CLOUDP-353164: Community/Enterprise Search TLS and cert manager changes

.gitignore

@@ -94,3 +94,5 @@ logs
 
 # locally packaged chart
 mongodb-kubernetes-*.tgz
+
+scripts/code_snippets/tests/outputs/*

controllers/searchcontroller/mongodbsearch_reconcile_helper.go

@@ -272,7 +272,7 @@ func (r *MongoDBSearchReconcileHelper) ensureEgressTlsConfig(ctx context.Context
 
 	mongotModification := func(config *mongot.Config) {
 		config.SyncSource.ReplicaSet.TLS = ptr.To(true)
-		config.SyncSource.CertificateAuthorityFile = ptr.To(tls.CAMountPath + "/" + tlsSourceConfig.CAFileName)
+		config.SyncSource.CertificateAuthorityFile = ptr.To(tls.CAMountPath + tlsSourceConfig.CAFileName)
 
 		// if the gRPC server is configured to accept TLS connections then toggle mTLS as well
 		if config.Server.Grpc.TLS.Mode == mongot.ConfigTLSModeTLS {

docs/search/01-search-community-deploy/code_snippets/01_0040_validate_env.sh

@@ -0,0 +1,25 @@
+required=(
+  K8S_CTX
+  MDB_NS
+  MDB_RESOURCE_NAME
+  MDB_VERSION
+  MDB_MEMBERS
+  CERT_MANAGER_NAMESPACE
+  MDB_TLS_CA_SECRET_NAME
+  MDB_TLS_SERVER_CERT_SECRET_NAME
+  MDB_SEARCH_TLS_SECRET_NAME
+  MDB_ADMIN_USER_PASSWORD
+  MDB_SEARCH_SYNC_USER_PASSWORD
+  MDB_USER_PASSWORD
+  OPERATOR_HELM_CHART
+)
+
+missing_req=()
+for v in "${required[@]}"; do [[ -n "${!v:-}" ]] || missing_req+=("${v}"); done
+
+if (( ${#missing_req[@]} )); then
+  echo "ERROR: Missing required environment variables:" >&2
+  for m in "${missing_req[@]}"; do echo "  - ${m}" >&2; done
+else
+  echo "All required environment variables present."
+fi

docs/search/01-search-community-deploy/code_snippets/01_0305_create_mongodb_community_user_secrets.sh

@@ -1,12 +1,16 @@
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-admin-user-password \
-  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}"
+# Create admin user secret
+kubectl create secret generic mdb-admin-user-password \
+  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdbc-rs-search-sync-source-password \
-  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}"
+# Create search sync source user secret
+kubectl create secret generic "${MDB_RESOURCE_NAME}-search-sync-source-password" \
+  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-user-password \
-  --from-literal=password="${MDB_USER_PASSWORD}"
+# Create regular user secret
+kubectl create secret generic mdb-user-password \
+  --from-literal=password="${MDB_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
+echo "User secrets created."

docs/search/01-search-community-deploy/code_snippets/01_0306_install_cert_manager.sh

@@ -0,0 +1,15 @@
+helm upgrade --install \
+  cert-manager \
+  oci://quay.io/jetstack/charts/cert-manager \
+  --kube-context "${K8S_CTX}" \
+  --namespace "${CERT_MANAGER_NAMESPACE}" \
+  --create-namespace \
+  --set crds.enabled=true
+
+for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
+  kubectl --context "${K8S_CTX}" \
+    -n "${CERT_MANAGER_NAMESPACE}" \
+    wait --for=condition=Available "deployment/${deployment}" --timeout=300s
+done
+
+echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."

docs/search/01-search-community-deploy/code_snippets/01_0307_prepare_cert_manager_issuer.sh

@@ -0,0 +1,60 @@
+# Bootstrap a self-signed ClusterIssuer that will mint the CA material consumed by
+# the MongoDBCommunity deployment.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+spec:
+  selfSigned: {}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}"
+
+# Create the CA certificate and secret in the cert-manager namespace.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_TLS_CA_CERT_NAME}
+  namespace: ${CERT_MANAGER_NAMESPACE}
+spec:
+  isCA: true
+  commonName: ${MDB_TLS_CA_CERT_NAME}
+  secretName: ${MDB_TLS_CA_SECRET_NAME}
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+    kind: ClusterIssuer
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}"
+
+# Publish a cluster-scoped issuer that fronts the generated CA secret so all namespaces can reuse it.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_CA_ISSUER}
+spec:
+  ca:
+    secretName: ${MDB_TLS_CA_SECRET_NAME}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}"
+
+TMP_CA_CERT="$(mktemp)"
+
+kubectl --context "${K8S_CTX}" \
+  get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" \
+  -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_CA_CERT}"
+
+# Expose the CA bundle through a ConfigMap for workloads and the MongoDBCommunity resource.
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+  --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" \
+  --from-file=ca.crt="${TMP_CA_CERT}" \
+  --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+echo "Cluster-wide CA issuer ${MDB_TLS_CA_ISSUER} is ready."

