CLOUDP-353164: Community/Enterprise Search TLS and cert manager changes (#572)

# Summary

Why: Making Search snippets with TLS-First

Our MongoDB Search snippets guide previously deployed without TLS. This
PR overhauls them to be "TLS-first," adding and automating end-to-end
encryption by default.

What's Changing:

1. Integrates cert-manager to automatically install, bootstrap a
self-signed CA, and issue all TLS certificates for MongoDB and
MongoDBSearch.
2. All resource manifests are updated to require and reference the new
TLS secrets and CA.
3. Replaces all hardcoded resource names, member counts, and secret
names with environment variables (e.g., $RESOURCE_NAME).
4. Adds validation scripts to check for required variables before
deployment.


## Proof of Work

Tests pass

Author: anandsyncs

.gitignore

@@ -94,3 +94,5 @@ logs
 
 # locally packaged chart
 mongodb-kubernetes-*.tgz
+
+scripts/code_snippets/tests/outputs/*

controllers/searchcontroller/mongodbsearch_reconcile_helper.go

@@ -274,7 +274,7 @@ func (r *MongoDBSearchReconcileHelper) ensureEgressTlsConfig(ctx context.Context
 
 	mongotModification := func(config *mongot.Config) {
 		config.SyncSource.ReplicaSet.TLS = ptr.To(true)
-		config.SyncSource.CertificateAuthorityFile = ptr.To(tls.CAMountPath + "/" + tlsSourceConfig.CAFileName)
+		config.SyncSource.CertificateAuthorityFile = ptr.To(tls.CAMountPath + tlsSourceConfig.CAFileName)
 
 		// if the gRPC server is configured to accept TLS connections then toggle mTLS as well
 		if config.Server.Grpc.TLS.Mode == mongot.ConfigTLSModeTLS {

docs/search/01-search-community-deploy/code_snippets/01_0040_validate_env.sh

@@ -0,0 +1,25 @@
+required=(
+  K8S_CTX
+  MDB_NS
+  MDB_RESOURCE_NAME
+  MDB_VERSION
+  MDB_MEMBERS
+  CERT_MANAGER_NAMESPACE
+  MDB_TLS_CA_SECRET_NAME
+  MDB_TLS_SERVER_CERT_SECRET_NAME
+  MDB_SEARCH_TLS_SECRET_NAME
+  MDB_ADMIN_USER_PASSWORD
+  MDB_SEARCH_SYNC_USER_PASSWORD
+  MDB_USER_PASSWORD
+  OPERATOR_HELM_CHART
+)
+
+missing_req=()
+for v in "${required[@]}"; do [[ -n "${!v:-}" ]] || missing_req+=("${v}"); done
+
+if (( ${#missing_req[@]} )); then
+  echo "ERROR: Missing required environment variables:" >&2
+  for m in "${missing_req[@]}"; do echo "  - ${m}" >&2; done
+else
+  echo "All required environment variables present."
+fi

docs/search/01-search-community-deploy/code_snippets/01_0305_create_mongodb_community_user_secrets.sh

@@ -1,12 +1,16 @@
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-admin-user-password \
-  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}"
+# Create admin user secret
+kubectl create secret generic mdb-admin-user-password \
+  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdbc-rs-search-sync-source-password \
-  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}"
+# Create search sync source user secret
+kubectl create secret generic "${MDB_RESOURCE_NAME}-search-sync-source-password" \
+  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-user-password \
-  --from-literal=password="${MDB_USER_PASSWORD}"
+# Create regular user secret
+kubectl create secret generic mdb-user-password \
+  --from-literal=password="${MDB_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
+echo "User secrets created."

docs/search/01-search-community-deploy/code_snippets/01_0306_install_cert_manager.sh

@@ -0,0 +1,15 @@
+helm upgrade --install \
+  cert-manager \
+  oci://quay.io/jetstack/charts/cert-manager \
+  --kube-context "${K8S_CTX}" \
+  --namespace "${CERT_MANAGER_NAMESPACE}" \
+  --create-namespace \
+  --set crds.enabled=true
+
+for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
+  kubectl --context "${K8S_CTX}" \
+    -n "${CERT_MANAGER_NAMESPACE}" \
+    wait --for=condition=Available "deployment/${deployment}" --timeout=300s
+done
+
+echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."

docs/search/01-search-community-deploy/code_snippets/01_0307_prepare_cert_manager_issuer.sh

