refactoring

Author: filipcirtog

controllers/om/automation_config.go

@@ -14,16 +14,12 @@ import (
 	"github.com/mongodb/mongodb-kubernetes/controllers/operator/ldap"
 	"github.com/mongodb/mongodb-kubernetes/controllers/operator/oidc"
 	"github.com/mongodb/mongodb-kubernetes/mongodb-community-operator/pkg/kube/secret"
+	"github.com/mongodb/mongodb-kubernetes/mongodb-community-operator/pkg/util/constants"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util/generate"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util/maputil"
 )
 
-// The constants for the authentication secret
-const (
-	autoPwdSecretKey = "automation-agent-password"
-)
-
 // AutomationConfig maintains the raw map in the Deployment field
 // and constructs structs to make use of go's type safety
 // Dev notes: actually, this object is just a wrapper for the `Deployment` object which is received from Ops Manager,
@@ -455,18 +451,13 @@ func (ac *AutomationConfig) EnsurePassword(ctx context.Context, k8sClient secret
 
 	data, err := secret.ReadStringData(ctx, k8sClient, secretNamespacedName)
 	if err == nil {
-		if val, ok := data[autoPwdSecretKey]; ok && len(val) > 0 {
+		if val, ok := data[constants.AutomationAgentAuthSecretKey]; ok && len(val) > 0 {
 			password = val
 		}
 	} else if secret.SecretNotExist(err) {
 		if ac.Auth.AutoPwd != "" && ac.Auth.AutoPwd != util.InvalidAutomationAgentPassword {
 			password = ac.Auth.AutoPwd
 		}
-
-		err := EnsureEmptySecret(ctx, k8sClient, secretNamespacedName)
-		if err != nil {
-			return "", err
-		}
 	}
 
 	if password == "" {
@@ -477,31 +468,21 @@ func (ac *AutomationConfig) EnsurePassword(ctx context.Context, k8sClient secret
 		password = generatedPassword
 	}
 
-	ac.Auth.AutoPwd = password
-	err = secret.UpdateField(ctx, k8sClient, secretNamespacedName, autoPwdSecretKey, password)
-	if err != nil {
-		return "", fmt.Errorf("failed to update password field in shared secret %s/%s: %w", secretNamespacedName.Namespace, secretNamespacedName.Name, err)
-	}
-
-	return password, nil
-}
-
-func EnsureEmptySecret(ctx context.Context, k8sClient secret.GetUpdateCreator, secretNamespacedName types.NamespacedName) error {
 	dataFields := map[string]string{
-		autoPwdSecretKey: "",
+		constants.AutomationAgentAuthSecretKey: password,
 	}
 
-	emptySecret := secret.Builder().
+	passwordSecret := secret.Builder().
 		SetName(secretNamespacedName.Name).
 		SetNamespace(secretNamespacedName.Namespace).
 		SetStringMapToData(dataFields).
 		Build()
 
-	if err := secret.CreateOrUpdateIfNeeded(ctx, k8sClient, emptySecret); err != nil {
-		return fmt.Errorf("failed to create or update empty secret %s/%s: %w", secretNamespacedName.Namespace, secretNamespacedName.Name, err)
+	if err := secret.CreateOrUpdateIfNeeded(ctx, k8sClient, passwordSecret); err != nil {
+		return "", fmt.Errorf("failed to update password field in shared secret %s/%s: %w", secretNamespacedName.Namespace, secretNamespacedName.Name, err)
 	}
-
-	return nil
+	ac.Auth.AutoPwd = password
+	return password, nil
 }
 
 func (ac *AutomationConfig) CanEnableX509ProjectAuthentication() (bool, string) {

controllers/operator/appdbreplicaset_controller.go

@@ -1666,8 +1666,9 @@ func (r *ReconcileAppDbReplicaSet) tryConfigureMonitoringInOpsManager(ctx contex
 		AutoUser:           util.AutomationAgentUserName,
 		AutoPEMKeyFilePath: agentCertPath,
 		CAFilePath:         util.CAFilePathInContainer,
+		MongoDBResource:    types.NamespacedName{Namespace: opsManager.Namespace, Name: opsManager.Name},
 	}
-	err = authentication.Configure(ctx, r.client, types.NamespacedName{Namespace: opsManager.Namespace, Name: opsManager.Name}, conn, opts, false, log)
+	err = authentication.Configure(ctx, r.client, conn, opts, false, log)
 	if err != nil {
 		log.Errorf("Could not set Automation Authentication options in Ops/Cloud Manager for the Application Database. "+
 			"Application Database is always configured with authentication enabled, but this will not be "+