docs/search/01-search-community-deploy/code_snippets/01_0308_issue_tls_certificates.sh

@@ -0,0 +1,70 @@
+server_certificate="${MDB_RESOURCE_NAME}-server-tls"
+search_certificate="${MDB_RESOURCE_NAME}-search-tls"
+
+mongo_dns_names=()
+for ((member = 0; member < MDB_MEMBERS; member++)); do
+  mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}")
+  mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local")
+done
+mongo_dns_names+=(
+  "${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+  "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+)
+
+search_dns_names=(
+  "${MDB_RESOURCE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+)
+
+render_dns_list() {
+  local dns_list=("$@")
+  for dns in "${dns_list[@]}"; do
+    printf "      - \"%s\"\n" "${dns}"
+  done
+}
+
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${server_certificate}
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${mongo_dns_names[@]}")
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${search_certificate}
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${search_dns_names[@]}")
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${server_certificate}" --timeout=300s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${search_certificate}" --timeout=300s
+
+echo "MongoDB TLS certificates have been issued."

docs/search/01-search-community-deploy/code_snippets/01_0310_create_mongodb_community_resource.sh

@@ -2,12 +2,18 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodbcommunity.mongodb.com/v1
 kind: MongoDBCommunity
 metadata:
-  name: mdbc-rs
+  name: ${MDB_RESOURCE_NAME}
 spec:
   version: ${MDB_VERSION}
   type: ReplicaSet
-  members: 3
+  members: ${MDB_MEMBERS}
   security:
+    tls:
+      enabled: true
+      certificateKeySecretRef:
+        name: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+      caConfigMapRef:
+        name: ${MDB_TLS_CA_CONFIGMAP}
     authentication:
       ignoreUnknownUsers: true
       modes:
@@ -68,8 +74,8 @@ spec:
       db: admin
       # a reference to the secret that will be used to generate the user's password
       passwordSecretRef:
-        name: mdbc-rs-search-sync-source-password
-      scramCredentialsSecretName: mdbc-rs-search-sync-source
+        name: ${MDB_RESOURCE_NAME}-search-sync-source-password
+      scramCredentialsSecretName: ${MDB_RESOURCE_NAME}-search-sync-source
       roles:
         - name: searchCoordinator
           db: admin

docs/search/01-search-community-deploy/code_snippets/01_0320_create_mongodb_search_resource.sh

@@ -2,8 +2,12 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodb.com/v1
 kind: MongoDBSearch
 metadata:
-  name: mdbc-rs
+  name: ${MDB_RESOURCE_NAME}
 spec:
+  security:
+    tls:
+      certificateKeySecretRef:
+        name: ${MDB_SEARCH_TLS_SECRET_NAME}
   resourceRequirements:
     limits:
       cpu: "3"

docs/search/01-search-community-deploy/code_snippets/01_0325_wait_for_search_resource.sh

@@ -1,3 +1,3 @@
 echo "Waiting for MongoDBSearch resource to reach Running phase..."
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
-  --for=jsonpath='{.status.phase}'=Running mdbs/mdbc-rs --timeout=300s
+  --for=jsonpath='{.status.phase}'=Running mdbs/"${MDB_RESOURCE_NAME}" --timeout=300s

docs/search/01-search-community-deploy/code_snippets/01_0330_wait_for_community_resource.sh

@@ -1,3 +1,7 @@
 echo "Waiting for MongoDBCommunity resource to reach Running phase..."
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
   --for=jsonpath='{.status.phase}'=Running mdbc/mdbc-rs --timeout=400s
+echo; echo "MongoDBCommunity resource"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get mdbc/mdbc-rs
+echo; echo "Pods running in cluster ${K8S_CTX}"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods

docs/search/01-search-community-deploy/env_variables.sh

@@ -4,6 +4,21 @@ export K8S_CTX="<local cluster context>"
 # the following namespace will be created if not exists
 export MDB_NS="mongodb"
 
