CLOUDP-314916: e2e OIDC multicluster tests #155
Merged
120 commits
f0b6a96
CRD changes
MaciejKaras d344589
Authorization package refactor - part 1
MaciejKaras 99479f1
Authorization package refactor - part 2
MaciejKaras 7c23143
Added validation logic + tests
MaciejKaras 8cba1c1
Add URL test validation
MaciejKaras 2528892
Fixed MDB Multi code
MaciejKaras 1eaf9ab
Merge branch 'feature/mk-authorization-refactor' into feature/mk-oidc…
MaciejKaras 6d27458
Propagating CRD values
MaciejKaras 81e6107
Moved OIDCProviderConfigs to Deployment.Auth where it belongs
MaciejKaras 024fa63
Fixed migrating to mongodb-kubernetes repository
MaciejKaras 7a53fd7
Fixed unit tests + CRD generation
MaciejKaras 97a5c99
Add unit tests
MaciejKaras 6dd4976
Temporal fix for AC
MaciejKaras 8b34222
Fix kubebuilder validation rules
MaciejKaras 1cbe97a
Fixes for util.ParseURL
MaciejKaras 0ce0874
Proper OIDC AC merging
MaciejKaras e4cfb11
Unit test fixes
MaciejKaras 1667045
Fixed issue with disabling OIDC
MaciejKaras e882a8c
Resolve review comments
MaciejKaras 8f5ff0a
Added getMechanismByName() func and removed global variables
MaciejKaras e533976
Review fixes
MaciejKaras 279886f
Merge branch 'master' into feature/mk-oidc-crd-validations
MaciejKaras a8306a7
Add one more validation test
MaciejKaras 866d6ae
Merge branch 'master' into feature/mk-authorization-refactor
MaciejKaras 09e4628
Merge branch 'feature/mk-oidc-crd-validations' into feature/mk-oidc-c…
MaciejKaras 23de25e
Merge branch 'feature/mk-authorization-refactor' into feature/mk-oidc…
MaciejKaras bcc1136
Fix bug
lucian-tosa 2c08662
Merge remote-tracking branch 'origin/master' into feature/mk-oidc-crd…
lucian-tosa 68750a4
Fix linter
lucian-tosa e7d3d06
Merge branch 'master' into feature/mk-oidc-crd-propagation
lucian-tosa 2b306f5
remove refs
anandsyncs e4743bf
add more validations
anandsyncs d6e6ce7
lint fix
anandsyncs fe5cdef
Merge branch 'master' into anandsingh/oidc-e2e-tests
anandsyncs db52705
lint fix
anandsyncs 2fb5a96
Merge remote-tracking branch 'origin/anandsingh/oidc-e2e-tests' into …
anandsyncs efacc00
make sure env vars are included
anandsyncs 715c627
Merge branch 'master' into anandsingh/oidc-e2e-tests
anandsyncs 764d3d5
Merge branch 'master' into feature/mk-oidc-crd-propagation
anandsyncs 21647a0
Merge branch 'feature/mk-oidc-crd-propagation' into anandsingh/oidc-e…
anandsyncs 63927a0
upgrade pymongo
anandsyncs bec3f6b
Merge remote-tracking branch 'origin/anandsingh/oidc-e2e-tests' into …
anandsyncs e6b16f4
lint fix
anandsyncs 1b82b29
env vars tracer
anandsyncs ce6eb85
Merge branch 'master' into anandsingh/oidc-e2e-tests
anandsyncs 9d2a304
env vars tracer
anandsyncs 0b86f84
Merge remote-tracking branch 'origin/anandsingh/oidc-e2e-tests' into …
anandsyncs cb7cd70
fix lint
anandsyncs 8da5102
env vars tracer
anandsyncs 890fb13
env vars tracer
anandsyncs 8b396d6
change version in the config
anandsyncs a5e357b
run separate e2e tests for different oidc flavors
anandsyncs b4db2e6
lint-fix
anandsyncs db45441
add sharded cluster tests to evergreen run
anandsyncs 1bce820
Merge branch 'master' into feature/mk-oidc-crd-propagation
anandsyncs f7ec0f1
implement the authentication_mechanism interface correctly for oidc
anandsyncs c1f54a5
lint-fix
anandsyncs f271051
Merge branch 'master' into feature/mk-oidc-crd-propagation
anandsyncs 390998c
Merge branch 'feature/mk-oidc-crd-propagation' into anandsingh/oidc-e…
anandsyncs 3eed7fa
Merge branch 'master' into anandsingh/oidc-e2e-tests
anandsyncs bca4aa2
fix duplicate issuer uri problem
anandsyncs 8dc9bd5
Merge remote-tracking branch 'origin/anandsingh/oidc-e2e-tests' into …
anandsyncs 6ec6905
Merge branch 'anandsingh/oidc-e2e-tests' into anandsingh/e2e-oidc-mul…
anandsyncs 92078b7
multi cluster test
anandsyncs cd30227
fix lint
anandsyncs 17c4933
run same tests for single cluster and multicluster
anandsyncs d5f406a
cleanup
anandsyncs cfa628e
resolve conflicts
anandsyncs 4593b6f
Merge branch 'feature/mk-oidc-crd-propagation' into anandsingh/oidc-e…
anandsyncs e6ed367
update external auth validation
anandsyncs 8d8bcdc
Merge branch 'feature/mk-oidc-crd-propagation' into anandsingh/oidc-e…
anandsyncs 2d8da2a
remove sharded cluster workforce test
anandsyncs 6ffe3f4
fix clean up error
anandsyncs 1190494
Merge branch 'anandsingh/oidc-e2e-tests' of github.com:mongodb/mongod…
anandsyncs a9a2985
Merge branch 'anandsingh/oidc-e2e-tests' into anandsingh/e2e-oidc-mul…
anandsyncs 727979c
remove sharded cluster workforce test
anandsyncs 8dbc7ae
Merge branch 'anandsingh/oidc-e2e-tests' into anandsingh/e2e-oidc-mul…
anandsyncs 47da976
clean up tests
anandsyncs 0d8fd6e
Webhook validation tests
lucian-tosa 0f1b385
assert cluster running state before asserting automation config
anandsyncs 158b6de
multi-cluster tracer
anandsyncs 0deca63
fix typo
anandsyncs 37efc12
add service names
anandsyncs c91e652
add test for multi cluster user
anandsyncs a892769
fix typo
anandsyncs 789f21b
Merge branch 'master' into anandsingh/e2e-oidc-multicluster
anandsyncs 356010d
Merge branch 'anandsingh/oidc-e2e-tests' into anandsingh/e2e-oidc-mul…
anandsyncs ac13987
Merge remote-tracking branch 'origin/anandsingh/e2e-oidc-multicluster…
anandsyncs 2d621b3
Merge branch 'feature/mk-oidc-crd-propagation' into anandsingh/oidc-e…
anandsyncs 39c6702
Merge branch 'master' into anandsingh/oidc-e2e-tests
anandsyncs eab5a79
Merge branch 'anandsingh/oidc-e2e-tests' into anandsingh/e2e-oidc-mul…
anandsyncs 5ab81c7
lint fix
anandsyncs 2e2b6c6
Merge remote-tracking branch 'origin/anandsingh/e2e-oidc-multicluster…
anandsyncs 86f0be0
lint fix
anandsyncs 582b95f
Merge branch 'master' into anandsingh/e2e-oidc-multicluster
anandsyncs 19f161b
Merge branch 'master' into feature/mk-oidc-crd-propagation
anandsyncs ca75756
change oidc multi user name
anandsyncs 26e24a0
remove default value for GroupsClaim
anandsyncs 7257b4e
remove default value for GroupsClaim
anandsyncs ed2748d
Merge branch 'feature/mk-oidc-crd-propagation' into anandsingh/oidc-e…
anandsyncs 1be8af8
Merge branch 'master' into anandsingh/oidc-e2e-tests
anandsyncs ca42f0b
Merge branch 'anandsingh/oidc-e2e-tests' into anandsingh/e2e-oidc-mul…
anandsyncs 30bb749
remove default value for GroupsClaim from tests
anandsyncs 5df3e5c
Merge branch 'master' into feature/mk-oidc-crd-propagation
anandsyncs 9d56078
fix test
anandsyncs 0b03de4
Merge branch 'feature/mk-oidc-crd-propagation' into anandsingh/oidc-e…
anandsyncs 00adfc7
remove incorrect field
anandsyncs 95c58de
Merge remote-tracking branch 'origin/anandsingh/oidc-e2e-tests' into …
anandsyncs c4246d8
Merge branch 'anandsingh/oidc-e2e-tests' into anandsingh/e2e-oidc-mul…
anandsyncs a29f737
add explanation for manual aws setup
anandsyncs 09409f1
lint fix
anandsyncs 965f50d
Merge branch 'anandsingh/oidc-e2e-tests' into anandsingh/e2e-oidc-mul…
anandsyncs feedaba
resolve merge conflicts
anandsyncs e2d5eeb
remove extraneous change
anandsyncs cceeb15
pre-commit
MaciejKaras 5388b70
Merge branch 'master' into anandsingh/e2e-oidc-multicluster
MaciejKaras 66cdb82
Apply suggestions from Copilot
MaciejKaras 44db089
Merge branch 'master' into anandsingh/e2e-oidc-multicluster
anandsyncs de2ad6a
add comment for skip multicluster
anandsyncs 2104dc3
lint fix
anandsyncs
44 changes: 44 additions & 0 deletions
...er/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/mongodb-multi-m2m-group.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
--- | ||
apiVersion: mongodb.com/v1 | ||
kind: MongoDBMultiCluster | ||
metadata: | ||
name: oidc-multi-replica-set | ||
spec: | ||
version: 7.0.5-ent | ||
type: ReplicaSet | ||
duplicateServiceObjects: false | ||
credentials: my-credentials | ||
opsManager: | ||
configMapRef: | ||
name: my-project | ||
clusterSpecList: | ||
- clusterName: kind-e2e-cluster-1 | ||
members: 1 | ||
- clusterName: kind-e2e-cluster-2 | ||
members: 1 | ||
- clusterName: kind-e2e-cluster-3 | ||
members: 2 | ||
security: | ||
authentication: | ||
agents: | ||
mode: SCRAM | ||
enabled: true | ||
modes: | ||
- SCRAM | ||
- OIDC | ||
oidcProviderConfigs: | ||
- audience: "<filled-in-test>" | ||
clientId: "<filled-in-test>" | ||
issuerURI: "<filled-in-test>" | ||
requestedScopes: [ ] | ||
userClaim: "sub" | ||
groupsClaim: "cognito:groups" | ||
authorizationMethod: "WorkloadIdentityFederation" | ||
authorizationType: "GroupMembership" | ||
configurationName: "OIDC-test" | ||
roles: | ||
- role: "OIDC-test/test" | ||
db: "admin" | ||
roles: | ||
- role: "readWriteAnyDatabase" | ||
db: "admin" |
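Review bot: The role name `OIDC-test/test` in the first `roles:` entry appears to be built from `configurationName: "OIDC-test"` plus a group called `test` delivered in the `cognito:groups` claim, but nothing in the fixture says so. Please add a YAML comment stating how the role name is derived and which identity-provider group the test expects, so that a later rename of `configurationName` or `groupsClaim` does not silently leave the group without a matching role.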
37 changes: 37 additions & 0 deletions
docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/mongodb-multi-m2m-user.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
--- | ||
apiVersion: mongodb.com/v1 | ||
kind: MongoDBMultiCluster | ||
metadata: | ||
name: oidc-multi-replica-set | ||
spec: | ||
version: 7.0.5-ent | ||
type: ReplicaSet | ||
duplicateServiceObjects: false | ||
credentials: my-credentials | ||
opsManager: | ||
configMapRef: | ||
name: my-project | ||
clusterSpecList: | ||
- clusterName: kind-e2e-cluster-1 | ||
members: 1 | ||
- clusterName: kind-e2e-cluster-2 | ||
members: 1 | ||
- clusterName: kind-e2e-cluster-3 | ||
members: 2 | ||
security: | ||
authentication: | ||
agents: | ||
mode: SCRAM | ||
enabled: true | ||
modes: | ||
- SCRAM | ||
- OIDC | ||
oidcProviderConfigs: | ||
- audience: "<filled-in-test>" | ||
clientId: "<filled-in-test>" | ||
issuerURI: "<filled-in-test>" | ||
requestedScopes: [ ] | ||
userClaim: "sub" | ||
authorizationMethod: "WorkloadIdentityFederation" | ||
authorizationType: "UserID" | ||
configurationName: "OIDC-test-user" |
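Review bot: `configurationName: "OIDC-test-user"` is repeated as a string literal in the `oidc_user` fixture of multi_cluster_oidc_m2m_user.py (`f"OIDC-test-user/{...}"`), so with `authorizationType: "UserID"` the test only passes while the two copies stay identical. Consider reading the prefix from the loaded resource, or at least add a comment here pointing at the dependency. Everything above `userClaim` is a copy of mongodb-multi-m2m-group.yaml; a shared base fixture would keep the two files from drifting apart.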
13 changes: 13 additions & 0 deletions
docker/mongodb-kubernetes-tests/tests/multicluster/fixtures/oidc/oidc-user-multi.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
--- | ||
apiVersion: mongodb.com/v1 | ||
kind: MongoDBUser | ||
metadata: | ||
name: oidc-user-1 | ||
spec: | ||
username: "<filled-in-test>" | ||
db: "$external" | ||
mongodbResourceRef: | ||
name: oidc-multi-replica-set | ||
roles: | ||
- db: "admin" | ||
name: "readWriteAnyDatabase" |
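Review bot: `mongodbResourceRef.name: oidc-multi-replica-set` is set here and then overwritten with `MDB_RESOURCE` in the `oidc_user` fixture, so one of the two is redundant. Keep the value in one place, or use the `<filled-in-test>` placeholder as `username` does. `readWriteAnyDatabase` on `admin` is also a broad grant for a user whose only visible use is `assert_oidc_authentication()`; a comment on why that role is needed would help the next reader.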
58 changes: 58 additions & 0 deletions
docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_oidc_m2m_group.py
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
import kubernetes | ||
import kubetester.oidc as oidc | ||
import pytest | ||
from kubetester import try_load | ||
from kubetester.automation_config_tester import AutomationConfigTester | ||
from kubetester.kubetester import KubernetesTester, ensure_ent_version | ||
from kubetester.kubetester import fixture as yaml_fixture | ||
from kubetester.mongodb import MongoDB, Phase | ||
from kubetester.mongodb_multi import MongoDBMulti, MultiClusterClient | ||
from kubetester.mongotester import ReplicaSetTester | ||
from kubetester.operator import Operator | ||
from pytest import fixture | ||
|
||
MDB_RESOURCE = "oidc-multi-replica-set" | ||
|
||
|
||
@fixture(scope="module") | ||
def mongodb_multi( | ||
central_cluster_client: kubernetes.client.ApiClient, | ||
namespace: str, | ||
member_cluster_names, | ||
custom_mdb_version: str, | ||
) -> MongoDBMulti: | ||
resource = MongoDBMulti.from_yaml(yaml_fixture("oidc/mongodb-multi-m2m-group.yaml"), MDB_RESOURCE, namespace) | ||
if try_load(resource): | ||
return resource | ||
|
||
oidc_provider_configs = resource.get_oidc_provider_configs() | ||
|
||
oidc_provider_configs[0]["clientId"] = oidc.get_cognito_workload_client_id() | ||
oidc_provider_configs[0]["audience"] = oidc.get_cognito_workload_client_id() | ||
oidc_provider_configs[0]["issuerURI"] = oidc.get_cognito_workload_url() | ||
|
||
resource.set_oidc_provider_configs(oidc_provider_configs) | ||
|
||
resource.api = kubernetes.client.CustomObjectsApi(central_cluster_client) | ||
|
||
return resource.update() | ||
|
||
|
||
@pytest.mark.e2e_multi_cluster_oidc_m2m_group | ||
class TestOIDCMultiCluster(KubernetesTester): | ||
def test_deploy_operator(self, multi_cluster_operator: Operator): | ||
multi_cluster_operator.assert_is_running() | ||
|
||
def test_create_oidc_replica_set(self, mongodb_multi: MongoDBMulti): | ||
mongodb_multi.assert_reaches_phase(Phase.Running, timeout=800) | ||
|
||
def test_assert_connectivity(self, mongodb_multi: MongoDBMulti): | ||
tester = mongodb_multi.tester() | ||
tester.assert_oidc_authentication() | ||
|
||
def test_ops_manager_state_updated_correctly(self, mongodb_multi: MongoDBMulti): | ||
tester = mongodb_multi.get_automation_config_tester() | ||
tester.assert_authentication_mechanism_enabled("MONGODB-OIDC", active_auth_mechanism=False) | ||
tester.assert_authentication_enabled(2) | ||
tester.assert_expected_users(0) | ||
tester.assert_authoritative_set(True) |
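Review bot: In the `mongodb_multi` fixture, `member_cluster_names` and `custom_mdb_version` are accepted but never used in the body, so the resource is created with the `version: 7.0.5-ent` and the three `kind-e2e-cluster-*` names hard-coded in the YAML regardless of what the run requests. Either apply them to `resource` before `resource.update()` or drop them from the signature. `AutomationConfigTester`, `ensure_ent_version`, `MongoDB`, `MultiClusterClient` and `ReplicaSetTester` are imported and not referenced anywhere in this file.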
72 changes: 72 additions & 0 deletions
docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_oidc_m2m_user.py
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
import kubernetes | ||
import kubetester.oidc as oidc | ||
import pytest | ||
from kubetester import try_load | ||
from kubetester.automation_config_tester import AutomationConfigTester | ||
from kubetester.kubetester import KubernetesTester, ensure_ent_version | ||
from kubetester.kubetester import fixture as yaml_fixture | ||
from kubetester.mongodb import MongoDB, Phase | ||
from kubetester.mongodb_multi import MongoDBMulti | ||
from kubetester.mongodb_user import MongoDBUser | ||
from kubetester.mongotester import ReplicaSetTester | ||
from kubetester.operator import Operator | ||
from pytest import fixture | ||
|
||
MDB_RESOURCE = "oidc-multi-replica-set" | ||
|
||
|
||
@fixture(scope="module") | ||
def mongodb_multi( | ||
central_cluster_client: kubernetes.client.ApiClient, | ||
namespace: str, | ||
member_cluster_names, | ||
custom_mdb_version: str, | ||
) -> MongoDBMulti: | ||
resource = MongoDBMulti.from_yaml(yaml_fixture("oidc/mongodb-multi-m2m-user.yaml"), MDB_RESOURCE, namespace) | ||
if try_load(resource): | ||
return resource | ||
|
||
oidc_provider_configs = resource.get_oidc_provider_configs() | ||
|
||
oidc_provider_configs[0]["clientId"] = oidc.get_cognito_workload_client_id() | ||
oidc_provider_configs[0]["audience"] = oidc.get_cognito_workload_client_id() | ||
oidc_provider_configs[0]["issuerURI"] = oidc.get_cognito_workload_url() | ||
|
||
resource.set_oidc_provider_configs(oidc_provider_configs) | ||
|
||
resource.api = kubernetes.client.CustomObjectsApi(central_cluster_client) | ||
|
||
return resource.update() | ||
|
||
|
||
@fixture(scope="module") | ||
def oidc_user(namespace) -> MongoDBUser: | ||
resource = MongoDBUser.from_yaml(yaml_fixture("oidc/oidc-user-multi.yaml"), namespace=namespace) | ||
|
||
resource["spec"]["username"] = f"OIDC-test-user/{oidc.get_cognito_workload_user_id()}" | ||
resource["spec"]["mongodbResourceRef"]["name"] = MDB_RESOURCE | ||
|
||
return resource.update() | ||
|
||
|
||
@pytest.mark.e2e_multi_cluster_oidc_m2m_user | ||
class TestOIDCMultiCluster(KubernetesTester): | ||
def test_deploy_operator(self, multi_cluster_operator: Operator): | ||
multi_cluster_operator.assert_is_running() | ||
|
||
def test_create_oidc_replica_set(self, mongodb_multi: MongoDBMulti): | ||
mongodb_multi.assert_reaches_phase(Phase.Running, timeout=800) | ||
|
||
def test_create_user(self, oidc_user: MongoDBUser): | ||
oidc_user.assert_reaches_phase(Phase.Updated, timeout=800) | ||
|
||
def test_assert_connectivity(self, mongodb_multi: MongoDBMulti): | ||
tester = mongodb_multi.tester() | ||
tester.assert_oidc_authentication() | ||
|
||
def test_ops_manager_state_updated_correctly(self, mongodb_multi: MongoDBMulti): | ||
tester = mongodb_multi.get_automation_config_tester() | ||
tester.assert_authentication_mechanism_enabled("MONGODB-OIDC", active_auth_mechanism=False) | ||
tester.assert_authentication_enabled(2) | ||
tester.assert_expected_users(1) | ||
tester.assert_authoritative_set(True) |
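Review bot: `TestOIDCMultiCluster` only asserts the success path: `test_assert_connectivity` calls `tester.assert_oidc_authentication()` and no step checks that authentication is refused when it should be. Since `test_create_user` is what grants access under `authorizationType: "UserID"`, an added step asserting that the same identity is rejected while the `MongoDBUser` does not exist would show that the user mapping is actually enforced. `test_assert_connectivity` also depends on test order instead of requesting the `oidc_user` fixture, and the `mongodb_multi` fixture has unused `member_cluster_names` and `custom_mdb_version` parameters, with `AutomationConfigTester`, `ensure_ent_version`, `MongoDB` and `ReplicaSetTester` imported but unused.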