CLOUDP-382956: fix: use spec.db as authSource in MongoDBUser connection string secret

[filipcirtog]

Summary

The authSource parameter in the connection string secret generated for a MongoDBUser was always set to admin, regardless of which database the user was created in. This meant that users created in non-admin databases could not authenticate using the generated connection string.

Proof of Work

The spec.db field of the MongoDBUser is now passed as authSource when building the connection string, overriding the default admin. The override is only applied when an authMechanism is also present, so connection strings for resources without authentication configured are not affected.

Checklist

• Have you linked a jira ticket and/or is the ticket in the title?
• Have you checked whether your jira ticket required DOCSP changes?
• Have you added changelog file?
  • use skip-changelog label if not needed
  • refer to Changelog files and Release Notes section in CONTRIBUTING.md for more details

[github-actions]

⚠️ (this preview might not be accurate if the PR is not rebased on current master branch)

MCK 1.7.1 Release Notes

Bug Fixes

• MongoDBOpsManager: Correctly handle the edge case where -admin-key was created by user and malformed. Previously the error was only presented in DEBUG log entry.
• MongoDBOpsManager: Improved readiness probe error handling and appDB agent status logging
• MongoDBUser: Correctly set authSource in the generated connection string secret to reflect spec.db instead of hardcoding it to admin.

Other Changes

• Container images: Merged the init-database and init-appdb init container images into a single init-database image. The init-appdb image will no longer be published and does not affect existing deployments.
  • The following Helm chart values have been removed: initAppDb.name, initAppDb.version, and registry.initAppDb. Use initDatabase.name, initDatabase.version, and registry.initDatabase instead.
  • The following environment variables have been removed: INIT_APPDB_IMAGE_REPOSITORY and INIT_APPDB_VERSION. Use INIT_DATABASE_IMAGE_REPOSITORY and INIT_DATABASE_VERSION instead.
• Helm Chart: Removed operator.baseName Helm value. This value was never intended to be consumed by operator users and was never documented. The value controls the prefix for workload RBAC resource names (mongodb-kubernetes default), but changing it could break the operator and workloads because the operator is not aware of custom prefixes. With this change, the Helm chart will no longer allow customisation and the relevant resources will be deployed with predefined names (ServiceAccount with names mongodb-kubernetes-appdb, mongodb-kubernetes-database-pods, mongodb-kubernetes-ops-manager, Role with name mongodb-kubernetes-appdb and RoleBinding with name mongodb-kubernetes-appdb).

[Copilot]

Pull request overview

This PR ensures the MongoDBUser-generated connection string secret sets authSource based on the user’s spec.db (rather than being implicitly admin), and adds coverage for both admin and non-admin database users.

Changes:

• Pass the MongoDBUser spec.db through connection string generation so authSource matches the user’s database.
• Extend e2e connectivity tests (replica set + sharded cluster) to validate authSource in generated secrets, including a non-admin DB user.
• Add a unit test to assert authSource is set from spec.db in the connection string secret.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
docker/mongodb-kubernetes-tests/tests/authentication/sharded_cluster_scram_sha_256_connectivity.py	Adds assertions for authSource in user secret connection strings; adds non-admin DB user coverage.
docker/mongodb-kubernetes-tests/tests/authentication/replica_set_scram_sha_256_connectivity.py	Adds non-admin DB user creation + secret assertions; updates expected user counts accordingly.
docker/mongodb-kubernetes-tests/tests/authentication/fixtures/scram-sha-user-non-admin-db.yaml	New MongoDBUser fixture for a user in a non-admin database.
controllers/operator/mongodbuser_controller_test.go	Adds unit test verifying authSource follows MongoDBUser spec.db.
controllers/operator/mongodbuser_controller.go	Uses user spec.db when building connection strings for the connection string secret.
controllers/operator/mongodbopsmanager_controller.go	Updates BuildConnectionString interface usage to new signature (passes empty authSource).
controllers/operator/connectionstring/connectionstring.go	Extends ConnectionStringBuilder interface signature to include authSource.
api/v1/mdbmulti/mongodb_multi_types.go	Extends BuildConnectionString signature and applies authSource override.
api/v1/mdb/mongodb_types.go	Extends BuildConnectionString signature and applies authSource override.
api/v1/mdb/mongodb_types_test.go	Updates tests for the new BuildConnectionString signature.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The new authSource cleanup uses the derived authSource/authMechanism (from authSourceAndMechanism) rather than the final merged query params. If a caller provides authMechanism via connection params (e.g., non-SCRAM mechanisms) along with authSource, this code will still delete authSource, leaving an inconsistent URI. Consider basing the deletion on the merged connectionParams["authMechanism"] (or removing this block) so caller-supplied mechanisms behave correctly.

Suggested change

	if authSource == "" || authMechanism == "" {
	mergedAuthMechanism, hasAuthMechanism := connectionParams["authMechanism"]
	if !hasAuthMechanism || mergedAuthMechanism == "" {

[fealebenpae]

In practice I don't think we ever set authMechanism via the connectionParams map currently, but that might change in the future, so I suppose it doesn't hurt to check the map after merging, instead of relying on just the result of authSourceAndMechanism.

[Copilot]

This test ignores the error returned by client.Create(...). If the replica set object fails to create, the test could proceed and fail later in a less clear way. Please assert require.NoError(t, client.Create(...)) (or similar) here for clearer failures.

[fealebenpae]

Looks good so far! I second Copilot's comment about resolving authMechanism from the merged connectionParams map.

I would like to see an assertion in the e2e test that validates we can actually connect and authenticate with the connection string generated in the secret.

[fealebenpae]

In practice I don't think we ever set authMechanism via the connectionParams map currently, but that might change in the future, so I suppose it doesn't hurt to check the map after merging, instead of relying on just the result of authSourceAndMechanism.