Merge branch 'master' of github.com:mongodb/mongodb-kubernetes into fix-openshift-tests

Author: nammn

.evergreen.yml

@@ -236,7 +236,7 @@ patch_aliases:
     variant_tags: [ "e2e_smoke_release_test_suite" ]
     task_tags: [ "patch-run" ]
   - alias: "patch-run-cloudqa"
-    variant_tags: [ "cloudqa" ]
+    variant_tags: [ "cloudqa_non_static" ]
     task: ".*"
 
 # Triggered whenever the GitHub PR is created
@@ -1296,7 +1296,7 @@ buildvariants:
   ## MongoDB build variants
   - name: e2e_mdb_kind_ubi_cloudqa
     display_name: e2e_mdb_kind_ubi_cloudqa
-    tags: [ "e2e_test_suite", "cloudqa" ]
+    tags: [ "e2e_test_suite", "cloudqa", "cloudqa_non_static" ]
     run_on:
       - ubuntu2204-medium
     <<: *base_no_om_image_dependency
@@ -1305,7 +1305,7 @@ buildvariants:
 
   - name: e2e_custom_domain_mdb_kind_ubi_cloudqa
     display_name: e2e_custom_domain_mdb_kind_ubi_cloudqa
-    tags: [ "e2e_test_suite", "cloudqa" ]
+    tags: [ "e2e_test_suite", "cloudqa", "cloudqa_non_static" ]
     run_on:
       - ubuntu2204-large
     <<: *base_no_om_image_dependency
@@ -1314,7 +1314,7 @@ buildvariants:
 
   - name: e2e_static_mdb_kind_ubi_cloudqa
     display_name: e2e_static_mdb_kind_ubi_cloudqa
-    tags: [ "e2e_test_suite", "cloudqa" ]
+    tags: [ "e2e_test_suite", "cloudqa", "static" ]
     run_on:
       - ubuntu2204-medium
     <<: *base_no_om_image_dependency
@@ -1323,7 +1323,7 @@ buildvariants:
 
   - name: e2e_static_custom_domain_mdb_kind_ubi_cloudqa
     display_name: e2e_static_custom_domain_mdb_kind_ubi_cloudqa
-    tags: [ "e2e_test_suite", "cloudqa" ]
+    tags: [ "e2e_test_suite", "cloudqa", "static" ]
     run_on:
       - ubuntu2204-large
     depends_on:
@@ -1343,7 +1343,7 @@ buildvariants:
 
   - name: e2e_mdb_openshift_ubi_cloudqa
     display_name: e2e_mdb_openshift_ubi_cloudqa
-    tags: [ "e2e_openshift_test_suite", "cloudqa" ]
+    tags: [ "e2e_openshift_test_suite", "cloudqa", "cloudqa_non_static" ]
     depends_on:
       - name: build_operator_ubi
         variant: init_test_run
@@ -1363,7 +1363,7 @@ buildvariants:
   # in evergreen for all variants matching e2e_static-*, but we do not want to run openshift variants on every pr.
   - name: e2e_openshift_static_mdb_ubi_cloudqa
     display_name: e2e_openshift_static_mdb_ubi_cloudqa
-    tags: [ "e2e_openshift_test_suite", "cloudqa" ]
+    tags: [ "e2e_openshift_test_suite", "cloudqa", "static" ]
     depends_on:
       - name: build_operator_ubi
         variant: init_test_run
@@ -1394,7 +1394,7 @@ buildvariants:
   # Isolated Ops Manager Tests for 6.0 version
   - name: e2e_static_om60_kind_ubi
     display_name: e2e_static_om60_kind_ubi
-    tags: [ "e2e_test_suite" ]
+    tags: [ "e2e_test_suite", "static" ]
     run_on:
       - ubuntu2204-medium
     <<: *base_om6_dependency
@@ -1416,7 +1416,7 @@ buildvariants:
 
   - name: e2e_static_om70_kind_ubi
     display_name: e2e_static_om70_kind_ubi
-    tags: [ "e2e_test_suite" ]
+    tags: [ "e2e_test_suite", "static" ]
     run_on:
       - ubuntu2204-medium
     <<: *base_om7_dependency
@@ -1439,7 +1439,7 @@ buildvariants:
 
