
Commit fda22ee

cleanup
1 parent dae55bd commit fda22ee


8 files changed

+202
-220
lines changed

Lines changed: 162 additions & 0 deletions
@@ -0,0 +1,162 @@
1+
#!/usr/bin/env bash
2+
3+
set -euo pipefail
4+
5+
required=(
6+
K8S_CTX
7+
MDB_NS
8+
MDB_RESOURCE_NAME
9+
MDB_MEMBERS
10+
MDB_TLS_CA_SECRET_NAME
11+
MDB_TLS_SERVER_CERT_SECRET_NAME
12+
MDB_SEARCH_TLS_SECRET_NAME
13+
CERT_MANAGER_NAMESPACE
14+
)
15+
missing=()
16+
for var in "${required[@]}"; do
17+
[[ -n "${!var:-}" ]] || missing+=("${var}")
18+
done
19+
if (( ${#missing[@]} )); then
20+
echo "Missing required environment variables: ${missing[*]}" >&2
21+
exit 1
22+
fi
23+
24+
helm repo add jetstack https://charts.jetstack.io --force-update >/dev/null 2>&1 || true
25+
helm upgrade --install \
26+
cert-manager jetstack/cert-manager \
27+
--kube-context "${K8S_CTX}" \
28+
--namespace "${CERT_MANAGER_NAMESPACE}" \
29+
--create-namespace \
30+
--set crds.enabled=true >/dev/null 2>&1
31+
32+
for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
33+
kubectl --context "${K8S_CTX}" \
34+
-n "${CERT_MANAGER_NAMESPACE}" \
35+
wait --for=condition=Available "deployment/${deployment}" --timeout=300s
36+
done
37+
38+
self_signed_issuer="${MDB_RESOURCE_NAME}-selfsigned-issuer"
39+
ca_cert_name="${MDB_RESOURCE_NAME}-ca"
40+
ca_issuer="${MDB_RESOURCE_NAME}-ca-issuer"
41+
server_certificate="${MDB_RESOURCE_NAME}-server-tls"
42+
search_certificate="${MDB_RESOURCE_NAME}-search-tls"
43+
44+
kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
45+
apiVersion: cert-manager.io/v1
46+
kind: Issuer
47+
metadata:
48+
name: ${self_signed_issuer}
49+
namespace: ${MDB_NS}
50+
spec:
51+
selfSigned: {}
52+
---
53+
apiVersion: cert-manager.io/v1
54+
kind: Certificate
55+
metadata:
56+
name: ${ca_cert_name}
57+
namespace: ${MDB_NS}
58+
spec:
59+
isCA: true
60+
secretName: ${MDB_TLS_CA_SECRET_NAME}
61+
commonName: ${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local
62+
privateKey:
63+
algorithm: RSA
64+
size: 2048
65+
issuerRef:
66+
kind: Issuer
67+
name: ${self_signed_issuer}
68+
duration: 240h0m0s
69+
renewBefore: 120h0m0s
70+
---
71+
apiVersion: cert-manager.io/v1
72+
kind: Issuer
73+
metadata:
74+
name: ${ca_issuer}
75+
namespace: ${MDB_NS}
76+
spec:
77+
ca:
78+
secretName: ${MDB_TLS_CA_SECRET_NAME}
79+
EOF_MANIFEST
80+
81+
kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready issuer "${self_signed_issuer}" --timeout=120s
82+
kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${ca_cert_name}" --timeout=300s
83+
kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready issuer "${ca_issuer}" --timeout=120s
84+
85+
if ! kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get secret "${MDB_TLS_CA_SECRET_NAME}" -o jsonpath='{.data.ca\\.crt}' 2>/dev/null | grep -q .; then
86+
tls_crt=$(kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get secret "${MDB_TLS_CA_SECRET_NAME}" -o jsonpath='{.data.tls\\.crt}' || true)
87+
if [[ -n "${tls_crt}" ]]; then
88+
kubectl --context "${K8S_CTX}" -n "${MDB_NS}" patch secret "${MDB_TLS_CA_SECRET_NAME}" \
89+
--type=merge \
90+
-p "{"data":{"ca.crt":"${tls_crt}"}}"
91+
fi
92+
fi
93+
94+
mongo_dns_names=()
95+
for ((member = 0; member < ${MDB_MEMBERS}; member++)); do
96+
mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}")
97+
mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local")
98+
done
99+
mongo_dns_names+=(
100+
"${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
101+
"*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
102+
)
103+
104+
search_dns_names=(
105+
"${MDB_RESOURCE_NAME}-search-0"
106+
"${MDB_RESOURCE_NAME}-search-0.${MDB_RESOURCE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
107+
"${MDB_RESOURCE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
108+
)
109+
110+
render_dns_list() {
111+
local dns_list=("$@")
112+
for dns in "${dns_list[@]}"; do
113+
printf " - \"%s\"\n" "${dns}"
114+
done
115+
}
116+
117+
kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
118+
apiVersion: cert-manager.io/v1
119+
kind: Certificate
120+
metadata:
121+
name: ${server_certificate}
122+
namespace: ${MDB_NS}
123+
spec:
124+
secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
125+
issuerRef:
126+
kind: Issuer
127+
name: ${ca_issuer}
128+
duration: 240h0m0s
129+
renewBefore: 120h0m0s
130+
usages:
131+
- digital signature
132+
- key encipherment
133+
- server auth
134+
- client auth
135+
dnsNames:
136+
$(render_dns_list "${mongo_dns_names[@]}")
137+
---
138+
apiVersion: cert-manager.io/v1
139+
kind: Certificate
140+
metadata:
141+
name: ${search_certificate}
142+
namespace: ${MDB_NS}
143+
spec:
144+
secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
145+
issuerRef:
146+
kind: Issuer
147+
name: ${ca_issuer}
148+
duration: 240h0m0s
149+
renewBefore: 120h0m0s
150+
usages:
151+
- digital signature
152+
- key encipherment
153+
- server auth
154+
- client auth
155+
dnsNames:
156+
$(render_dns_list "${search_dns_names[@]}")
157+
EOF_MANIFEST
158+
159+
kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${server_certificate}" --timeout=300s
160+
kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${search_certificate}" --timeout=300s
161+
162+
echo "Community cert-manager TLS assets ready."
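Review bot: The `kubectl patch` at new line 90 builds its `-p` payload with unescaped inner double quotes, so bash concatenates the pieces into `{data:{ca.crt:…}}` (with `${tls_crt}` left unquoted), which is not valid JSON; unless kubectl happens to accept that as YAML, the patch is rejected and, under `set -euo pipefail`, the script aborts in exactly the fallback path that is meant to populate `ca.crt`, the key that `caCertificateSecretRef` in 01_0310 reads. Escape the quotes: `-p "{\"data\":{\"ca.crt\":\"${tls_crt}\"}}"`. The jsonpath selectors on lines 85–86 are single-quoted, so `'{.data.ca\\.crt}'` hands two literal backslashes to kubectl, whereas the documented escape for a dotted key is a single `\.`; confirm the doubled form is intended, since if it selects nothing the patch branch runs on every invocation. Separately, `helm upgrade --install` on lines 25–30 discards both stdout and stderr, so a failed install stops the script with no diagnostic at all — keeping stderr (`>/dev/null` only) would make that failure debuggable.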

docs/search/01-search-community-deploy/code_snippets/01_0306_create_mongodb_tls_secrets.sh

Lines changed: 0 additions & 180 deletions
This file was deleted.

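--- a/docs/search/01-search-community-deploy/code_snippets/01_0310_create_mongodb_community_resource.sh
+++ b/docs/search/01-search-community-deploy/code_snippets/01_0310_create_mongodb_community_resource.sh
@@ -12,11 +12,8 @@ spec:
 enabled: true
 certificateKeySecretRef:
 name: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
-# If both the CA secret and ConfigMap are defined, the operator uses the secret and ignores the ConfigMap.
 caCertificateSecretRef:
 name: ${MDB_TLS_CA_SECRET_NAME}
-caConfigMapRef:
-name: ${MDB_TLS_CA_CONFIGMAP_NAME}
 authentication:
 ignoreUnknownUsers: true
 modes: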

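--- a/docs/search/01-search-community-deploy/env_variables.sh
+++ b/docs/search/01-search-community-deploy/env_variables.sh
@@ -13,11 +13,6 @@ export MDB_MEMBERS=3
 export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
 export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
 export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
-# Set to "1" to use cert-manager for TLS certificate management instead of self-managed certificates
-export MDB_USE_CERT_MANAGER_TLS="0"
-
-# ConfigMap holding CA certificate when using cert-manager (community)
-export MDB_TLS_CA_CONFIGMAP_NAME="${MDB_RESOURCE_NAME}-ca-configmap"
 
 # minimum required MongoDB version for running MongoDB Search is 8.2.0
 export MDB_VERSION="8.2.0"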

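--- a/docs/search/01-search-community-deploy/test.sh
+++ b/docs/search/01-search-community-deploy/test.sh
@@ -18,12 +18,7 @@ run_for_output 01_0090_helm_add_mogodb_repo.sh
 run_for_output 01_0100_install_operator.sh
 run_for_output 01_0110_wait_for_operator_deployment.sh
 run 01_0305_create_mongodb_community_user_secrets.sh
-
-if [[ "${MDB_USE_CERT_MANAGER_TLS:-0}" == "1" ]]; then
-run 01_0307_optional_cert_manager_tls.sh
-else
-run 01_0306_create_mongodb_tls_secrets.sh
-fi
+run 01_0306_configure_cert_manager_tls.sh
 
 run 01_0310_create_mongodb_community_resource.sh
 run_for_output 01_0315_wait_for_community_resource.sh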
