assert autopwd when changing projects

Author: filipcirtog

.evergreen.yml

@@ -713,14 +713,15 @@ task_groups:
       - e2e_sharded_cluster_scram_sha_1_user_connectivity
       - e2e_sharded_cluster_scram_x509_ic_manual_certs
       - e2e_sharded_cluster_external_access
-      - e2e_sharded_cluster_scram_sha_256_switch_project
-      - e2e_sharded_cluster_scram_sha_1_switch_project
-      - e2e_sharded_cluster_x509_switch_project
       - e2e_replica_set_scram_sha_256_switch_project
+      - e2e_sharded_cluster_scram_sha_256_switch_project
       - e2e_replica_set_scram_sha_1_switch_project
-      - e2e_replica_set_x509_switch_project
-      - e2e_replica_set_ldap_switch_project
-      - e2e_sharded_cluster_ldap_switch_project
+      - e2e_sharded_cluster_scram_sha_1_switch_project
+      # Disabled these tests as they don't use the password secret, and project migrations aren't fully supported yet.  
+      # e2e_sharded_cluster_x509_switch_project
+      # e2e_replica_set_x509_switch_project
+      # e2e_replica_set_ldap_switch_project
+      # e2e_sharded_cluster_ldap_switch_project
       # e2e_auth_transitions_task_group
       - e2e_replica_set_scram_sha_and_x509
       - e2e_replica_set_x509_to_scram_transition

controllers/operator/common_controller.go

@@ -452,6 +452,7 @@ func (r *ReconcileCommonController) updateOmAuthentication(ctx context.Context,
 		AutoUser:           scramAgentUserName,
 		AutoLdapGroupDN:    ar.GetSecurity().Authentication.Agents.AutomationLdapGroupDN,
 		CAFilePath:         caFilepath,
+		MongoDBResource:    types.NamespacedName{Namespace: ar.GetNamespace(), Name: ar.GetName()},
 	}
 	var databaseSecretPath string
 	if r.VaultClient != nil {
@@ -512,7 +513,6 @@ func (r *ReconcileCommonController) updateOmAuthentication(ctx context.Context,
 			agentName := ar.GetSecurity().Authentication.Agents.AutomationUserName
 			userOpts.AutomationSubject = agentName
 			authOpts.UserOptions = userOpts
-			authOpts.MongoDBResource = types.NamespacedName{Namespace: ar.GetNamespace(), Name: ar.GetName()}
 		}
 
 		if err := authentication.Configure(ctx, r.client, conn, authOpts, isRecovering, log); err != nil {
@@ -534,7 +534,7 @@ func (r *ReconcileCommonController) updateOmAuthentication(ctx context.Context,
 		}
 
 		authOpts.UserOptions = userOpts
-		authOpts.MongoDBResource = types.NamespacedName{Namespace: ar.GetNamespace(), Name: ar.GetName()}
+
 		if err := authentication.Disable(ctx, r.client, conn, authOpts, false, log); err != nil {
 			return workflow.Failed(err), false
 		}

docker/mongodb-kubernetes-tests/kubetester/automation_config_tester.py

@@ -36,6 +36,9 @@ def get_mongos_processes(self):
     def get_all_processes(self):
         return self.automation_config["processes"]
 
+    def get_automation_agent_password(self):
+        return self.automation_config["auth"]["autoPwd"]
+    
     def assert_expected_users(self, expected_users: int):
         automation_config_users = 0
 

docker/mongodb-kubernetes-tests/tests/authentication/helper_replica_set_switch_project.py

@@ -38,6 +38,8 @@ def test_ops_manager_state_with_expected_authentication(self, expected_users: in
             tester.assert_authoritative_set(True)
 
     def test_switch_replica_set_project(self):
+        original_tester = self.sharded_cluster.get_automation_config_tester()
+        original_automation_agent_password = original_tester.get_automation_agent_password
         original_configmap = read_configmap(namespace=self.namespace, name="my-project")
         new_project_name = f"{self.namespace}-second"
         new_project_configmap = create_or_update_configmap(
@@ -52,6 +54,12 @@ def test_switch_replica_set_project(self):
         self.replica_set["spec"]["opsManager"]["configMapRef"]["name"] = new_project_configmap
         self.replica_set.update()
         self.replica_set.assert_reaches_phase(Phase.Running, timeout=600)
+        switched_tester = self.sharded_cluster.get_automation_config_tester()
+        switched_automation_agent_password = switched_tester.get_automation_agent_password
+        
+        assert original_automation_agent_password == switched_automation_agent_password, (  
+        "The automation agent password changed after switching the project."  
+    )  
 
     def test_ops_manager_state_with_users(self, user_name: str, expected_roles: set, expected_users: int):
         tester = self.replica_set.get_automation_config_tester()

docker/mongodb-kubernetes-tests/tests/authentication/helper_sharded_cluster_switch_project.py

@@ -38,6 +38,8 @@ def test_ops_manager_state_with_expected_authentication(self, expected_users: in
             tester.assert_authoritative_set(True)
 
     def test_switch_sharded_cluster_project(self):
+        original_tester = self.sharded_cluster.get_automation_config_tester()
+        original_automation_agent_password = original_tester.get_automation_agent_password
         original_configmap = read_configmap(namespace=self.namespace, name="my-project")
         new_project_name = f"{self.namespace}-second"
 
@@ -50,10 +52,16 @@ def test_switch_sharded_cluster_project(self):
                 "orgId": original_configmap["orgId"],
             },
         )
-
         self.sharded_cluster["spec"]["opsManager"]["configMapRef"]["name"] = new_project_configmap
         self.sharded_cluster.update()
         self.sharded_cluster.assert_reaches_phase(Phase.Running, timeout=800)
+        switched_tester = self.sharded_cluster.get_automation_config_tester()
+        switched_automation_agent_password = switched_tester.get_automation_agent_password
+        
+        assert original_automation_agent_password == switched_automation_agent_password, (  
+        "The automation agent password changed after switching the project."  
+    )  
+
 
     def test_ops_manager_state_with_users(self, user_name: str, expected_roles: set, expected_users: int):
         tester = self.sharded_cluster.get_automation_config_tester()