try out new test instead

nammn · nammn · commit bc0f7db33dd1 · 2025-12-17T14:21:56.000+01:00
diff --git a/.evergreen-tasks.yml b/.evergreen-tasks.yml
@@ -783,6 +783,11 @@ tasks:
     commands:
       - func: "e2e_test"
 
+  - name: e2e_om_appdb_tls_disable
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
   - name: e2e_om_appdb_multi_change
     tags: [ "patch-run" ]
     commands:
diff --git a/.evergreen.yml b/.evergreen.yml
@@ -968,6 +968,7 @@ task_groups:
       - e2e_om_appdb_flags_and_config
       - e2e_om_appdb_upgrade
       - e2e_om_appdb_monitoring_tls
+      - e2e_om_appdb_tls_disable
       - e2e_om_ops_manager_backup
       - e2e_om_ops_manager_backup_light
       - e2e_om_ops_manager_backup_liveness_probe
@@ -1022,6 +1023,7 @@ task_groups:
       - e2e_om_appdb_flags_and_config
       - e2e_om_appdb_upgrade
       - e2e_om_appdb_monitoring_tls
+      - e2e_om_appdb_tls_disable
       - e2e_om_ops_manager_backup
       - e2e_om_ops_manager_backup_light
       - e2e_om_ops_manager_backup_liveness_probe
@@ -1076,6 +1078,7 @@ task_groups:
       - e2e_om_appdb_external_connectivity
       - e2e_om_appdb_flags_and_config
       - e2e_om_appdb_monitoring_tls
+      - e2e_om_appdb_tls_disable
       - e2e_om_appdb_multi_change
       - e2e_om_appdb_scale_up_down
       - e2e_om_appdb_upgrade
@@ -1120,6 +1123,7 @@ task_groups:
       - e2e_om_appdb_external_connectivity
       - e2e_om_appdb_flags_and_config
       - e2e_om_appdb_monitoring_tls
+      - e2e_om_appdb_tls_disable
       - e2e_om_appdb_multi_change
       - e2e_om_appdb_scale_up_down
       - e2e_om_appdb_upgrade
diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/om_appdb_tls_disable.yaml b/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/om_appdb_tls_disable.yaml
@@ -0,0 +1,35 @@
+apiVersion: mongodb.com/v1
+kind: MongoDBOpsManager
+metadata:
+  name: om-tls-disable-test
+spec:
+  replicas: 1
+  version: 4.4.1
+  adminCredentials: ops-manager-admin-secret
+  security:
+    tls:
+      secretRef:
+        name: certs-for-ops-manager
+      ca: issuer-ca
+  backup:
+    enabled: false
+  applicationDatabase:
+    members: 3
+    version: 5.0.14-ent
+    security:
+      certsSecretPrefix: appdb
+      tls:
+        ca: issuer-ca
+
+  # adding this just to avoid wizard when opening OM UI
+  configuration:
+    automation.versions.source: mongodb
+    mms.adminEmailAddr: cloud-manager-support@mongodb.com
+    mms.fromEmailAddr: cloud-manager-support@mongodb.com
+    mms.ignoreInitialUiSetup: "true"
+    mms.mail.hostname: email-smtp.us-east-1.amazonaws.com
+    mms.mail.port: "465"
+    mms.mail.ssl: "true"
+    mms.mail.transport: smtp
+    mms.minimumTLSVersion: TLSv1.2
+    mms.replyToEmailAddr: cloud-manager-support@mongodb.com
diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/withMonitoredAppDB/om_appdb_tls_disable.py b/docker/mongodb-kubernetes-tests/tests/opsmanager/withMonitoredAppDB/om_appdb_tls_disable.py
@@ -0,0 +1,109 @@
+"""
+CLOUDP-351614: Test that TLS can be disabled on AppDB without breaking monitoring.
+
+This is a dedicated test file to verify that when TLS is disabled on AppDB,
+the operator correctly clears stale TLS params from the monitoring configuration.
+"""
+from typing import Optional
+
+from kubetester import create_or_update_secret, try_load
+from kubetester.certs import create_ops_manager_tls_certs
+from kubetester.kubetester import fixture as yaml_fixture
+from kubetester.opsmanager import MongoDBOpsManager
+from kubetester.phase import Phase
+from pytest import fixture, mark
+from tests.common.cert.cert_issuer import create_appdb_certs
+from tests.conftest import is_multi_cluster
+from tests.opsmanager.withMonitoredAppDB.conftest import enable_multi_cluster_deployment
+
+OM_NAME = "om-tls-disable-test"
+APPDB_NAME = f"{OM_NAME}-db"
+
+
+@fixture(scope="module")
+def ops_manager_certs(namespace: str, issuer: str):
+    return create_ops_manager_tls_certs(issuer, namespace, OM_NAME)
+
+
+@fixture(scope="module")
+def appdb_certs(namespace: str, issuer: str):
+    return create_appdb_certs(namespace, issuer, APPDB_NAME)
+
+
+@fixture(scope="module")
+@mark.usefixtures("appdb_certs", "ops_manager_certs", "issuer_ca_configmap")
+def ops_manager(
+    namespace: str,
+    issuer_ca_configmap: str,
+    appdb_certs: str,
+    ops_manager_certs: str,
+    custom_version: Optional[str],
+    custom_appdb_version: str,
+) -> MongoDBOpsManager:
+    """Create an Ops Manager with TLS-enabled AppDB for testing TLS disable."""
