CLOUDP-303965 - remove legacy min version check (#4145)

# Summary

- We did not account for `AlwaysMatchVersion` minVersionDetection for
setting auth
- Instead of fixing this, we can fully remove the code, as we don't
support <=MDB5 anymore:
https://www.mongodb.com/legal/support-policy/lifecycles

## Proof of Work

- passing ci suite

## Checklist
- [x] Have you linked a jira ticket and/or is the ticket in the title?
- [x] Have you checked whether your jira ticket required DOCSP changes?
- [x] Have you checked for release_note changes?

Author: nammn

RELEASE_NOTES.md

@@ -14,6 +14,7 @@
 * Fixes the bug when status of `MongoDBUser` was being set to `Updated` prematurely. For example, new users were not immediately usable following `MongoDBUser` creation despite the operator reporting `Updated` state.
 * Fixed a bug causing cluster health check issues when ordering of users and tokens differed in Kubeconfig.
 * Fixed a bug when deploying a Multi-Cluster sharded resource with an external access configuration could result in pods not being able to reach each others.
+* Fixed a bug when setting `spec.fcv = AlwaysMatchVersion` and `agentAuth` to be `SCRAM` causes the operator to set the auth value to be `SCRAM-SHA-1` instead of `SCRAM-SHA-256`.
 
 # MongoDB Enterprise Kubernetes Operator 1.31.0
 

api/v1/mdb/mongodb_types.go

@@ -140,10 +140,6 @@ func (m *MongoDB) GetPrometheus() *mdbcv1.Prometheus {
 	return m.Spec.Prometheus
 }
 
-func (m *MongoDB) GetMinimumMajorVersion() uint64 {
-	return m.Spec.MinimumMajorVersion()
-}
-
 func (m *MongoDB) GetBackupSpec() *Backup {
 	return m.Spec.Backup
 }

api/v1/mdbmulti/mongodb_multi_types.go

@@ -118,10 +118,6 @@ func (m *MongoDBMultiCluster) GetPrometheus() *mdbc.Prometheus {
 	return m.Spec.Prometheus
 }
 
-func (m *MongoDBMultiCluster) GetMinimumMajorVersion() uint64 {
-	return m.Spec.MinimumMajorVersion()
-}
-
 func (m *MongoDBMultiCluster) IsLDAPEnabled() bool {
 	if m.Spec.Security == nil || m.Spec.Security.Authentication == nil {
 		return false

controllers/operator/authentication/authentication.go

@@ -21,14 +21,11 @@ type AuthResource interface {
 	GetSecurity() *mdbv1.Security
 	IsLDAPEnabled() bool
 	GetLDAP(password, caContents string) *ldap.Ldap
-	GetMinimumMajorVersion() uint64
 }
 
 // Options contains all the required values that are required to configure authentication
 // for a set of processes
 type Options struct {
-	// MinimumMajorVersion is required in order to determine if we will be enabling SCRAM-SHA-1 or SCRAM-SHA-256
-	MinimumMajorVersion uint64
 	// Mechanisms is a list of strings coming from MongoDB.Spec.Security.Authentication.Modes, these strings
 	// are mapped to the corresponding mechanisms in the Automation Config
 	Mechanisms []string
@@ -84,7 +81,7 @@ type UserOptions struct {
 // Configure will configure all the specified authentication Mechanisms. We need to ensure we wait for
 // the agents to reach ready state after each operation as prematurely updating the automation config can cause the agents to get stuck.
 func Configure(conn om.Connection, opts Options, isRecovering bool, log *zap.SugaredLogger) error {
-	log.Infow("ensuring correct deployment mechanisms", "MinimumMajorVersion", opts.MinimumMajorVersion, "ProcessNames", opts.ProcessNames, "Mechanisms", opts.Mechanisms)
+	log.Infow("ensuring correct deployment mechanisms", "ProcessNames", opts.ProcessNames, "Mechanisms", opts.Mechanisms)
 
