Fix broken TLS + X509 tests that never enabled TLS

[filipcirtog]

Summary

TLS + X509 tests (RS, SC, Standalone) were broken: Tests modified spec.security but never set certsSecretPrefix or called update(), so IsTLSEnabled() always returned false and the automation config never included TLS settings. Tests passed without actually validating TLS behavior.

Standalone doesn't support TLS + X509 simultaneously: MongoDB standalone deployments don't support X509 authentication, so the standalone test was removed rather than fixed.

Multicluster test: Omitted update() calls.

Proof of Work

• Add missing update() calls and set certsSecretPrefix/tls.ca in RS and SC tests to properly enable TLS
• Add test_connectivity_with_ssl to verify TLS with SSL-enabled client
• Increase X509 timeout to 1200s/2000s for auth transitions
• Remove standalone test from Evergreen

Checklist

• Have you linked a jira ticket and/or is the ticket in the title?
• Have you checked whether your jira ticket required DOCSP changes?
• Have you added changelog file?
  • use skip-changelog label if not needed
  • refer to Changelog files and Release Notes section in CONTRIBUTING.md for more details

[filipcirtog]

• Fix broken TLS + X509 tests that never enabled TLS #815 👈 (View in Graphite)
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

⚠️ (this preview might not be accurate if the PR is not rebased on current master branch)

MCK 1.7.1 Release Notes

Other Changes

• Container images: Merged the init-database and init-appdb init container images into a single init-database image. The init-appdb image will no longer be published and does not affect existing deployments.
• Helm Chart: Removed operator.baseName Helm value. This value was never intended to be consumed by operator users and was never documented. The value controls the prefix for workload RBAC resource names (mongodb-kubernetes default), but changing it could break the operator and workloads because the operator is not aware of custom prefixes. With this change, the Helm chart will no longer allow customisation and the relevant resources will be deployed with predefined names (ServiceAccount with names mongodb-kubernetes-appdb, mongodb-kubernetes-database-pods, mongodb-kubernetes-ops-manager, Role with name mongodb-kubernetes-appdb and RoleBinding with name mongodb-kubernetes-appdb).

[Copilot]

Pull request overview

This PR adjusts E2E tests to correctly apply and validate TLS enablement before switching authentication to X509, and fixes spec update handling in a multicluster replicaset test.

Changes:

• Update the RS and SC “TLS + X509 simultaneously” tests to explicitly enable TLS via certsSecretPrefix + tls.ca, call update(), and add SSL connectivity assertions before enabling X509 auth.
• Fix the multicluster clusterwide replicaset test to use the correct spec.security.authentication structure and ensure spec changes are applied via try_load() / update().
• Remove the standalone variant of the “TLS + X509 simultaneously” test from Evergreen configuration (and delete the standalone test file).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
docker/mongodb-kubernetes-tests/tests/tls/e2e_configure_tls_and_x509_simultaneously_standalone.py	Removes the standalone TLS+X509 simultaneous E2E test module.
docker/mongodb-kubernetes-tests/tests/tls/e2e_configure_tls_and_x509_simultaneously_rs.py	Enables TLS through spec updates, adds SSL connectivity test, then enables X509 auth.
docker/mongodb-kubernetes-tests/tests/tls/e2e_configure_tls_and_x509_simultaneously_sc.py	Same as RS but for sharded cluster; adds TLS enablement step + SSL connectivity check before X509 auth.
docker/mongodb-kubernetes-tests/tests/multicluster/multi_2_cluster_clusterwide_replicaset.py	Fixes auth spec shape (dict vs tuple), adds missing update() calls, uses try_load() in fixtures.
.evergreen.yml	Removes the standalone TLS+X509 task from the relevant task group.
.evergreen-tasks.yml	Removes the standalone TLS+X509 task definition.

Comments suppressed due to low confidence (1)

.evergreen.yml:748

• PR description discusses fixing the standalone TLS+X509 simultaneous test, but this change removes the e2e_configure_tls_and_x509_simultaneously_st task from Evergreen (and the standalone test file/task appears to be deleted). Either update the PR description/title to reflect that the standalone coverage was removed, or restore/replace the standalone test so coverage remains consistent with the stated intent.

      # e2e_x509_task_group
      - e2e_configure_tls_and_x509_simultaneously_rs
      - e2e_configure_tls_and_x509_simultaneously_sc

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This module currently has an unused import (ShardedClusterTester). With the repo's flake8 config selecting F codes, this will raise an F401 unused-import error and fail lint. Remove the unused import (or use it if intended).

[nammn]

The changes make sense, but can you update your pr description with the why rather than what?