From 694c0d734be725d56eff1e625a4c97d7a2e8ca00 Mon Sep 17 00:00:00 2001 From: Anand Singh Date: Wed, 12 Nov 2025 10:36:57 +0100 Subject: [PATCH 1/7] tracer --- .../code_snippets/04_0100_install_operator.sh | 2 +- .../04_0110_wait_for_operator_deployment.sh | 8 + .../04_0304_install_cert_manager.sh | 31 +++ ...5_create_mongodb_community_user_secrets.sh | 25 ++- .../04_0306_create_tls_secrets.sh | 189 ++++++++++++++++++ ..._0310_create_mongodb_community_resource.sh | 16 +- .../04_0315_wait_for_community_resource.sh | 10 +- .../04_0320_create_mongodb_search_resource.sh | 9 +- ...0322_create_search_loadbalancer_service.sh | 2 +- .../04_0325_wait_for_search_resource.sh | 4 +- .../04_0330_wait_for_community_resource.sh | 4 +- .../env_variables.sh | 15 +- docs/search/04-search-external-mongod/test.sh | 2 + ...st_kind_search_external_mongod_snippets.sh | 2 +- 14 files changed, 294 insertions(+), 25 deletions(-) create mode 100644 docs/search/04-search-external-mongod/code_snippets/04_0110_wait_for_operator_deployment.sh create mode 100644 docs/search/04-search-external-mongod/code_snippets/04_0304_install_cert_manager.sh create mode 100755 docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh
diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0100_install_operator.sh b/docs/search/04-search-external-mongod/code_snippets/04_0100_install_operator.sh
index 8ada5bee6..432139353 100644
--- a/docs/search/04-search-external-mongod/code_snippets/04_0100_install_operator.sh
+++ b/docs/search/04-search-external-mongod/code_snippets/04_0100_install_operator.sh
@@ -2,5 +2,5 @@ helm upgrade --install --debug --kube-context "${K8S_CTX}" \
 --create-namespace \
 --namespace="${MDB_NS}" \
 mongodb-kubernetes \
- --set "${OPERATOR_ADDITIONAL_HELM_VALUES:-"dummy=value"}" \
+ ${OPERATOR_ADDITIONAL_HELM_VALUES:+--set ${OPERATOR_ADDITIONAL_HELM_VALUES}} \
 "${OPERATOR_HELM_CHART}"
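Review bot: The new `${OPERATOR_ADDITIONAL_HELM_VALUES:+--set ${OPERATOR_ADDITIONAL_HELM_VALUES}}` has to stay unquoted so the whole argument vanishes when the variable is empty, but that also word-splits and glob-expands the value itself, so a helm value containing a space or `*` is mangled, and ShellCheck reports it as SC2086 in a series that gets a lint pass in 3/7. An array keeps the conditional argument without giving up quoting: `helm_args=()`, `[[ -n "${OPERATOR_ADDITIONAL_HELM_VALUES:-}" ]] && helm_args+=(--set "${OPERATOR_ADDITIONAL_HELM_VALUES}")`, then `"${helm_args[@]}" \` in place of the expansion. If the unquoted form is kept deliberately, a `# shellcheck disable=SC2086 -- intentional: expands to nothing when unset` line above it records why. The `helm upgrade` command this argument belongs to starts on line 1, outside the hunk.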
diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0110_wait_for_operator_deployment.sh b/docs/search/04-search-external-mongod/code_snippets/04_0110_wait_for_operator_deployment.sh new file mode 100644
index 000000000..1a3a0d82a
--- /dev/null
+++ b/docs/search/04-search-external-mongod/code_snippets/04_0110_wait_for_operator_deployment.sh
@@ -0,0 +1,8 @@
+echo "Waiting for operator deployment to be ready..."
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" rollout status --timeout=2m deployment/mongodb-kubernetes-operator
+
+echo "Operator deployment in ${MDB_NS} namespace"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get deployments
+
+echo; echo "Operator pod in ${MDB_NS} namespace"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods -l app=mongodb-kubernetes-operator
diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0304_install_cert_manager.sh b/docs/search/04-search-external-mongod/code_snippets/04_0304_install_cert_manager.sh new file mode 100644
index 000000000..659a8016c
--- /dev/null
+++ b/docs/search/04-search-external-mongod/code_snippets/04_0304_install_cert_manager.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+required_env=(
+ "K8S_CTX"
+ "CERT_MANAGER_NAMESPACE"
+)
+
+for var in "${required_env[@]}"; do
+ if [[ -z "${!var:-}" ]]; then
+ echo "Environment variable ${var} must be set" >&2
+ exit 1
+ fi
+done
+
+helm upgrade --install \
+ cert-manager \
+ oci://quay.io/jetstack/charts/cert-manager \
+ --kube-context "${K8S_CTX}" \
+ --namespace "${CERT_MANAGER_NAMESPACE}" \
+ --create-namespace \
+ --set crds.enabled=true
+
+for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
+ kubectl --context "${K8S_CTX}" \
+ -n "${CERT_MANAGER_NAMESPACE}" \
+ wait --for=condition=Available "deployment/${deployment}" --timeout=300s
+done
+
+echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."
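Review bot: The cert-manager install in 04_0304_install_cert_manager.sh references `oci://quay.io/jetstack/charts/cert-manager` with no `--version`, so each run resolves whatever chart is latest at that moment, the issuer and CA setup that later snippets build on it is not reproducible between runs, and the dependency is not reviewable as a pinned version. Add a pin next to the chart reference, `--version "${CERT_MANAGER_VERSION}" \`, and export the chosen value from env_variables.sh alongside `CERT_MANAGER_NAMESPACE` (`CERT_MANAGER_VERSION` is a proposed name; fill in the chart version the docs are tested against). The `required_env` preflight and the `kubectl wait --for=condition=Available` loop over the three deployments are the right shape and make a missing context or namespace fail before anything is installed.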
diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0305_create_mongodb_community_user_secrets.sh b/docs/search/04-search-external-mongod/code_snippets/04_0305_create_mongodb_community_user_secrets.sh
index f04439134..6fad0111b 100644
--- a/docs/search/04-search-external-mongod/code_snippets/04_0305_create_mongodb_community_user_secrets.sh
+++ b/docs/search/04-search-external-mongod/code_snippets/04_0305_create_mongodb_community_user_secrets.sh
@@ -1,11 +1,18 @@
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
- create secret generic mdb-admin-user-password \
- --from-literal=password="${MDB_ADMIN_USER_PASSWORD}"
+#!/usr/bin/env bash
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
- create secret generic mdbc-rs-search-sync-source-password \
- --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}"
+# Create admin user secret
+kubectl create secret generic mdb-admin-user-password \
+ --from-literal=password="${MDB_ADMIN_USER_PASSWORD}" \
+ --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
- create secret generic mdb-user-password \
- --from-literal=password="${MDB_USER_PASSWORD}"
+# Create search sync source user secret
+kubectl create secret generic "${MDB_RESOURCE_NAME}-search-sync-source-password" \
+ --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}" \
+ --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
+
+# Create regular user secret
+kubectl create secret generic mdb-user-password \
+ --from-literal=password="${MDB_USER_PASSWORD}" \
+ --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
+
+echo "User secrets created."
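Review bot: `"${MDB_RESOURCE_NAME}-search-sync-source-password"` has no guard, so with the variable unset the secret name becomes `-search-sync-source-password`, which is not a valid Kubernetes object name, and the failure shows up as an error about the rendered object rather than about the missing variable; `"${MDB_RESOURCE_NAME:?MDB_RESOURCE_NAME must be set}-search-sync-source-password"` fails fast with the real cause, and the same `:?` treatment fits the three password variables. The file has no `set -o pipefail`, so a failing first stage of the render-then-apply pipeline is only reported indirectly through the status of `kubectl apply` reading its output. Separately, and unchanged from the old code, `--from-literal=password=...` places each password in a process argv where `ps` and a `set -x` or `--debug` trace can read it; feeding the value on stdin, `printf '%s' "${MDB_ADMIN_USER_PASSWORD}" | kubectl create secret generic mdb-admin-user-password --from-file=password=/dev/stdin --dry-run=client -o yaml | kubectl apply ...`, keeps it out of argv.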
diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh b/docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh new file mode 100755 index 000000000..cfd09c982 --- /dev/null +++ b/docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh 
@@ -0,0 +1,189 @@ +#!/usr/bin/env bash + +set -euo pipefail + +required_env=( + "K8S_CTX" + "MDB_NS" + "CERT_MANAGER_NAMESPACE" + "MDB_RESOURCE_NAME" + "MDB_TLS_SELF_SIGNED_ISSUER" + "MDB_TLS_CA_CERT_NAME" + "MDB_TLS_CA_SECRET_NAME" + "MDB_TLS_CA_CONFIGMAP" + "MDB_TLS_CA_ISSUER" + "MDB_TLS_SERVER_CERT_SECRET_NAME" + "MDB_SEARCH_TLS_SECRET_NAME" + "MDB_SEARCH_SERVICE_NAME" + "MDB_SEARCH_HOSTNAME" +) + +for var in "${required_env[@]}"; do + if [[ -z "${!var:-}" ]]; then + echo "Environment variable ${var} must be set" >&2 + exit 1 + fi +done + +server_certificate="${MDB_RESOURCE_NAME}-server-tls" +search_certificate="${MDB_RESOURCE_NAME}-search-tls" + +kubectl apply --context "${K8S_CTX}" -f - <&2 + exit 1 +fi + +echo "CA certificate data retrieved for secret ${MDB_TLS_CA_SECRET_NAME}." + +# Write CA cert to temp file +printf '%s' "${ca_data}" | base64 --decode > "${tmp_ca_cert}" + +# Create namespaced CA secret with multiple key variants for compatibility +kubectl --context "${K8S_CTX}" create secret generic "${MDB_TLS_CA_SECRET_NAME}" -n "${MDB_NS}" \ + --from-file=ca.crt="${tmp_ca_cert}" \ + --from-file=ca-pem="${tmp_ca_cert}" \ + --from-file=mms-ca.crt="${tmp_ca_cert}" \ + --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f - + +add_unique_dns() { + local -n seen_ref=$1 + local -n collection_ref=$2 + local candidate=$3 + [[ -z "${candidate}" ]] && return 0 + if [[ -z "${seen_ref[${candidate}]:-}" ]]; then + seen_ref["${candidate}"]=1 + collection_ref+=("${candidate}") + fi +} + +render_dns_list() { + local entries=("$@") + for entry in "${entries[@]}"; do + printf " - \"%s\"\n" "${entry}" + done +} + +declare -A mongo_seen=() +mongo_dns_names=() + +for host_var in MDB_EXTERNAL_HOST_0 MDB_EXTERNAL_HOST_1 MDB_EXTERNAL_HOST_2; do + host_value="${!host_var:-}" + if [[ -n "${host_value}" ]]; then + add_unique_dns mongo_seen mongo_dns_names "${host_value%%:*}" + fi +done + +add_unique_dns mongo_seen mongo_dns_names 
"${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local" +add_unique_dns mongo_seen mongo_dns_names "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local" + +if [[ ${#mongo_dns_names[@]} -eq 0 ]]; then + echo "No MongoDB DNS names generated; ensure MDB_EXTERNAL_HOST_* variables are set" >&2 + exit 1 +fi + +declare -A search_seen=() +search_dns_names=() + +add_unique_dns search_seen search_dns_names "${MDB_SEARCH_SERVICE_NAME}" +add_unique_dns search_seen search_dns_names "${MDB_SEARCH_SERVICE_NAME}.${MDB_NS}.svc.cluster.local" +add_unique_dns search_seen search_dns_names "${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local" +add_unique_dns search_seen search_dns_names "*.${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local" +add_unique_dns search_seen search_dns_names "${MDB_SEARCH_HOSTNAME}" + +kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - < Date: Wed, 12 Nov 2025 13:23:30 +0100 Subject: [PATCH 2/7] cleanup --- .../04_0304_install_cert_manager.sh | 16 ------ .../04_0306_create_tls_secrets.sh | 52 ++++--------------- 2 files changed, 11 insertions(+), 57 deletions(-) diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0304_install_cert_manager.sh b/docs/search/04-search-external-mongod/code_snippets/04_0304_install_cert_manager.sh index 659a8016c..0e92edf54 100644 --- a/docs/search/04-search-external-mongod/code_snippets/04_0304_install_cert_manager.sh +++ b/docs/search/04-search-external-mongod/code_snippets/04_0304_install_cert_manager.sh @@ -1,19 +1,3 @@ -#!/usr/bin/env bash - -set -euo pipefail - -required_env=( - "K8S_CTX" - "CERT_MANAGER_NAMESPACE" -) - -for var in "${required_env[@]}"; do - if [[ -z "${!var:-}" ]]; then - echo "Environment variable ${var} must be set" >&2 - exit 1 - fi -done - helm upgrade --install \ cert-manager \ oci://quay.io/jetstack/charts/cert-manager \ 
diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh b/docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh index cfd09c982..21b0be374 100755 --- a/docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh +++ b/docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh @@ -1,30 +1,3 @@ -#!/usr/bin/env bash - -set -euo pipefail - -required_env=( - "K8S_CTX" - "MDB_NS" - "CERT_MANAGER_NAMESPACE" - "MDB_RESOURCE_NAME" - "MDB_TLS_SELF_SIGNED_ISSUER" - "MDB_TLS_CA_CERT_NAME" - "MDB_TLS_CA_SECRET_NAME" - "MDB_TLS_CA_CONFIGMAP" - "MDB_TLS_CA_ISSUER" - "MDB_TLS_SERVER_CERT_SECRET_NAME" - "MDB_SEARCH_TLS_SECRET_NAME" - "MDB_SEARCH_SERVICE_NAME" - "MDB_SEARCH_HOSTNAME" -) - -for var in "${required_env[@]}"; do - if [[ -z "${!var:-}" ]]; then - echo "Environment variable ${var} must be set" >&2 - exit 1 - fi -done - server_certificate="${MDB_RESOURCE_NAME}-server-tls" search_certificate="${MDB_RESOURCE_NAME}-search-tls" 
@@ -74,26 +47,23 @@ kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_T
 tmp_ca_cert="$(mktemp)"
 trap 'rm -f "${tmp_ca_cert}"' EXIT
-# Extract CA certificate data (prefer ca.crt, fallback to tls.crt)
-ca_data=$(kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}") || true
-if [[ -z "${ca_data}" ]]; then
- ca_data=$(kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['tls\\.crt']}") || true
-fi
-if [[ -z "${ca_data}" ]]; then
- echo "Failed to retrieve CA certificate data from secret ${MDB_TLS_CA_SECRET_NAME} in namespace ${CERT_MANAGER_NAMESPACE}" >&2
- exit 1
-fi
-
-echo "CA certificate data retrieved for secret ${MDB_TLS_CA_SECRET_NAME}."
+ca_data="$(kubectl --context "${K8S_CTX}" \
+ get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" \
+ -o jsonpath="{.data['ca\\.crt']}")"
 # Write CA cert to temp file
 printf '%s' "${ca_data}" | base64 --decode > "${tmp_ca_cert}"
-# Create namespaced CA secret with multiple key variants for compatibility
-kubectl --context "${K8S_CTX}" create secret generic "${MDB_TLS_CA_SECRET_NAME}" -n "${MDB_NS}" \
- --from-file=ca.crt="${tmp_ca_cert}" \
+# Create ConfigMap for MongoDBCommunity TLS (keys: ca-pem, mms-ca.crt, ca.crt)
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
 --from-file=ca-pem="${tmp_ca_cert}" \
 --from-file=mms-ca.crt="${tmp_ca_cert}" \
+ --from-file=ca.crt="${tmp_ca_cert}" \
+ --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+# Secret for external MongoDBSearch source TLS (expects ca.crt)
+kubectl --context "${K8S_CTX}" create secret generic "${MDB_TLS_CA_SECRET_NAME}" -n "${MDB_NS}" \
+ --from-file=ca.crt="${tmp_ca_cert}" \
 --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
 add_unique_dns() {
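Review bot: With the empty-`ca_data` check gone there is nothing between the jsonpath lookup and `base64 --decode`: `kubectl get secret -o jsonpath` exits 0 with empty output when the `ca.crt` key is absent (for example while the CA Certificate is still being issued), and the first hunk of this same patch removed the file's `set -euo pipefail`, so the script would go on to create `${MDB_TLS_CA_CONFIGMAP}` and the `${MDB_NS}` copy of `${MDB_TLS_CA_SECRET_NAME}` with an empty `ca.crt`, and the failure would only surface later in whatever consumes them. Keep a guard right after the assignment, `[[ -n "${ca_data}" ]] || { echo "no ca.crt in secret ${MDB_TLS_CA_SECRET_NAME} (namespace ${CERT_MANAGER_NAMESPACE})" >&2; exit 1; }`; the 4/7 rewrite adds a non-empty check on `ca_b64`, so only this intermediate state lacks it. The comment above the Secret could also state the boundary this code keeps, e.g. `# Copies only the public CA cert into ${MDB_NS}; nothing else from the cert-manager secret is copied`, so a later edit does not "complete" it with private key material. The script continues before and after this hunk.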
From d232b375c83f0fd8dfebfa48a450987ffbfe76fe Mon Sep 17 00:00:00 2001 From: Anand Singh Date: Wed, 12 Nov 2025 14:04:05 +0100 Subject: [PATCH 3/7] fix lint --- .../code_snippets/04_0315_wait_for_community_resource.sh | 4 ++-- .../code_snippets/04_0330_wait_for_community_resource.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0315_wait_for_community_resource.sh b/docs/search/04-search-external-mongod/code_snippets/04_0315_wait_for_community_resource.sh
index f07bf5f52..1d7c04daf 100644
--- a/docs/search/04-search-external-mongod/code_snippets/04_0315_wait_for_community_resource.sh
+++ b/docs/search/04-search-external-mongod/code_snippets/04_0315_wait_for_community_resource.sh
@@ -2,10 +2,10 @@
 echo "Waiting for MongoDBCommunity resource to reach Running phase..."
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running mdbc/${MDB_RESOURCE_NAME} --timeout=400s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running mdbc/"${MDB_RESOURCE_NAME}" --timeout=400s
 echo; echo "MongoDBCommunity resource"
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get mdbc/${MDB_RESOURCE_NAME}
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get mdbc/"${MDB_RESOURCE_NAME}"
 echo; echo "Pods running in cluster ${K8S_CTX}"
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods
diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0330_wait_for_community_resource.sh b/docs/search/04-search-external-mongod/code_snippets/04_0330_wait_for_community_resource.sh
index bd9388957..94f567a17 100644
--- a/docs/search/04-search-external-mongod/code_snippets/04_0330_wait_for_community_resource.sh
+++ b/docs/search/04-search-external-mongod/code_snippets/04_0330_wait_for_community_resource.sh
@@ -1,5 +1,5 @@
 echo "Waiting for MongoDBCommunity resource to reach Running phase..."
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
- --for=jsonpath='{.status.phase}'=Running mdbc/${MDB_RESOURCE_NAME} --timeout=400s
+ --for=jsonpath='{.status.phase}'=Running mdbc/"${MDB_RESOURCE_NAME}" --timeout=400s
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running mdbc/${MDB_RESOURCE_NAME} --timeout=400s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running mdbc/"${MDB_RESOURCE_NAME}" --timeout=400s
From 00a8e14359aa680b8d9015eff38d59b5508b69db Mon Sep 17 00:00:00 2001 From: Anand Singh Date: Wed, 12 Nov 2025 14:29:37 +0100 Subject: [PATCH 4/7] refactor big file --- .../04_0306_create_tls_secrets.sh | 159 ------------------ .../04_0306_prepare_cert_manager_issuer.sh | 61 +++++++ .../04_0307_issue_tls_certificates.sh | 73 ++++++++ docs/search/04-search-external-mongod/test.sh | 3 +- 4 files changed, 136 insertions(+), 160 deletions(-) delete mode 100755 docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh create mode 100644 docs/search/04-search-external-mongod/code_snippets/04_0306_prepare_cert_manager_issuer.sh create mode 100644 docs/search/04-search-external-mongod/code_snippets/04_0307_issue_tls_certificates.sh
diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh b/docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh deleted file mode 100755
index 21b0be374..000000000
--- a/docs/search/04-search-external-mongod/code_snippets/04_0306_create_tls_secrets.sh
+++ /dev/null
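Review bot: After this quoting fix 04_0330_wait_for_community_resource.sh still runs the same `kubectl wait --for=jsonpath='{.status.phase}'=Running` twice, once as the wrapped command on lines 2–3 and again as the single-line command on line 5, so a successful wait is followed by an identical second wait; that is cheap when the resource is already Running, but it doubles the worst-case timeout to 800s and looks like a leftover from an earlier edit. Drop the second one, `kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running mdbc/"${MDB_RESOURCE_NAME}" --timeout=400s`, and keep the wrapped form, which is what the sibling 04_0315 snippet reads like too.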
@@ -1,159 +0,0 @@ -server_certificate="${MDB_RESOURCE_NAME}-server-tls" -search_certificate="${MDB_RESOURCE_NAME}-search-tls" - -kubectl apply --context "${K8S_CTX}" -f - < "${tmp_ca_cert}" - -# Create ConfigMap for MongoDBCommunity TLS (keys: ca-pem, mms-ca.crt, ca.crt) -kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \ - --from-file=ca-pem="${tmp_ca_cert}" \ - --from-file=mms-ca.crt="${tmp_ca_cert}" \ - --from-file=ca.crt="${tmp_ca_cert}" \ - --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f - - -# Secret for external MongoDBSearch source TLS (expects ca.crt) -kubectl --context "${K8S_CTX}" create secret generic "${MDB_TLS_CA_SECRET_NAME}" -n "${MDB_NS}" \ - --from-file=ca.crt="${tmp_ca_cert}" \ - --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f - - -add_unique_dns() { - local -n seen_ref=$1 - local -n collection_ref=$2 - local candidate=$3 - [[ -z "${candidate}" ]] && return 0 - if [[ -z "${seen_ref[${candidate}]:-}" ]]; then - seen_ref["${candidate}"]=1 - collection_ref+=("${candidate}") - fi -} - -render_dns_list() { - local entries=("$@") - for entry in "${entries[@]}"; do - printf " - \"%s\"\n" "${entry}" - done -} - -declare -A mongo_seen=() -mongo_dns_names=() - -for host_var in MDB_EXTERNAL_HOST_0 MDB_EXTERNAL_HOST_1 MDB_EXTERNAL_HOST_2; do - host_value="${!host_var:-}" - if [[ -n "${host_value}" ]]; then - add_unique_dns mongo_seen mongo_dns_names "${host_value%%:*}" - fi -done - -add_unique_dns mongo_seen mongo_dns_names "${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local" -add_unique_dns mongo_seen mongo_dns_names "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local" - -if [[ ${#mongo_dns_names[@]} -eq 0 ]]; then - echo "No MongoDB DNS names generated; ensure MDB_EXTERNAL_HOST_* variables are set" >&2 - exit 1 -fi - -declare -A search_seen=() -search_dns_names=() - -add_unique_dns search_seen search_dns_names "${MDB_SEARCH_SERVICE_NAME}" -add_unique_dns search_seen 
search_dns_names "${MDB_SEARCH_SERVICE_NAME}.${MDB_NS}.svc.cluster.local" -add_unique_dns search_seen search_dns_names "${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local" -add_unique_dns search_seen search_dns_names "*.${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local" -add_unique_dns search_seen search_dns_names "${MDB_SEARCH_HOSTNAME}" - -kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <&2; exit 1; } +printf '%s' "${ca_b64}" | base64 --decode > "${TMP_CA_CERT}" + +# Create ConfigMap (MongoDBCommunity) and Secret (external search source) containing CA +kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \ + --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" --from-file=ca.crt="${TMP_CA_CERT}" \ + --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f - + +kubectl --context "${K8S_CTX}" create secret generic "${MDB_TLS_CA_SECRET_NAME}" -n "${MDB_NS}" \ + --from-file=ca.crt="${TMP_CA_CERT}" \ + --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f - + +echo "CA issuer and artifacts prepared (ConfigMap: ${MDB_TLS_CA_CONFIGMAP}, Secret: ${MDB_TLS_CA_SECRET_NAME})." diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0307_issue_tls_certificates.sh b/docs/search/04-search-external-mongod/code_snippets/04_0307_issue_tls_certificates.sh new file mode 100644 index 000000000..c12328795 --- /dev/null +++ b/docs/search/04-search-external-mongod/code_snippets/04_0307_issue_tls_certificates.sh 
@@ -0,0 +1,73 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Issue server and search certificates +server_certificate="${MDB_RESOURCE_NAME}-server-tls" +search_certificate="${MDB_RESOURCE_NAME}-search-tls" + +# DNS names for MongoDB server certificate +mongo_dns_names=() +[[ -n "${MDB_EXTERNAL_HOST_0:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_0%%:*}") +[[ -n "${MDB_EXTERNAL_HOST_1:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_1%%:*}") +[[ -n "${MDB_EXTERNAL_HOST_2:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_2%%:*}") +mongo_dns_names+=("${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local" "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local") +[[ ${#mongo_dns_names[@]} -gt 0 ]] || { echo "No MongoDB DNS names generated; set MDB_EXTERNAL_HOST_* vars" >&2; exit 1; } + +# DNS names for MongoDB Search certificate +search_dns_names=( + "${MDB_SEARCH_SERVICE_NAME}" + "${MDB_SEARCH_SERVICE_NAME}.${MDB_NS}.svc.cluster.local" + "${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local" + "*.${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local" +) +[[ -n "${MDB_SEARCH_HOSTNAME}" ]] && search_dns_names+=("${MDB_SEARCH_HOSTNAME}") + +mongo_dns_block="$(printf ' - "%s"\n' "${mongo_dns_names[@]}")" +search_dns_block="$(printf ' - "%s"\n' "${search_dns_names[@]}")" + +kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - < Date: Wed, 12 Nov 2025 14:32:43 +0100 Subject: [PATCH 5/7] remove extraneous changes --- .../04_0305_create_mongodb_community_user_secrets.sh | 2 -- .../code_snippets/04_0306_prepare_cert_manager_issuer.sh | 2 -- .../code_snippets/04_0307_issue_tls_certificates.sh | 3 --- .../code_snippets/04_0315_wait_for_community_resource.sh | 2 -- 4 files changed, 9 deletions(-) diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0305_create_mongodb_community_user_secrets.sh b/docs/search/04-search-external-mongod/code_snippets/04_0305_create_mongodb_community_user_secrets.sh index 6fad0111b..80b655277 100644 
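Review bot: The guard `[[ ${#mongo_dns_names[@]} -gt 0 ]] || { echo "No MongoDB DNS names generated; set MDB_EXTERNAL_HOST_* vars" >&2; exit 1; }` can never fire, because the line just above it unconditionally appends the two `${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local` names, so a run with no `MDB_EXTERNAL_HOST_*` set silently issues a server certificate whose SANs hold only in-cluster names; the same dead check existed in 04_0306_create_tls_secrets.sh in 1/7 and was carried over. Either move the check above the `mongo_dns_names+=(... svc.cluster.local ...)` line or test the external hosts directly: `[[ -n "${MDB_EXTERNAL_HOST_0:-}${MDB_EXTERNAL_HOST_1:-}${MDB_EXTERNAL_HOST_2:-}" ]] || { echo "set at least one MDB_EXTERNAL_HOST_*" >&2; exit 1; }`. Two smaller points in the same hunk: `[[ -n "${MDB_SEARCH_HOSTNAME}" ]]` has no `:-` default, so under this file's `set -u` an unset variable aborts with an unbound-variable error instead of just omitting the SAN, unlike the `${MDB_EXTERNAL_HOST_n:-}` checks above it; and `${MDB_EXTERNAL_HOST_0%%:*}` strips a port but would also cut a bare IPv6 literal at its first colon, which deserves a `# host:port -> host; hostnames/IPv4 only` comment if that is the intended input. The heredoc with the Certificate manifests and the rest of this hunk after `-f - <` are garbled in this view, so the manifests themselves are not reviewed here.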
--- a/docs/search/04-search-external-mongod/code_snippets/04_0305_create_mongodb_community_user_secrets.sh +++ b/docs/search/04-search-external-mongod/code_snippets/04_0305_create_mongodb_community_user_secrets.sh @@ -1,5 +1,3 @@ -#!/usr/bin/env bash - # Create admin user secret kubectl create secret generic mdb-admin-user-password \ --from-literal=password="${MDB_ADMIN_USER_PASSWORD}" \ diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0306_prepare_cert_manager_issuer.sh b/docs/search/04-search-external-mongod/code_snippets/04_0306_prepare_cert_manager_issuer.sh index 3b9f3c975..37a20b3e1 100644 --- a/docs/search/04-search-external-mongod/code_snippets/04_0306_prepare_cert_manager_issuer.sh +++ b/docs/search/04-search-external-mongod/code_snippets/04_0306_prepare_cert_manager_issuer.sh @@ -1,5 +1,3 @@ -#!/usr/bin/env bash - # 1. Self-signed bootstrap issuer kubectl apply --context "${K8S_CTX}" -f - < Date: Wed, 12 Nov 2025 15:07:27 +0100 Subject: [PATCH 6/7] move non-public tls vars to different file --- docs/search/04-search-external-mongod/env_variables.sh | 6 ------ docs/search/04-search-external-mongod/env_variables_tls.sh | 6 ++++++ .../tests/test_kind_search_external_mongod_snippets.sh | 2 ++ 3 files changed, 8 insertions(+), 6 deletions(-) create mode 100644 docs/search/04-search-external-mongod/env_variables_tls.sh diff --git a/docs/search/04-search-external-mongod/env_variables.sh b/docs/search/04-search-external-mongod/env_variables.sh index 82a7f93ec..20b67205e 100644 --- a/docs/search/04-search-external-mongod/env_variables.sh +++ b/docs/search/04-search-external-mongod/env_variables.sh 
@@ -11,14 +11,8 @@ export MDB_SEARCH_SYNC_USER_PASSWORD="search-sync-user-password-CHANGE-ME"
 export MDB_MEMBERS="3"
 export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
-export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
-export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
 export MDB_SEARCH_TLS_SECRET_NAME="mdbs-search-tls"
-export MDB_TLS_SELF_SIGNED_ISSUER="${MDB_RESOURCE_NAME}-selfsigned-cluster-issuer"
-export MDB_TLS_CA_CERT_NAME="${MDB_RESOURCE_NAME}-selfsigned-ca"
-export MDB_TLS_CA_ISSUER="${MDB_RESOURCE_NAME}-cluster-issuer"
-
 export MDB_SEARCH_SERVICE_NAME="mdbs-search"
 export MDB_SEARCH_HOSTNAME="mdbs-search.example.com"
diff --git a/docs/search/04-search-external-mongod/env_variables_tls.sh b/docs/search/04-search-external-mongod/env_variables_tls.sh new file mode 100644
index 000000000..a9259d39f
--- /dev/null
+++ b/docs/search/04-search-external-mongod/env_variables_tls.sh
@@ -0,0 +1,6 @@
+export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
+export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
+
+export MDB_TLS_SELF_SIGNED_ISSUER="${MDB_RESOURCE_NAME}-selfsigned-cluster-issuer"
+export MDB_TLS_CA_CERT_NAME="${MDB_RESOURCE_NAME}-selfsigned-ca"
+export MDB_TLS_CA_ISSUER="${MDB_RESOURCE_NAME}-cluster-issuer"
diff --git a/scripts/code_snippets/tests/test_kind_search_external_mongod_snippets.sh b/scripts/code_snippets/tests/test_kind_search_external_mongod_snippets.sh
index d76f42fde..e9082c1f8 100755
--- a/scripts/code_snippets/tests/test_kind_search_external_mongod_snippets.sh
+++ b/scripts/code_snippets/tests/test_kind_search_external_mongod_snippets.sh
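Review bot: The new env_variables_tls.sh expands `${MDB_RESOURCE_NAME}` on every line but does not define it, so it only works when sourced after env_variables.sh; sourced alone or in the other order, every TLS name collapses to a bare `-ca-configmap`, `-tls`, `-selfsigned-cluster-issuer`, and the snippets that consume them then create or look up resources with invalid names. A first line of `: "${MDB_RESOURCE_NAME:?source env_variables.sh before env_variables_tls.sh}"` makes the dependency explicit and fails early, or at minimum a header comment `# Requires MDB_RESOURCE_NAME from env_variables.sh; source that file first`. The `MDB_TLS_CA_SECRET_NAME` line kept in env_variables.sh has the same dependency and arguably belongs with the rest of the TLS names.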
@@ -20,6 +20,8 @@ trap dump_logs EXIT
 test_dir="./docs/search/04-search-external-mongod"
 source "${test_dir}/env_variables.sh"
+source "${test_dir}/env_variables_tls.sh"
+
 echo "Sourcing env variables for ${CODE_SNIPPETS_FLAVOR} flavor"
 # shellcheck disable=SC1090
 test -f "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh" && source "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh"
From 8af448e65a6284137bf3c1bcee2deadad665c1e2 Mon Sep 17 00:00:00 2001 From: Anand Singh Date: Wed, 12 Nov 2025 16:32:44 +0100 Subject: [PATCH 7/7] small refactor --- .../04_0310_create_mongodb_community_resource.sh | 6 +++--- docs/search/04-search-external-mongod/env_variables.sh | 6 +----- docs/search/04-search-external-mongod/env_variables_tls.sh | 5 +++++ 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh b/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
index fa49e83e0..0b4c22650 100644
--- a/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
+++ b/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
@@ -6,14 +6,14 @@ metadata:
 spec:
 version: ${MDB_VERSION}
 type: ReplicaSet
- members: ${MDB_MEMBERS}
+ members: 3
 security:
 tls:
 enabled: true
 certificateKeySecretRef:
 name: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
- caCertificateSecretRef:
- name: ${MDB_TLS_CA_SECRET_NAME}
+ caConfigMapRef:
+ name: ${MDB_TLS_CA_CONFIGMAP}
 authentication:
 ignoreUnknownUsers: true
 modes:
diff --git a/docs/search/04-search-external-mongod/env_variables.sh b/docs/search/04-search-external-mongod/env_variables.sh
index 20b67205e..ab562719c 100644
--- a/docs/search/04-search-external-mongod/env_variables.sh
+++ b/docs/search/04-search-external-mongod/env_variables.sh
@@ -2,15 +2,13 @@ export K8S_CTX=""
 export MDB_NS="mongodb"
-export MDB_RESOURCE_NAME="mdbc-rs"
 export MDB_VERSION="8.2.0"
 export MDB_ADMIN_USER_PASSWORD="admin-user-password-CHANGE-ME"
 export MDB_USER_PASSWORD="mdb-user-password-CHANGE-ME"
 export MDB_SEARCH_SYNC_USER_PASSWORD="search-sync-user-password-CHANGE-ME"
-export MDB_MEMBERS="3"
-export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
+export MDB_TLS_CA_SECRET_NAME="ca"
 export MDB_SEARCH_TLS_SECRET_NAME="mdbs-search-tls"
 export MDB_SEARCH_SERVICE_NAME="mdbs-search"
@@ -29,5 +27,3 @@ export OPERATOR_HELM_CHART="mongodb/mongodb-kubernetes"
 export OPERATOR_ADDITIONAL_HELM_VALUES=""
 export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_EXTERNAL_HOST_0}/?replicaSet=${MDB_EXTERNAL_REPLICA_SET_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
-
-export CERT_MANAGER_NAMESPACE="cert-manager"
diff --git a/docs/search/04-search-external-mongod/env_variables_tls.sh b/docs/search/04-search-external-mongod/env_variables_tls.sh
index a9259d39f..ee04d97f1 100644
--- a/docs/search/04-search-external-mongod/env_variables_tls.sh
+++ b/docs/search/04-search-external-mongod/env_variables_tls.sh
@@ -1,6 +1,11 @@
+export MDB_RESOURCE_NAME="mdbc-rs"
+export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
+
 export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
 export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
 export MDB_TLS_SELF_SIGNED_ISSUER="${MDB_RESOURCE_NAME}-selfsigned-cluster-issuer"
 export MDB_TLS_CA_CERT_NAME="${MDB_RESOURCE_NAME}-selfsigned-ca"
 export MDB_TLS_CA_ISSUER="${MDB_RESOURCE_NAME}-cluster-issuer"
+
+export CERT_MANAGER_NAMESPACE="cert-manager"
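Review bot: After this patch `MDB_TLS_CA_SECRET_NAME` is exported twice with different values, `"ca"` in env_variables.sh and `"${MDB_RESOURCE_NAME}-ca"` in env_variables_tls.sh, so the effective name depends purely on source order: the harness sources the TLS file second and gets `mdbc-rs-ca`, while someone following the public env_variables.sh alone gets `ca` and a Secret that the snippets in the TLS flow never created. In the same move `MDB_RESOURCE_NAME` leaves env_variables.sh and now lives only in env_variables_tls.sh, yet snippets outside the TLS flow still expand it (`"${MDB_RESOURCE_NAME}-search-sync-source-password"` in 04_0305, `mdbc/"${MDB_RESOURCE_NAME}"` in 04_0315 and 04_0330), so without the TLS file those produce empty or invalid resource names. Keep one definition per variable: either leave `export MDB_RESOURCE_NAME="mdbc-rs"` in env_variables.sh and delete the duplicate `MDB_TLS_CA_SECRET_NAME` from one of the two files, or at least add `# MDB_RESOURCE_NAME and MDB_TLS_CA_SECRET_NAME are defined in env_variables_tls.sh, which must be sourced after this file` to env_variables.sh so the split is visible to readers.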