CLOUDP-342363 [Search] Enterprise Server with TLS (#395)

# Summary

<!-- Enter your issue summary here.-->

## Proof of Work

<!-- Enter your proof that it works here.-->

## Checklist

- [x] Have you linked a jira ticket and/or is the ticket in the title?
- [x] Have you checked whether your jira ticket required DOCSP changes?
- [x] Have you added changelog file?
    - use `skip-changelog` label if not needed
- refer to [Changelog files and Release
Notes](https://github.com/mongodb/mongodb-kubernetes/blob/master/CONTRIBUTING.md#changelog-files-and-release-notes)
section in CONTRIBUTING.md for more details

Author: fealebenpae

.evergreen-tasks.yml

@@ -1306,3 +1306,8 @@ tasks:
     commands:
       - func: "e2e_test"
 
+  - name: e2e_search_enterprise_tls
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+

.evergreen.yml

@@ -817,6 +817,7 @@ task_groups:
       - e2e_sharded_cluster_oidc_m2m_user
       # MongoDBSearch test group
       - e2e_search_enterprise_basic
+      - e2e_search_enterprise_tls
     <<: *teardown_group
 
   # this task group contains just a one task, which is smoke testing whether the operator

config/crd/bases/mongodb.com_mongodbsearch.yaml

@@ -49,6 +49,8 @@ spec:
           spec:
             properties:
               persistence:
+                description: Configure MongoDB Search's persistent volume. If not
+                  defined, the operator will request 10GB of storage.
                 properties:
                   multiple:
                     properties:
@@ -95,7 +97,8 @@ spec:
                     type: object
                 type: object
               resourceRequirements:
-                description: ResourceRequirements describes the compute resource requirements.
+                description: Configure resource requests and limits for the MongoDB
+                  Search pods.
                 properties:
                   claims:
                     description: |-
@@ -150,6 +153,8 @@ spec:
                     type: object
                 type: object
               security:
+                description: Configure security settings of the MongoDB Search server
+                  that MongoDB database is connecting to when performing search queries.
                 properties:
                   tls:
                     properties:
@@ -181,6 +186,8 @@ spec:
                     type: object
                 type: object
               source:
+                description: MongoDB database connection details from which MongoDB
+                  Search will synchronize data to build indexes.
                 properties:
                   external:
                     properties:
@@ -199,7 +206,7 @@ spec:
                           name:
                             type: string
                         required:
-                          - name
+                        - name
                         type: object
                       tls:
                         properties:
@@ -224,7 +231,7 @@ spec:
                           enabled:
                             type: boolean
                         required:
-                          - enabled
+                        - enabled
                         type: object
                     type: object
                   mongodbResourceRef:
@@ -277,6 +284,9 @@ spec:
                 - spec
                 type: object
               version:
+                description: Optional version of MongoDB Search component (mongot).
+                  If not set, then the operator will set the most appropriate version
+                  of MongoDB Search.
                 type: string
             type: object
           status:

controllers/operator/mongodbsearch_controller.go

@@ -59,6 +59,21 @@ func (r *MongoDBSearchReconciler) Reconcile(ctx context.Context, request reconci
 
 	r.watch.AddWatchedResourceIfNotAdded(searchSource.KeyfileSecretName(), mdbSearch.Namespace, watch.Secret, mdbSearch.NamespacedName())
 
