Merge branch 'master' into anandsyncs/add-certmanager-community-search-snippets

Author: anandsyncs

api/v1/mdb/mongodb_types.go

@@ -243,6 +243,9 @@ func GetLastAdditionalMongodConfigByType(lastSpec *MongoDbSpec, configType Addit
 
 // GetLastAdditionalMongodConfigByType returns the last successfully achieved AdditionalMongodConfigType for the given component.
 func (m *MongoDB) GetLastAdditionalMongodConfigByType(configType AdditionalMongodConfigType) (*AdditionalMongodConfig, error) {
+	if m.Spec.GetResourceType() == ReplicaSet {
+		panic(errors.Errorf("this method cannot be used from ReplicaSet controller; use non-method GetLastAdditionalMongodConfigByType and pass lastSpec from the deployment state."))
+	}
 	if m.Spec.GetResourceType() == ShardedCluster {
 		panic(errors.Errorf("this method cannot be used from ShardedCluster controller; use non-method GetLastAdditionalMongodConfigByType and pass lastSpec from the deployment state."))
 	}

changelog/20251015_other_remove_legacy_search_coordinator_polyfill.md

@@ -0,0 +1,6 @@
+---
+kind: other
+date: 2025-10-15
+---
+
+* Simplified MongoDB Search setup: Removed the custom Search Coordinator polyfill (a piece of compatibility code previously needed to add the required permissions), as MongoDB 8.2.0 and later now include the necessary permissions via the built-in searchCoordinator role.

controllers/om/deployment/testing_utils.go

@@ -26,7 +26,7 @@ func CreateFromReplicaSet(mongoDBImage string, forceEnterprise bool, rs *mdb.Mon
 	), zap.S())
 	d := om.NewDeployment()
 
-	lastConfig, err := rs.GetLastAdditionalMongodConfigByType(mdb.ReplicaSetConfig)
+	lastConfig, err := mdb.GetLastAdditionalMongodConfigByType(nil, mdb.ReplicaSetConfig)
 	if err != nil {
 		panic(err)
 	}

controllers/operator/mongodbreplicaset_controller.go

@@ -2,6 +2,7 @@ package operator
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"reflect"
 	"testing"
@@ -858,6 +859,130 @@ func TestHandlePVCResize(t *testing.T) {
 	testPVCFinishedResizing(t, ctx, memberClient, p, reconciledResource, statefulSet, logger)
 }
 
