CLOUDP-358717: Update search external mongod snippets (#585)

# Summary

TLS & Certificate Automation: Added cert-manager installation, issuer
preparation, and certificate generation scripts

Resource TLS Enforcement: Updated MongoDBCommunity and MongoDBSearch
manifests to require and reference TLS


## Proof of Work

Tests pass

Author: anandsyncs

docs/search/04-search-external-mongod/code_snippets/04_0100_install_operator.sh

@@ -2,5 +2,5 @@ helm upgrade --install --debug --kube-context "${K8S_CTX}" \
   --create-namespace \
   --namespace="${MDB_NS}" \
   mongodb-kubernetes \
-  --set "${OPERATOR_ADDITIONAL_HELM_VALUES:-"dummy=value"}" \
+  ${OPERATOR_ADDITIONAL_HELM_VALUES:+--set ${OPERATOR_ADDITIONAL_HELM_VALUES}} \
   "${OPERATOR_HELM_CHART}"

docs/search/04-search-external-mongod/code_snippets/04_0110_wait_for_operator_deployment.sh

@@ -0,0 +1,8 @@
+echo "Waiting for operator deployment to be ready..."
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" rollout status --timeout=2m deployment/mongodb-kubernetes-operator
+
+echo "Operator deployment in ${MDB_NS} namespace"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get deployments
+
+echo; echo "Operator pod in ${MDB_NS} namespace"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods -l app=mongodb-kubernetes-operator

docs/search/04-search-external-mongod/code_snippets/04_0304_install_cert_manager.sh

@@ -0,0 +1,15 @@
+helm upgrade --install \
+  cert-manager \
+  oci://quay.io/jetstack/charts/cert-manager \
+  --kube-context "${K8S_CTX}" \
+  --namespace "${CERT_MANAGER_NAMESPACE}" \
+  --create-namespace \
+  --set crds.enabled=true
+
+for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
+  kubectl --context "${K8S_CTX}" \
+    -n "${CERT_MANAGER_NAMESPACE}" \
+    wait --for=condition=Available "deployment/${deployment}" --timeout=300s
+done
+
+echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."

docs/search/04-search-external-mongod/code_snippets/04_0305_create_mongodb_community_user_secrets.sh

@@ -1,11 +1,16 @@
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-admin-user-password \
-  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}"
+# Create admin user secret
+kubectl create secret generic mdb-admin-user-password \
+  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdbc-rs-search-sync-source-password \
-  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}"
+# Create search sync source user secret
+kubectl create secret generic "${MDB_RESOURCE_NAME}-search-sync-source-password" \
+  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-user-password \
-  --from-literal=password="${MDB_USER_PASSWORD}"
+# Create regular user secret
+kubectl create secret generic mdb-user-password \
+  --from-literal=password="${MDB_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
+
+echo "User secrets created."

docs/search/04-search-external-mongod/code_snippets/04_0306_prepare_cert_manager_issuer.sh

@@ -0,0 +1,59 @@
+# 1. Self-signed bootstrap issuer
+kubectl apply --context "${K8S_CTX}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+spec:
+  selfSigned: {}
+EOF
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}" --timeout=120s
+
+# 2. CA certificate
+kubectl apply --context "${K8S_CTX}" -n "${CERT_MANAGER_NAMESPACE}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_TLS_CA_CERT_NAME}
+  namespace: ${CERT_MANAGER_NAMESPACE}
+spec:
+  isCA: true
+  commonName: ${MDB_TLS_CA_CERT_NAME}
+  secretName: ${MDB_TLS_CA_SECRET_NAME}
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+    kind: ClusterIssuer
+EOF
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}" --timeout=300s
+
+# 3. CA issuer referencing CA secret
+kubectl apply --context "${K8S_CTX}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_CA_ISSUER}
+spec:
+  ca:
+    secretName: ${MDB_TLS_CA_SECRET_NAME}
+EOF
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}" --timeout=120s
+
+# 4. Extract CA cert (only ca.crt) and publish to ConfigMap & Secret
+TMP_CA_CERT="$(mktemp)"; trap 'rm -f "${TMP_CA_CERT}"' EXIT
+ca_b64="$(kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}")"
+[[ -n "${ca_b64}" ]] || { echo "CA certificate key ca.crt missing in secret ${MDB_TLS_CA_SECRET_NAME}" >&2; exit 1; }
+printf '%s' "${ca_b64}" | base64 --decode > "${TMP_CA_CERT}"
+
+# Create ConfigMap (MongoDBCommunity) and Secret (external search source) containing CA
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+  --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" --from-file=ca.crt="${TMP_CA_CERT}" \
+  --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+kubectl --context "${K8S_CTX}" create secret generic "${MDB_TLS_CA_SECRET_NAME}" -n "${MDB_NS}" \
+  --from-file=ca.crt="${TMP_CA_CERT}" \
+  --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+echo "CA issuer and artifacts prepared (ConfigMap: ${MDB_TLS_CA_CONFIGMAP}, Secret: ${MDB_TLS_CA_SECRET_NAME})."

docs/search/04-search-external-mongod/code_snippets/04_0307_issue_tls_certificates.sh

