CLOUDP-66799: Added Types + Password Generation for tests (#111)

Author: chatton

deploy/crds/mongodb.com_v1_mongodb_scram_cr.yaml

@@ -10,3 +10,13 @@ spec:
     authentication:
       enabled: true
       modes: ["SCRAM"]
+  users:
+    - name: my-user
+      db: admin
+      passwordSecretRef:
+        name: my-user-password
+      roles:
+        - name: clusterAdmin
+          db: admin
+        - name: userAdminAnyDatabase
+          db: admin

pkg/apis/mongodb/v1/mongodb_types.go

@@ -40,6 +40,43 @@ type MongoDBSpec struct {
 	// Security configures security features, such as TLS, and authentication settings for a deployment
 	// +optional
 	Security Security `json:"security"`
+
+	// Users specifies the MongoDB users that should be configured in your deployment
+	// +required
+	Users []MongoDBUser `json:"users"`
+}
+
+type MongoDBUser struct {
+	// Name is the username of the user
+	Name string `json:"name"`
+
+	// DB is the database the user is stored in. Defaults to "admin"
+	// +optional
+	DB string `json:"db"`
+
+	// PasswordSecretRef is a reference to the secret containing this user's password
+	PasswordSecretRef SecretKeyReference `json:"passwordSecretRef"`
+
+	// Roles is an array of roles assigned to this user
+	Roles []Role `json:"roles"`
+}
+
+// SecretKeyReference is a reference to the secret containing the user's password
+type SecretKeyReference struct {
+	// Name is the name of the secret storing this user's password
+	Name string `json:"name"`
+
+	// Key is the key in the secret storing this password. Defaults to "password"
+	// +optional
+	Key string `json:"key"`
+}
+
+// Role is the database role this user should have
+type Role struct {
+	// DB is the database the role can act on
+	DB string `json:"db"`
+	// Name is the name of the role
+	Name string `json:"name"`
 }
 
 type Security struct {
@@ -125,6 +162,17 @@ func (m MongoDB) MongoURI() string {
 	return fmt.Sprintf("mongodb://%s", strings.Join(members, ","))
 }
 
+// TODO: this is a temporary function which will be used in the e2e tests
+// which will be removed in the following PR to clean up our mongo client testing
+func (m MongoDB) SCRAMMongoURI(username, password string) string {
+	members := make([]string, m.Spec.Members)
+	clusterDomain := "svc.cluster.local" // TODO: make this configurable
+	for i := 0; i < m.Spec.Members; i++ {
+		members[i] = fmt.Sprintf("%s-%d.%s.%s.%s:%d", m.Name, i, m.ServiceName(), m.Namespace, clusterDomain, 27017)
+	}
+	return fmt.Sprintf("mongodb://%s:%s@%s/?authMechanism=SCRAM-SHA-256", username, password, strings.Join(members, ","))
+}
+
 // ServiceName returns the name of the Service that should be created for
 // this resource
 func (m MongoDB) ServiceName() string {

pkg/authentication/scram/scram.go

@@ -33,7 +33,7 @@ func EnsureAgentSecret(getUpdateCreator secret.GetUpdateCreator, secretNsName ty
 				SetField(AgentPasswordKey, generatedPassword).
 				SetField(AgentKeyfileKey, generatedContents).
 				Build()
-			return automationConfigModification(generatedPassword, generatedContents), getUpdateCreator.CreateSecret(s)
+			return automationConfigModification(generatedPassword, generatedContents, []automationconfig.MongoDBUser{}), getUpdateCreator.CreateSecret(s)
 		}
 
 		return automationconfig.NOOP(), err
@@ -50,5 +50,6 @@ func EnsureAgentSecret(getUpdateCreator secret.GetUpdateCreator, secretNsName ty
 	return automationConfigModification(
 		string(agentSecret.Data[AgentPasswordKey]),
 		string(agentSecret.Data[AgentKeyfileKey]),
+		[]automationconfig.MongoDBUser{},
 	), getUpdateCreator.UpdateSecret(agentSecret)
 }

pkg/authentication/scram/scram_enabler.go

@@ -14,14 +14,14 @@ const (
 	AgentKeyfileKey                       = "keyfile"
 )
 
