add enterprise snippets for search tls updates

anandsyncs · lsierant · commit a14e482ebc8c · 2025-11-06T18:24:02.000+01:00
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0040_validate_env.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0040_validate_env.sh
@@ -0,0 +1,28 @@
+required=(
+  K8S_CTX
+  MDB_NS
+  MDB_RESOURCE_NAME
+  MDB_VERSION
+  MDB_MEMBERS
+  CERT_MANAGER_NAMESPACE
+  MDB_TLS_CA_SECRET_NAME
+  MDB_TLS_SERVER_CERT_SECRET_NAME
+  MDB_SEARCH_TLS_SECRET_NAME
+  MDB_ADMIN_USER_PASSWORD
+  MDB_SEARCH_SYNC_USER_PASSWORD
+  MDB_USER_PASSWORD
+  OPERATOR_HELM_CHART
+  OPS_MANAGER_PROJECT_NAME
+  OPS_MANAGER_API_URL
+  OPS_MANAGER_API_USER
+  OPS_MANAGER_API_KEY
+)
+
+missing_req=()
+for v in "${required[@]}"; do [[ -n "${!v:-}" ]] || missing_req+=("$v"); done
+if (( ${#missing_req[@]} )); then
+  echo "ERROR: Missing required environment variables:" >&2
+  for m in "${missing_req[@]}"; do echo "  - $m" >&2; done
+else
+  echo "All required environment variables present."
+fi
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0301_install_cert_manager.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0301_install_cert_manager.sh
@@ -0,0 +1,15 @@
+helm upgrade --install \
+  cert-manager \
+  oci://quay.io/jetstack/charts/cert-manager \
+  --kube-context "${K8S_CTX}" \
+  --namespace "${CERT_MANAGER_NAMESPACE}" \
+  --create-namespace \
+  --set crds.enabled=true
+
+for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
+  kubectl --context "${K8S_CTX}" \
+    -n "${CERT_MANAGER_NAMESPACE}" \
+    wait --for=condition=Available "deployment/${deployment}" --timeout=300s
+done
+
+echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0302_configure_tls_prerequisites.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0302_configure_tls_prerequisites.sh
@@ -0,0 +1,53 @@
+# Bootstrap a self-signed ClusterIssuer to mint the CA secret consumed by application workloads.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+spec:
+  selfSigned: {}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}"
+
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_TLS_CA_CERT_NAME}
+  namespace: ${CERT_MANAGER_NAMESPACE}
+spec:
+  isCA: true
+  commonName: ${MDB_TLS_CA_CERT_NAME}
+  secretName: ${MDB_TLS_CA_SECRET_NAME}
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+    kind: ClusterIssuer
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}"
+
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_CA_ISSUER}
+spec:
+  ca:
+    secretName: ${MDB_TLS_CA_SECRET_NAME}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}"
+
+TMP_CA_CERT="$(mktemp)"
+trap 'rm -f "${TMP_CA_CERT}"' EXIT
+
+kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_CA_CERT}"
+
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+  --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" \
+  --from-file=ca.crt="${TMP_CA_CERT}" \
+  --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0304_generate_tls_certificates.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0304_generate_tls_certificates.sh
@@ -0,0 +1,47 @@
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_RESOURCE_NAME}-server-tls
+spec:
+  secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+  - digital signature
+  - key encipherment
+  - server auth
+  - client auth
+  dnsNames:
+  - "${MDB_RESOURCE_NAME}-0"
+  - "${MDB_RESOURCE_NAME}-1"
+  - "${MDB_RESOURCE_NAME}-2"
+  - "${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+  - "${MDB_RESOURCE_NAME}-1.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+  - "${MDB_RESOURCE_NAME}-2.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_RESOURCE_NAME}-search-tls
+spec:
+  secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+  - digital signature
+  - key encipherment
+  - server auth
+  - client auth
+  dnsNames:
+  - "${MDB_RESOURCE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${MDB_NS}" certificate "${MDB_RESOURCE_NAME}-server-tls"
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${MDB_NS}" certificate "${MDB_RESOURCE_NAME}-search-tls"
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0305_create_mongodb_database_resource.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0305_create_mongodb_database_resource.sh
@@ -17,6 +17,10 @@ spec:
       ignoreUnknownUsers: true
       modes:
       - SCRAM
+    certsSecretPrefix: ${MDB_TLS_CERT_SECRET_PREFIX}
+    tls:
+      enabled: true
+      ca: ${MDB_TLS_CA_CONFIGMAP}
   agent:
     logLevel: INFO
   podSpec:
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0320_create_mongodb_search_resource.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0320_create_mongodb_search_resource.sh
@@ -6,6 +6,10 @@ metadata:
 spec:
   # no need to specify source.mongodbResourceRef if MongoDBSearch CR has the same name as MongoDB CR
   # the operator infer it automatically
+  security:
+    tls:
+      certificateKeySecretRef:
+        name: ${MDB_SEARCH_TLS_SECRET_NAME}
   resourceRequirements:
     limits:
       cpu: "3"
diff --git a/docs/search/02-search-enterprise-deploy/env_variables.sh b/docs/search/02-search-enterprise-deploy/env_variables.sh
@@ -33,5 +33,15 @@ export OPERATOR_HELM_CHART="mongodb/mongodb-kubernetes"
 # comma-separated key=value pairs for additional parameters passed to the helm-chart installing the operator
 export OPERATOR_ADDITIONAL_HELM_VALUES=""
 