@@ -0,0 +1,70 @@
+# Issue server and search certificates
+server_certificate="${MDB_RESOURCE_NAME}-server-tls"
+search_certificate="${MDB_RESOURCE_NAME}-search-tls"
+
+# DNS names for MongoDB server certificate
+mongo_dns_names=()
+[[ -n "${MDB_EXTERNAL_HOST_0:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_0%%:*}")
+[[ -n "${MDB_EXTERNAL_HOST_1:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_1%%:*}")
+[[ -n "${MDB_EXTERNAL_HOST_2:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_2%%:*}")
+mongo_dns_names+=("${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local" "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local")
+[[ ${#mongo_dns_names[@]} -gt 0 ]] || { echo "No MongoDB DNS names generated; set MDB_EXTERNAL_HOST_* vars" >&2; exit 1; }
+
+# DNS names for MongoDB Search certificate
+search_dns_names=(
+  "${MDB_SEARCH_SERVICE_NAME}"
+  "${MDB_SEARCH_SERVICE_NAME}.${MDB_NS}.svc.cluster.local"
+  "${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+  "*.${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+)
+[[ -n "${MDB_SEARCH_HOSTNAME}" ]] && search_dns_names+=("${MDB_SEARCH_HOSTNAME}")
+
+mongo_dns_block="$(printf '      - "%s"\n' "${mongo_dns_names[@]}")"
+search_dns_block="$(printf '      - "%s"\n' "${search_dns_names[@]}")"
+
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${server_certificate}
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+${mongo_dns_block}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${search_certificate}
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+${search_dns_block}
+EOF
+
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${server_certificate}" --timeout=300s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${search_certificate}" --timeout=300s
+
+echo "Server and Search TLS certificates issued (Secrets: ${MDB_TLS_SERVER_CERT_SECRET_NAME}, ${MDB_SEARCH_TLS_SECRET_NAME})."

docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh

@@ -2,12 +2,18 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodbcommunity.mongodb.com/v1
 kind: MongoDBCommunity
 metadata:
-  name: mdbc-rs
+  name: ${MDB_RESOURCE_NAME}
 spec:
   version: ${MDB_VERSION}
   type: ReplicaSet
   members: 3
   security:
+    tls:
+      enabled: true
+      certificateKeySecretRef:
+        name: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+      caConfigMapRef:
+        name: ${MDB_TLS_CA_CONFIGMAP}
     authentication:
       ignoreUnknownUsers: true
       modes:
@@ -17,7 +23,7 @@ spec:
       mongotHost: ${MDB_SEARCH_HOSTNAME}:27028
       searchIndexManagementHostAndPort: ${MDB_SEARCH_HOSTNAME}:27028
       skipAuthenticationToSearchIndexManagementServer: false
-      searchTLSMode: disabled
+      searchTLSMode: requireTLS
       useGrpcForSearch: true
   agent:
     logLevel: DEBUG
@@ -71,8 +77,8 @@ spec:
       db: admin
       # a reference to the secret that will be used to generate the user's password
       passwordSecretRef:
-        name: mdbc-rs-search-sync-source-password
-      scramCredentialsSecretName: mdbc-rs-search-sync-source
+        name: ${MDB_RESOURCE_NAME}-search-sync-source-password
+      scramCredentialsSecretName: ${MDB_RESOURCE_NAME}-search-sync-source
       roles:
         - name: searchCoordinator
           db: admin

docs/search/04-search-external-mongod/code_snippets/04_0315_wait_for_community_resource.sh

@@ -1,7 +1,9 @@
 echo "Waiting for MongoDBCommunity resource to reach Running phase..."
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
-  --for=jsonpath='{.status.phase}'=Running mdbc/mdbc-rs --timeout=400s
+
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running mdbc/"${MDB_RESOURCE_NAME}" --timeout=400s
+
 echo; echo "MongoDBCommunity resource"
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get mdbc/mdbc-rs
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get mdbc/"${MDB_RESOURCE_NAME}"
+
 echo; echo "Pods running in cluster ${K8S_CTX}"
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods

docs/search/04-search-external-mongod/code_snippets/04_0320_create_mongodb_search_resource.sh

@@ -2,18 +2,25 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodb.com/v1
 kind: MongoDBSearch
 metadata:
-  name: mdbs
+  name: ${MDB_SEARCH_RESOURCE_NAME:-mdbs}
 spec:
   source:
     external:
       hostAndPorts:
         - ${MDB_EXTERNAL_HOST_0}
         - ${MDB_EXTERNAL_HOST_1}
         - ${MDB_EXTERNAL_HOST_2}
+      tls:
+        ca:
+          name: ${MDB_TLS_CA_SECRET_NAME}
     username: search-sync-source
     passwordSecretRef:
       name: ${MDB_RESOURCE_NAME}-search-sync-source-password
       key: password
+  security:
+    tls:
+      certificateKeySecretRef:
+        name: ${MDB_SEARCH_TLS_SECRET_NAME}
   resourceRequirements:
     limits:
       cpu: "3"

docs/search/04-search-external-mongod/code_snippets/04_0322_create_search_loadbalancer_service.sh

@@ -6,7 +6,7 @@ metadata:
 spec:
   type: LoadBalancer
   selector:
-    app: mdbs-search-svc
+    app: ${MDB_SEARCH_RESOURCE_NAME:-mdbs}-search-svc
   ports:
     - name: mongot
       port: 27028