+# MongoDBCommunity resource name referenced throughout the guide
+export MDB_RESOURCE_NAME="mdbc-rs"
+# Number of replica set members deployed in the sample MongoDBCommunity
+export MDB_MEMBERS=3
+
+# TLS-related secret names used for MongoDBCommunity and MongoDBSearch
+export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
+export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
+export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
+
+export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
+export MDB_TLS_SELF_SIGNED_ISSUER="${MDB_RESOURCE_NAME}-selfsigned-cluster-issuer"
+export MDB_TLS_CA_CERT_NAME="${MDB_RESOURCE_NAME}-selfsigned-ca"
+export MDB_TLS_CA_ISSUER="${MDB_RESOURCE_NAME}-cluster-issuer"
+
 # minimum required MongoDB version for running MongoDB Search is 8.2.0
 export MDB_VERSION="8.2.0"
 
@@ -18,4 +33,7 @@ export OPERATOR_HELM_CHART="mongodb/mongodb-kubernetes"
 # comma-separated key=value pairs for additional parameters passed to the helm-chart installing the operator
 export OPERATOR_ADDITIONAL_HELM_VALUES=""
 
-export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@mdbc-rs-0.mdbc-rs-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=mdbc-rs"
+# TLS is mandatory; connection string must include tls=true
+export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
+
+export CERT_MANAGER_NAMESPACE="cert-manager"

docs/search/01-search-community-deploy/test.sh

@@ -11,13 +11,19 @@ cd "${script_dir}"
 
 prepare_snippets
 
+run 01_0040_validate_env.sh
 run 01_0045_create_namespaces.sh
 run 01_0046_create_image_pull_secrets.sh
 run 01_0048_configure_prerelease_image_pullsecret.sh
 run_for_output 01_0090_helm_add_mogodb_repo.sh
 run_for_output 01_0100_install_operator.sh
 run_for_output 01_0110_wait_for_operator_deployment.sh
 run 01_0305_create_mongodb_community_user_secrets.sh
+
+run 01_0306_install_cert_manager.sh
+run 01_0307_prepare_cert_manager_issuer.sh
+run 01_0308_issue_tls_certificates.sh
+
 run 01_0310_create_mongodb_community_resource.sh
 run_for_output 01_0315_wait_for_community_resource.sh
 run 01_0320_create_mongodb_search_resource.sh

docs/search/02-search-enterprise-deploy/code_snippets/02_0040_validate_env.sh

@@ -0,0 +1,28 @@
+required=(
+  K8S_CTX
+  MDB_NS
+  MDB_RESOURCE_NAME
+  MDB_VERSION
+  MDB_MEMBERS
+  CERT_MANAGER_NAMESPACE
+  MDB_TLS_CA_SECRET_NAME
+  MDB_TLS_SERVER_CERT_SECRET_NAME
+  MDB_SEARCH_TLS_SECRET_NAME
+  MDB_ADMIN_USER_PASSWORD
+  MDB_SEARCH_SYNC_USER_PASSWORD
+  MDB_USER_PASSWORD
+  OPERATOR_HELM_CHART
+  OPS_MANAGER_PROJECT_NAME
+  OPS_MANAGER_API_URL
+  OPS_MANAGER_API_USER
+  OPS_MANAGER_API_KEY
+)
+
+missing_req=()
+for v in "${required[@]}"; do [[ -n "${!v:-}" ]] || missing_req+=("${v}"); done
+if (( ${#missing_req[@]} )); then
+  echo "ERROR: Missing required environment variables:" >&2
+  for m in "${missing_req[@]}"; do echo "  - ${m}" >&2; done
+else
+  echo "All required environment variables present."
+fi

docs/search/02-search-enterprise-deploy/code_snippets/02_0301_install_cert_manager.sh

@@ -0,0 +1,15 @@
+helm upgrade --install \
+  cert-manager \
+  oci://quay.io/jetstack/charts/cert-manager \
+  --kube-context "${K8S_CTX}" \
+  --namespace "${CERT_MANAGER_NAMESPACE}" \
+  --create-namespace \
+  --set crds.enabled=true
+
+for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
+  kubectl --context "${K8S_CTX}" \
+    -n "${CERT_MANAGER_NAMESPACE}" \
+    wait --for=condition=Available "deployment/${deployment}" --timeout=300s
+done
+
+echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."