-export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}"
-
+export MDB_TLS_CERT_SECRET_PREFIX="certs"
+export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
+
+export CERT_MANAGER_NAMESPACE="cert-manager"
+export MDB_TLS_SELF_SIGNED_ISSUER="selfsigned-bootstrap-issuer"
+export MDB_TLS_CA_CERT_NAME="my-selfsigned-ca"
+export MDB_TLS_CA_SECRET_NAME="root-secret"
+export MDB_TLS_CA_ISSUER="my-ca-issuer"
+export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_TLS_CERT_SECRET_PREFIX}-${MDB_RESOURCE_NAME}-cert"
+export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
+
+export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true"
diff --git a/docs/search/02-search-enterprise-deploy/test.sh b/docs/search/02-search-enterprise-deploy/test.sh
@@ -11,13 +11,20 @@ cd "${script_dir}"
 
 prepare_snippets
 
+run 02_0040_validate_env.sh
 run 02_0045_create_namespaces.sh
 run 02_0046_create_image_pull_secrets.sh
 run 02_0048_configure_prerelease_image_pullsecret.sh
 
 run_for_output 02_0090_helm_add_mogodb_repo.sh
 run_for_output 02_0100_install_operator.sh
 run 02_0300_create_ops_manager_resources.sh
+
+#TLS related steps
+run 02_0301_install_cert_manager.sh
+run 02_0302_configure_tls_prerequisites.sh
+run 02_0304_generate_tls_certificates.sh
+
 run 02_0305_create_mongodb_database_resource.sh
 run_for_output 02_0310_wait_for_database_resource.sh
 run 02_0315_create_mongodb_users.sh
diff --git a/docs/search/03-search-query-usage/code_snippets/03_0410_run_mongodb_tools_pod.sh b/docs/search/03-search-query-usage/code_snippets/03_0410_run_mongodb_tools_pod.sh
@@ -19,7 +19,7 @@ spec:
   volumes:
   - name: mongo-ca
     configMap:
-      name: ${MDB_TLS_CA_CONFIGMAP}
+      name: ${MDB_TLS_CA_CONFIGMAP:-"${MDB_RESOURCE_NAME}-ca-configmap"}
       optional: true
       items:
       - key: ca.crt
diff --git a/scripts/code_snippets/tests/test_kind_search_enterprise_snippets.sh b/scripts/code_snippets/tests/test_kind_search_enterprise_snippets.sh
@@ -30,6 +30,6 @@ echo "Sourcing env variables for ${CODE_SNIPPETS_FLAVOR} flavor"
 # shellcheck disable=SC1090
 test -f "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh" && source "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh"
 
-export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}"
+export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
 
 ${test_dir}/test.sh