-func automationConfigModification(agentPassword, agentKeyFile string) automationconfig.Modification {
+func automationConfigModification(agentPassword, agentKeyFile string, users []automationconfig.MongoDBUser) automationconfig.Modification {
 	return func(config *automationconfig.AutomationConfig) {
-		enableAgentAuthentication(&config.Auth, agentPassword, agentKeyFile)
+		enableAgentAuthentication(&config.Auth, agentPassword, agentKeyFile, users)
 		enableDeploymentMechanisms(&config.Auth)
 	}
 }
 
-func enableAgentAuthentication(auth *automationconfig.Auth, agentPassword, agentKeyFileContents string) {
+func enableAgentAuthentication(auth *automationconfig.Auth, agentPassword, agentKeyFileContents string, users []automationconfig.MongoDBUser) {
 	auth.Disabled = false
 	auth.AuthoritativeSet = true
 	auth.KeyFile = automationAgentKeyFilePathInContainer
@@ -42,6 +42,9 @@ func enableAgentAuthentication(auth *automationconfig.Auth, agentPassword, agent
 	// the contents the keyfile should have, this file is owned and managed
 	// by the agent
 	auth.Key = agentKeyFileContents
+
+	// assign all the users that should be added to the deployment
+	auth.Users = users
 }
 
 func enableDeploymentMechanisms(auth *automationconfig.Auth) {

pkg/authentication/scram/scram_enabler_test.go

@@ -8,7 +8,7 @@ import (
 )
 
 func TestScramAutomationConfig(t *testing.T) {
-	modificationFunc := automationConfigModification("password", "keyfilecontents")
+	modificationFunc := automationConfigModification("password", "keyfilecontents", []automationconfig.MongoDBUser{})
 	config := automationconfig.AutomationConfig{}
 
 	t.Run("Authentication is correctly configured", func(t *testing.T) {

pkg/automationconfig/automation_config.go

@@ -1,6 +1,10 @@
 package automationconfig
 
-import "path"
+import (
+	"path"
+
+	"github.com/mongodb/mongodb-kubernetes-operator/pkg/authentication/scramcredentials"
+)
 
 const (
 	Mongod                ProcessType = "mongod"
@@ -9,17 +13,21 @@ const (
 )
 
 type AutomationConfig struct {
-	Version     int          `json:"version"`
-	Processes   []Process    `json:"processes"`
-	ReplicaSets []ReplicaSet `json:"replicaSets"`
-	Auth        Auth         `json:"auth"`
-	TLS         TLS          `json:"tls"`
-
+	Version      int                    `json:"version"`
+	Processes    []Process              `json:"processes"`
+	ReplicaSets  []ReplicaSet           `json:"replicaSets"`
+	Auth         Auth                   `json:"auth"`
+	TLS          TLS                    `json:"tls"`
 	Versions     []MongoDbVersionConfig `json:"mongoDbVersions"`
 	ToolsVersion ToolsVersion           `json:"mongoDbToolsVersion"`
 	Options      Options                `json:"options"`
 }
 
+type Role struct {
+	Role     string `json:"role"`
+	Database string `json:"db"`
+}
+
 type Process struct {
 	Name                        string      `json:"name"`
 	HostName                    string      `json:"hostname"`
@@ -170,6 +178,18 @@ type Auth struct {
 	AutoPwd string `json:"autoPwd,omitempty"`
 }
 
+type MongoDBUser struct {
+	Mechanisms                 []string `json:"mechanisms"`
+	Roles                      []Role   `json:"roles"`
+	Username                   string   `json:"user"`
+	Database                   string   `json:"db"`
+	AuthenticationRestrictions []string `json:"authenticationRestrictions"`
+
+	// ScramShaCreds are generated by the operator.
+	ScramSha256Creds *scramcredentials.ScramCreds `json:"scramSha256Creds"`
+	ScramSha1Creds   *scramcredentials.ScramCreds `json:"scramSha1Creds"`
+}
+
 func disabledAuth() Auth {
 	return Auth{
 		Users:                    make([]MongoDBUser, 0),
@@ -180,9 +200,6 @@ func disabledAuth() Auth {
 	}
 }
 