   - name: e2e_static_om80_kind_ubi
     display_name: e2e_static_om80_kind_ubi
-    tags: [ "e2e_test_suite" ]
+    tags: [ "e2e_test_suite", "static" ]
     run_on:
       - ubuntu2204-medium
     <<: *base_om8_dependency
@@ -1527,7 +1527,7 @@ buildvariants:
 
   - name: e2e_static_smoke_arm
     display_name: e2e_smoke_arm
-    tags: [ "e2e_test_suite", "e2e_smoke_release_test_suite" ]
+    tags: [ "e2e_test_suite", "e2e_smoke_release_test_suite", "static" ]
     run_on:
       - ubuntu2204-arm64-large
     allowed_requesters: [ "patch", "github_tag" ]
@@ -1537,7 +1537,7 @@ buildvariants:
 
   - name: e2e_static_smoke_ibm_z
     display_name: e2e_static_smoke_ibm_z
-    tags: [ "e2e_test_suite", "e2e_smoke_release_test_suite" ]
+    tags: [ "e2e_test_suite", "e2e_smoke_release_test_suite", "static" ]
     run_on:
       - rhel9-zseries-small
       - rhel9-zseries-large
@@ -1560,7 +1560,7 @@ buildvariants:
 
   - name: e2e_static_smoke_ibm_power
     display_name: e2e_static_smoke_ibm_power
-    tags: [ "e2e_test_suite", "e2e_smoke_release_test_suite" ]
+    tags: [ "e2e_test_suite", "e2e_smoke_release_test_suite", "static" ]
     run_on:
       - rhel9-power-small
       - rhel9-power-large
@@ -1583,7 +1583,7 @@ buildvariants:
 
   - name: e2e_static_smoke
     display_name: e2e_static_smoke
-    tags: [ "e2e_test_suite", "e2e_smoke_release_test_suite" ]
+    tags: [ "e2e_test_suite", "e2e_smoke_release_test_suite", "static" ]
     run_on:
       - ubuntu2204-large
     allowed_requesters: [ "patch", "github_tag" ]
@@ -1595,7 +1595,7 @@ buildvariants:
 
   - name: e2e_multi_cluster_kind
     display_name: e2e_multi_cluster_kind
-    tags: [ "e2e_test_suite", "cloudqa"]
+    tags: [ "e2e_test_suite", "cloudqa", "cloudqa_non_static"]
     run_on:
       - ubuntu2204-large
     <<: *base_om6_dependency
@@ -1604,7 +1604,7 @@ buildvariants:
 
   - name: e2e_static_multi_cluster_kind
     display_name: e2e_static_multi_cluster_kind
-    tags: [ "e2e_test_suite", "cloudqa"]
+    tags: [ "e2e_test_suite", "cloudqa", "static"]
     run_on:
       - ubuntu2204-large
     <<: *base_om6_dependency
@@ -1613,7 +1613,7 @@ buildvariants:
 
   - name: e2e_multi_cluster_2_clusters
     display_name: e2e_multi_cluster_2_clusters
-    tags: [ "e2e_test_suite", "cloudqa"]
+    tags: [ "e2e_test_suite", "cloudqa", "cloudqa_non_static"]
     run_on:
       - ubuntu2204-large
     <<: *base_om6_dependency
@@ -1622,7 +1622,7 @@ buildvariants:
 
   - name: e2e_static_multi_cluster_2_clusters
     display_name: e2e_static_multi_cluster_2_clusters
-    tags: [ "e2e_test_suite", "cloudqa"]
+    tags: [ "e2e_test_suite", "cloudqa", "static"]
     run_on:
       - ubuntu2204-large
     <<: *base_om6_dependency
@@ -1640,7 +1640,7 @@ buildvariants:
 
   - name: e2e_static_multi_cluster_om_appdb
     display_name: e2e_static_multi_cluster_om_appdb
-    tags: [ "e2e_test_suite" ]
+    tags: [ "e2e_test_suite", "static" ]
     run_on:
       - ubuntu2204-large
     <<: *base_om6_dependency
@@ -1660,7 +1660,7 @@ buildvariants:
 
