env var unification

Author: anandsyncs

docs/search/01-search-community-deploy/code_snippets/01_0306_create_mongodb_tls_secrets.sh

@@ -168,8 +168,8 @@ create_tls_secret() {
 
 # Create all secrets
 echo "Creating Kubernetes secrets..."
-create_tls_secret "${MDB_TLS_CA_SECRET}" "${tmpdir}/ca.crt" "" "generic"
-create_tls_secret "${MDB_TLS_CERT_SECRET}" "${tmpdir}/mongodb.crt" "${tmpdir}/mongodb.key"
-create_tls_secret "${MDB_SEARCH_TLS_SECRET}" "${tmpdir}/mongot.crt" "${tmpdir}/mongot.key"
+create_tls_secret "${MDB_TLS_CA_SECRET_NAME}" "${tmpdir}/ca.crt" "" "generic"
+create_tls_secret "${MDB_TLS_SERVER_CERT_SECRET_NAME}" "${tmpdir}/mongodb.crt" "${tmpdir}/mongodb.key"
+create_tls_secret "${MDB_SEARCH_TLS_SECRET_NAME}" "${tmpdir}/mongot.crt" "${tmpdir}/mongot.key"
 
 echo "TLS certificates and secrets created successfully"

docs/search/01-search-community-deploy/code_snippets/01_0307_optional_cert_manager_tls.sh

@@ -9,7 +9,7 @@ echo "Starting cert-manager TLS certificate setup..."
 
 # Function to check for required environment variables
 check_required_vars() {
-    local required_vars=("MDB_RESOURCE_NAME" "MDB_NS" "K8S_CTX" "MDB_TLS_CA_SECRET" "MDB_TLS_CERT_SECRET" "MDB_SEARCH_TLS_SECRET")
+    local required_vars=("MDB_RESOURCE_NAME" "MDB_NS" "K8S_CTX" "MDB_TLS_CA_SECRET_NAME" "MDB_TLS_SERVER_CERT_SECRET_NAME" "MDB_SEARCH_TLS_SECRET_NAME")
     local missing_vars=()
 
     for var in "${required_vars[@]}"; do
@@ -30,7 +30,7 @@ force_cleanup_cert_manager_resources() {
     echo "Force cleaning up cert-manager resources to prevent conflicts..."
 
     # Force delete certificates (remove finalizers if stuck)
-    for cert in "${MDB_SEARCH_TLS_SECRET}" "${MDB_TLS_CERT_SECRET}" "${MDB_TLS_CA_SECRET}"; do
+    for cert in "${MDB_SEARCH_TLS_SECRET_NAME}" "${MDB_TLS_SERVER_CERT_SECRET_NAME}" "${MDB_TLS_CA_SECRET_NAME}"; do
         if kubectl get certificate "${cert}" --context "${K8S_CTX}" -n "${MDB_NS}" >/dev/null 2>&1; then
             echo "Force deleting certificate ${cert}..."
             kubectl patch certificate "${cert}" --context "${K8S_CTX}" -n "${MDB_NS}" -p '{"metadata":{"finalizers":null}}' --type=merge || true
@@ -48,7 +48,7 @@ force_cleanup_cert_manager_resources() {
     done
 
     # Delete related secrets if they exist in bad state
-    for secret in "${MDB_SEARCH_TLS_SECRET}" "${MDB_TLS_CERT_SECRET}" "${MDB_TLS_CA_SECRET}"; do
+    for secret in "${MDB_SEARCH_TLS_SECRET_NAME}" "${MDB_TLS_SERVER_CERT_SECRET_NAME}" "${MDB_TLS_CA_SECRET_NAME}"; do
         if kubectl get secret "${secret}" --context "${K8S_CTX}" -n "${MDB_NS}" >/dev/null 2>&1; then
             echo "Cleaning up secret ${secret}..."
             kubectl delete secret "${secret}" --context "${K8S_CTX}" -n "${MDB_NS}" --ignore-not-found=true
@@ -60,7 +60,7 @@ force_cleanup_cert_manager_resources() {
 
     # Verify cleanup completed
     local cleanup_failed=false
-    for resource in "${MDB_SEARCH_TLS_SECRET}" "${MDB_TLS_CERT_SECRET}" "${MDB_TLS_CA_SECRET}"; do
+    for resource in "${MDB_SEARCH_TLS_SECRET_NAME}" "${MDB_TLS_SERVER_CERT_SECRET_NAME}" "${MDB_TLS_CA_SECRET_NAME}"; do
         if kubectl get certificate "${resource}" --context "${K8S_CTX}" -n "${MDB_NS}" >/dev/null 2>&1; then
             echo "WARNING: Certificate ${resource} still exists after cleanup"
             cleanup_failed=true
@@ -391,13 +391,13 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_CA_CERT
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: ${MDB_TLS_CA_SECRET}
+  name: ${MDB_TLS_CA_SECRET_NAME}
   namespace: ${MDB_NS}
   annotations:
     cert-manager.io/revision: "$(date +%s)"
 spec:
   isCA: true
-  secretName: ${MDB_TLS_CA_SECRET}
+  secretName: ${MDB_TLS_CA_SECRET_NAME}
   commonName: "${ca_common_name}"
   duration: 240h
   renewBefore: 120h
@@ -413,8 +413,8 @@ spec:
     kind: Issuer
 EOF_CA_CERT
 