 	// In case we're recovering, we can push all changes at once, because the mechanism is triggered after 20min by default.
 	// Otherwise, we might unnecessarily enter this waiting loop 7 times, and waste >10 min
@@ -257,7 +254,7 @@ func Disable(conn om.Connection, opts Options, deleteUsers bool, log *zap.Sugare
 	return nil
 }
 
-func getMechanismName(mongodbResourceMode string, ac *om.AutomationConfig, minimumMajorVersion uint64) MechanismName {
+func getMechanismName(mongodbResourceMode string, ac *om.AutomationConfig) MechanismName {
 	switch mongodbResourceMode {
 	case util.X509:
 		return MongoDBX509
@@ -278,12 +275,7 @@ func getMechanismName(mongodbResourceMode string, ac *om.AutomationConfig, minim
 		if ac.Auth.AutoAuthMechanism == string(MongoDBCR) && ac.Auth.IsEnabled() {
 			return MongoDBCR
 		}
-
-		if minimumMajorVersion < 4 {
-			return MongoDBCR
-		} else {
-			return ScramSha256
-		}
+		return ScramSha256
 	}
 	// this should never be reached as validation of this string happens at the CR level
 	panic(fmt.Sprintf("unknown mechanism name %s", mongodbResourceMode))
@@ -316,7 +308,7 @@ func removeUnusedAuthenticationMechanisms(conn om.Connection, opts Options, log
 		return xerrors.Errorf("error reading automation config: %w", err)
 	}
 
-	automationConfigAuthMechanismNames := getMechanismNames(ac, opts.MinimumMajorVersion, opts.Mechanisms)
+	automationConfigAuthMechanismNames := getMechanismNames(ac, opts.Mechanisms)
 
 	unrequiredMechanisms := mechanismsToDisable(automationConfigAuthMechanismNames)
 
@@ -344,7 +336,7 @@ func enableAgentAuthentication(conn om.Connection, opts Options, log *zap.Sugare
 	}
 
 	// we then configure the agent authentication for that type
-	agentAuthMechanism := getMechanismName(opts.AgentMechanism, ac, opts.MinimumMajorVersion)
+	agentAuthMechanism := getMechanismName(opts.AgentMechanism, ac)
 	if err := ensureAgentAuthenticationIsConfigured(conn, opts, ac, agentAuthMechanism, log); err != nil {
 		return xerrors.Errorf("error ensuring agent authentication is configured: %w", err)
 	}
@@ -381,7 +373,7 @@ func ensureDeploymentsMechanismsExist(conn om.Connection, opts Options, log *zap
 
 	// "opts.Mechanisms" is the list of mechanism names passed through from the MongoDB resource.
 	// We need to convert this to the list of strings the automation config expects.
-	automationConfigMechanismNames := getMechanismNames(ac, opts.MinimumMajorVersion, opts.Mechanisms)
+	automationConfigMechanismNames := getMechanismNames(ac, opts.Mechanisms)
 
 	log.Debugf("Automation config authentication mechanisms: %+v", automationConfigMechanismNames)
 	if err := ensureDeploymentMechanisms(conn, ac, automationConfigMechanismNames, opts, log); err != nil {
@@ -401,7 +393,7 @@ func removeUnrequiredDeploymentMechanisms(conn om.Connection, opts Options, log
 
 	// "opts.Mechanisms" is the list of mechanism names passed through from the MongoDB resource.
 	// We need to convert this to the list of strings the automation config expects.
-	automationConfigAuthMechanismNames := getMechanismNames(ac, opts.MinimumMajorVersion, opts.Mechanisms)
+	automationConfigAuthMechanismNames := getMechanismNames(ac, opts.Mechanisms)
 
