diff --git a/.evergreen-snippets.yml b/.evergreen-snippets.yml index c5a209920..c6ed37af3 100644 --- a/.evergreen-snippets.yml +++ b/.evergreen-snippets.yml @@ -121,6 +121,12 @@ tasks: - func: test_code_snippets - func: sample_commit_output + - name: test_kind_search_external_mongod_snippets.sh + tags: [ "code_snippets", "patch-run" ] + commands: + - func: test_code_snippets + - func: sample_commit_output + task_groups: - name: gke_code_snippets_task_group <<: *setup_and_teardown_group_gke_code_snippets @@ -135,6 +141,7 @@ task_groups: tasks: - test_kind_search_community_snippets.sh - test_kind_search_enterprise_snippets.sh + - test_kind_search_external_mongod_snippets.sh buildvariants: # These variants are used to test the code snippets and each one can be used in patches diff --git a/api/v1/search/mongodbsearch_types.go b/api/v1/search/mongodbsearch_types.go index ce90a8d13..47ddd5186 100644 --- a/api/v1/search/mongodbsearch_types.go +++ b/api/v1/search/mongodbsearch_types.go @@ -69,22 +69,20 @@ type ExternalMongoDBSource struct { } type ExternalMongodTLS struct { - Enabled bool `json:"enabled"` - // +optional - CA *corev1.LocalObjectReference `json:"ca,omitempty"` + // CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate. + // The CA certificate is expected to be PEM encoded and available at the "ca.crt" key. + CA *corev1.LocalObjectReference `json:"ca"` } type Security struct { // +optional - TLS TLS `json:"tls"` + TLS *TLS `json:"tls,omitempty"` } type TLS struct { - Enabled bool `json:"enabled"` // CertificateKeySecret is a reference to a Secret containing a private key and certificate to use for TLS. // The key and cert are expected to be PEM encoded and available at "tls.key" and "tls.crt". // This is the same format used for the standard "kubernetes.io/tls" Secret type, but no specific type is required. - // +optional CertificateKeySecret corev1.LocalObjectReference `json:"certificateKeySecretRef"` } 
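Review bot: In api/v1/search/mongodbsearch_types.go the presence of the `tls` object is now the only switch, but no field comment says that omitting it leaves the connection unencrypted. `Security.TLS` could carry `// TLS, when set, enables TLS on mongot's ingress; when omitted, TLS is disabled.`, and the `ExternalMongodTLS` comment could say the same for the connection to the external mongod. The upgrade path also deserves a release note. An existing resource with `enabled: false` alongside `certificateKeySecretRef` would presumably have the unknown field pruned and TLS switched on, and one with only `enabled: false` would no longer validate.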
diff --git a/config/crd/bases/mongodb.com_mongodbsearch.yaml b/config/crd/bases/mongodb.com_mongodbsearch.yaml index 6cdf7d1dc..aa9596e8b 100644 --- a/config/crd/bases/mongodb.com_mongodbsearch.yaml +++ b/config/crd/bases/mongodb.com_mongodbsearch.yaml @@ -179,10 +179,8 @@ spec: type: string type: object x-kubernetes-map-type: atomic - enabled: - type: boolean required: - - enabled + - certificateKeySecretRef type: object type: object source: @@ -211,8 +209,8 @@ spec: properties: ca: description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate. + The CA certificate is expected to be PEM encoded and available at the "ca.crt" key. properties: name: default: "" @@ -225,10 +223,8 @@ spec: type: string type: object x-kubernetes-map-type: atomic - enabled: - type: boolean required: - - enabled + - ca type: object type: object mongodbResourceRef: diff --git a/controllers/operator/mongodbsearch_controller.go b/controllers/operator/mongodbsearch_controller.go index b633fe9b4..16db88027 100644 --- a/controllers/operator/mongodbsearch_controller.go +++ b/controllers/operator/mongodbsearch_controller.go @@ -70,7 +70,7 @@ func (r *MongoDBSearchReconciler) Reconcile(ctx context.Context, request reconci } // Watch our own TLS certificate secret for changes - if mdbSearch.Spec.Security.TLS.Enabled { + if mdbSearch.Spec.Security.TLS != nil { r.watch.AddWatchedResourceIfNotAdded(mdbSearch.Spec.Security.TLS.CertificateKeySecret.Name, mdbSearch.Namespace, watch.Secret, mdbSearch.NamespacedName()) } diff --git a/controllers/searchcontroller/external_search_source.go b/controllers/searchcontroller/external_search_source.go index 8b5cc2d56..077277921 100644 --- a/controllers/searchcontroller/external_search_source.go +++ b/controllers/searchcontroller/external_search_source.go 
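Review bot: In the Reconcile hunk of controllers/operator/mongodbsearch_controller.go the watch is registered for `CertificateKeySecret.Name` without checking that the name is non-empty. `CertificateKeySecret` is a value type, so a spec such as `tls: {certificateKeySecretRef: {}}` appears to satisfy the CRD's `required` list while leaving the name empty. The guard could become `if tls := mdbSearch.Spec.Security.TLS; tls != nil && tls.CertificateKeySecret.Name != "" {`, with the empty case reported as a validation error rather than skipped silently. Reconcile begins and continues outside this hunk, so an earlier validation step may already cover this.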
@@ -26,7 +26,7 @@ func (r *externalSearchResource) Validate() error { } func (r *externalSearchResource) TLSConfig() *TLSSourceConfig { - if r.spec.TLS == nil || !r.spec.TLS.Enabled { + if r.spec.TLS == nil { return nil } diff --git a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go index 50c0e3987..f8db1895b 100644 --- a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go +++ b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go @@ -228,7 +228,7 @@ func (r *MongoDBSearchReconcileHelper) ensureMongotConfig(ctx context.Context, l } func (r *MongoDBSearchReconcileHelper) ensureIngressTlsConfig(ctx context.Context) (mongot.Modification, statefulset.Modification, error) { - if !r.mdbSearch.Spec.Security.TLS.Enabled { + if r.mdbSearch.Spec.Security.TLS == nil { mongotModification := func(config *mongot.Config) { config.Server.Wireproto.TLS.Mode = mongot.ConfigTLSModeDisabled } @@ -390,7 +390,7 @@ func createMongotConfig(search *searchv1.MongoDBSearch, db SearchSourceDBResourc func GetMongodConfigParameters(search *searchv1.MongoDBSearch) map[string]any { searchTLSMode := automationconfig.TLSModeDisabled - if search.Spec.Security.TLS.Enabled { + if search.Spec.Security.TLS != nil { searchTLSMode = automationconfig.TLSModeRequired } return map[string]any{ diff --git a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py index 3a084b7a6..e9facccb2 100644 --- a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py +++ b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py 
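Review bot: After the `r.spec.TLS == nil` check in TLSConfig, `r.spec.TLS.CA` is still a pointer that can be nil, for example on an object stored before the CRD made `ca` required. The rest of TLSConfig is outside this hunk and presumably reads that pointer. `Validate()`, whose body is also outside the hunk, is the natural place to reject it, with a condition such as `r.spec.TLS != nil && (r.spec.TLS.CA == nil || r.spec.TLS.CA.Name == "")` returning an error. A missing CA would then surface as a clear status message rather than a nil dereference or a connection whose server certificate cannot be verified.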
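Review bot: `Spec.Security.TLS != nil` is now the TLS-enabled predicate in three separate places: ensureIngressTlsConfig here, GetMongodConfigParameters in the next hunk, and the secret watch in mongodbsearch_controller.go. These must stay in agreement, otherwise mongod could be given `TLSModeRequired` while mongot is configured with `ConfigTLSModeDisabled`. A small accessor on the API type, for example `func (s *MongoDBSearch) IsTLSConfigured() bool { return s.Spec.Security.TLS != nil }`, would give the rule one home and one place to tighten it later. Both functions extend beyond their hunks.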
@@ -71,7 +71,6 @@ def mdbs(namespace: str, mdbc: MongoDBCommunity) -> MongoDBSearch: "external": { "hostAndPorts": seeds, "keyfileSecretRef": {"name": f"{mdbc.name}-keyfile", "key": "keyfile"}, - "tls": {"enabled": False}, }, "passwordSecretRef": {"name": f"{MDBC_RESOURCE_NAME}-{MONGOT_USER_NAME}-password", "key": "password"}, "username": MONGOT_USER_NAME, diff --git a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py index 8ccd5298c..a3d367636 100644 --- a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py +++ b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py @@ -138,7 +138,6 @@ def test_create_search_resource(mdbs: MongoDBSearch, mdbc: MongoDBCommunity): "hostAndPorts": seeds, "keyfileSecretRef": {"name": f"{mdbc.name}-keyfile"}, "tls": { - "enabled": True, "ca": {"name": f"{mdbc.name}-ca"}, }, }, @@ -146,7 +145,7 @@ def test_create_search_resource(mdbs: MongoDBSearch, mdbc: MongoDBCommunity): "username": MONGOT_USER_NAME, } - mdbs["spec"]["security"] = {"tls": {"enabled": True, "certificateKeySecretRef": {"name": MDBS_TLS_SECRET_NAME}}} + mdbs["spec"]["security"] = {"tls": {"certificateKeySecretRef": {"name": MDBS_TLS_SECRET_NAME}}} mdbs.update() mdbs.assert_reaches_phase(Phase.Running, timeout=300) diff --git a/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py b/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py index 8050ccd5c..887a8e5d0 100644 --- a/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py +++ b/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py 
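Review bot: The updated tests in search_community_external_mongod_tls.py only exercise specs that the new schema accepts, so nothing pins the stricter validation this change relies on. A negative case would cover that, one asserting the API server rejects `"tls": {}` under `source.external` (missing `ca`) and `"security": {"tls": {}}` (missing `certificateKeySecretRef`). It would catch a regenerated CRD that drops either `required` entry and silently allows a TLS block with no trust anchor or certificate. test_create_search_resource continues outside the hunk.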
@@ -59,7 +59,7 @@ def mdbs(namespace: str) -> MongoDBSearch: if "spec" not in resource: resource["spec"] = {} - resource["spec"]["security"] = {"tls": {"enabled": True, "certificateKeySecretRef": {"name": MDBS_TLS_SECRET_NAME}}} + resource["spec"]["security"] = {"tls": {"certificateKeySecretRef": {"name": MDBS_TLS_SECRET_NAME}}} return resource diff --git a/docs/search/04-search-external-mongod/README.md b/docs/search/04-search-external-mongod/README.md index 9d1f059c6..c84b20ae2 100644 --- a/docs/search/04-search-external-mongod/README.md +++ b/docs/search/04-search-external-mongod/README.md @@ -182,8 +182,6 @@ spec: keyfileSecretRef: name: ${MDB_EXTERNAL_KEYFILE_SECRET_NAME} key: keyfile - tls: - enabled: false username: search-sync-source passwordSecretRef: name: mdbc-rs-search-sync-source-password diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0320_create_mongodb_search_resource.sh b/docs/search/04-search-external-mongod/code_snippets/04_0320_create_mongodb_search_resource.sh index 1670172a8..85ce3f4d5 100644 --- a/docs/search/04-search-external-mongod/code_snippets/04_0320_create_mongodb_search_resource.sh +++ b/docs/search/04-search-external-mongod/code_snippets/04_0320_create_mongodb_search_resource.sh @@ -13,8 +13,6 @@ spec: keyfileSecretRef: name: ${MDB_EXTERNAL_KEYFILE_SECRET_NAME} key: keyfile - tls: - enabled: false username: search-sync-source passwordSecretRef: name: mdbc-rs-search-sync-source-password diff --git a/docs/search/04-search-external-mongod/test.sh b/docs/search/04-search-external-mongod/test.sh old mode 100644 new mode 100755 diff --git a/helm_chart/crds/mongodb.com_mongodbsearch.yaml b/helm_chart/crds/mongodb.com_mongodbsearch.yaml index 6cdf7d1dc..aa9596e8b 100644 --- a/helm_chart/crds/mongodb.com_mongodbsearch.yaml +++ b/helm_chart/crds/mongodb.com_mongodbsearch.yaml 
@@ -179,10 +179,8 @@ spec: type: string type: object x-kubernetes-map-type: atomic - enabled: - type: boolean required: - - enabled + - certificateKeySecretRef type: object type: object source: @@ -211,8 +209,8 @@ spec: properties: ca: description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate. + The CA certificate is expected to be PEM encoded and available at the "ca.crt" key. properties: name: default: "" @@ -225,10 +223,8 @@ spec: type: string type: object x-kubernetes-map-type: atomic - enabled: - type: boolean required: - - enabled + - ca type: object type: object mongodbResourceRef: diff --git a/public/crds.yaml b/public/crds.yaml index 9fa6a9207..9ea68b946 100644 --- a/public/crds.yaml +++ b/public/crds.yaml @@ -4201,10 +4201,8 @@ spec: type: string type: object x-kubernetes-map-type: atomic - enabled: - type: boolean required: - - enabled + - certificateKeySecretRef type: object type: object source: @@ -4233,8 +4231,8 @@ spec: properties: ca: description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate. + The CA certificate is expected to be PEM encoded and available at the "ca.crt" key. properties: name: default: "" @@ -4247,10 +4245,8 @@ spec: type: string type: object x-kubernetes-map-type: atomic - enabled: - type: boolean required: - - enabled + - ca type: object type: object mongodbResourceRef: diff --git a/scripts/code_snippets/tests/test_kind_search_external_mongod_snippets.sh b/scripts/code_snippets/tests/test_kind_search_external_mongod_snippets.sh old mode 100644 new mode 100755