From 8c4a7c846b74978dd40c1071fd3b106a050facfc Mon Sep 17 00:00:00 2001 From: Roo Thorp Date: Thu, 20 Feb 2025 10:06:25 +0000 Subject: [PATCH 1/2] add test for conn secret cleanup issue --- test/int/databaseuser_unprotected_test.go | 48 +++++++++++++++++++++-- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/test/int/databaseuser_unprotected_test.go b/test/int/databaseuser_unprotected_test.go index 34e80ba9ff..51eade01b6 100644 --- a/test/int/databaseuser_unprotected_test.go +++ b/test/int/databaseuser_unprotected_test.go @@ -442,7 +442,7 @@ var _ = Describe("Atlas Database User", Label("int", "AtlasDatabaseUser", "prote }) }) - It("Remove stale secrets", Label("user-gc-secrets"), func() { + It("Correctly removes stale secrets", Label("user-gc-secrets"), func() { secondTestDeployment := &akov2.AtlasDeployment{} By("Creating a second deployment", func() { 
@@ -474,6 +474,26 @@ var _ = Describe("Atlas Database User", Label("int", "AtlasDatabaseUser", "prote Expect(tryConnect(testProject.ID(), *secondTestDeployment, *testDBUser1)).Should(Succeed()) }) + By("Creating a second database user", func() { + passwordSecret := buildPasswordSecret(testNamespace.Name, "user-password-secret-2", DBUserPassword) + Expect(k8sClient.Create(context.Background(), &passwordSecret)).To(Succeed()) + + testDBUser2 = akov2.NewDBUser(testNamespace.Name, dbUserName2, dbUserName2, projectName). + WithPasswordSecret("user-password-secret-2"). + WithRole("readWriteAnyDatabase", "admin", "") + Expect(k8sClient.Create(context.Background(), testDBUser2)).To(Succeed()) + + Eventually(func() bool { + return resources.CheckCondition(k8sClient, testDBUser2, api.TrueCondition(api.ReadyType)) + }).WithTimeout(databaseUserTimeout).WithPolling(PollingInterval).Should(BeTrue()) + + validateSecret(k8sClient, *testProject, *testDeployment, *testDBUser2) + validateSecret(k8sClient, *testProject, *secondTestDeployment, *testDBUser2) + + Expect(tryConnect(testProject.ID(), *testDeployment, *testDBUser2)).Should(Succeed()) + Expect(tryConnect(testProject.ID(), *secondTestDeployment, *testDBUser2)).Should(Succeed()) + }) + By("Renaming username, new user is added and stale secrets are removed", func() { Expect(k8sClient.Get(context.Background(), client.ObjectKeyFromObject(testDBUser1), testDBUser1)).To(Succeed()) oldName := testDBUser1.Spec.Username @@ -493,7 +513,7 @@ var _ = Describe("Atlas Database User", Label("int", "AtlasDatabaseUser", "prote Execute() Expect(err).To(HaveOccurred()) - checkNumberOfConnectionSecrets(k8sClient, *testProject, testNamespace.Name, 2) + checkNumberOfConnectionSecrets(k8sClient, *testProject, testNamespace.Name, 4) secret := validateSecret(k8sClient, *testProject, *testDeployment, *testDBUser1) Expect(secret.Name).To(Equal(fmt.Sprintf("%s-%s-new-user", kube.NormalizeIdentifier(testProject.Spec.Name), 
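Review bot: The new "Creating a second database user" step validates the two secrets for testDBUser2 individually but never pins the total, so the count of 4 is first asserted only after the rename in the following step. Adding `checkNumberOfConnectionSecrets(k8sClient, *testProject, testNamespace.Name, 4)` after the two `validateSecret` calls would separate a wrong starting state from over- or under-deletion by the cleanup this test is meant to catch. `testDBUser2` and `dbUserName2` are declared outside the hunk. Whether the extra password secret and the user are torn down afterwards is not visible here.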
@@ -504,9 +524,21 @@ var _ = Describe("Atlas Database User", Label("int", "AtlasDatabaseUser", "prote kube.NormalizeIdentifier(testProject.Spec.Name), kube.NormalizeIdentifier(secondTestDeployment.GetDeploymentName()), ))) + secret = validateSecret(k8sClient, *testProject, *testDeployment, *testDBUser2) + Expect(secret.Name).To(Equal(fmt.Sprintf("%s-%s-db-user2", + kube.NormalizeIdentifier(testProject.Spec.Name), + kube.NormalizeIdentifier(testDeployment.GetDeploymentName()), + ))) + secret = validateSecret(k8sClient, *testProject, *secondTestDeployment, *testDBUser2) + Expect(secret.Name).To(Equal(fmt.Sprintf("%s-%s-db-user2", + kube.NormalizeIdentifier(testProject.Spec.Name), + kube.NormalizeIdentifier(secondTestDeployment.GetDeploymentName()), + ))) Expect(tryConnect(testProject.ID(), *testDeployment, *testDBUser1)).Should(Succeed()) Expect(tryConnect(testProject.ID(), *secondTestDeployment, *testDBUser1)).Should(Succeed()) + Expect(tryConnect(testProject.ID(), *testDeployment, *testDBUser2)).Should(Succeed()) + Expect(tryConnect(testProject.ID(), *secondTestDeployment, *testDBUser2)).Should(Succeed()) }) By("Scoping user to one cluster, a stale secret is removed", func() { 
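Review bot: Both new `Expect(secret.Name)` blocks hard-code the suffix `db-user2`, so they silently depend on the value of `dbUserName2`, which is defined outside the hunk. Building the expectation from the object, for example passing `kube.NormalizeIdentifier(testDBUser2.Spec.Username)` as a third `%s` argument, would keep the assertion tied to the user under test. This assumes the secret name uses the normalized username, which the visible lines suggest but do not prove. The two blocks differ only in the deployment, so a small local helper would also remove the repetition.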
@@ -520,11 +552,21 @@ var _ = Describe("Atlas Database User", Label("int", "AtlasDatabaseUser", "prote return resources.CheckCondition(k8sClient, testDBUser1, api.TrueCondition(api.ReadyType)) }).WithTimeout(databaseUserTimeout).WithPolling(PollingInterval).Should(BeTrue()) - checkNumberOfConnectionSecrets(k8sClient, *testProject, testNamespace.Name, 1) + testDBUser2 = testDBUser2.ClearScopes().WithScope(akov2.DeploymentScopeType, testDeployment.GetDeploymentName()) + Expect(k8sClient.Update(context.Background(), testDBUser2)).To(Succeed()) + + Eventually(func() bool { + return resources.CheckCondition(k8sClient, testDBUser2, api.TrueCondition(api.ReadyType)) + }).WithTimeout(databaseUserTimeout).WithPolling(PollingInterval).Should(BeTrue()) + + checkNumberOfConnectionSecrets(k8sClient, *testProject, testNamespace.Name, 2) validateSecret(k8sClient, *testProject, *testDeployment, *testDBUser1) + validateSecret(k8sClient, *testProject, *testDeployment, *testDBUser2) Expect(tryConnect(testProject.ID(), *testDeployment, *testDBUser1)).Should(Succeed()) Expect(tryConnect(testProject.ID(), *secondTestDeployment, *testDBUser1)).ShouldNot(Succeed()) + Expect(tryConnect(testProject.ID(), *testDeployment, *testDBUser2)).Should(Succeed()) + Expect(tryConnect(testProject.ID(), *secondTestDeployment, *testDBUser2)).ShouldNot(Succeed()) }) By("Deleting second deployment", func() { From fef6e05b91d060968062feb6a4fafb0bf36fb0c0 Mon Sep 17 00:00:00 2001 From: Roo Thorp Date: Thu, 20 Feb 2025 10:06:42 +0000 Subject: [PATCH 2/2] account for flex when listing clusters --- internal/translation/deployment/deployment.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/internal/translation/deployment/deployment.go b/internal/translation/deployment/deployment.go index 55e3450e65..546bc9dc1b 100644 --- a/internal/translation/deployment/deployment.go +++ b/internal/translation/deployment/deployment.go 
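Review bot: In the scoping step of databaseuser_unprotected_test.go, `testDBUser2` is modified and passed to `k8sClient.Update` without being re-read first, whereas the rename step does a `k8sClient.Get` on testDBUser1 before changing it. If the operator has written to the object since the test last fetched it, the update can fail with a conflict and make the test flaky. Whether `resources.CheckCondition` refreshes the object is not visible here. Consider adding `Expect(k8sClient.Get(context.Background(), client.ObjectKeyFromObject(testDBUser2), testDBUser2)).To(Succeed())` before the `ClearScopes()` line. The enclosing By block starts outside the hunk.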
@@ -87,6 +87,17 @@ func (ds *ProductionAtlasDeployments) ListDeploymentNames(ctx context.Context, p return deploymentNames, nil } + flex, _, err := ds.flexAPI.ListFlexClusters(ctx, projectID).Execute() + if err != nil { + return nil, fmt.Errorf("failed to list flex clusters for project %s: %w", projectID, err) + } + for _, d := range flex.GetResults() { + name := pointer.GetOrDefault(d.Name, "") + if name != "" { + deploymentNames = append(deploymentNames, name) + } + } + serverless, _, err := ds.serverlessAPI.ListServerlessInstances(ctx, projectID).Execute() if err != nil { return nil, fmt.Errorf("failed to list serverless deployments for project %s: %w", projectID, err)
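Review bot: The added flex listing reads only what a single `ListFlexClusters(ctx, projectID).Execute()` call returns, so if the endpoint pages its results, flex clusters beyond the first page are missing from `deploymentNames`. Judging by the companion test commit, this list feeds connection-secret cleanup, where an incomplete list could make secrets of live deployments look stale. That caller is not visible here, so this needs confirming. Either page through the results or document the limit, e.g. `// NOTE: reads a single page of flex clusters; confirm the page size covers the project`. The serverless call below uses the same single-call pattern, and ListDeploymentNames starts and ends outside the hunk.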