+// ===== Test for state and vault annotations handling in replicaset controller =====
+
+// TestReplicaSetAnnotations_WrittenOnSuccess verifies that lastAchievedSpec annotation is written after successful
+// reconciliation.
+func TestReplicaSetAnnotations_WrittenOnSuccess(t *testing.T) {
+	ctx := context.Background()
+	rs := DefaultReplicaSetBuilder().Build()
+
+	reconciler, client, _ := defaultReplicaSetReconciler(ctx, nil, "", "", rs)
+
+	checkReconcileSuccessful(ctx, t, reconciler, rs, client)
+
+	err := client.Get(ctx, rs.ObjectKey(), rs)
+	require.NoError(t, err)
+
+	require.Contains(t, rs.Annotations, util.LastAchievedSpec,
+		"lastAchievedSpec annotation should be written on successful reconciliation")
+
+	var lastSpec mdbv1.MongoDbSpec
+	err = json.Unmarshal([]byte(rs.Annotations[util.LastAchievedSpec]), &lastSpec)
+	require.NoError(t, err)
+	assert.Equal(t, 3, lastSpec.Members)
+	assert.Equal(t, "4.0.0", lastSpec.Version)
+}
+
+// TestReplicaSetAnnotations_NotWrittenOnFailure verifies that lastAchievedSpec annotation
+// is NOT written when reconciliation fails.
+func TestReplicaSetAnnotations_NotWrittenOnFailure(t *testing.T) {
+	ctx := context.Background()
+	rs := DefaultReplicaSetBuilder().Build()
+
+	// Setup without credentials secret to cause failure
+	kubeClient := mock.NewEmptyFakeClientBuilder().
+		WithObjects(rs).
+		WithObjects(mock.GetProjectConfigMap(mock.TestProjectConfigMapName, "testProject", "testOrg")).
+		Build()
+
+	reconciler := newReplicaSetReconciler(ctx, kubeClient, nil, "", "", false, false, nil)
+
+	_, err := reconciler.Reconcile(ctx, requestFromObject(rs))
+	require.NoError(t, err, "Reconcile should not return error (error captured in status)")
+
+	err = kubeClient.Get(ctx, rs.ObjectKey(), rs)
+	require.NoError(t, err)
+
+	assert.NotEqual(t, status.PhaseRunning, rs.Status.Phase)
+
+	assert.NotContains(t, rs.Annotations, util.LastAchievedSpec,
+		"lastAchievedSpec should NOT be written when reconciliation fails")
+}
+
+// TestReplicaSetAnnotations_PreservedOnSubsequentFailure verifies that annotations from a previous successful
+// reconciliation are preserved when a later reconciliation fails.
+func TestReplicaSetAnnotations_PreservedOnSubsequentFailure(t *testing.T) {
+	ctx := context.Background()
+	rs := DefaultReplicaSetBuilder().Build()
+
+	kubeClient, omConnectionFactory := mock.NewDefaultFakeClient(rs)
+	reconciler := newReplicaSetReconciler(ctx, kubeClient, nil, "", "", false, false, omConnectionFactory.GetConnectionFunc)
+
+	_, err := reconciler.Reconcile(ctx, requestFromObject(rs))
+	require.NoError(t, err)
+
+	err = kubeClient.Get(ctx, rs.ObjectKey(), rs)
+	require.NoError(t, err)
+	require.Contains(t, rs.Annotations, util.LastAchievedSpec)
+
+	originalLastAchievedSpec := rs.Annotations[util.LastAchievedSpec]
+
+	// Delete credentials to cause failure
+	credentialsSecret := mock.GetCredentialsSecret("testUser", "testApiKey")
+	err = kubeClient.Delete(ctx, credentialsSecret)
+	require.NoError(t, err)
+
+	rs.Spec.Members = 5
+	err = kubeClient.Update(ctx, rs)
+	require.NoError(t, err)
+
+	_, err = reconciler.Reconcile(ctx, requestFromObject(rs))
+	require.NoError(t, err)
+
+	err = kubeClient.Get(ctx, rs.ObjectKey(), rs)
+	require.NoError(t, err)
+
+	assert.Contains(t, rs.Annotations, util.LastAchievedSpec)
+	assert.NotEqual(t, status.PhaseRunning, rs.Status.Phase)
+	assert.Equal(t, originalLastAchievedSpec, rs.Annotations[util.LastAchievedSpec],
+		"lastAchievedSpec should remain unchanged when reconciliation fails")
+
+	var lastSpec mdbv1.MongoDbSpec
+	err = json.Unmarshal([]byte(rs.Annotations[util.LastAchievedSpec]), &lastSpec)
+	require.NoError(t, err)
+	assert.Equal(t, 3, lastSpec.Members,
+		"Should still reflect previous successful state (3 members, not 5)")
+}
+
+// TestVaultAnnotations_NotWrittenWhenDisabled verifies that vault annotations are NOT
+// written when vault backend is disabled.
+func TestVaultAnnotations_NotWrittenWhenDisabled(t *testing.T) {
+	ctx := context.Background()
+	rs := DefaultReplicaSetBuilder().Build()
+
+	t.Setenv("SECRET_BACKEND", "K8S_SECRET_BACKEND")
+
+	reconciler, client, _ := defaultReplicaSetReconciler(ctx, nil, "", "", rs)
+
+	checkReconcileSuccessful(ctx, t, reconciler, rs, client)
+
+	err := client.Get(ctx, rs.ObjectKey(), rs)
+	require.NoError(t, err)
+
+	require.Contains(t, rs.Annotations, util.LastAchievedSpec,
+		"lastAchievedSpec should be written even when vault is disabled")
+
+	// Vault annotations would be simple secret names like "my-secret": "5"
+	for key := range rs.Annotations {
+		if key == util.LastAchievedSpec {
+			continue
+		}
+		assert.NotRegexp(t, "^[a-z0-9-]+$", key,
+			"Should not have simple secret name annotations when vault disabled - found: %s", key)
+	}
+}
+
 func testPVCFinishedResizing(t *testing.T, ctx context.Context, memberClient kubernetesClient.Client, p *corev1.PersistentVolumeClaim, reconciledResource *mdbv1.MongoDB, statefulSet *appsv1.StatefulSet, logger *zap.SugaredLogger) {
 	// Simulate that the PVC has finished resizing
 	setPVCWithUpdatedResource(ctx, t, memberClient, p)

