Simplify TLS disable test - keep certs during transition

nammn · nammn · commit eb0dd7ed3bec · 2025-12-17T19:45:10.000+01:00
The test was failing because removing certsSecretPrefix while TLS was
still transitioning (preferTLS mode) caused MongoDB to fail with:
'The use of TLS without specifying a chain of trust is no longer supported'

Fix: Just disable TLS and keep the certs. The certs are needed during
the transition and harmless to keep after TLS is fully disabled.
diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/withMonitoredAppDB/om_appdb_tls_disable.py b/docker/mongodb-kubernetes-tests/tests/opsmanager/withMonitoredAppDB/om_appdb_tls_disable.py
@@ -75,29 +75,24 @@ def test_disable_tls_on_appdb(ops_manager: MongoDBOpsManager):
     CLOUDP-351614: Disable TLS on AppDB and verify the operator correctly handles
     the transition without leaving stale TLS params in monitoring config.
 
-    TLS must be disabled in the correct order:
-    1. First disable TLS (tls.enabled = False) while keeping certs
-    2. Wait for the TLS mode transition to complete
-    3. Only then remove the certs (certsSecretPrefix)
+    This test disables TLS by setting tls.enabled = False. The operator handles
+    the TLS mode transition: requireTLS -> preferTLS -> allowTLS -> disabled.
+
+    Note: We keep the certsSecretPrefix in place because:
+    1. The cert files are needed during the TLS transition
+    2. Removing certsSecretPrefix while TLS mode is still transitioning causes failures
+    3. The certs are harmless to keep after TLS is disabled (just unused)
     """
     ops_manager.load()
 
-    # Step 1: Disable TLS mode (keeping certs until mode transition completes)
+    # Disable TLS mode (keeping certs for the transition)
     # The operator will handle the TLS mode transition: requireTLS -> preferTLS -> allowTLS -> disabled
     ops_manager["spec"]["applicationDatabase"]["security"]["tls"]["enabled"] = False
     ops_manager.update()
 
-    # Wait for AppDB to reach Running state after TLS mode is disabled
-    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=1200)
-
-    # Step 2: Now that TLS is fully disabled, we can safely remove the cert configuration
-    # This is optional cleanup - the certs are no longer used
-    ops_manager.load()
-    ops_manager["spec"]["applicationDatabase"]["security"]["certsSecretPrefix"] = None
-    ops_manager.update()
-
-    # Wait for AppDB to reach Running state after cert cleanup
-    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=600)
+    # Wait for AppDB to reach Running state after TLS mode is fully disabled
+    # Use a longer timeout as the transition goes through multiple TLS modes
+    ops_manager.appdb_status().assert_reaches_phase(Phase.Running, timeout=1800)
 
 
 @mark.e2e_om_appdb_tls_disable