   - name: e2e_operator_kind_ubi_cloudqa
     display_name: e2e_operator_kind_ubi_cloudqa
-    tags: [ "e2e_test_suite", "cloudqa" ]
+    tags: [ "e2e_test_suite", "cloudqa", "cloudqa_non_static" ]
     run_on:
       - ubuntu2204-large
     <<: *base_no_om_image_dependency
@@ -1669,7 +1669,7 @@ buildvariants:
 
   - name: e2e_static_operator_kind_ubi_cloudqa
     display_name: e2e_static_operator_kind_ubi_cloudqa
-    tags: [ "e2e_test_suite", "cloudqa" ]
+    tags: [ "e2e_test_suite", "cloudqa", "static" ]
     run_on:
       - ubuntu2204-large
     <<: *base_no_om_image_dependency
@@ -1678,7 +1678,7 @@ buildvariants:
 
   - name: e2e_operator_no_webhook_roles_cloudqa
     display_name: e2e_operator_no_webhook_roles_cloudqa
-    tags: [ "e2e_test_suite", "cloudqa" ]
+    tags: [ "e2e_test_suite", "cloudqa", "cloudqa_non_static" ]
     run_on:
       - ubuntu2204-large
     <<: *base_no_om_image_dependency
@@ -1712,7 +1712,7 @@ buildvariants:
 
   - name: e2e_static_kind_olm_ubi
     display_name: e2e_static_kind_olm_ubi
-    tags: [ "e2e_test_suite" ]
+    tags: [ "e2e_test_suite", "static" ]
     run_on:
       - ubuntu2204-large
     depends_on:

.github/workflows/preview_release_notes.yml

@@ -29,8 +29,10 @@ jobs:
         id: generate_release_notes
         run: python -m scripts.release.release_notes -s $INITIAL_COMMIT_SHA -v $INITIAL_VERSION -o release_notes_tmp.md
         env:
-          INITIAL_COMMIT_SHA: ${{ vars.RELEASE_INITIAL_COMMIT_SHA }}
-          INITIAL_VERSION: ${{ vars.RELEASE_INITIAL_VERSION }}
+          # We can not use environments set via GitHub UI because they will
+          # not be available in the pull requests running from forks.
+          INITIAL_COMMIT_SHA: 9ed5f98fc70c5b3442f633d2393265fb8a2aba0c
+          INITIAL_VERSION: 1.3.0
       - name: Add disclaimer to release notes preview
         run: |
           echo -e "_:warning: (this preview might not be accurate if the PR is not rebased on current master branch)_\n" > release_notes_preview.md

config/manager/manager.yaml

@@ -87,7 +87,7 @@ spec:
             - name: OPS_MANAGER_IMAGE_PULL_POLICY
               value: Always
             - name: AGENT_IMAGE
-              value: "quay.io/mongodb/mongodb-agent:108.0.2.8729-1"
+              value: "quay.io/mongodb/mongodb-agent:108.0.12.8846-1"
             - name: MDB_AGENT_IMAGE_REPOSITORY
               value: "quay.io/mongodb/mongodb-agent"
             - name: MONGODB_IMAGE

controllers/operator/authentication_test.go

@@ -91,7 +91,8 @@ func TestUpdateOmAuthentication_NoAuthenticationEnabled(t *testing.T) {
 
 	kubeClient, omConnectionFactory := mock.NewDefaultFakeClient(rs)
 	r := newReplicaSetReconciler(ctx, kubeClient, nil, "", "", false, false, omConnectionFactory.GetConnectionFunc)
-	r.updateOmAuthentication(ctx, conn, processNames, rs, "", "", "", false, zap.S())
+	agentCertSecretSelector := rs.GetSecurity().AgentClientCertificateSecretName(rs.Name)
+	r.updateOmAuthentication(ctx, conn, processNames, rs, agentCertSecretSelector, "", "", false, zap.S())
 
 	ac, _ := conn.ReadAutomationConfig()
 
