mongodb
diff --git a/‎docs/search/01-search-community-deploy/code_snippets/01_0100_install_operator.sh‎
Lines changed: 6 additions & 0 deletions b/‎docs/search/01-search-community-deploy/code_snippets/01_0100_install_operator.sh‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/search/01-search-community-deploy/code_snippets/01_0305_create_mongodb_community_user_secrets.sh‎
Lines changed: 14 additions & 9 deletions b/‎docs/search/01-search-community-deploy/code_snippets/01_0305_create_mongodb_community_user_secrets.sh‎
Lines changed: 14 additions & 9 deletions
diff --git a/‎docs/search/01-search-community-deploy/code_snippets/01_0306_create_mongodb_tls_secrets.sh‎
Lines changed: 175 additions & 0 deletions b/‎docs/search/01-search-community-deploy/code_snippets/01_0306_create_mongodb_tls_secrets.sh‎
Lines changed: 175 additions & 0 deletions
@@ -1,3 +1,9 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+echo $OPERATOR_ADDITIONAL_HELM_VALUES
+
 helm upgrade --install --debug --kube-context "${K8S_CTX}" \
   --create-namespace \
   --namespace="${MDB_NS}" \
 
@@ -1,12 +1,17 @@
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-admin-user-password \
-  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}"
+#!/usr/bin/env bash
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdbc-rs-search-sync-source-password \
-  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}"
+set -euo pipefail
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-user-password \
-  --from-literal=password="${MDB_USER_PASSWORD}"
+create_secret() {
+    local secret_name="$1"
+    local password_var="$2"
 
+    kubectl create secret generic "${secret_name}" \
+        --from-literal=password="${password_var}" \
+        --dry-run=client -o yaml \
+        | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
+}
+
+create_secret "mdb-admin-user-password" "${MDB_ADMIN_USER_PASSWORD}"
+create_secret "${MDB_RESOURCE_NAME}-search-sync-source-password" "${MDB_SEARCH_SYNC_USER_PASSWORD}"
+create_secret "mdb-user-password" "${MDB_USER_PASSWORD}"
@@ -0,0 +1,175 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+: "${MDB_MEMBERS:=3}"
+
+# Inline TLS DNS entry functions (avoiding external file dependency)
+mongodb_service_fqdn() {
+  printf '%s-svc.%s.svc.cluster.local' "${MDB_RESOURCE_NAME}" "${MDB_NS}"
+}
+
+mongodb_wildcard_fqdn() {
+  printf '*.%s-svc.%s.svc.cluster.local' "${MDB_RESOURCE_NAME}" "${MDB_NS}"
+}
+
+mongodb_dns_entries() {
+  local members="${MDB_MEMBERS:-3}"
+  local member
+  local service
+  local wildcard
+
+  service="$(mongodb_service_fqdn)"
+  wildcard="$(mongodb_wildcard_fqdn)"
+
+  for ((member = 0; member < members; member++)); do
+    printf '%s-%s.%s\n' "${MDB_RESOURCE_NAME}" "${member}" "${service}"
+  done
+
+  printf '%s\n%s\n' "${service}" "${wildcard}"
+}
+
+mongot_service_fqdn() {
+  printf '%s-search-svc.%s.svc.cluster.local' "${MDB_RESOURCE_NAME}" "${MDB_NS}"
+}
+
+mongot_wildcard_fqdn() {
+  printf '*.%s-search.%s.svc.cluster.local' "${MDB_RESOURCE_NAME}" "${MDB_NS}"
+}
+
+mongot_dns_entries() {
+  mongot_service_fqdn
+  printf '\n'
+  mongot_wildcard_fqdn
+  printf '\n'
+  # Add individual search pod hostname for proper TLS validation
+  printf '%s-search-0.%s-search-svc.%s.svc.cluster.local\n' "${MDB_RESOURCE_NAME}" "${MDB_RESOURCE_NAME}" "${MDB_NS}"
+  # Add localhost and IP for local connections
+  printf 'localhost\n'
+  printf '127.0.0.1\n'
+}
+
+tls_ca_common_name() {
+  mongodb_service_fqdn
+}
+
+# Validate OpenSSL is available
+if ! command -v openssl &>/dev/null; then
+    echo "Error: OpenSSL is required but not installed"
+    exit 1
+fi
+
+# Mirror the certificate subjects and SAN entries that the optional cert-manager
+# helper provisions so users can either self-manage the assets or plug cert-manager
+# in to populate the same Kubernetes secrets automatically.