 	toDisable := mechanismsToDisable(automationConfigAuthMechanismNames)
 	log.Infow("Removing unrequired deployment authentication mechanisms", "Mechanisms", toDisable)
@@ -420,7 +412,7 @@ func addOrRemoveAgentClientCertificate(conn om.Connection, opts Options, log *za
 	// If x509 is not enabled but still Client Certificates are, this automation config update
 	// will add the required configuration.
 	return conn.ReadUpdateAutomationConfig(func(ac *om.AutomationConfig) error {
-		if getMechanismName(opts.AgentMechanism, ac, opts.MinimumMajorVersion) == MongoDBX509 {
+		if getMechanismName(opts.AgentMechanism, ac) == MongoDBX509 {
 			// If TLS client authentication is managed by x509, we won't disable or enable it
 			// in here.
 			return nil
@@ -442,10 +434,10 @@ func addOrRemoveAgentClientCertificate(conn om.Connection, opts Options, log *za
 	}, log)
 }
 
-func getMechanismNames(ac *om.AutomationConfig, minimumMajorVersion uint64, mechanisms []string) []MechanismName {
+func getMechanismNames(ac *om.AutomationConfig, mechanisms []string) []MechanismName {
 	automationConfigMechanismNames := make([]MechanismName, 0)
 	for _, m := range mechanisms {
-		automationConfigMechanismNames = append(automationConfigMechanismNames, getMechanismName(m, ac, minimumMajorVersion))
+		automationConfigMechanismNames = append(automationConfigMechanismNames, getMechanismName(m, ac))
 	}
 	return automationConfigMechanismNames
 }

controllers/operator/authentication/configure_authentication_test.go

@@ -15,41 +15,15 @@ func init() {
 	zap.ReplaceGlobals(logger)
 }
 
-func TestConfigureScramSha1FallbackToCr(t *testing.T) {
-	dep := om.NewDeployment()
-	conn := om.NewMockedOmConnection(dep)
-
-	opts := Options{
-		MinimumMajorVersion: 3,
-		AuthoritativeSet:    true,
-		ProcessNames:        []string{"process-1", "process-2", "process-3"},
-		Mechanisms:          []string{"SCRAM"},
-		AgentMechanism:      "SCRAM",
-	}
-
-	if err := Configure(conn, opts, false, zap.S()); err != nil {
-		t.Fatal(err)
-	}
-
-	ac, err := conn.ReadAutomationConfig()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assertAuthenticationEnabled(t, ac.Auth)
-	assertAuthenticationMechanism(t, ac.Auth, "MONGODB-CR")
-}
-
 func TestConfigureScramSha256(t *testing.T) {
 	dep := om.NewDeployment()
 	conn := om.NewMockedOmConnection(dep)
 
 	opts := Options{
-		MinimumMajorVersion: 4,
-		AuthoritativeSet:    true,
-		ProcessNames:        []string{"process-1", "process-2", "process-3"},
-		Mechanisms:          []string{"SCRAM"},
-		AgentMechanism:      "SCRAM",
+		AuthoritativeSet: true,
+		ProcessNames:     []string{"process-1", "process-2", "process-3"},
+		Mechanisms:       []string{"SCRAM"},
+		AgentMechanism:   "SCRAM",
 	}
 
 	if err := Configure(conn, opts, false, zap.S()); err != nil {
@@ -70,12 +44,11 @@ func TestConfigureX509(t *testing.T) {
 	conn := om.NewMockedOmConnection(dep)
 
 	opts := Options{
-		MinimumMajorVersion: 4,
-		AuthoritativeSet:    true,
-		ProcessNames:        []string{"process-1", "process-2", "process-3"},
-		Mechanisms:          []string{"X509"},
-		AgentMechanism:      "X509",
-		ClientCertificates:  util.RequireClientCertificates,
+		AuthoritativeSet:   true,
+		ProcessNames:       []string{"process-1", "process-2", "process-3"},
+		Mechanisms:         []string{"X509"},
+		AgentMechanism:     "X509",
+		ClientCertificates: util.RequireClientCertificates,
 		UserOptions: UserOptions{
 			AutomationSubject: validSubject("automation"),
 		},
@@ -99,11 +72,10 @@ func TestConfigureScramSha1(t *testing.T) {
 	conn := om.NewMockedOmConnection(dep)
 