-wait_for_certificate "${MDB_TLS_CA_SECRET}"
-ensure_ca_secret_has_ca_crt "${MDB_TLS_CA_SECRET}"
+wait_for_certificate "${MDB_TLS_CA_SECRET_NAME}"
+ensure_ca_secret_has_ca_crt "${MDB_TLS_CA_SECRET_NAME}"
 
 # Step 3: Create CA issuer
 echo "Step 3: Creating CA issuer..."
@@ -428,7 +428,7 @@ metadata:
     cert-manager.io/revision: "$(date +%s)"
 spec:
   ca:
-    secretName: ${MDB_TLS_CA_SECRET}
+    secretName: ${MDB_TLS_CA_SECRET_NAME}
 EOF_CA_ISSUER
 
 wait_for_issuer "${MDB_TLS_CA_ISSUER}"
@@ -439,12 +439,12 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MONGODB_CERT
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: ${MDB_TLS_CERT_SECRET}
+  name: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
   namespace: ${MDB_NS}
   annotations:
     cert-manager.io/revision: "$(date +%s)"
 spec:
-  secretName: ${MDB_TLS_CERT_SECRET}
+  secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
   duration: 240h
   renewBefore: 120h
   usages:
@@ -464,12 +464,12 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_SEARCH_CERT
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: ${MDB_SEARCH_TLS_SECRET}
+  name: ${MDB_SEARCH_TLS_SECRET_NAME}
   namespace: ${MDB_NS}
   annotations:
     cert-manager.io/revision: "$(date +%s)"
 spec:
-  secretName: ${MDB_SEARCH_TLS_SECRET}
+  secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
   duration: 240h
   renewBefore: 120h
   usages:
@@ -486,14 +486,14 @@ EOF_SEARCH_CERT
 
 # Wait for all certificates with enhanced monitoring
 echo "Waiting for MongoDB certificates to be issued..."
-wait_for_certificate "${MDB_TLS_CERT_SECRET}"
-wait_for_certificate "${MDB_SEARCH_TLS_SECRET}"
+wait_for_certificate "${MDB_TLS_SERVER_CERT_SECRET_NAME}"
+wait_for_certificate "${MDB_SEARCH_TLS_SECRET_NAME}"
 
 echo "All TLS certificates have been successfully created by cert-manager"
 echo "Performing final verification..."
 
 # Enhanced verification with SSL certificate details
-for secret in "${MDB_TLS_CA_SECRET}" "${MDB_TLS_CERT_SECRET}" "${MDB_SEARCH_TLS_SECRET}"; do
+for secret in "${MDB_TLS_CA_SECRET_NAME}" "${MDB_TLS_SERVER_CERT_SECRET_NAME}" "${MDB_SEARCH_TLS_SECRET_NAME}"; do
     if kubectl get secret "${secret}" --context "${K8S_CTX}" -n "${MDB_NS}" >/dev/null 2>&1; then
         echo "✓ Secret ${secret} exists"
 
@@ -520,9 +520,9 @@ metadata:
   namespace: ${MDB_NS}
 data:
   status: "ready"
-  ca-secret: "${MDB_TLS_CA_SECRET}"
-  mongodb-secret: "${MDB_TLS_CERT_SECRET}"
-  search-secret: "${MDB_SEARCH_TLS_SECRET}"
+  ca-secret: "${MDB_TLS_CA_SECRET_NAME}"
+  mongodb-secret: "${MDB_TLS_SERVER_CERT_SECRET_NAME}"
+  search-secret: "${MDB_SEARCH_TLS_SECRET_NAME}"
   created: "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
 EOF_STATUS
 

docs/search/01-search-community-deploy/code_snippets/01_0310_create_mongodb_community_resource.sh

@@ -11,9 +11,9 @@ spec:
     tls:
       enabled: true
       certificateKeySecretRef:
-        name: ${MDB_TLS_CERT_SECRET}
+        name: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
       caCertificateSecretRef:
-        name: ${MDB_TLS_CA_SECRET}
+        name: ${MDB_TLS_CA_SECRET_NAME}
     authentication:
       ignoreUnknownUsers: true
       modes:

docs/search/01-search-community-deploy/code_snippets/01_0320_create_mongodb_search_resource.sh