+	// Watch for changes in database source CA certificate secrets or configmaps
+	tlsSourceConfig := searchSource.TLSConfig()
+	if tlsSourceConfig != nil {
+		for wType, resources := range tlsSourceConfig.ResourcesToWatch {
+			for _, resource := range resources {
+				r.watch.AddWatchedResourceIfNotAdded(resource.Name, resource.Namespace, wType, mdbSearch.NamespacedName())
+			}
+		}
+	}
+
+	// Watch our own TLS certificate secret for changes
+	if mdbSearch.Spec.Security.TLS.Enabled {
+		r.watch.AddWatchedResourceIfNotAdded(mdbSearch.Spec.Security.TLS.CertificateKeySecret.Name, mdbSearch.Namespace, watch.Secret, mdbSearch.NamespacedName())
+	}
+
 	reconcileHelper := search_controller.NewMongoDBSearchReconcileHelper(kubernetesClient.NewClient(r.kubeClient), mdbSearch, searchSource, r.operatorSearchConfig)
 
 	return reconcileHelper.Reconcile(ctx, log).ReconcileResult()

controllers/search_controller/community_search_source.go

@@ -8,7 +8,11 @@ import (
 	"golang.org/x/xerrors"
 	"k8s.io/apimachinery/pkg/types"
 
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/mongodb/mongodb-kubernetes/controllers/operator/watch"
 	mdbcv1 "github.com/mongodb/mongodb-kubernetes/mongodb-community-operator/api/v1"
+	"github.com/mongodb/mongodb-kubernetes/pkg/statefulset"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util"
 )
 
@@ -32,12 +36,27 @@ func (r *CommunitySearchSource) KeyfileSecretName() string {
 	return r.MongoDBCommunity.GetAgentKeyfileSecretNamespacedName().Name
 }
 
-func (r *CommunitySearchSource) IsSecurityTLSConfigEnabled() bool {
-	return r.Spec.Security.TLS.Enabled
-}
+func (r *CommunitySearchSource) TLSConfig() *TLSSourceConfig {
+	if !r.Spec.Security.TLS.Enabled {
+		return nil
+	}
+
+	var volume corev1.Volume
+	watchedResources := make(map[watch.Type][]types.NamespacedName)
 
-func (r *CommunitySearchSource) TLSOperatorCASecretNamespacedName() types.NamespacedName {
-	return r.MongoDBCommunity.TLSOperatorCASecretNamespacedName()
+	if r.Spec.Security.TLS.CaCertificateSecret != nil {
+		volume = statefulset.CreateVolumeFromSecret("ca", r.Spec.Security.TLS.CaCertificateSecret.Name)
+		watchedResources[watch.Secret] = []types.NamespacedName{r.TLSCaCertificateSecretNamespacedName()}
+	} else {
+		volume = statefulset.CreateVolumeFromConfigMap("ca", r.Spec.Security.TLS.CaConfigMap.Name)
+		watchedResources[watch.ConfigMap] = []types.NamespacedName{r.TLSConfigMapNamespacedName()}
+	}
+
+	return &TLSSourceConfig{
+		CAFileName:       "ca.crt",
+		CAVolume:         volume,
+		ResourcesToWatch: watchedResources,
+	}
 }
 
 func (r *CommunitySearchSource) Validate() error {

controllers/search_controller/enterprise_search_source.go

@@ -9,6 +9,8 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 
 	mdbv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdb"
+	"github.com/mongodb/mongodb-kubernetes/controllers/operator/watch"
+	"github.com/mongodb/mongodb-kubernetes/pkg/statefulset"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util"
 )
 
@@ -28,16 +30,24 @@ func (r EnterpriseResourceSearchSource) HostSeeds() []string {
 	return seeds
 }
 
-func (r EnterpriseResourceSearchSource) KeyfileSecretName() string {
-	return fmt.Sprintf("%s-keyfile", r.Name)
-}
+func (r EnterpriseResourceSearchSource) TLSConfig() *TLSSourceConfig {
+	if !r.Spec.Security.IsTLSEnabled() {
+		return nil
+	}
 
-func (r EnterpriseResourceSearchSource) IsSecurityTLSConfigEnabled() bool {
-	return r.Spec.Security.IsTLSEnabled()
+	return &TLSSourceConfig{
+		CAFileName: "ca-pem",
+		CAVolume:   statefulset.CreateVolumeFromConfigMap("ca", r.Spec.Security.TLSConfig.CA),
+		ResourcesToWatch: map[watch.Type][]types.NamespacedName{
+			watch.ConfigMap: {
+				{Namespace: r.Namespace, Name: r.Spec.Security.TLSConfig.CA},
+			},
+		},
+	}
 }
 