 	opts := Options{
-		MinimumMajorVersion: 4,
-		AuthoritativeSet:    true,
-		ProcessNames:        []string{"process-1", "process-2", "process-3"},
-		Mechanisms:          []string{"SCRAM-SHA-1"},
-		AgentMechanism:      "SCRAM-SHA-1",
+		AuthoritativeSet: true,
+		ProcessNames:     []string{"process-1", "process-2", "process-3"},
+		Mechanisms:       []string{"SCRAM-SHA-1"},
+		AgentMechanism:   "SCRAM-SHA-1",
 	}
 
 	if err := Configure(conn, opts, false, zap.S()); err != nil {
@@ -122,11 +94,10 @@ func TestConfigureMultipleAuthenticationMechanisms(t *testing.T) {
 	conn := om.NewMockedOmConnection(dep)
 
 	opts := Options{
-		MinimumMajorVersion: 4,
-		AuthoritativeSet:    true,
-		ProcessNames:        []string{"process-1", "process-2", "process-3"},
-		Mechanisms:          []string{"X509", "SCRAM"},
-		AgentMechanism:      "SCRAM",
+		AuthoritativeSet: true,
+		ProcessNames:     []string{"process-1", "process-2", "process-3"},
+		Mechanisms:       []string{"X509", "SCRAM"},
+		AgentMechanism:   "SCRAM",
 		UserOptions: UserOptions{
 			AutomationSubject: validSubject("automation"),
 		},
@@ -151,90 +122,6 @@ func TestConfigureMultipleAuthenticationMechanisms(t *testing.T) {
 	assert.Contains(t, ac.Auth.DeploymentAuthMechanisms, "MONGODB-X509")
 }
 
-func TestScramSha1MongoDBUpgrade(t *testing.T) {
-	dep := om.NewDeployment()
-	conn := om.NewMockedOmConnection(dep)
-
-	opts := Options{
-		MinimumMajorVersion: 3,
-		AuthoritativeSet:    true,
-		ProcessNames:        []string{"process-1", "process-2", "process-3"},
-		Mechanisms:          []string{"SCRAM"},
-		AgentMechanism:      "SCRAM",
-	}
-
-	if err := Configure(conn, opts, false, zap.S()); err != nil {
-		t.Fatal(err)
-	}
-
-	ac, err := conn.ReadAutomationConfig()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assertAuthenticationEnabled(t, ac.Auth)
-	assertAuthenticationMechanism(t, ac.Auth, "MONGODB-CR")
-
-	opts = Options{
-		MinimumMajorVersion: 4,
-		AuthoritativeSet:    true,
-		ProcessNames:        []string{"process-1", "process-2", "process-3"},
-		Mechanisms:          []string{"SCRAM"},
-		AgentMechanism:      "SCRAM",
-	}
-
-	if err := Configure(conn, opts, false, zap.S()); err != nil {
-		t.Fatal(err)
-	}
-
-	ac, err = conn.ReadAutomationConfig()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assertAuthenticationEnabled(t, ac.Auth)
-	assertAuthenticationMechanism(t, ac.Auth, "MONGODB-CR")
-}
-
-func TestConfigureAndDisable(t *testing.T) {
-	dep := om.NewDeployment()
-	conn := om.NewMockedOmConnection(dep)
-
-	opts := Options{
-		MinimumMajorVersion: 3,
-		AuthoritativeSet:    true,
-		ProcessNames:        []string{"process-1", "process-2", "process-3"},
-		Mechanisms:          []string{"SCRAM"},
-		AgentMechanism:      "SCRAM",
-		UserOptions: UserOptions{
-			AutomationSubject: validSubject("automation"),
-		},
-	}
-
-	if err := Configure(conn, opts, false, zap.S()); err != nil {
-		t.Fatal(err)
-	}
-
-	ac, err := conn.ReadAutomationConfig()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assertAuthenticationEnabled(t, ac.Auth)
-	assertAuthenticationMechanism(t, ac.Auth, "MONGODB-CR")
-
-	if err := Disable(conn, opts, true, zap.S()); err != nil {
-		t.Fatal(err)
-	}
-
-	ac, err = conn.ReadAutomationConfig()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assertAuthenticationDisabled(t, ac.Auth)
-}
-
 func TestDisableAuthentication(t *testing.T) {
 	dep := om.NewDeployment()
 	conn := om.NewMockedOmConnection(dep)
@@ -261,17 +148,12 @@ func TestGetCorrectAuthMechanismFromVersion(t *testing.T) {
 	conn := om.NewMockedOmConnection(om.NewDeployment())
 	ac, _ := conn.ReadAutomationConfig()
 