+    om = MongoDBOpsManager.from_yaml(yaml_fixture("om_appdb_tls_disable.yaml"), namespace=namespace)
+    om.set_version(custom_version)
+    om.set_appdb_version(custom_appdb_version)
+
+    if try_load(om):
+        return om
+
+    if is_multi_cluster():
+        enable_multi_cluster_deployment(om)
+
+    om.update()
+    return om
+
+
+@mark.e2e_om_appdb_tls_disable
+def test_om_created_with_tls(ops_manager: MongoDBOpsManager):
+    """Verify OM and AppDB are running with TLS enabled."""
+    ops_manager.om_status().assert_reaches_phase(Phase.Running, timeout=900)
+    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=600)
+
+
+@mark.e2e_om_appdb_tls_disable
+def test_appdb_monitoring_works_with_tls(ops_manager: MongoDBOpsManager):
+    """Verify monitoring works with TLS enabled before we disable it."""
+    ops_manager.assert_appdb_monitoring_group_was_created()
+    ops_manager.assert_monitoring_data_exists(timeout=600, all_hosts=False)
+
+
+@mark.e2e_om_appdb_tls_disable
+def test_disable_tls_on_appdb(ops_manager: MongoDBOpsManager):
+    """
+    CLOUDP-351614: Disable TLS on AppDB and verify the operator correctly handles
+    the transition without leaving stale TLS params in monitoring config.
+    """
+    ops_manager.load()
+
+    # Step 1: Transition to allowTLS mode first (required before fully disabling TLS)
+    ops_manager["spec"]["applicationDatabase"]["additionalMongodConfig"] = {
+        "net": {"tls": {"mode": "allowTLS"}}
+    }
+    ops_manager.update()
+    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=1200)
+
+    # Step 2: Fully disable TLS on AppDB
+    # Must remove certsSecretPrefix, disable TLS, and remove additionalMongodConfig
+    ops_manager["spec"]["applicationDatabase"]["security"]["certsSecretPrefix"] = None
+    ops_manager["spec"]["applicationDatabase"]["security"]["tls"]["enabled"] = False
+    del ops_manager["spec"]["applicationDatabase"]["additionalMongodConfig"]
+    ops_manager.update()
+
+    # Wait for AppDB to reach Running state after TLS disable
+    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=1200)
+
+
+@mark.e2e_om_appdb_tls_disable
+def test_monitoring_works_after_tls_disable(ops_manager: MongoDBOpsManager):
+    """
+    CLOUDP-351614: Verify monitoring data can still be collected after TLS disable.
+
+    After TLS is disabled, monitoring agents switch from x509 to SCRAM authentication.
+    This test verifies that:
+    1. The operator correctly cleared stale TLS params from monitoring config
+    2. Monitoring agents can reconnect and collect data
+    """
+    # Use a longer timeout as monitoring agents need time to reconnect with SCRAM auth
+    ops_manager.assert_monitoring_data_exists(timeout=1200, all_hosts=False)
diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/withMonitoredAppDB/om_ops_manager_appdb_monitoring_tls.py b/docker/mongodb-kubernetes-tests/tests/opsmanager/withMonitoredAppDB/om_ops_manager_appdb_monitoring_tls.py
@@ -101,34 +101,3 @@ def test_new_database_is_monitored_after_restart(ops_manager: MongoDBOpsManager)
     # We want to retrieve measurements from "new_database" which will indicate
     # that the monitoring agents are working with the new credentials.
     ops_manager.assert_monitoring_data_exists(database_name=database_name, timeout=1200, all_hosts=False)
-
-
-@mark.e2e_om_appdb_monitoring_tls
-def test_monitoring_works_after_tls_disable(ops_manager: MongoDBOpsManager):
-    """
-    CLOUDP-351614: Verify monitoring continues to work after disabling TLS.
-    When TLS is disabled, the monitoring config should not contain stale TLS params.
-    """
-    ops_manager.load()
-
-    # Transition to allowTLS mode first (required before disabling TLS)
-    ops_manager["spec"]["applicationDatabase"]["additionalMongodConfig"] = {
-        "net": {"tls": {"mode": "allowTLS"}}
-    }
-    ops_manager.update()
-    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=1200)
-
-    # Disable TLS on AppDB - must also remove additionalMongodConfig that had allowTLS
-    ops_manager["spec"]["applicationDatabase"]["security"]["certsSecretPrefix"] = None
-    ops_manager["spec"]["applicationDatabase"]["security"]["tls"]["enabled"] = False
-    del ops_manager["spec"]["applicationDatabase"]["additionalMongodConfig"]
-    ops_manager.update()
-    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=1200)
-
-    # Verify monitoring agents are still healthy after TLS disable
-    tester = ops_manager.get_om_tester(ops_manager.app_db_name())
-    agents_after = tester.api_read_monitoring_agents()
-    appdb_hostnames = ops_manager.get_appdb_hostnames_for_monitoring()
-    appdb_agents_after = [a for a in agents_after if a["hostname"] in appdb_hostnames]
-    assert all(a["stateName"] in ["ACTIVE", "STANDBY"] for a in appdb_agents_after), \
-        f"Monitoring agents should be healthy after TLS disable: {appdb_agents_after}"