controllers/operator/authentication/authentication.go

@@ -67,6 +67,8 @@ type Options struct {
 	AutoPwd string
 
 	AutoLdapGroupDN string
+
+	MongoDBResource types.NamespacedName
 }
 
 func Redact(o Options) Options {
@@ -86,7 +88,7 @@ type UserOptions struct {
 
 // Configure will configure all the specified authentication Mechanisms. We need to ensure we wait for
 // the agents to reach ready state after each operation as prematurely updating the automation config can cause the agents to get stuck.
-func Configure(ctx context.Context, client kubernetesClient.Client, mdbNamespacedName types.NamespacedName, conn om.Connection, opts Options, isRecovering bool, log *zap.SugaredLogger) error {
+func Configure(ctx context.Context, client kubernetesClient.Client, conn om.Connection, opts Options, isRecovering bool, log *zap.SugaredLogger) error {
 	log.Infow("ensuring correct deployment mechanisms", "ProcessNames", opts.ProcessNames, "Mechanisms", opts.Mechanisms)
 
 	// In case we're recovering, we can push all changes at once, because the mechanism is triggered after 20min by default.
@@ -117,7 +119,7 @@ func Configure(ctx context.Context, client kubernetesClient.Client, mdbNamespace
 
 	// once we have made sure that the deployment authentication mechanism array contains the desired auth mechanism
 	// we can then configure the agent authentication.
-	if err := enableAgentAuthentication(ctx, client, mdbNamespacedName, conn, opts, log); err != nil {
+	if err := enableAgentAuthentication(ctx, client, conn, opts, log); err != nil {
 		return xerrors.Errorf("error enabling agent authentication: %w", err)
 	}
 	if err := waitForReadyStateIfNeeded(); err != nil {
@@ -155,7 +157,7 @@ func Configure(ctx context.Context, client kubernetesClient.Client, mdbNamespace
 
 // Disable disables all authentication mechanisms, and waits for the agents to reach goal state. It is still required to provide
 // automation agent username, password and keyfile contents to ensure a valid Automation Config.
-func Disable(ctx context.Context, client kubernetesClient.Client, mdbNamespacedName types.NamespacedName, conn om.Connection, opts Options, deleteUsers bool, log *zap.SugaredLogger) error {
+func Disable(ctx context.Context, client kubernetesClient.Client, conn om.Connection, opts Options, deleteUsers bool, log *zap.SugaredLogger) error {
 	ac, err := conn.ReadAutomationConfig()
 	if err != nil {
 		return xerrors.Errorf("error reading automation config: %w", err)
@@ -185,7 +187,7 @@ func Disable(ctx context.Context, client kubernetesClient.Client, mdbNamespacedN
 		if err := ac.EnsureKeyFileContents(); err != nil {
 			return xerrors.Errorf("error ensuring keyfile contents: %w", err)
 		}
-		if _, err := ac.EnsurePassword(ctx, client, mdbNamespacedName); err != nil {
+		if _, err := ac.EnsurePassword(ctx, client, opts.MongoDBResource); err != nil {
 			return xerrors.Errorf("error ensuring agent password: %w", err)
 		}
 
@@ -262,7 +264,7 @@ func removeUnsupportedAgentMechanisms(conn om.Connection, opts Options, log *zap
 
 // enableAgentAuthentication determines which agent authentication mechanism should be configured
 // and enables it in Ops Manager
-func enableAgentAuthentication(ctx context.Context, client kubernetesClient.Client, mdbNamespacedName types.NamespacedName, conn om.Connection, opts Options, log *zap.SugaredLogger) error {
+func enableAgentAuthentication(ctx context.Context, client kubernetesClient.Client, conn om.Connection, opts Options, log *zap.SugaredLogger) error {
 	ac, err := conn.ReadAutomationConfig()
 	if err != nil {
 		return xerrors.Errorf("error reading automation config: %w", err)
@@ -271,7 +273,7 @@ func enableAgentAuthentication(ctx context.Context, client kubernetesClient.Clie
 	// we then configure the agent authentication for that type
 	mechanism := convertToMechanismOrPanic(opts.AgentMechanism, ac)
 
-	if err := ensureAgentAuthenticationIsConfigured(ctx, client, mdbNamespacedName, conn, opts, ac, mechanism, log); err != nil {
+	if err := ensureAgentAuthenticationIsConfigured(ctx, client, conn, opts, ac, mechanism, log); err != nil {
 		return xerrors.Errorf("error ensuring agent authentication is configured: %w", err)
 	}
 