-type MongoDBUser struct {
-}
-
 type ClientCertificateMode string
 
 const (

pkg/kube/secret/secret.go

@@ -98,3 +98,14 @@ func CreateOrUpdate(getUpdateCreator GetUpdateCreator, secret corev1.Secret) err
 	}
 	return getUpdateCreator.UpdateSecret(newSecret)
 }
+
+// HasAllKeys returns true if the provided secret contains an element for every
+// key provided. False if a single element is absent
+func HasAllKeys(secret corev1.Secret, keys ...string) bool {
+	for _, key := range keys {
+		if _, ok := secret.Data[key]; !ok {
+			return false
+		}
+	}
+	return true
+}

test/e2e/e2eutil.go

@@ -112,8 +112,8 @@ func waitForRuntimeObjectToExist(name string, retryInterval, timeout time.Durati
 	})
 }
 
-func NewTestMongoDB(name string) mdbv1.MongoDB {
-	return mdbv1.MongoDB{
+func NewTestMongoDB(name string) (mdbv1.MongoDB, mdbv1.MongoDBUser) {
+	mdb := mdbv1.MongoDB{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: f.Global.OperatorNamespace,
@@ -123,8 +123,44 @@ func NewTestMongoDB(name string) mdbv1.MongoDB {
 			Type:                        "ReplicaSet",
 			Version:                     "4.0.6",
 			FeatureCompatibilityVersion: "4.0",
+			Security: mdbv1.Security{
+				Authentication: mdbv1.Authentication{
+					Modes: []mdbv1.AuthMode{"SCRAM"},
+				},
+			},
+			Users: []mdbv1.MongoDBUser{
+				{
+					Name: fmt.Sprintf("%s-user", name),
+					DB:   "admin",
+					PasswordSecretRef: mdbv1.SecretKeyReference{
+						Key:  fmt.Sprintf("%s-password", name),
+						Name: fmt.Sprintf("%s-password-secret", name),
+					},
+					Roles: []mdbv1.Role{
+						// roles on testing db for general connectivity
+						{
+							DB:   "testing",
+							Name: "readWrite",
+						},
+						{
+							DB:   "testing",
+							Name: "clusterAdmin",
+						},
+						// admin roles for reading FCV
+						{
+							DB:   "admin",
+							Name: "readWrite",
+						},
+						{
+							DB:   "admin",
+							Name: "clusterAdmin",
+						},
+					},
+				},
+			},
 		},
 	}
+	return mdb, mdb.Spec.Users[0]
 }
 
 func NewTestTLSConfig(optional bool) mdbv1.TLS {

test/e2e/feature_compatibility_version/feature_compatibility_version_test.go

@@ -22,7 +22,13 @@ func TestFeatureCompatibilityVersion(t *testing.T) {
 		defer ctx.Cleanup()
 	}
 
-	mdb := e2eutil.NewTestMongoDB("mdb0")
+	mdb, user := e2eutil.NewTestMongoDB("mdb0")
+
+	_, err := setup.GeneratePasswordForUser(user, ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	t.Run("Create MongoDB Resource", mongodbtests.CreateMongoDBResource(&mdb, ctx))
 	t.Run("Basic tests", mongodbtests.BasicFunctionality(&mdb))
 

test/e2e/feature_compatibility_version_upgrade/feature_compatibility_version_upgrade_test.go

@@ -24,7 +24,13 @@ func TestFeatureCompatibilityVersionUpgrade(t *testing.T) {
 		defer ctx.Cleanup()
 	}
 
-	mdb := e2eutil.NewTestMongoDB("mdb0")
+	mdb, user := e2eutil.NewTestMongoDB("mdb0")
+
+	_, err := setup.GeneratePasswordForUser(user, ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	t.Run("Create MongoDB Resource", mongodbtests.CreateMongoDBResource(&mdb, ctx))
 	t.Run("Basic tests", mongodbtests.BasicFunctionality(&mdb))