mongodb · fealebenpae · Jul 21, 2025 · Jul 21, 2025 · Jul 21, 2025 · lsierant
@@ -1285,3 +1285,8 @@ tasks:
     tags: ["patch-run"]
     commands:
       - func: "e2e_test"
+
+  - name: e2e_search_community_tls
+    tags: ["patch-run"]
+    commands:
+      - func: "e2e_test"
@@ -686,6 +686,7 @@ task_groups:
     tasks:
       - e2e_community_replicaset_scale
       - e2e_search_community_basic
+      - e2e_search_community_tls
 
   # This is the task group that contains all the tests run in the e2e_mdb_kind_ubuntu_cloudqa build variant
   - name: e2e_mdb_kind_cloudqa_task_group

@@ -36,6 +36,8 @@ type MongoDBSearchSpec struct {
 	Persistence *common.Persistence `json:"persistence,omitempty"`
 	// +optional
 	ResourceRequirements *corev1.ResourceRequirements `json:"resourceRequirements,omitempty"`
+	// +optional
+	Security Security `json:"security"`
 }
 
 type MongoDBSource struct {
@@ -47,6 +49,22 @@ type MongoDBSource struct {
 	Username *string `json:"username,omitempty"`
 }
 
+type Security struct {
+	// +optional
+	TLS TLS `json:"tls"`
+}
+
+type TLS struct {
+	Enabled bool `json:"enabled"`
+	// CertificateKeySecret is a reference to a Secret containing a private key and certificate to use for TLS.
+	// The key and cert are expected to be PEM encoded and available at "tls.key" and "tls.crt".
+	// This is the same format used for the standard "kubernetes.io/tls" Secret type, but no specific type is required.
+	// Alternatively, an entry tls.pem, containing the concatenation of cert and key, can be provided.
+	// If all of tls.pem, tls.crt and tls.key are present, the tls.pem one needs to be equal to the concatenation of tls.crt and tls.key
+	// +optional
+	CertificateKeySecret corev1.LocalObjectReference `json:"certificateKeySecretRef"`
+}
+
 type MongoDBSearchStatus struct {
 	status.Common `json:",inline"`
 	Version       string           `json:"version,omitempty"`
@@ -160,3 +178,14 @@ func (s *MongoDBSearch) GetMongotPort() int32 {
 func (s *MongoDBSearch) GetMongotMetricsPort() int32 {
 	return MongotDefaultMetricsPort
 }
+
+// TLSSecretNamespacedName will get the namespaced name of the Secret containing the server certificate and key
+func (s *MongoDBSearch) TLSSecretNamespacedName() types.NamespacedName {
+	return types.NamespacedName{Name: s.Spec.Security.TLS.CertificateKeySecret.Name, Namespace: s.Namespace}
+}
+
+// TLSOperatorSecretNamespacedName will get the namespaced name of the Secret created by the operator
+// containing the combined certificate and key.
+func (s *MongoDBSearch) TLSOperatorSecretNamespacedName() types.NamespacedName {
+	return types.NamespacedName{Name: s.Name + "-search-certificate-key", Namespace: s.Namespace}
+}
@@ -149,6 +149,37 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                     type: object
                 type: object
+              security:
+                properties:
+                  tls:
+                    properties:
+                      certificateKeySecretRef:
+                        description: |-
+                          CertificateKeySecret is a reference to a Secret containing a private key and certificate to use for TLS.
+                          The key and cert are expected to be PEM encoded and available at "tls.key" and "tls.crt".
+                          This is the same format used for the standard "kubernetes.io/tls" Secret type, but no specific type is required.
+                          Alternatively, an entry tls.pem, containing the concatenation of cert and key, can be provided.
+                          If all of tls.pem, tls.crt and tls.key are present, the tls.pem one needs to be equal to the concatenation of tls.crt and tls.key
+                        properties:
+                          name:
+                            default: ""
+                            description: |-
+                              Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
+                              TODO: Add other useful fields. apiVersion, kind, uid?
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      enabled:
+                        type: boolean
+                    required:
+                    - enabled
+                    type: object
+                type: object
               source:
                 properties:
                   mongodbResourceRef:

@@ -13,6 +13,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	searchv1 "github.com/mongodb/mongodb-kubernetes/api/v1/search"
@@ -67,7 +68,7 @@ func getSourceMongoDBForSearch(ctx context.Context, kubeClient client.Client, se
 	mdbcName := types.NamespacedName{Namespace: search.GetNamespace(), Name: sourceMongoDBResourceRef.Name}
 	mdbc := &mdbcv1.MongoDBCommunity{}
 	if err := kubeClient.Get(ctx, mdbcName, mdbc); err != nil {
-		return nil, xerrors.Errorf("error getting MongoDBCommunity %s", mdbcName)
+		return nil, xerrors.Errorf("error getting MongoDBCommunity %s: %w", mdbcName, err)
 	}
 	return search_controller.NewSearchSourceDBResourceFromMongoDBCommunity(mdbc), nil
 }
@@ -89,5 +90,6 @@ func AddMongoDBSearchController(ctx context.Context, mgr manager.Manager, operat
 		For(&searchv1.MongoDBSearch{}).
 		Watches(&mdbcv1.MongoDBCommunity{}, r.mdbcWatcher).
 		Owns(&appsv1.StatefulSet{}).
+		Owns(&corev1.Secret{}).
 		Complete(r)
 }