@@ -369,14 +371,14 @@ func addOrRemoveAgentClientCertificate(conn om.Connection, opts Options, log *za
 }
 
 // ensureAgentAuthenticationIsConfigured will configure the agent authentication settings based on the desiredAgentAuthMechanism
-func ensureAgentAuthenticationIsConfigured(ctx context.Context, client kubernetesClient.Client, mdbNamespacedName types.NamespacedName, conn om.Connection, opts Options, ac *om.AutomationConfig, mechanism Mechanism, log *zap.SugaredLogger) error {
+func ensureAgentAuthenticationIsConfigured(ctx context.Context, client kubernetesClient.Client, conn om.Connection, opts Options, ac *om.AutomationConfig, mechanism Mechanism, log *zap.SugaredLogger) error {
 	if mechanism.IsAgentAuthenticationConfigured(ac, opts) {
 		log.Infof("Agent authentication mechanism %s is already configured", mechanism.GetName())
 		return nil
 	}
 
 	log.Infof("Enabling %s agent authentication", mechanism.GetName())
-	return mechanism.EnableAgentAuthentication(ctx, client, mdbNamespacedName, conn, opts, log)
+	return mechanism.EnableAgentAuthentication(ctx, client, conn, opts, log)
 }
 
 // ensureDeploymentMechanisms configures the given AutomationConfig to allow deployments to

controllers/operator/authentication/authentication_mechanism.go

@@ -7,7 +7,6 @@ import (
 
 	"go.uber.org/zap"
 	"golang.org/x/xerrors"
-	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/mongodb/mongodb-kubernetes/controllers/om"
 	kubernetesClient "github.com/mongodb/mongodb-kubernetes/mongodb-community-operator/pkg/kube/client"
@@ -16,7 +15,7 @@ import (
 
 // Mechanism is an interface that needs to be implemented for any Ops Manager authentication mechanism
 type Mechanism interface {
-	EnableAgentAuthentication(ctx context.Context, client kubernetesClient.Client, mdbNamespacedName types.NamespacedName, conn om.Connection, opts Options, log *zap.SugaredLogger) error
+	EnableAgentAuthentication(ctx context.Context, client kubernetesClient.Client, conn om.Connection, opts Options, log *zap.SugaredLogger) error
 	DisableAgentAuthentication(conn om.Connection, log *zap.SugaredLogger) error
 	EnableDeploymentAuthentication(conn om.Connection, opts Options, log *zap.SugaredLogger) error
 	DisableDeploymentAuthentication(conn om.Connection, log *zap.SugaredLogger) error

controllers/operator/authentication/configure_authentication_test.go

@@ -22,7 +22,7 @@ func init() {
 func TestConfigureScramSha256(t *testing.T) {
 	ctx := context.Background()
 	kubeClient, _ := mock.NewDefaultFakeClient()
-	mdbNamespacedName := types.NamespacedName{Namespace: "test", Name: "test"}
+	mongoDBResource := types.NamespacedName{Namespace: "test", Name: "test"}
 
 	dep := om.NewDeployment()
 	conn := om.NewMockedOmConnection(dep)
@@ -32,9 +32,10 @@ func TestConfigureScramSha256(t *testing.T) {
 		ProcessNames:     []string{"process-1", "process-2", "process-3"},
 		Mechanisms:       []string{"SCRAM"},
 		AgentMechanism:   "SCRAM",
+		MongoDBResource:  mongoDBResource,
 	}
 
-	if err := Configure(ctx, kubeClient, mdbNamespacedName, conn, opts, false, zap.S()); err != nil {
+	if err := Configure(ctx, kubeClient, conn, opts, false, zap.S()); err != nil {
 		t.Fatal(err)
 	}
 
@@ -50,7 +51,7 @@ func TestConfigureScramSha256(t *testing.T) {
 func TestConfigureX509(t *testing.T) {
 	ctx := context.Background()
 	kubeClient, _ := mock.NewDefaultFakeClient()
-	mdbNamespacedName := types.NamespacedName{Namespace: "test", Name: "test"}
+	mongoDBResource := types.NamespacedName{Namespace: "test", Name: "test"}
 
 	dep := om.NewDeployment()
 	conn := om.NewMockedOmConnection(dep)
@@ -64,9 +65,10 @@ func TestConfigureX509(t *testing.T) {
 		UserOptions: UserOptions{
 			AutomationSubject: validSubject("automation"),
 		},
+		MongoDBResource: mongoDBResource,
 	}
 
-	if err := Configure(ctx, kubeClient, mdbNamespacedName, conn, opts, false, zap.S()); err != nil {
+	if err := Configure(ctx, kubeClient, conn, opts, false, zap.S()); err != nil {
 		t.Fatal(err)
 	}
 
