Fix TLS disable test - disable TLS before removing certs

nammn · nammn · commit 3acc29c95301 · 2025-12-17T18:41:25.000+01:00
The test was failing because certs were removed while TLS mode was still
transitioning. MongoDB requires certs until TLS is fully disabled.

Correct order:
1. Set tls.enabled = False (keeping certs for transition)
2. Wait for AppDB to reach Running state
3. Remove certsSecretPrefix (optional cleanup)
diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/withMonitoredAppDB/om_appdb_tls_disable.py b/docker/mongodb-kubernetes-tests/tests/opsmanager/withMonitoredAppDB/om_appdb_tls_disable.py
@@ -74,25 +74,30 @@ def test_disable_tls_on_appdb(ops_manager: MongoDBOpsManager):
     """
     CLOUDP-351614: Disable TLS on AppDB and verify the operator correctly handles
     the transition without leaving stale TLS params in monitoring config.
+
+    TLS must be disabled in the correct order:
+    1. First disable TLS (tls.enabled = False) while keeping certs
+    2. Wait for the TLS mode transition to complete
+    3. Only then remove the certs (certsSecretPrefix)
     """
     ops_manager.load()
 
-    # Step 1: Transition to allowTLS mode first (required before fully disabling TLS)
-    ops_manager["spec"]["applicationDatabase"]["additionalMongodConfig"] = {
-        "net": {"tls": {"mode": "allowTLS"}}
-    }
+    # Step 1: Disable TLS mode (keeping certs until mode transition completes)
+    # The operator will handle the TLS mode transition: requireTLS -> preferTLS -> allowTLS -> disabled
+    ops_manager["spec"]["applicationDatabase"]["security"]["tls"]["enabled"] = False
     ops_manager.update()
+
+    # Wait for AppDB to reach Running state after TLS mode is disabled
     ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=1200)
 
-    # Step 2: Fully disable TLS on AppDB
-    # Must remove certsSecretPrefix, disable TLS, and remove additionalMongodConfig
+    # Step 2: Now that TLS is fully disabled, we can safely remove the cert configuration
+    # This is optional cleanup - the certs are no longer used
+    ops_manager.load()
     ops_manager["spec"]["applicationDatabase"]["security"]["certsSecretPrefix"] = None
-    ops_manager["spec"]["applicationDatabase"]["security"]["tls"]["enabled"] = False
-    del ops_manager["spec"]["applicationDatabase"]["additionalMongodConfig"]
     ops_manager.update()
 
-    # Wait for AppDB to reach Running state after TLS disable
-    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=1200)
+    # Wait for AppDB to reach Running state after cert cleanup
+    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=600)
 
 
 @mark.e2e_om_appdb_tls_disable
