Merge branch 'master' into feature/mk-oidc-crd-propagation

Author: anandsyncs

.github/dependabot.yml

@@ -5,14 +5,27 @@ updates:
  schedule:
  interval: weekly
  day: monday
+ groups:
+ go-deps:
+ applies-to: "version-updates"
+ patterns:
+ - "*"
  ignore:
  - dependency-name: k8s.io/api
  - dependency-name: k8s.io/apimachinery
  - dependency-name: k8s.io/client-go
  - dependency-name: k8s.io/code-generator
  - dependency-name: sigs.k8s.io/controller-runtime
+
  - package-ecosystem: pip
  directory: "/"
  schedule:
  interval: weekly
  day: monday
+ groups:
+ pip-deps:
+ applies-to: "version-updates"
+ patterns:
+ - "*"
+ ignore:
+ - dependency-name: kubernetes

api/v1/mdb/mongodb_validation.go

@@ -113,6 +113,7 @@ func oidcAuthValidators(db DbCommonSpec) []func(DbCommonSpec) v1.ValidationResul
 
 authentication := db.Security.Authentication
 validators = append(validators, oidcAuthModeValidator(authentication))
+validators = append(validators, oidcAuthRequiresEnterprise)
 
 providerConfigs := authentication.OIDCProviderConfigs
 if len(providerConfigs) == 0 {
@@ -122,6 +123,7 @@ func oidcAuthValidators(db DbCommonSpec) []func(DbCommonSpec) v1.ValidationResul
 validators = append(validators,
 oidcProviderConfigsUniqueNameValidation(providerConfigs),
 oidcProviderConfigsSingleWorkforceIdentityFederationValidation(providerConfigs),
+oidcProviderConfigUniqueIssuerURIValidation(providerConfigs),
 )
 
 for _, config := range providerConfigs {
@@ -130,13 +132,58 @@ func oidcAuthValidators(db DbCommonSpec) []func(DbCommonSpec) v1.ValidationResul
 oidcProviderConfigClientIdValidator(config),
 oidcProviderConfigRequestedScopesValidator(config),
 oidcProviderConfigAuthorizationTypeValidator(config),
-oidcAuthRequiresEnterprise,
 )
 }
 
 return validators
 }
 
+// oidcProviderConfigUniqueIssuerURIValidation is based on the documentation here:
+// https://www.mongodb.com/docs/manual/reference/parameters/#oidcidentityproviders-fields
+func oidcProviderConfigUniqueIssuerURIValidation(configs []OIDCProviderConfig) func(DbCommonSpec) v1.ValidationResult {
+return func(d DbCommonSpec) v1.ValidationResult {
+if len(configs) == 0 {
+return v1.ValidationSuccess()
+}
+
+// Check if version supports duplicate issuers (7.0, 7.3, or 8.0+)
+versionParts := strings.Split(strings.TrimSuffix(d.Version, "-ent"), ".")
+supportsMultipleIssuers := false
+if len(versionParts) >= 2 {
+major := versionParts[0]
+minor := versionParts[1]
+if major == "8" || (major == "7" && (minor == "0" || minor == "3")) {
+supportsMultipleIssuers = true
+}
+}
+
+if supportsMultipleIssuers {
+// Track issuer+audience combinations
+issuerAudienceCombos := make(map[string]string)
+for _, config := range configs {
+comboKey := config.IssuerURI + ":" + config.Audience
+if previousConfig, exists := issuerAudienceCombos[comboKey]; exists {
+return v1.ValidationWarning("OIDC provider configs %q and %q have duplicate IssuerURI and Audience combination",
+previousConfig, config.ConfigurationName)
+}
+issuerAudienceCombos[comboKey] = config.ConfigurationName
+}
+} else {
+// For older versions, require unique issuers
+uris := make(map[string]string)
+for _, config := range configs {
+if previousConfig, exists := uris[config.IssuerURI]; exists {
+return v1.ValidationError("OIDC provider configs %q and %q have duplicate IssuerURI: %s",
+previousConfig, config.ConfigurationName, config.IssuerURI)
+}
+uris[config.IssuerURI] = config.ConfigurationName
+}
+}
+
+return v1.ValidationSuccess()
+}
+}
+
 func oidcAuthModeValidator(authentication *Authentication) func(DbCommonSpec) v1.ValidationResult {
 return func(spec DbCommonSpec) v1.ValidationResult {
 // OIDC cannot be used for agent authentication so other auth mode has to enabled as well

