Merge branch 'master' into e2e-tests-on-published-chart

# Conflicts:
#	docker/mongodb-kubernetes-tests/kubetester/helm.py
#	docker/mongodb-kubernetes-tests/kubetester/operator.py
#	docker/mongodb-kubernetes-tests/tests/conftest.py

Author: MaciejKaras

.evergreen-functions.yml

@@ -49,6 +49,7 @@ variables:
       - READINESS_PROBE_VERSION
       - VERSION_UPGRADE_HOOK_VERSION
       - BUILD_SCENARIO
+      - MDB_BASH_DEBUG
 
 functions:
 
@@ -523,6 +524,8 @@ functions:
   download_multi_cluster_binary:
     - command: subprocess.exec
       params:
+        include_expansions_in_env:
+          - workdir
         working_dir: src/github.com/mongodb/mongodb-kubernetes
         binary: scripts/release/kubectl_mongodb/download_kubectl_plugin.sh
         env:
@@ -769,18 +772,14 @@ functions:
   #
   # Code snippet test automation
   #
-
-  sample_commit_output:
-    - command: github.generate_token
-      params:
-        expansion_name: GH_TOKEN
+  archive_snippets_output:
     - command: subprocess.exec
       params:
         include_expansions_in_env:
           - GH_TOKEN
-          - code_snippets_commit_output
+          - MDB_BASH_DEBUG
         working_dir: src/github.com/mongodb/mongodb-kubernetes
-        binary: scripts/code_snippets/sample_commit_output.sh
+        binary: scripts/code_snippets/archive_snippets_output.sh
 
   # it executes a script by convention: ./scripts/code_snippets/tests/${task_name}
   test_code_snippets:
@@ -793,6 +792,9 @@ functions:
           - code_snippets_teardown
           - code_snippets_reset
           - task_name
+          - MDB_BASH_DEBUG
+        add_to_path:
+          - ${workdir}/bin
         script: |
           ./scripts/code_snippets/tests/${task_name}
 

.evergreen-snippets.yml

@@ -69,33 +69,19 @@ functions:
         permissions: private
         visibility: signed
         content_type: text/plain
-    - command: s3.put
-      params:
-        aws_key: ${enterprise_aws_access_key_id}
-        aws_secret: ${enterprise_aws_secret_access_key}
-        local_files_include_filter:
-          - src/github.com/mongodb/mongodb-kubernetes/public/architectures/**/*.out
-          - src/github.com/mongodb/mongodb-kubernetes/docs/**/*.out
-        preserve_path: true
-        remote_file: logs/${task_id}/${execution}/
-        bucket: operator-e2e-artifacts
-        permissions: private
-        visibility: signed
-        content_type: text/plain
 
   upload_code_snippets_outputs:
     - command: s3.put
       params:
         aws_key: ${enterprise_aws_access_key_id}
         aws_secret: ${enterprise_aws_secret_access_key}
         local_files_include_filter:
-          - snippets_outputs.tgz
-        remote_file: logs/${task_id}/${execution}/
+          - snippets_outputs*.tgz
+        remote_file: snippets_outputs/${version_id}
         bucket: operator-e2e-artifacts
         permissions: private
         visibility: signed
         content_type: ${content_type|application/x-gzip}
-        display_name: "Snippets Outputs"
 
 tasks:
   # Code snippets tasks
@@ -106,31 +92,31 @@ tasks:
     tags: [ "code_snippets" ]
     commands:
       - func: test_code_snippets
-      - func: sample_commit_output
+      - func: archive_snippets_output
 
   - name: test_gke_multi_cluster_no_mesh_snippets.sh
     tags: [ "code_snippets" ]
     commands:
       - func: test_code_snippets
-      - func: sample_commit_output
+      - func: archive_snippets_output
 
   - name: test_kind_search_community_snippets.sh
     tags: [ "code_snippets", "patch-run" ]
     commands:
       - func: test_code_snippets
-      - func: sample_commit_output
+      - func: archive_snippets_output
 
   - name: test_kind_search_enterprise_snippets.sh
     tags: [ "code_snippets", "patch-run" ]
     commands:
       - func: test_code_snippets
-      - func: sample_commit_output
+      - func: archive_snippets_output
 
   - name: test_kind_search_external_mongod_snippets.sh
     tags: [ "code_snippets", "patch-run" ]
     commands:
       - func: test_code_snippets
-      - func: sample_commit_output
+      - func: archive_snippets_output
 
 task_groups:
   - name: gke_code_snippets_task_group

.evergreen-tasks.yml

@@ -66,25 +66,25 @@ tasks:
     tags: [ "code_snippets" ]
     commands:
       - func: test_code_snippets
-      - func: sample_commit_output
+      - func: archive_snippets_output
 