@@ -7,7 +7,7 @@ spec:
   security:
     tls:
       certificateKeySecretRef:
-        name: ${MDB_SEARCH_TLS_SECRET}
+        name: ${MDB_SEARCH_TLS_SECRET_NAME}
   resourceRequirements:
     limits:
       cpu: "3"

docs/search/01-search-community-deploy/env_variables.sh

@@ -10,9 +10,9 @@ export MDB_RESOURCE_NAME="mdbc-rs"
 export MDB_MEMBERS=3
 
 # TLS-related secret names used for MongoDBCommunity and MongoDBSearch
-export MDB_TLS_CA_SECRET="${MDB_RESOURCE_NAME}-ca"
-export MDB_TLS_CERT_SECRET="${MDB_RESOURCE_NAME}-tls"
-export MDB_SEARCH_TLS_SECRET="${MDB_RESOURCE_NAME}-search-tls"
+export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
+export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
+export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
 # Set to "1" to use cert-manager for TLS certificate management instead of self-managed certificates
 export MDB_USE_CERT_MANAGER_TLS="0"
 

docs/search/02-search-enterprise-deploy/code_snippets/02_0302_configure_tls_prerequisites.sh

@@ -62,3 +62,11 @@ fi
 kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
   --from-file=ca-pem="${TMP_DIR}/mms-ca.crt" --from-file=mms-ca.crt="${TMP_DIR}/mms-ca.crt" \
   --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+# Ensure CA secret also exists in application namespace for mounts expecting a Secret (root-secret)
+if ! kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get secret "${MDB_TLS_CA_SECRET_NAME}" >/dev/null 2>&1; then
+  kubectl --context "${K8S_CTX}" -n "${CERT_MANAGER_NAMESPACE}" get secret "${MDB_TLS_CA_SECRET_NAME}" -o yaml \
+    | sed 's/namespace: "+${CERT_MANAGER_NAMESPACE}+"/namespace: '"${MDB_NS}"'/' \
+    | sed 's/namespace: cert-manager/namespace: '"${MDB_NS}"'/' \
+    | kubectl --context "${K8S_CTX}" apply -n "${MDB_NS}" -f - || echo "Warning: failed to copy ${MDB_TLS_CA_SECRET_NAME} to ${MDB_NS}" >&2
+fi

docs/search/02-search-enterprise-deploy/code_snippets/02_0304_generate_tls_certificates.sh

@@ -4,7 +4,7 @@ kind: Certificate
 metadata:
   name: ${MDB_RESOURCE_NAME}-server-tls
 spec:
-  secretName: ${MDB_TLS_SERVER_CERT_SECRET}
+  secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
   issuerRef:
     name: ${MDB_TLS_CLUSTER_ISSUER}
     kind: ClusterIssuer

docs/search/02-search-enterprise-deploy/env_variables.sh

@@ -34,9 +34,9 @@ export OPERATOR_HELM_CHART="mongodb/mongodb-kubernetes"
 export OPERATOR_ADDITIONAL_HELM_VALUES=""
 
 ## TLS-related secret names used for MongoDB and MongoDBSearch
-#export MDB_TLS_CA_SECRET="${MDB_RESOURCE_NAME}-ca"              # legacy CA secret (not used by Enterprise CR directly)
-#export MDB_TLS_CERT_SECRET="${MDB_RESOURCE_NAME}-tls"          # legacy direct cert secret (not used by Enterprise CR directly)
-#export MDB_SEARCH_TLS_SECRET="${MDB_RESOURCE_NAME}-search-tls"  # used by MongoDBSearch
+#export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"              # legacy CA secret (not used by Enterprise CR directly)
+#export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"    # legacy direct cert secret (not used by Enterprise CR directly)
+#export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"  # used by MongoDBSearch
 ## New variables for Enterprise MongoDB TLS configuration using certsSecretPrefix + tls.ca
 export MDB_TLS_CERT_SECRET_PREFIX="certs"
 export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
@@ -48,7 +48,7 @@ export MDB_TLS_SELF_SIGNED_CLUSTER_ISSUER="selfsigned-cluster-issuer"
 export MDB_TLS_CA_CERT_NAME="my-selfsigned-ca"
 export MDB_TLS_CA_SECRET_NAME="root-secret"
 export MDB_TLS_CLUSTER_ISSUER="my-ca-issuer"
-export MDB_TLS_SERVER_CERT_SECRET="${MDB_TLS_CERT_SECRET_PREFIX}-${MDB_RESOURCE_NAME}-cert"
+export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_TLS_CERT_SECRET_PREFIX}-${MDB_RESOURCE_NAME}-cert"
 export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
 
 export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true"

docs/search/03-search-query-usage/code_snippets/03_0410_run_mongodb_tools_pod.sh

@@ -19,7 +19,7 @@ spec:
   volumes:
   - name: mongo-ca
     secret:
-      secretName: ${MDB_TLS_CA_SECRET}
+      secretName: ${MDB_TLS_CA_SECRET_NAME}
 EOF
 
 echo "Waiting for the mongodb-tools to be ready..."

docs/search/03-search-query-usage/env_variables.sh

@@ -15,6 +15,11 @@
 # user only for the connection string in MDB_CONNECTION_STRING env var below
 #export MDB_RESOURCE_NAME="mdbc-rs"
 
+# TLS-related secret names used by the snippets in this module
+#export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
+#export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
+#export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
+
 # default connection string if MongoDB database is deployed using the operator
 #export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}"