-func (r EnterpriseResourceSearchSource) TLSOperatorCASecretNamespacedName() types.NamespacedName {
-	return types.NamespacedName{}
+func (r EnterpriseResourceSearchSource) KeyfileSecretName() string {
+	return fmt.Sprintf("%s-keyfile", r.Name)
 }
 
 func (r EnterpriseResourceSearchSource) Validate() error {

controllers/search_controller/external_search_source.go

@@ -4,6 +4,8 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 
 	searchv1 "github.com/mongodb/mongodb-kubernetes/api/v1/search"
+	"github.com/mongodb/mongodb-kubernetes/controllers/operator/watch"
+	"github.com/mongodb/mongodb-kubernetes/pkg/statefulset"
 )
 
 func NewExternalSearchSource(namespace string, spec *searchv1.ExternalMongoDBSource) SearchSourceDBResource {
@@ -20,27 +22,28 @@ func (r *externalSearchResource) Validate() error {
 	return nil
 }
 
-func (r *externalSearchResource) KeyfileSecretName() string {
-	if r.spec.KeyFileSecretKeyRef != nil {
-		return r.spec.KeyFileSecretKeyRef.Name
+func (r *externalSearchResource) TLSConfig() *TLSSourceConfig {
+	if r.spec.TLS == nil || !r.spec.TLS.Enabled {
+		return nil
 	}
 
-	return ""
-}
-
-func (r *externalSearchResource) IsSecurityTLSConfigEnabled() bool {
-	return r.spec.TLS != nil && r.spec.TLS.Enabled
+	return &TLSSourceConfig{
+		CAFileName: "ca.crt",
+		CAVolume:   statefulset.CreateVolumeFromSecret("ca", r.spec.TLS.CA.Name),
+		ResourcesToWatch: map[watch.Type][]types.NamespacedName{
+			watch.Secret: {
+				{Namespace: r.namespace, Name: r.spec.TLS.CA.Name},
+			},
+		},
+	}
 }
 
-func (r *externalSearchResource) TLSOperatorCASecretNamespacedName() types.NamespacedName {
-	if r.spec.TLS != nil && r.spec.TLS.CA != nil {
-		return types.NamespacedName{
-			Name:      r.spec.TLS.CA.Name,
-			Namespace: r.namespace,
-		}
+func (r *externalSearchResource) KeyfileSecretName() string {
+	if r.spec.KeyFileSecretKeyRef != nil {
+		return r.spec.KeyFileSecretKeyRef.Name
 	}
 
-	return types.NamespacedName{}
+	return ""
 }
 
 func (r *externalSearchResource) HostSeeds() []string { return r.spec.HostAndPorts }

controllers/search_controller/mongodbsearch_reconcile_helper.go

@@ -261,28 +261,17 @@ func (r *MongoDBSearchReconcileHelper) ensureIngressTlsConfig(ctx context.Contex
 }
 
 func (r *MongoDBSearchReconcileHelper) ensureEgressTlsConfig(ctx context.Context) (mongot.Modification, statefulset.Modification, error) {
-	if !r.db.IsSecurityTLSConfigEnabled() {
+	tlsSourceConfig := r.db.TLSConfig()
+	if tlsSourceConfig == nil {
 		return mongot.NOOP(), statefulset.NOOP(), nil
 	}
 