@@ -82,7 +84,7 @@ func TestConfigureX509(t *testing.T) {
 func TestConfigureScramSha1(t *testing.T) {
 	ctx := context.Background()
 	kubeClient, _ := mock.NewDefaultFakeClient()
-	mdbNamespacedName := types.NamespacedName{Namespace: "test", Name: "test"}
+	mongoDBResource := types.NamespacedName{Namespace: "test", Name: "test"}
 
 	dep := om.NewDeployment()
 	conn := om.NewMockedOmConnection(dep)
@@ -92,9 +94,10 @@ func TestConfigureScramSha1(t *testing.T) {
 		ProcessNames:     []string{"process-1", "process-2", "process-3"},
 		Mechanisms:       []string{"SCRAM-SHA-1"},
 		AgentMechanism:   "SCRAM-SHA-1",
+		MongoDBResource:  mongoDBResource,
 	}
 
-	if err := Configure(ctx, kubeClient, mdbNamespacedName, conn, opts, false, zap.S()); err != nil {
+	if err := Configure(ctx, kubeClient, conn, opts, false, zap.S()); err != nil {
 		t.Fatal(err)
 	}
 
@@ -108,7 +111,7 @@ func TestConfigureScramSha1(t *testing.T) {
 func TestConfigureMultipleAuthenticationMechanisms(t *testing.T) {
 	ctx := context.Background()
 	kubeClient, _ := mock.NewDefaultFakeClient()
-	mdbNamespacedName := types.NamespacedName{Namespace: "test", Name: "test"}
+	mongoDBResource := types.NamespacedName{Namespace: "test", Name: "test"}
 
 	dep := om.NewDeployment()
 	conn := om.NewMockedOmConnection(dep)
@@ -121,9 +124,10 @@ func TestConfigureMultipleAuthenticationMechanisms(t *testing.T) {
 		UserOptions: UserOptions{
 			AutomationSubject: validSubject("automation"),
 		},
+		MongoDBResource: mongoDBResource,
 	}
 
-	if err := Configure(ctx, kubeClient, mdbNamespacedName, conn, opts, false, zap.S()); err != nil {
+	if err := Configure(ctx, kubeClient, conn, opts, false, zap.S()); err != nil {
 		t.Fatal(err)
 	}
 
@@ -145,7 +149,7 @@ func TestConfigureMultipleAuthenticationMechanisms(t *testing.T) {
 func TestDisableAuthentication(t *testing.T) {
 	ctx := context.Background()
 	kubeClient, _ := mock.NewDefaultFakeClient()
-	mdbNamespacedName := types.NamespacedName{Namespace: "test", Name: "test"}
+	mongoDBResource := types.NamespacedName{Namespace: "test", Name: "test"}
 
 	dep := om.NewDeployment()
 	conn := om.NewMockedOmConnection(dep)
@@ -156,7 +160,7 @@ func TestDisableAuthentication(t *testing.T) {
 		return nil
 	}, zap.S())
 
-	if err := Disable(ctx, kubeClient, mdbNamespacedName, conn, Options{}, true, zap.S()); err != nil {
+	if err := Disable(ctx, kubeClient, conn, Options{MongoDBResource: mongoDBResource}, true, zap.S()); err != nil {
 		t.Fatal(err)
 	}
 
@@ -237,9 +241,10 @@ func assertDeploymentMechanismsConfigured(t *testing.T, authMechanism Mechanism,
 func assertAgentAuthenticationDisabled(t *testing.T, authMechanism Mechanism, conn om.Connection, opts Options) {
 	ctx := context.Background()
 	kubeClient, _ := mock.NewDefaultFakeClient()
-	mdbNamespacedName := types.NamespacedName{Namespace: "test", Name: "test"}
+	mongoDBResource := types.NamespacedName{Namespace: "test", Name: "test"}
+	opts.MongoDBResource = mongoDBResource
 
-	err := authMechanism.EnableAgentAuthentication(ctx, kubeClient, mdbNamespacedName, conn, opts, zap.S())
+	err := authMechanism.EnableAgentAuthentication(ctx, kubeClient, conn, opts, zap.S())
 	require.NoError(t, err)
 
 	ac, err := conn.ReadAutomationConfig()

controllers/operator/authentication/ldap.go

@@ -4,7 +4,6 @@ import (
 	"context"
 
 	"go.uber.org/zap"
-	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/mongodb/mongodb-kubernetes/controllers/om"
 	"github.com/mongodb/mongodb-kubernetes/controllers/operator/ldap"
@@ -19,7 +18,7 @@ func (l *ldapAuthMechanism) GetName() MechanismName {
 	return LDAPPlain
 }
 