   - name: task_gke_multi_cluster_no_mesh_snippets
     tags: [ "code_snippets" ]
     commands:
       - func: test_code_snippets
-      - func: sample_commit_output
+      - func: archive_snippets_output
 
   - name: task_kind_search_community_snippets
     tags: [ "code_snippets", "patch-run" ]
     commands:
       - func: test_code_snippets
-      - func: sample_commit_output
+      - func: archive_snippets_output
 
   - name: task_kind_search_enterprise_snippets
     tags: [ "code_snippets", "patch-run" ]
     commands:
       - func: test_code_snippets
-      - func: sample_commit_output
+      - func: archive_snippets_output
 
 ## Below are only e2e runs for .evergreen.yml ##
 
@@ -1307,3 +1307,8 @@ tasks:
     tags: [ "patch-run" ]
     commands:
       - func: "e2e_test"
+
+  - name: e2e_search_enterprise_x509_cluster_auth
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"

.evergreen.yml

@@ -203,9 +203,9 @@ parameters:
     value: "false"
     description: set this to true if you would like to delete the resources created in the code snippet tests, but keep the clusters
 
-  - key: code_snippets_commit_output
-    value: "false"
-    description: set this to true if you would like the pipeline to automatically push a branch with updated snippets outputs
+  - key: MDB_BASH_DEBUG
+    value: "0"
+    description: set this to 1 if you want shell scripts to enable set -x
 
 # Triggered manually or by PCT.
 patch_aliases:
@@ -770,6 +770,7 @@ task_groups:
       # MongoDBSearch test group
       - e2e_search_enterprise_basic
       - e2e_search_enterprise_tls
+      - e2e_search_enterprise_x509_cluster_auth
     <<: *teardown_group
 
   # this task group contains just a one task, which is smoke testing whether the operator
@@ -1202,6 +1203,7 @@ task_groups:
     <<: *setup_and_teardown_task
     tasks:
       - e2e_search_enterprise_tls
+      - e2e_search_enterprise_x509_cluster_auth
     <<: *teardown_group
 
   # Tests features only supported on OM70 and OM80, its only upgrade test as we test upgrading from 6 to 7 or 7 to 8

changelog/20251103_feature_mongodbsearch_mongodb_deployments_using_x509.md

@@ -0,0 +1,7 @@
+---
+kind: feature
+date: 2025-11-03
+---
+
+* **MongoDBSearch**: MongoDB deployments using X509 internal cluster authentication are now supported. Previously MongoDB Search required SCRAM authentication among members of a MongoDB replica set. Note: SCRAM client authentication is still required, this change merely relaxes the requirements on internal cluster authentication.
+

changelog/20251106_feature_mongodbsearch_updated_the_default_mongodbmongodb.md

@@ -0,0 +1,6 @@
+---
+kind: feature
+date: 2025-11-06
+---
+
+* **MongoDBSearch**: Updated the default `mongodb/mongodb-search` image version to 0.55.0. This is the version MCK uses if `.spec.version` is not specified.

config/manager/manager.yaml

@@ -162,8 +162,8 @@ spec:
               value: "quay.io/mongodb/mongodb-agent:108.0.7.8810-1"
             - name: RELATED_IMAGE_AGENT_IMAGE_12_0_35_7911_1
               value: "quay.io/mongodb/mongodb-agent:12.0.35.7911-1"
-            - name: RELATED_IMAGE_AGENT_IMAGE_13_41_0_9830_1
-              value: "quay.io/mongodb/mongodb-agent:13.41.0.9830-1"
+            - name: RELATED_IMAGE_AGENT_IMAGE_13_42_0_9892_1
+              value: "quay.io/mongodb/mongodb-agent:13.42.0.9892-1"
             - name: RELATED_IMAGE_OPS_MANAGER_IMAGE_REPOSITORY_6_0_26
               value: "quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:6.0.26"
             - name: RELATED_IMAGE_OPS_MANAGER_IMAGE_REPOSITORY_6_0_27
@@ -307,11 +307,11 @@ spec:
               value: "quay.io/mongodb/mongodb-enterprise-server:8.0.0-ubi8"
             - name: RELATED_IMAGE_MONGODB_IMAGE_8_0_0_ubi9
               value: "quay.io/mongodb/mongodb-enterprise-server:8.0.0-ubi9"
-            - name: RELATED_IMAGE_MDB_SEARCH_IMAGE_0_53_1
-              value: "quay.io/mongodb/mongodb-search:0.53.1"
+            - name: RELATED_IMAGE_MDB_SEARCH_IMAGE_0_55_0
+              value: "quay.io/mongodb/mongodb-search:0.55.0"
             - name: MDB_SEARCH_REPO_URL
               value: "quay.io/mongodb"
             - name: MDB_SEARCH_NAME
               value: "mongodb-search"
             - name: MDB_SEARCH_VERSION
-              value: "0.53.1"
+              value: "0.55.0"

controllers/operator/common_controller_test.go

@@ -406,6 +406,98 @@ func TestDontSendNilPrivileges(t *testing.T) {
 	assert.NotNil(t, roles[0].Privileges)
 }
 