-	mechanismNames := getMechanismNames(ac, 3, []string{"X509"})
+	mechanismNames := getMechanismNames(ac, []string{"X509"})
 
 	assert.Len(t, mechanismNames, 1)
 	assert.Contains(t, mechanismNames, MechanismName("MONGODB-X509"))
 
-	mechanismNames = getMechanismNames(ac, 3, []string{"SCRAM", "X509"})
-
-	assert.Contains(t, mechanismNames, MechanismName("MONGODB-CR"))
-	assert.Contains(t, mechanismNames, MechanismName("MONGODB-X509"))
-
-	mechanismNames = getMechanismNames(ac, 4, []string{"SCRAM", "X509"})
+	mechanismNames = getMechanismNames(ac, []string{"SCRAM", "X509"})
 
 	assert.Contains(t, mechanismNames, MechanismName("SCRAM-SHA-256"))
 	assert.Contains(t, mechanismNames, MechanismName("MONGODB-X509"))
@@ -280,7 +162,7 @@ func TestGetCorrectAuthMechanismFromVersion(t *testing.T) {
 	ac.Auth.AutoAuthMechanism = "MONGODB-CR"
 	ac.Auth.Enable()
 
-	mechanismNames = getMechanismNames(ac, 4, []string{"SCRAM", "X509"})
+	mechanismNames = getMechanismNames(ac, []string{"SCRAM", "X509"})
 
 	assert.Contains(t, mechanismNames, MechanismName("MONGODB-CR"))
 	assert.Contains(t, mechanismNames, MechanismName("MONGODB-X509"))

controllers/operator/common_controller.go

@@ -503,15 +503,14 @@ func (r *ReconcileCommonController) updateOmAuthentication(ctx context.Context,
 	}
 
 	authOpts := authentication.Options{
-		MinimumMajorVersion: ar.GetMinimumMajorVersion(),
-		Mechanisms:          mdbv1.ConvertAuthModesToStrings(ar.GetSecurity().Authentication.Modes),
-		ProcessNames:        processNames,
-		AuthoritativeSet:    !ar.GetSecurity().Authentication.IgnoreUnknownUsers,
-		AgentMechanism:      ar.GetSecurity().GetAgentMechanism(ac.Auth.AutoAuthMechanism),
-		ClientCertificates:  clientCerts,
-		AutoUser:            scramAgentUserName,
-		AutoLdapGroupDN:     ar.GetSecurity().Authentication.Agents.AutomationLdapGroupDN,
-		CAFilePath:          caFilepath,
+		Mechanisms:         mdbv1.ConvertAuthModesToStrings(ar.GetSecurity().Authentication.Modes),
+		ProcessNames:       processNames,
+		AuthoritativeSet:   !ar.GetSecurity().Authentication.IgnoreUnknownUsers,
+		AgentMechanism:     ar.GetSecurity().GetAgentMechanism(ac.Auth.AutoAuthMechanism),
+		ClientCertificates: clientCerts,
+		AutoUser:           scramAgentUserName,
+		AutoLdapGroupDN:    ar.GetSecurity().Authentication.Agents.AutomationLdapGroupDN,
+		CAFilePath:         caFilepath,
 	}
 	var databaseSecretPath string
 	if r.VaultClient != nil {