-func (l *ldapAuthMechanism) EnableAgentAuthentication(ctx context.Context, client kubernetesClient.Client, mdbNamespacedName types.NamespacedName, conn om.Connection, opts Options, log *zap.SugaredLogger) error {
+func (l *ldapAuthMechanism) EnableAgentAuthentication(ctx context.Context, client kubernetesClient.Client, conn om.Connection, opts Options, log *zap.SugaredLogger) error {
 	log.Info("Configuring LDAP authentication")
 	err := conn.ReadUpdateAutomationConfig(func(ac *om.AutomationConfig) error {
 		if err := ac.EnsureKeyFileContents(); err != nil {

controllers/operator/authentication/ldap_test.go

@@ -50,7 +50,7 @@ func TestLdapDeploymentMechanism(t *testing.T) {
 func TestLdapEnableAgentAuthentication(t *testing.T) {
 	ctx := context.Background()
 	kubeClient, _ := mock.NewDefaultFakeClient()
-	mdbNamespacedName := types.NamespacedName{Namespace: "test", Name: "test"}
+	mongoDBResource := types.NamespacedName{Namespace: "test", Name: "test"}
 
 	conn := om.NewMockedOmConnection(om.NewDeployment())
 	opts := Options{
@@ -60,9 +60,10 @@ func TestLdapEnableAgentAuthentication(t *testing.T) {
 		},
 		AuthoritativeSet: true,
 		AutoPwd:          "LDAPPassword.",
+		MongoDBResource:  mongoDBResource,
 	}
 
-	err := ldapPlainMechanism.EnableAgentAuthentication(ctx, kubeClient, mdbNamespacedName, conn, opts, zap.S())
+	err := ldapPlainMechanism.EnableAgentAuthentication(ctx, kubeClient, conn, opts, zap.S())
 	require.NoError(t, err)
 
 	ac, err := conn.ReadAutomationConfig()

controllers/operator/authentication/oidc.go

@@ -8,7 +8,6 @@ import (
 
 	"go.uber.org/zap"
 	"golang.org/x/xerrors"
-	"k8s.io/apimachinery/pkg/types"
 
 	mdbv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdb"
 	"github.com/mongodb/mongodb-kubernetes/controllers/om"
@@ -23,7 +22,7 @@ func (o *oidcAuthMechanism) GetName() MechanismName {
 	return MongoDBOIDC
 }
 
-func (o *oidcAuthMechanism) EnableAgentAuthentication(_ context.Context, _ kubernetesClient.Client, _ types.NamespacedName, _ om.Connection, _ Options, _ *zap.SugaredLogger) error {
+func (o *oidcAuthMechanism) EnableAgentAuthentication(_ context.Context, _ kubernetesClient.Client, _ om.Connection, _ Options, _ *zap.SugaredLogger) error {
 	return xerrors.Errorf("OIDC agent authentication is not supported")
 }
 

controllers/operator/authentication/oidc_test.go

@@ -82,11 +82,12 @@ func TestOIDC_EnableDeploymentAuthentication(t *testing.T) {
 func TestOIDC_EnableAgentAuthentication(t *testing.T) {
 	ctx := context.Background()
 	kubeClient, _ := mock.NewDefaultFakeClient()
-	mdbNamespacedName := types.NamespacedName{Namespace: "test", Name: "test"}
+	mongoDBResource := types.NamespacedName{Namespace: "test", Name: "test"}
 
 	conn := om.NewMockedOmConnection(om.NewDeployment())
 	opts := Options{
-		Mechanisms: []string{string(MongoDBOIDC)},
+		Mechanisms:      []string{string(MongoDBOIDC)},
+		MongoDBResource: mongoDBResource,
 	}
 
 	ac, err := conn.ReadAutomationConfig()
@@ -95,7 +96,7 @@ func TestOIDC_EnableAgentAuthentication(t *testing.T) {
 	configured := mongoDBOIDCMechanism.IsAgentAuthenticationConfigured(ac, opts)
 	assert.False(t, configured)
 
-	err = mongoDBOIDCMechanism.EnableAgentAuthentication(ctx, kubeClient, mdbNamespacedName, conn, opts, zap.S())
+	err = mongoDBOIDCMechanism.EnableAgentAuthentication(ctx, kubeClient, conn, opts, zap.S())
 	require.Error(t, err)
 
 	err = mongoDBOIDCMechanism.DisableAgentAuthentication(conn, zap.S())