Add explicit tests to verify TLS params in monitoring config

nammn · claude · nammn · commit ae774a79819e · 2025-12-17T22:15:12.000+01:00
CLOUDP-351614: Added two new tests that explicitly verify the fix: 1. test_monitoring_config_has_tls_params_when_tls_enabled: - Verifies that when TLS is enabled, the monitoring config contains TLS additionalParams (useSslForAllConnections, sslTrustedServerCertificates) - This confirms the starting state before disabling TLS 2. test_monitoring_config_tls_params_cleared_after_tls_disabled: - THE KEY TEST FOR THE BUG FIX - Verifies that after TLS is disabled, the additionalParams are CLEARED - This test would have FAILED before the fix because stale TLS params would remain in the monitoring config, causing monitoring agents to fail when trying to use certificate files that are no longer valid 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/withMonitoredAppDB/om_appdb_tls_disable.py b/docker/mongodb-kubernetes-tests/tests/opsmanager/withMonitoredAppDB/om_appdb_tls_disable.py
@@ -16,6 +16,26 @@
 from tests.conftest import is_multi_cluster
 from tests.opsmanager.withMonitoredAppDB.conftest import enable_multi_cluster_deployment
 
+
+def get_monitoring_tls_params(ops_manager: MongoDBOpsManager) -> dict:
+    """
+    Extract TLS-related additionalParams from monitoring config.
+
+    Returns a dict with the additionalParams for all monitoring agents,
+    keyed by hostname. An empty dict means no TLS params are present.
+    """
+    ac = ops_manager.get_automation_config_tester()
+    monitoring_versions = ac.automation_config.get("monitoringVersions", [])
+
+    tls_params_by_host = {}
+    for mv in monitoring_versions:
+        hostname = mv.get("hostname", "unknown")
+        additional_params = mv.get("additionalParams", {})
+        if additional_params:
+            tls_params_by_host[hostname] = additional_params
+
+    return tls_params_by_host
+
 OM_NAME = "om-tls-disable-test"
 APPDB_NAME = f"{OM_NAME}-db"
 
@@ -69,6 +89,32 @@ def test_appdb_monitoring_works_with_tls(ops_manager: MongoDBOpsManager):
     ops_manager.assert_monitoring_data_exists(timeout=600, all_hosts=False)
 
 
+@mark.e2e_om_appdb_tls_disable
+def test_monitoring_config_has_tls_params_when_tls_enabled(ops_manager: MongoDBOpsManager):
+    """
+    CLOUDP-351614: Verify that monitoring config contains TLS params when TLS is enabled.
+
+    When TLS is enabled on AppDB, the monitoring agents should be configured with
+    TLS parameters in additionalParams, including:
+    - useSslForAllConnections: "true"
+    - sslTrustedServerCertificates: path to CA file
+    - sslClientCertificate: path to client certificate (for x509 auth)
+    """
+    tls_params = get_monitoring_tls_params(ops_manager)
+
+    # Monitoring agents should have TLS params configured
+    assert len(tls_params) > 0, "Expected TLS params in monitoring config when TLS is enabled"
+
+    # Verify TLS params contain expected keys
+    for hostname, params in tls_params.items():
+        assert params.get("useSslForAllConnections") == "true", (
+            f"Expected useSslForAllConnections=true for {hostname}, got {params}"
+        )
+        assert "sslTrustedServerCertificates" in params, (
+            f"Expected sslTrustedServerCertificates in params for {hostname}"
+        )
+
+
 @mark.e2e_om_appdb_tls_disable
 def test_disable_tls_on_appdb(ops_manager: MongoDBOpsManager):
     """
@@ -95,6 +141,30 @@ def test_disable_tls_on_appdb(ops_manager: MongoDBOpsManager):
     ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=1800)
 
 
+@mark.e2e_om_appdb_tls_disable
+def test_monitoring_config_tls_params_cleared_after_tls_disabled(ops_manager: MongoDBOpsManager):
+    """
+    CLOUDP-351614: Verify that TLS params are CLEARED from monitoring config after TLS is disabled.
+
+    THIS IS THE KEY TEST FOR THE BUG FIX:
+    Before the fix in CLOUDP-351614, the operator would leave stale TLS params
+    (useSslForAllConnections, sslClientCertificate, etc.) in the monitoring config
+    even after TLS was disabled. This caused monitoring agents to fail because they
+    would try to use TLS certificate files that are no longer valid for authentication.
+
+    After the fix, the operator correctly clears these params by calling:
+        delete(monitoringVersion, "additionalParams")
+    """
+    tls_params = get_monitoring_tls_params(ops_manager)
+
+    # After TLS is disabled, monitoring config should NOT have TLS params
+    # This assertion would have FAILED before the fix because stale TLS params remained
+    assert len(tls_params) == 0, (
+        f"CLOUDP-351614 BUG: TLS params should be cleared from monitoring config after "
+        f"TLS is disabled, but found stale params: {tls_params}"
+    )
+
+
 @mark.e2e_om_appdb_tls_disable
 def test_monitoring_works_after_tls_disable(ops_manager: MongoDBOpsManager):
     """
