util/maputil"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util/versionutil"
 )
 
@@ -179,19 +178,13 @@ func collectOperatorSnapshot(ctx context.Context, memberClusterMap map[string]Co
 		OperatorVersion:      versionutil.StaticContainersOperatorVersion(),
 		OperatorType:         MEKO,
 	}
-	operatorProperties, err := maputil.StructToMap(operatorEvent)
-	if err != nil {
-		Logger.Debugf("failed converting properties to map: %s", err)
-		return nil
-	}
 
-	return []Event{
-		{
-			Timestamp:  time.Now(),
-			Source:     Operators,
-			Properties: operatorProperties,
-		},
+	event := createEvent(operatorEvent, time.Now(), Operators)
+	if event == nil {
+		return []Event{}
 	}
+
+	return []Event{*event}
 }
 
 func collectDeploymentsSnapshot(ctx context.Context, operatorClusterMgr manager.Manager, operatorUUID, mongodbImage, databaseNonStaticImage string) []Event {
@@ -234,6 +227,8 @@ func getMdbEvents(ctx context.Context, operatorClusterClient kubeclient.Client,
 				Type:                     string(item.Spec.GetResourceType()),
 				IsRunningEnterpriseImage: images.IsEnterpriseImage(imageURL),
 				ExternalDomains:          getExternalDomainProperty(item),
+				AuthenticationModes:      getAuthenticationModes(item.Spec.Security),
+				AuthenticationAgentMode:  getAuthenticationAgentMode(item.Spec.Security),
 			}
 
 			if numberOfClustersUsed > 0 {
@@ -272,6 +267,8 @@ func addMultiEvents(ctx context.Context, operatorClusterClient kubeclient.Client
 			Type:                     string(item.Spec.GetResourceType()),
 			IsRunningEnterpriseImage: images.IsEnterpriseImage(imageURL),
 			ExternalDomains:          getExternalDomainPropertyForMongoDBMulti(item),
+			AuthenticationModes:      getAuthenticationModes(item.Spec.Security),
+			AuthenticationAgentMode:  getAuthenticationAgentMode(item.Spec.Security),
 		}
 
 		if event := createEvent(properties, now, Deployments); event != nil {
@@ -319,8 +316,8 @@ func addOmEvents(ctx context.Context, operatorClusterClient kubeclient.Client, o
 	return events
 }
 
-func createEvent(properties any, now time.Time, eventType EventType) *Event {
-	convertedProperties, err := maputil.StructToMap(properties)
+func createEvent(properties FlatProperties, now time.Time, eventType EventType) *Event {
+	convertedProperties, err := properties.ConvertToFlatMap()
 	if err != nil {
 		Logger.Debugf("failed to parse %s properties: %v", eventType, err)
 		return nil
@@ -422,13 +419,12 @@ func handleEvents(ctx context.Context, atlasClient *Client, events []Event, even
 		return
 	}
 
-	err = atlasClient.SendEventWithRetry(ctx, events)
-	if err == nil {
-		if err := updateTelemetryConfigMapTimeStamp(ctx, operatorClusterClient, namespace, OperatorConfigMapTelemetryConfigMapName, eventType); err != nil {
-			Logger.Debugf("Failed saving timestamp of successful sending of data for type: %s with error: %s", eventType, err)
+	if sendErr := atlasClient.SendEventWithRetry(ctx, events); sendErr == nil {
+		if updateErr := updateTelemetryConfigMapTimeStamp(ctx, operatorClusterClient, namespace, OperatorConfigMapTelemetryConfigMapName, eventType); updateErr != nil {
+			Logger.Debugf("Failed saving timestamp of successful sending of data for type: %s with error: %s", eventType, updateErr)
 		}
 	} else {
-		Logger.Debugf("Encountered error while trying to send payload to atlas; err: %s", err)
+		Logger.Debugf("Encountered error while trying to send payload to atlas; err: %s", sendErr)
 	}
 }
 
@@ -534,3 +530,27 @@ func isExternalDomainSpecifiedInClusterSpecList(clusterSpecList mdbv1.ClusterSpe
 
 	return clusterSpecList.IsExternalDomainSpecifiedInClusterSpecList()
 }
+
+func getAuthenticationModes(security *mdbv1.Security) []string {
+	if security == nil || security.Authentication == nil {
+		return nil
+	}
+
+	if !security.Authentication.Enabled {
+		return nil
+	}
+
+	return security.Authentication.GetModes()
+}
+
+func getAuthenticationAgentMode(security *mdbv1.Security) string {
+	if security == nil || security.Authentication == nil {
+		return ""
+	}
+
+	if !security.Authentication.Enabled {
+		return ""
+	}
+
+	return security.Authentication.Agents.Mode
+}