controllers/operator/mongodbreplicaset_controller_test.go

@@ -36,7 +36,7 @@ func newMongoDBCommunity(name, namespace string) *mdbcv1.MongoDBCommunity {
 		Spec: mdbcv1.MongoDBCommunitySpec{
 			Type:    mdbcv1.ReplicaSet,
 			Members: 1,
-			Version: "8.0.10",
+			Version: "8.2.0",
 		},
 	}
 }

controllers/operator/mongodbsearch_controller_test.go

@@ -64,8 +64,8 @@ func (r *CommunitySearchSource) Validate() error {
 	version, err := semver.ParseTolerant(r.GetMongoDBVersion())
 	if err != nil {
 		return xerrors.Errorf("error parsing MongoDB version '%s': %w", r.Spec.Version, err)
-	} else if version.LT(semver.MustParse("8.0.10")) {
-		return xerrors.New("MongoDB version must be 8.0.10 or higher")
+	} else if version.LT(semver.MustParse("8.2.0")) {
+		return xerrors.New("MongoDB version must be 8.2.0 or higher")
 	}
 
 	foundScram := false

controllers/searchcontroller/community_search_source.go

@@ -50,120 +50,120 @@ func TestCommunitySearchSource_Validate(t *testing.T) {
 			version:        "7.0.0",
 			authModes:      []mdbcv1.AuthMode{"SCRAM-SHA-256"},
 			expectError:    true,
-			expectedErrMsg: "MongoDB version must be 8.0.10 or higher",
+			expectedErrMsg: "MongoDB version must be 8.2.0 or higher",
 		},
 		{
 			name:           "Version just below minimum",
-			version:        "8.0.9",
+			version:        "8.1.9",
 			authModes:      []mdbcv1.AuthMode{"SCRAM-SHA-256"},
 			expectError:    true,
-			expectedErrMsg: "MongoDB version must be 8.0.10 or higher",
+			expectedErrMsg: "MongoDB version must be 8.2.0 or higher",
 		},
 		{
 			name:        "Valid minimum version",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   []mdbcv1.AuthMode{"SCRAM-SHA-256"},
 			expectError: false,
 		},
 		{
 			name:        "Version above minimum",
-			version:     "8.1.0",
+			version:     "8.3.0",
 			authModes:   []mdbcv1.AuthMode{"SCRAM-SHA-256"},
 			expectError: false,
 		},
 		{
 			name:        "Version with build number",
-			version:     "8.1.0-rc1",
+			version:     "8.3.0-rc1",
 			authModes:   []mdbcv1.AuthMode{"SCRAM-SHA-256"},
 			expectError: false,
 		},
 		// Authentication mode tests - empty/nil cases
 		{
 			name:        "Empty auth modes",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   []mdbcv1.AuthMode{},
 			expectError: false,
 		},
 		{
 			name:        "Nil auth modes",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   nil,
 			expectError: false,
 		},
 		{
 			name:           "X509 mode only",
-			version:        "8.0.10",
+			version:        "8.2.0",
 			authModes:      []mdbcv1.AuthMode{"X509"},
 			expectError:    true,
 			expectedErrMsg: "MongoDBSearch requires SCRAM authentication to be enabled",
 		},
 		{
 			name:        "X509 and SCRAM",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   []mdbcv1.AuthMode{"X509", "SCRAM-SHA-256"},
 			expectError: false,
 		},
 		{
 			name:        "Multiple auth modes with SCRAM first",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   []mdbcv1.AuthMode{"SCRAM-SHA-1", "X509"},
 			expectError: false,
 		},
 		{
 			name:        "Multiple auth modes with SCRAM last",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   []mdbcv1.AuthMode{"PLAIN", "X509", "SCRAM-SHA-256"},
 			expectError: false,
 		},
 		{