+func TestCheckEmptyStringsInPrivilegesEquivalentToNotPassingFields(t *testing.T) {
+	ctx := context.Background()
+
+	roleWithEmptyStrings := mdbv1.MongoDBRole{
+		Role: "withEmptyStrings",
+		Db:   "admin",
+		Roles: []mdbv1.InheritedRole{{
+			Db:   "admin",
+			Role: "read",
+		}},
+		Privileges: []mdbv1.Privilege{
+			{
+				Resource: mdbv1.Resource{
+					Db:         "config",
+					Collection: "", // Explicit empty string
+				},
+				Actions: []string{"find", "update", "insert", "remove"},
+			},
+			{
+				Resource: mdbv1.Resource{
+					Db:         "users",
+					Collection: "usersCollection",
+				},
+				Actions: []string{"update", "insert", "remove"},
+			},
+			{
+				Resource: mdbv1.Resource{
+					Db:         "", // Explicit empty string
+					Collection: "", // Explicit empty string
+				},
+				Actions: []string{"find"},
+			},
+		},
+	}
+
+	// Role without empty strings (fields omitted, which should result in empty strings for string types)
+	roleWithoutEmptyStrings := mdbv1.MongoDBRole{
+		Role: "withoutEmptyFields",
+		Db:   "admin",
+		Roles: []mdbv1.InheritedRole{{
+			Db:   "admin",
+			Role: "read",
+		}},
+		Privileges: []mdbv1.Privilege{
+			{
+				Resource: mdbv1.Resource{
+					Db: "config",
+					// field not set, should pass ""
+				},
+				Actions: []string{"find", "update", "insert", "remove"},
+			},
+			{
+				Resource: mdbv1.Resource{
+					Db:         "users",
+					Collection: "usersCollection",
+				},
+				Actions: []string{"update", "insert", "remove"},
+			},
+			{
+				Resource: mdbv1.Resource{
+					// fields not set, should be passed as empty strings
+				},
+				Actions: []string{"find"},
+			},
+		},
+	}
+
+	rs := DefaultReplicaSetBuilder().SetRoles([]mdbv1.MongoDBRole{roleWithEmptyStrings, roleWithoutEmptyStrings}).Build()
+	kubeClient, omConnectionFactory := mock.NewDefaultFakeClient()
+	controller := NewReconcileCommonController(ctx, kubeClient)
+	mockOm, _ := prepareConnection(ctx, controller, omConnectionFactory.GetConnectionFunc, t)
+
+	controller.ensureRoles(ctx, rs.Spec.DbCommonSpec, true, mockOm, kube.ObjectKeyFromApiObject(rs), zap.S())
+
+	ac, err := mockOm.ReadAutomationConfig()
+	assert.NoError(t, err)
+	roles, ok := ac.Deployment["roles"].([]mdbv1.MongoDBRole)
+	assert.True(t, ok)
+	require.Len(t, roles, 2)
+
+	assert.Equal(t, "config", roles[0].Privileges[0].Resource.Db)
+	assert.Equal(t, "", roles[0].Privileges[0].Resource.Collection)
+
+	assert.Equal(t, "users", roles[0].Privileges[1].Resource.Db)
+	assert.Equal(t, "usersCollection", roles[0].Privileges[1].Resource.Collection)
+
+	assert.Equal(t, "", roles[0].Privileges[2].Resource.Db)
+	assert.Equal(t, "", roles[0].Privileges[2].Resource.Collection)
+
+	assert.True(t, reflect.DeepEqual(roles[0].Privileges, roles[1].Privileges))
+}
+
 func TestSecretWatcherWithAllResources(t *testing.T) {
 	ctx := context.Background()
 	caName := "custom-ca"

controllers/searchcontroller/enterprise_search_source.go

@@ -81,9 +81,5 @@ func (r EnterpriseResourceSearchSource) Validate() error {
 		return xerrors.New("MongoDBSearch requires SCRAM authentication to be enabled")
 	}
 
-	if r.Spec.Security.GetInternalClusterAuthenticationMode() == util.X509 {
-		return xerrors.New("MongoDBSearch does not support X.509 internal cluster authentication")
-	}
-
 	return nil
 }

controllers/searchcontroller/enterprise_search_source_test.go

@@ -223,8 +223,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) {
 			resourceType:        mdbv1.ReplicaSet,
 			authModes:           []string{"SCRAM-SHA-256"},
 			internalClusterAuth: "X509",
-			expectError:         true,
-			expectedErrMsg:      "MongoDBSearch does not support X.509 internal cluster authentication",
+			expectError:         false,
 		},
 		{
 			name:                "Valid internal cluster auth - empty",