api/v1/mdb/mongodb_validation_test.go

@@ -497,3 +497,131 @@ func TestOIDCAuthValidation(t *testing.T) {
 })
 }
 }
+
+func TestOIDCProviderConfigUniqueIssuerURIValidation(t *testing.T) {
+tests := []struct {
+name string
+mongoVersion string
+configs []OIDCProviderConfig
+expectedResult v1.ValidationResult
+}{
+{
+name: "MongoDB 6.0 with duplicate issuer URIs - error",
+mongoVersion: "6.0.0",
+configs: []OIDCProviderConfig{
+{
+ConfigurationName: "config1",
+IssuerURI: "https://provider.com",
+Audience: "audience1",
+},
+{
+ConfigurationName: "config2",
+IssuerURI: "https://provider.com",
+Audience: "audience2",
+},
+},
+expectedResult: v1.ValidationError("OIDC provider configs %q and %q have duplicate IssuerURI: %s",
+"config1", "config2", "https://provider.com"),
+},
+{
+name: "MongoDB 7.0 with unique issuer+audience combinations",
+mongoVersion: "7.0.0",
+configs: []OIDCProviderConfig{
+{
+ConfigurationName: "config1",
+IssuerURI: "https://provider.com",
+Audience: "audience1",
+},
+{
+ConfigurationName: "config2",
+IssuerURI: "https://provider.com",
+Audience: "audience2",
+},
+},
+expectedResult: v1.ValidationSuccess(),
+},
+{
+name: "MongoDB 7.0 with duplicate issuer+audience combinations - warning",
+mongoVersion: "7.0.0",
+configs: []OIDCProviderConfig{
+{
+ConfigurationName: "config1",
+IssuerURI: "https://provider.com",
+Audience: "audience1",
+},
+{
+ConfigurationName: "config2",
+IssuerURI: "https://provider.com",
+Audience: "audience1",
+},
+},
+expectedResult: v1.ValidationWarning("OIDC provider configs %q and %q have duplicate IssuerURI and Audience combination",
+"config1", "config2"),
+},
+{
+name: "MongoDB 7.3 with unique issuer+audience combinations",
+mongoVersion: "7.3.0",
+configs: []OIDCProviderConfig{
+{
+ConfigurationName: "config1",
+IssuerURI: "https://provider.com",
+Audience: "audience1",
+},
+{
+ConfigurationName: "config2",
+IssuerURI: "https://provider.com",
+Audience: "audience2",
+},
+},
+expectedResult: v1.ValidationSuccess(),
+},
+{
+name: "MongoDB 8.0 with unique issuer+audience combinations",
+mongoVersion: "8.0.0",
+configs: []OIDCProviderConfig{
+{
+ConfigurationName: "config1",
+IssuerURI: "https://provider.com",
+Audience: "audience1",
+},
+{
+ConfigurationName: "config2",
+IssuerURI: "https://provider.com",
+Audience: "audience2",
+},
+},
+expectedResult: v1.ValidationSuccess(),
+},
+{
+name: "MongoDB enterprise version with -ent suffix",
+mongoVersion: "7.0.0-ent",
+configs: []OIDCProviderConfig{
+{
+ConfigurationName: "config1",
+IssuerURI: "https://provider.com",
+Audience: "audience1",
+},
+{
+ConfigurationName: "config2",
+IssuerURI: "https://provider.com",
+Audience: "audience2",
+},
+},
+expectedResult: v1.ValidationSuccess(),
+},
+}
+
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+validationFunc := oidcProviderConfigUniqueIssuerURIValidation(tt.configs)
+
+dbSpec := DbCommonSpec{
+Version: tt.mongoVersion,
+}
+
+result := validationFunc(dbSpec)
+
+assert.Equal(t, tt.expectedResult, result)
+})
+}
+}

docker/mongodb-kubernetes-tests/kubetester/certs.py

@@ -804,16 +804,16 @@ def create_x509_agent_tls_certs(issuer: str, namespace: str, name: str, secret_b
 