@@ -112,7 +113,8 @@ func TestUpdateOmAuthentication_EnableX509_TlsNotEnabled(t *testing.T) {
 
 	kubeClient, omConnectionFactory := mock.NewDefaultFakeClient(rs)
 	r := newReplicaSetReconciler(ctx, kubeClient, nil, "", "", false, false, omConnectionFactory.GetConnectionFunc)
-	status, isMultiStageReconciliation := r.updateOmAuthentication(ctx, conn, []string{"my-rs-0", "my-rs-1", "my-rs-2"}, rs, "", "", "", false, zap.S())
+	agentCertSecretSelector := rs.GetSecurity().AgentClientCertificateSecretName(rs.Name)
+	status, isMultiStageReconciliation := r.updateOmAuthentication(ctx, conn, []string{"my-rs-0", "my-rs-1", "my-rs-2"}, rs, agentCertSecretSelector, "", "", false, zap.S())
 
 	assert.True(t, status.IsOK(), "configuring both options at once should not result in a failed status")
 	assert.True(t, isMultiStageReconciliation, "configuring both tls and x509 at once should result in a multi stage reconciliation")
@@ -124,7 +126,8 @@ func TestUpdateOmAuthentication_EnableX509_WithTlsAlreadyEnabled(t *testing.T) {
 	omConnectionFactory := om.NewCachedOMConnectionFactoryWithInitializedConnection(om.NewMockedOmConnection(deployment.CreateFromReplicaSet("fake-mongoDBImage", false, rs)))
 	kubeClient := mock.NewDefaultFakeClientWithOMConnectionFactory(omConnectionFactory, rs)
 	r := newReplicaSetReconciler(ctx, kubeClient, nil, "", "", false, false, omConnectionFactory.GetConnectionFunc)
-	status, isMultiStageReconciliation := r.updateOmAuthentication(ctx, omConnectionFactory.GetConnection(), []string{"my-rs-0", "my-rs-1", "my-rs-2"}, rs, "", "", "", false, zap.S())
+	agentCertSecretSelector := rs.GetSecurity().AgentClientCertificateSecretName(rs.Name)
+	status, isMultiStageReconciliation := r.updateOmAuthentication(ctx, omConnectionFactory.GetConnection(), []string{"my-rs-0", "my-rs-1", "my-rs-2"}, rs, agentCertSecretSelector, "", "", false, zap.S())
 
 	assert.True(t, status.IsOK(), "configuring x509 when tls has already been enabled should not result in a failed status")
 	assert.False(t, isMultiStageReconciliation, "if tls is already enabled, we should be able to configure x509 is a single reconciliation")
@@ -140,7 +143,8 @@ func TestUpdateOmAuthentication_AuthenticationIsNotConfigured_IfAuthIsNotSet(t *
 	kubeClient := mock.NewDefaultFakeClientWithOMConnectionFactory(omConnectionFactory, rs)
 	r := newReplicaSetReconciler(ctx, kubeClient, nil, "", "", false, false, omConnectionFactory.GetConnectionFunc)
 
-	status, _ := r.updateOmAuthentication(ctx, omConnectionFactory.GetConnection(), []string{"my-rs-0", "my-rs-1", "my-rs-2"}, rs, "", "", "", false, zap.S())
+	agentCertSecretSelector := rs.GetSecurity().AgentClientCertificateSecretName(rs.Name)
+	status, _ := r.updateOmAuthentication(ctx, omConnectionFactory.GetConnection(), []string{"my-rs-0", "my-rs-1", "my-rs-2"}, rs, agentCertSecretSelector, "", "", false, zap.S())
 	assert.True(t, status.IsOK(), "no authentication should have been configured")
 
 	ac, _ := omConnectionFactory.GetConnection().ReadAutomationConfig()
@@ -211,7 +215,8 @@ func TestUpdateOmAuthentication_EnableX509_FromEmptyDeployment(t *testing.T) {
 	r := newReplicaSetReconciler(ctx, kubeClient, nil, "", "", false, false, omConnectionFactory.GetConnectionFunc)
 	createAgentCSRs(t, ctx, 1, r.client, certsv1.CertificateApproved)
 