-	caSecretName := r.db.TLSOperatorCASecretNamespacedName()
-	caSecret := &corev1.Secret{}
-	if err := r.client.Get(ctx, caSecretName, caSecret); err != nil {
-		return nil, nil, xerrors.Errorf("error getting CA Secret %s: %w", caSecretName, err)
-	}
-
-	// HACK: find a better way of getting the CA file name
-	var caFileName string
-	for k := range caSecret.Data {
-		caFileName = k
-	}
-
 	mongotModification := func(config *mongot.Config) {
 		config.SyncSource.ReplicaSet.TLS = ptr.To(true)
 	}
 
 	_, containerSecurityContext := podtemplatespec.WithDefaultSecurityContextsModifications()
-	caVolume := statefulset.CreateVolumeFromSecret("ca", caSecretName.Name)
+	caVolume := tlsSourceConfig.CAVolume
 	trustStoreVolume := statefulset.CreateVolumeFromEmptyDir("cacerts")
 	statefulsetModification := statefulset.WithPodSpecTemplate(podtemplatespec.Apply(
 		podtemplatespec.WithVolume(caVolume),
@@ -300,7 +289,7 @@ func (r *MongoDBSearchReconcileHelper) ensureEgressTlsConfig(ctx context.Context
 				fmt.Sprintf(`
 cp /mongot-community/bin/jdk/lib/security/cacerts /java/trust-store/cacerts
 /mongot-community/bin/jdk/bin/keytool -keystore /java/trust-store/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias mongodcert -file %s/%s
-							`, tls.CAMountPath, caFileName),
+							`, tls.CAMountPath, tlsSourceConfig.CAFileName),
 			}),
 		)),
 		podtemplatespec.WithContainer(MongotContainerName, container.Apply(

controllers/search_controller/search_construction.go

@@ -9,6 +9,7 @@ import (
 
 	searchv1 "github.com/mongodb/mongodb-kubernetes/api/v1/search"
 	"github.com/mongodb/mongodb-kubernetes/controllers/operator/construct"
+	"github.com/mongodb/mongodb-kubernetes/controllers/operator/watch"
 	"github.com/mongodb/mongodb-kubernetes/mongodb-community-operator/api/v1/common"
 	"github.com/mongodb/mongodb-kubernetes/mongodb-community-operator/pkg/kube/container"
 	"github.com/mongodb/mongodb-kubernetes/mongodb-community-operator/pkg/kube/podtemplatespec"
@@ -31,12 +32,17 @@ const (
 // TODO check if we could use already existing interface (DbCommon, MongoDBStatefulSetOwner, etc.)
 type SearchSourceDBResource interface {
 	KeyfileSecretName() string
-	IsSecurityTLSConfigEnabled() bool
-	TLSOperatorCASecretNamespacedName() types.NamespacedName
+	TLSConfig() *TLSSourceConfig
 	HostSeeds() []string
 	Validate() error
 }
 
+type TLSSourceConfig struct {
+	CAFileName       string
+	CAVolume         corev1.Volume
+	ResourcesToWatch map[watch.Type][]types.NamespacedName
+}
+
 // ReplicaSetOptions returns a set of options which will configure a ReplicaSet StatefulSet
 func CreateSearchStatefulSetFunc(mdbSearch *searchv1.MongoDBSearch, sourceDBResource SearchSourceDBResource, searchImage string) statefulset.Modification {
 	labels := map[string]string{

docker/mongodb-kubernetes-tests/kubetester/mongodb.py

@@ -278,10 +278,8 @@ def configure_custom_tls(
         tls_cert_secret_name: str,
     ):
         ensure_nested_objects(self, ["spec", "security", "tls"])
-        self["spec"]["security"] = {
-            "certsSecretPrefix": tls_cert_secret_name,
-            "tls": {"enabled": True, "ca": issuer_ca_configmap_name},
-        }
+        self["spec"]["security"]["certsSecretPrefix"] = tls_cert_secret_name
+        self["spec"]["security"]["tls"].update({"enabled": True, "ca": issuer_ca_configmap_name})
 
     def build_list_of_hosts(self):
         """Returns the list of full_fqdn:27017 for every member of the mongodb resource"""