+
+tmpdir="$(mktemp -d)"
+trap 'rm -rf "${tmpdir}"' EXIT
+
+# Pre-calculate all DNS entries and services
+mongodb_service="$(mongodb_service_fqdn)"
+mongodb_sans=()
+while IFS= read -r entry; do
+  mongodb_sans+=("${entry}")
+done < <(mongodb_dns_entries)
+mongodb_san=$(printf 'DNS:%s,' "${mongodb_sans[@]}")
+mongodb_san="${mongodb_san%,}"
+
+mongot_service="$(mongot_service_fqdn)"
+mongot_sans=()
+while IFS= read -r entry; do
+  mongot_sans+=("${entry}")
+done < <(mongot_dns_entries)
+mongot_san=$(printf 'DNS:%s,' "${mongot_sans[@]}")
+mongot_san="${mongot_san%,}"
+
+# Function to handle OpenSSL errors
+openssl_exec() {
+    if ! "$@" >/dev/null 2>&1; then
+        echo "Error: OpenSSL command failed: $*" >&2
+        exit 1
+    fi
+}
+
+# Create CA certificate
+echo "Generating CA certificate..."
+openssl_exec openssl ecparam -name prime256v1 -genkey -noout -out "${tmpdir}/ca.key"
+openssl_exec openssl req -x509 -new -key "${tmpdir}/ca.key" \
+  -out "${tmpdir}/ca.crt" \
+  -days 365 \
+  -sha256 \
+  -subj "/CN=$(tls_ca_common_name)" \
+  -addext "basicConstraints = critical,CA:true" \
+  -addext "keyUsage = critical,keyCertSign,cRLSign" \
+  -addext "subjectKeyIdentifier = hash"
+
+# Optimized function to sign certificates
+sign_cert() {
+    local name="$1"
+    local common_name="$2"
+    local san="$3"
+
+    echo "Generating certificate for ${name}..."
+
+    # Generate private key
+    openssl_exec openssl ecparam -name prime256v1 -genkey -noout -out "${tmpdir}/${name}.key"
+
+    # Create CSR
+    openssl_exec openssl req -new \
+        -key "${tmpdir}/${name}.key" \
+        -out "${tmpdir}/${name}.csr" \
+        -subj "/CN=${common_name}" \
+        -addext "subjectAltName = ${san}" \
+        -addext "extendedKeyUsage = serverAuth,clientAuth" \
+        -addext "keyUsage = digitalSignature,keyEncipherment"
+
+    # Sign certificate with consolidated extensions including client auth
+    openssl_exec openssl x509 -req -in "${tmpdir}/${name}.csr" \
+        -CA "${tmpdir}/ca.crt" \
+        -CAkey "${tmpdir}/ca.key" \
+        -CAcreateserial \
+        -out "${tmpdir}/${name}.crt" \
+        -days 365 \
+        -sha256 \
+        -extfile <(cat <<EOF
+subjectAltName=${san}
+extendedKeyUsage=serverAuth,clientAuth
+keyUsage=digitalSignature,keyEncipherment
+basicConstraints=CA:FALSE
+EOF
+)
+}
+
+# Generate certificates for MongoDB and Search
+sign_cert mongodb "${mongodb_service}" "${mongodb_san}"
+sign_cert mongot "${mongot_service}" "${mongot_san}"
+
+# Function to create secrets with consistent pattern
+create_tls_secret() {
+    local secret_name="$1"
+    local cert_file="$2"
+    local key_file="$3"
+    local secret_type="${4:-tls}"
+
+    echo "Creating secret ${secret_name}..."
+    if [[ "${secret_type}" == "generic" ]]; then
+        kubectl create secret generic "${secret_name}" \
+            --from-file=ca.crt="${cert_file}" \
+            --dry-run=client -o yaml \
+            | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
+    else
+        kubectl create secret tls "${secret_name}" \
+            --cert="${cert_file}" \
+            --key="${key_file}" \
+            --dry-run=client -o yaml \
+            | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
+    fi
+}
+
+# Create all secrets
+echo "Creating Kubernetes secrets..."
+create_tls_secret "${MDB_TLS_CA_SECRET}" "${tmpdir}/ca.crt" "" "generic"
+create_tls_secret "${MDB_TLS_CERT_SECRET}" "${tmpdir}/mongodb.crt" "${tmpdir}/mongodb.key"
+create_tls_secret "${MDB_SEARCH_TLS_SECRET}" "${tmpdir}/mongot.crt" "${tmpdir}/mongot.key"
+
+echo "TLS certificates and secrets created successfully"