-	status, isMultiStageReconciliation := r.updateOmAuthentication(ctx, omConnectionFactory.GetConnection(), []string{"my-rs-0", "my-rs-1", "my-rs-2"}, rs, "", "", "", false, zap.S())
+	agentCertSecretSelector := rs.GetSecurity().AgentClientCertificateSecretName(rs.Name)
+	status, isMultiStageReconciliation := r.updateOmAuthentication(ctx, omConnectionFactory.GetConnection(), []string{"my-rs-0", "my-rs-1", "my-rs-2"}, rs, agentCertSecretSelector, "", "", false, zap.S())
 	assert.True(t, status.IsOK(), "configuring x509 and tls when there are no processes should not result in a failed status")
 	assert.False(t, isMultiStageReconciliation, "if we are enabling tls and x509 at once, this should be done in a single reconciliation")
 }

controllers/operator/common_controller.go

@@ -407,7 +407,7 @@ func getSubjectFromCertificate(cert string) (string, error) {
 // enables/disables authentication. If the authentication can't be fully configured, a boolean value indicating that
 // an additional reconciliation needs to be queued up to fully make the authentication changes is returned.
 // Note: updateOmAuthentication needs to be called before reconciling other auth related settings.
-func (r *ReconcileCommonController) updateOmAuthentication(ctx context.Context, conn om.Connection, processNames []string, ar authentication.AuthResource, agentCertSecretName string, caFilepath string, clusterFilePath string, isRecovering bool, log *zap.SugaredLogger) (status workflow.Status, multiStageReconciliation bool) {
+func (r *ReconcileCommonController) updateOmAuthentication(ctx context.Context, conn om.Connection, processNames []string, ar authentication.AuthResource, agentCertSecretSelector corev1.SecretKeySelector, caFilepath string, clusterFilePath string, isRecovering bool, log *zap.SugaredLogger) (status workflow.Status, multiStageReconciliation bool) {
 	// don't touch authentication settings if resource has not been configured with them
 	if ar.GetSecurity() == nil || ar.GetSecurity().Authentication == nil {
 		return workflow.OK(), false
@@ -480,17 +480,13 @@ func (r *ReconcileCommonController) updateOmAuthentication(ctx context.Context,
 
 	log.Debugf("Using authentication options %+v", authentication.Redact(authOpts))
 
-	agentSecretSelector := ar.GetSecurity().AgentClientCertificateSecretName(ar.GetName())
-	if agentCertSecretName != "" {
-		agentSecretSelector.Name = agentCertSecretName
-	}
 	wantToEnableAuthentication := ar.GetSecurity().Authentication.Enabled
 	if wantToEnableAuthentication && canConfigureAuthentication(ac, ar.GetSecurity().Authentication.GetModes(), log) {
 		log.Info("Configuring authentication for MongoDB resource")
 
 		if ar.GetSecurity().ShouldUseX509(ac.Auth.AutoAuthMechanism) || ar.GetSecurity().ShouldUseClientCertificates() {
 			agentSecret := &corev1.Secret{}
-			if err := r.client.Get(ctx, kube.ObjectKey(ar.GetNamespace(), agentSecretSelector.Name), agentSecret); client.IgnoreNotFound(err) != nil {
+			if err := r.client.Get(ctx, kube.ObjectKey(ar.GetNamespace(), agentCertSecretSelector.Name), agentSecret); client.IgnoreNotFound(err) != nil {
 				return workflow.Failed(err), false
 			}
 			// If the agent secret is of type TLS, we can find the certificate under the standard key,
@@ -500,10 +496,10 @@ func (r *ReconcileCommonController) updateOmAuthentication(ctx context.Context,
 			//
 			// Important: In multi cluster it is working with the TLS secret in the central cluster, hence below selector update.
 			if agentSecret.Type == corev1.SecretTypeTLS {
-				agentSecretSelector.Key = corev1.TLSCertKey
+				agentCertSecretSelector.Key = corev1.TLSCertKey
 			}
 