 			name:           "Multiple non-SCRAM modes",
-			version:        "8.0.10",
+			version:        "8.2.0",
 			authModes:      []mdbcv1.AuthMode{"PLAIN", "X509"},
 			expectError:    true,
 			expectedErrMsg: "MongoDBSearch requires SCRAM authentication to be enabled",
 		},
 		// SCRAM variant tests
 		{
 			name:        "SCRAM only",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   []mdbcv1.AuthMode{"SCRAM"},
 			expectError: false,
 		},
 		{
 			name:        "SCRAM-SHA-1 only",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   []mdbcv1.AuthMode{"SCRAM-SHA-1"},
 			expectError: false,
 		},
 		{
 			name:        "SCRAM-SHA-256 only",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   []mdbcv1.AuthMode{"SCRAM-SHA-256"},
 			expectError: false,
 		},
 		{
 			name:        "All SCRAM variants",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   []mdbcv1.AuthMode{"SCRAM", "SCRAM-SHA-1", "SCRAM-SHA-256"},
 			expectError: false,
 		},
 		// Case-insensitive tests (now supported with ToUpper)
 		{
 			name:        "Lowercase SCRAM",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   []mdbcv1.AuthMode{"scram-sha-256"},
 			expectError: false,
 		},
 		{
 			name:        "Mixed case SCRAM",
-			version:     "8.0.10",
+			version:     "8.2.0",
 			authModes:   []mdbcv1.AuthMode{"Scram-Sha-256"},
 			expectError: false,
 		},
 		// Edge case tests
 		{
 			name:           "PLAIN only",
-			version:        "8.0.10",
+			version:        "8.2.0",
 			authModes:      []mdbcv1.AuthMode{"PLAIN"},
 			expectError:    true,
 			expectedErrMsg: "MongoDBSearch requires SCRAM authentication to be enabled",
@@ -174,11 +174,11 @@ func TestCommunitySearchSource_Validate(t *testing.T) {
 			version:        "7.0.0",
 			authModes:      []mdbcv1.AuthMode{"SCRAM-SHA-256"},
 			expectError:    true,
-			expectedErrMsg: "MongoDB version must be 8.0.10 or higher",
+			expectedErrMsg: "MongoDB version must be 8.2.0 or higher",
 		},
 		{
 			name:           "Valid version with invalid auth",
-			version:        "8.0.10",
+			version:        "8.2.0",
 			authModes:      []mdbcv1.AuthMode{"X509"},
 			expectError:    true,
 			expectedErrMsg: "MongoDBSearch requires SCRAM authentication to be enabled",
@@ -188,7 +188,7 @@ func TestCommunitySearchSource_Validate(t *testing.T) {
 			version:        "7.0.0",
 			authModes:      []mdbcv1.AuthMode{"X509"},
 			expectError:    true,
-			expectedErrMsg: "MongoDB version must be 8.0.10 or higher", // Should fail on version first
+			expectedErrMsg: "MongoDB version must be 8.2.0 or higher", // Should fail on version first
 		},
 	}
 

controllers/searchcontroller/community_search_source_test.go

@@ -55,8 +55,8 @@ func (r EnterpriseResourceSearchSource) Validate() error {
 	version, err := semver.ParseTolerant(util.StripEnt(r.Spec.GetMongoDBVersion()))
 	if err != nil {
 		return xerrors.Errorf("error parsing MongoDB version '%s': %w", r.Spec.GetMongoDBVersion(), err)
-	} else if version.LT(semver.MustParse("8.0.10")) {
-		return xerrors.New("MongoDB version must be 8.0.10 or higher")
+	} else if version.LT(semver.MustParse("8.2.0")) {
+		return xerrors.New("MongoDB version must be 8.2.0 or higher")
 	}
 
 	if r.Spec.GetTopology() != mdbv1.ClusterTopologySingleCluster {