@@ -0,0 +1,60 @@
+# Bootstrap a self-signed ClusterIssuer that will mint the CA material consumed by
+# the MongoDBCommunity deployment.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+spec:
+  selfSigned: {}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}"
+
+# Create the CA certificate and secret in the cert-manager namespace.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_TLS_CA_CERT_NAME}
+  namespace: ${CERT_MANAGER_NAMESPACE}
+spec:
+  isCA: true
+  commonName: ${MDB_TLS_CA_CERT_NAME}
+  secretName: ${MDB_TLS_CA_SECRET_NAME}
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+    kind: ClusterIssuer
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}"
+
+# Publish a cluster-scoped issuer that fronts the generated CA secret so all namespaces can reuse it.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_CA_ISSUER}
+spec:
+  ca:
+    secretName: ${MDB_TLS_CA_SECRET_NAME}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}"
+
+TMP_CA_CERT="$(mktemp)"
+
+kubectl --context "${K8S_CTX}" \
+  get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" \
+  -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_CA_CERT}"
+
+# Expose the CA bundle through a ConfigMap for workloads and the MongoDBCommunity resource.
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+  --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" \
+  --from-file=ca.crt="${TMP_CA_CERT}" \
+  --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+echo "Cluster-wide CA issuer ${MDB_TLS_CA_ISSUER} is ready."

docs/search/01-search-community-deploy/code_snippets/01_0308_issue_tls_certificates.sh

@@ -0,0 +1,70 @@
+server_certificate="${MDB_RESOURCE_NAME}-server-tls"
+search_certificate="${MDB_RESOURCE_NAME}-search-tls"
+
+mongo_dns_names=()
+for ((member = 0; member < MDB_MEMBERS; member++)); do
+  mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}")
+  mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local")
+done
+mongo_dns_names+=(
+  "${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+  "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+)
+
+search_dns_names=(
+  "${MDB_RESOURCE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+)
+
+render_dns_list() {
+  local dns_list=("$@")
+  for dns in "${dns_list[@]}"; do
+    printf "      - \"%s\"\n" "${dns}"
+  done
+}
+
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${server_certificate}
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${mongo_dns_names[@]}")
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${search_certificate}
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${search_dns_names[@]}")
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${server_certificate}" --timeout=300s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${search_certificate}" --timeout=300s
+
+echo "MongoDB TLS certificates have been issued."

docs/search/01-search-community-deploy/code_snippets/01_0310_create_mongodb_community_resource.sh

@@ -2,12 +2,18 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodbcommunity.mongodb.com/v1
 kind: MongoDBCommunity
 metadata:
-  name: mdbc-rs
+  name: ${MDB_RESOURCE_NAME}
 spec:
   version: ${MDB_VERSION}
   type: ReplicaSet
-  members: 3
+  members: ${MDB_MEMBERS}
   security:
+    tls:
+      enabled: true
+      certificateKeySecretRef:
+        name: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+      caConfigMapRef:
+        name: ${MDB_TLS_CA_CONFIGMAP}
     authentication:
       ignoreUnknownUsers: true
       modes:
@@ -68,8 +74,8 @@ spec:
       db: admin
       # a reference to the secret that will be used to generate the user's password
       passwordSecretRef:
-        name: mdbc-rs-search-sync-source-password
-      scramCredentialsSecretName: mdbc-rs-search-sync-source
+        name: ${MDB_RESOURCE_NAME}-search-sync-source-password
+      scramCredentialsSecretName: ${MDB_RESOURCE_NAME}-search-sync-source
       roles:
         - name: searchCoordinator
           db: admin

docs/search/01-search-community-deploy/code_snippets/01_0320_create_mongodb_search_resource.sh

@@ -2,8 +2,12 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodb.com/v1
 kind: MongoDBSearch
 metadata:
-  name: mdbc-rs
+  name: ${MDB_RESOURCE_NAME}
 spec:
+  security:
+    tls:
+      certificateKeySecretRef:
+        name: ${MDB_SEARCH_TLS_SECRET_NAME}
   resourceRequirements:
     limits:
       cpu: "3"

docs/search/01-search-community-deploy/code_snippets/01_0325_wait_for_search_resource.sh

@@ -1,3 +1,3 @@
 echo "Waiting for MongoDBSearch resource to reach Running phase..."
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
-  --for=jsonpath='{.status.phase}'=Running mdbs/mdbc-rs --timeout=300s
+  --for=jsonpath='{.status.phase}'=Running mdbs/"${MDB_RESOURCE_NAME}" --timeout=300s