-			authOpts, err = r.configureAgentSubjects(ctx, ar.GetNamespace(), agentSecretSelector, authOpts, log)
+			authOpts, err = r.configureAgentSubjects(ctx, ar.GetNamespace(), agentCertSecretSelector, authOpts, log)
 			if err != nil {
 				return workflow.Failed(xerrors.Errorf("error configuring agent subjects: %w", err)), false
 			}
@@ -534,17 +530,17 @@ func (r *ReconcileCommonController) updateOmAuthentication(ctx context.Context,
 		return workflow.OK(), true
 	} else {
 		agentSecret := &corev1.Secret{}
-		if err := r.client.Get(ctx, kube.ObjectKey(ar.GetNamespace(), agentSecretSelector.Name), agentSecret); client.IgnoreNotFound(err) != nil {
+		if err := r.client.Get(ctx, kube.ObjectKey(ar.GetNamespace(), agentCertSecretSelector.Name), agentSecret); client.IgnoreNotFound(err) != nil {
 			return workflow.Failed(err), false
 		}
 
 		if agentSecret.Type == corev1.SecretTypeTLS {
-			agentSecretSelector.Name = fmt.Sprintf("%s%s", agentSecretSelector.Name, certs.OperatorGeneratedCertSuffix)
+			agentCertSecretSelector.Name = fmt.Sprintf("%s%s", agentCertSecretSelector.Name, certs.OperatorGeneratedCertSuffix)
 		}
 
 		// Should not fail if the Secret object with agent certs is not found.
 		// It will only exist on x509 client auth enabled deployments.
-		userOpts, err := r.readAgentSubjectsFromSecret(ctx, ar.GetNamespace(), agentSecretSelector, log)
+		userOpts, err := r.readAgentSubjectsFromSecret(ctx, ar.GetNamespace(), agentCertSecretSelector, log)
 		err = client.IgnoreNotFound(err)
 		if err != nil {
 			return workflow.Failed(err), true

controllers/operator/construct/database_construction.go

@@ -466,7 +466,7 @@ func buildDatabaseStatefulSetConfigurationFunction(mdb databaseStatefulSetSource
 		appLabelKey: opts.ServiceName,
 	}
 
-	annotationFunc := statefulset.WithAnnotations(defaultPodAnnotations(opts.CertificateHash))
+	annotationFunc := statefulset.WithAnnotations(defaultStatefulSetAnnotations(opts.CertificateHash))
 	podTemplateAnnotationFunc := podtemplatespec.NOOP()
 
 	annotationFunc = statefulset.Apply(
@@ -1057,11 +1057,8 @@ func DatabaseStartupProbe() probes.Modification {
 	)
 }
 
-func defaultPodAnnotations(certHash string) map[string]string {
+func defaultStatefulSetAnnotations(certHash string) map[string]string {
 	return map[string]string{
-		// This annotation is necessary to trigger a pod restart
-		// if the certificate secret is out of date. This happens if
-		// existing certificates have been replaced/rotated/renewed.
 		certs.CertHashAnnotationKey: certHash,
 	}
 }

controllers/operator/mongodbmultireplicaset_controller.go

@@ -758,9 +758,8 @@ func (r *ReconcileMongoDbMultiReplicaSet) updateOmDeploymentRs(ctx context.Conte
 
 	caFilePath := fmt.Sprintf("%s/ca-pem", util.TLSCaMountPath)
 
-	// We do not provide an agentCertSecretName on purpose because then we will default to the non pem secret on the central cluster.
-	// Below method has special code handling reading certificates from the central cluster in that case.
-	status, additionalReconciliationRequired := r.updateOmAuthentication(ctx, conn, rs.GetProcessNames(), &mrs, "", caFilePath, internalClusterPath, isRecovering, log)
+	agentCertSecretName := mrs.GetSecurity().AgentClientCertificateSecretName(mrs.GetName())
+	status, additionalReconciliationRequired := r.updateOmAuthentication(ctx, conn, rs.GetProcessNames(), &mrs, agentCertSecretName, caFilePath, internalClusterPath, isRecovering, log)
 	if !status.IsOK() && !isRecovering {
 		return xerrors.Errorf("failed to enable Authentication for MongoDB Multi Replicaset")
 	}