use cluster issuer

anandsyncs · anandsyncs · commit 0a13ee9082c6 · 2025-11-05T00:32:05.000+01:00
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0307_prepare_cert_manager_issuer.sh b/docs/search/01-search-community-deploy/code_snippets/01_0307_prepare_cert_manager_issuer.sh
@@ -1,46 +1,65 @@
-self_signed_issuer="${MDB_RESOURCE_NAME}-selfsigned-issuer"
-ca_cert_name="${MDB_RESOURCE_NAME}-ca"
-ca_issuer="${MDB_RESOURCE_NAME}-ca-issuer"
+#!/usr/bin/env bash
 
-kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+set -euo pipefail
+
+# Bootstrap a self-signed ClusterIssuer that will mint the CA material consumed by
+# the MongoDBCommunity deployment.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
 apiVersion: cert-manager.io/v1
-kind: Issuer
+kind: ClusterIssuer
 metadata:
-  name: ${self_signed_issuer}
-  namespace: ${MDB_NS}
+  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
 spec:
   selfSigned: {}
----
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}"
+
+# Create the CA certificate and secret in the cert-manager namespace.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: ${ca_cert_name}
-  namespace: ${MDB_NS}
+  name: ${MDB_TLS_CA_CERT_NAME}
+  namespace: ${CERT_MANAGER_NAMESPACE}
 spec:
   isCA: true
+  commonName: ${MDB_TLS_CA_CERT_NAME}
   secretName: ${MDB_TLS_CA_SECRET_NAME}
-  commonName: ${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local
   privateKey:
-    algorithm: RSA
-    size: 2048
+    algorithm: ECDSA
+    size: 256
   issuerRef:
-    kind: Issuer
-    name: ${self_signed_issuer}
-  duration: 240h0m0s
-  renewBefore: 120h0m0s
----
+    name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+    kind: ClusterIssuer
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}"
+
+# Publish a cluster-scoped issuer that fronts the generated CA secret so all namespaces can reuse it.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
 apiVersion: cert-manager.io/v1
-kind: Issuer
+kind: ClusterIssuer
 metadata:
-  name: ${ca_issuer}
-  namespace: ${MDB_NS}
+  name: ${MDB_TLS_CA_ISSUER}
 spec:
   ca:
     secretName: ${MDB_TLS_CA_SECRET_NAME}
 EOF_MANIFEST
 
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready issuer "${self_signed_issuer}" --timeout=120s
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${ca_cert_name}" --timeout=300s
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready issuer "${ca_issuer}" --timeout=120s
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}"
+
+TMP_CA_CERT="$(mktemp)"
+trap 'rm -f "${TMP_CA_CERT}"' EXIT
+
+kubectl --context "${K8S_CTX}" \
+  get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" \
+  -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_CA_CERT}"
+
+# Expose the CA bundle through a ConfigMap for workloads and the MongoDBCommunity resource.
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+  --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" \
+  --from-file=ca.crt="${TMP_CA_CERT}" \
+  --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
 
-echo "cert-manager issuer ${ca_issuer} is ready to sign certificates."
+echo "Cluster-wide CA issuer ${MDB_TLS_CA_ISSUER} is ready."
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0308_issue_tls_certificates.sh b/docs/search/01-search-community-deploy/code_snippets/01_0308_issue_tls_certificates.sh
@@ -1,4 +1,3 @@
-ca_issuer="${MDB_RESOURCE_NAME}-ca-issuer"
 server_certificate="${MDB_RESOURCE_NAME}-server-tls"
 search_certificate="${MDB_RESOURCE_NAME}-search-tls"
 
@@ -32,8 +31,8 @@ metadata:
 spec:
   secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
   issuerRef:
-    kind: Issuer
-    name: ${ca_issuer}
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
   duration: 240h0m0s
   renewBefore: 120h0m0s
   usages:
@@ -52,8 +51,8 @@ metadata:
 spec:
   secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
   issuerRef:
-    kind: Issuer
-    name: ${ca_issuer}
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
   duration: 240h0m0s
   renewBefore: 120h0m0s
   usages:
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0310_create_mongodb_community_resource.sh b/docs/search/01-search-community-deploy/code_snippets/01_0310_create_mongodb_community_resource.sh
@@ -12,8 +12,8 @@ spec:
       enabled: true
       certificateKeySecretRef:
         name: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
-      caCertificateSecretRef:
-        name: ${MDB_TLS_CA_SECRET_NAME}
+      caConfigMapRef:
+        name: ${MDB_TLS_CA_CONFIGMAP}
     authentication:
       ignoreUnknownUsers: true
       modes:
diff --git a/docs/search/01-search-community-deploy/env_variables.sh b/docs/search/01-search-community-deploy/env_variables.sh
@@ -14,6 +14,11 @@ export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
 export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
 export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
 
+export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
+export MDB_TLS_SELF_SIGNED_ISSUER="${MDB_RESOURCE_NAME}-selfsigned-cluster-issuer"
+export MDB_TLS_CA_CERT_NAME="${MDB_RESOURCE_NAME}-selfsigned-ca"
+export MDB_TLS_CA_ISSUER="${MDB_RESOURCE_NAME}-cluster-issuer"
+
 # minimum required MongoDB version for running MongoDB Search is 8.2.0
 export MDB_VERSION="8.2.0"
 