 def approve_certificate(name: str) -> None:
  """Approves the CertificateSigningRequest with the provided name"""
- body = client.CertificatesV1beta1Api().read_certificate_signing_request_status(name)
- conditions = client.V1beta1CertificateSigningRequestCondition(
+ body = client.CertificatesV1Api().read_certificate_signing_request_status(name)
+ conditions = client.V1CertificateSigningRequestCondition(
  last_update_time=datetime.now(timezone.utc).astimezone(),
  message="This certificate was approved by E2E testing framework",
  reason="E2ETestingFramework",
  type="Approved",
  )
 
  body.status.conditions = [conditions]
- client.CertificatesV1beta1Api().replace_certificate_signing_request_approval(name, body)
+ client.CertificatesV1Api().replace_certificate_signing_request_approval(name, body)
 
 
 def create_x509_user_cert(issuer: str, namespace: str, path: str):
@@ -876,7 +876,7 @@ def yield_existing_csrs(csr_names: List[str], timeout: int = 300) -> Generator[s
  while len(csr_names) > 0 and time.time() < stop_time:
  csr = random.choice(csr_names)
  try:
- client.CertificatesV1beta1Api().read_certificate_signing_request_status(csr)
+ client.CertificatesV1Api().read_certificate_signing_request_status(csr)
  except ApiException:
  time.sleep(3)
  continue

docker/mongodb-kubernetes-tests/kubetester/crypto.py

@@ -50,7 +50,7 @@ def generate_csr(namespace: str, host: str, servicename: str):
 
 
 def get_pem_certificate(name: str) -> Optional[str]:
- body = client.CertificatesV1beta1Api().read_certificate_signing_request_status(name)
+ body = client.CertificatesV1Api().read_certificate_signing_request_status(name)
  if body.status.certificate is None:
  return None
  return base64.b64decode(body.status.certificate)

docker/mongodb-kubernetes-tests/kubetester/kubetester.py

@@ -325,7 +325,7 @@ def clients(name, api_client: Optional[client.ApiClient] = None):
  "appsv1": client.AppsV1Api(api_client=api_client),
  "storagev1": client.StorageV1Api(api_client=api_client),
  "customv1": client.CustomObjectsApi(api_client=api_client),
- "certificates": client.CertificatesV1beta1Api(api_client=api_client),
+ "certificates": client.CertificatesV1Api(api_client=api_client),
  "namespace": KubernetesTester.get_namespace(),
  }[name]
 
@@ -807,7 +807,7 @@ def setup_method(self):
  self.client = client
  self.corev1 = client.CoreV1Api()
  self.appsv1 = client.AppsV1Api()
- self.certificates = client.CertificatesV1beta1Api()
+ self.certificates = client.CertificatesV1Api()
  self.customv1 = client.CustomObjectsApi()
  self.namespace = KubernetesTester.get_namespace()
  self.name = None
@@ -1224,19 +1224,19 @@ def generate_certfile(
  if namespace is None:
  namespace = self.namespace
 
- csr_body = client.V1beta1CertificateSigningRequest(
+ csr_body = client.V1CertificateSigningRequest(
  metadata=client.V1ObjectMeta(name=csr_name, namespace=namespace),
- spec=client.V1beta1CertificateSigningRequestSpec(
+ spec=client.V1CertificateSigningRequestSpec(
  groups=["system:authenticated"],
  usages=["digital signature", "key encipherment", "client auth"],
  request=encoded_request,
  ),
  )
 
- client.CertificatesV1beta1Api().create_certificate_signing_request(csr_body)
+ client.CertificatesV1Api().create_certificate_signing_request(csr_body)
  self.approve_certificate(csr_name)
  wait_for_certs_to_be_issued([csr_name])
- csr = client.CertificatesV1beta1Api().read_certificate_signing_request(csr_name)
+ csr = client.CertificatesV1Api().read_certificate_signing_request(csr_name)
  certificate = b64decode(csr.status.certificate)
 
  tmp = tempfile.NamedTemporaryFile()
@@ -1383,7 +1383,7 @@ def get_csr_sans(csr_name: str) -> List[str]:
  Return all of the subject alternative names for a given Kubernetes
  certificate signing request.
  """
- csr = client.CertificatesV1beta1Api().read_certificate_signing_request_status(csr_name)
+ csr = client.CertificatesV1Api().read_certificate_signing_request_status(csr_name)
  base64_csr_request = csr.spec.request
  csr_pem_string = b64decode(base64_csr_request)
  csr = x509.load_pem_x509_csr(csr_pem_string, default_backend())