Search: remove external.tls.enabled (#442)

# Summary This pull request refactors the TLS configuration for MongoDB Search resources by removing the `enabled` boolean flag and relying solely on the presence or absence of TLS configuration objects to determine if TLS should be enabled. It also updates the CRD schemas, controller logic, tests, and documentation to reflect this change, and clarifies the usage of CA certificates for external mongod sources. **API and CRD schema changes:** * Removed the `enabled` boolean from both `spec.security.tls` and `spec.source.external.tls`, making TLS activation dependent on whether the TLS configuration is provided. Updated required fields and descriptions for CA certificates in the CRDs (`config/crd/bases/mongodb.com_mongodbsearch.yaml`, `helm_chart/crds/mongodb.com_mongodbsearch.yaml`, `public/crds.yaml`). [[1]](diffhunk://#diff-8621604e23ddaa9863d6c6e98dda3f3b71bd29740cdab99b8b3fa32177f4c89eL182-R183) [[2]](diffhunk://#diff-8621604e23ddaa9863d6c6e98dda3f3b71bd29740cdab99b8b3fa32177f4c89eL214-R213) [[3]](diffhunk://#diff-8621604e23ddaa9863d6c6e98dda3f3b71bd29740cdab99b8b3fa32177f4c89eL228-R227) [[4]](diffhunk://#diff-dba1285752e5d0324f36d8c959e29913fcbf02c90263cdd7d6d96447180bbe8dL4204-R4205) [[5]](diffhunk://#diff-dba1285752e5d0324f36d8c959e29913fcbf02c90263cdd7d6d96447180bbe8dL4236-R4235) [[6]](diffhunk://#diff-dba1285752e5d0324f36d8c959e29913fcbf02c90263cdd7d6d96447180bbe8dL4250-R4249) * Updated the Go API types to remove the `Enabled` field from `ExternalMongodTLS` and `TLS`, clarified CA certificate documentation, and made `Security.TLS` an optional pointer. (`api/v1/search/mongodbsearch_types.go`) **Controller logic updates:** * Refactored controller code to check for the presence of TLS configuration objects instead of the `Enabled` flag when determining TLS behavior in reconciliation and config generation. (`controllers/operator/mongodbsearch_controller.go`, `controllers/searchcontroller/external_search_source.go`, `controllers/searchcontroller/mongodbsearch_reconcile_helper.go`) [[1]](diffhunk://#diff-ff8b89a9eaadf42605cba2f2884310f60e46bf00162ef5e0173a8d34d1fb466dL73-R73) [[2]](diffhunk://#diff-0f0be42909b701181f9550c76be0b3bcf63ed7c2825a51bbbfc098006c88fc1eL29-R29) [[3]](diffhunk://#diff-9b1183581cc6af6723f6445d7a14ae4ae7b435dc3b93ca5d82247cda13f7ca39L231-R231) [[4]](diffhunk://#diff-9b1183581cc6af6723f6445d7a14ae4ae7b435dc3b93ca5d82247cda13f7ca39L393-R393) **Test and documentation updates:** * Updated tests and documentation to remove references to the `enabled` field in TLS configurations and to use the new structure. (`docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py`, `docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py`, `docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py`, `docs/search/04-search-external-mongod/README.md`, `docs/search/04-search-external-mongod/code_snippets/04_0320_create_mongodb_search_resource.sh`) [[1]](diffhunk://#diff-b2921000399e050cf60a6d3c4abbb21a0c6a9484af6cd4857b6a3217c0a36d1cL74) [[2]](diffhunk://#diff-83229428104eb15a5b4108d84eae1dce6c34940aae703481c902b52e020f1a32L141-R148) [[3]](diffhunk://#diff-7ac66a583299039225a2f886ef60cd00a230029416d6d809e4e68b4d55edc29bL62-R62) [[4]](diffhunk://#diff-78a9bbf913195ad01e7814be0a2937858af6c019f895fa45726b5730974bc78cL185-L186) [[5]](diffhunk://#diff-17ce6ba340db65b4ae7338b809e03258b9e0cf148f4894872fb0dcefd2c41c4cL16-L17) **Evergreen build changes:** * Added a new Evergreen task and included it in the relevant task group to test external mongod search code snippets. (`.evergreen-snippets.yml`) [[1]](diffhunk://#diff-567852169488d3138501958aeebe87ca49e1c19b4b2d5a746e52c93b0fd4dc0eR124-R129) [[2]](diffhunk://#diff-567852169488d3138501958aeebe87ca49e1c19b4b2d5a746e52c93b0fd4dc0eR144) ## Proof of Work Tests pass

Author: anandsyncs

.evergreen-snippets.yml

@@ -121,6 +121,12 @@ tasks:
  - func: test_code_snippets
  - func: sample_commit_output
 
+ - name: test_kind_search_external_mongod_snippets.sh
+ tags: [ "code_snippets", "patch-run" ]
+ commands:
+ - func: test_code_snippets
+ - func: sample_commit_output
+
 task_groups:
  - name: gke_code_snippets_task_group
  <<: *setup_and_teardown_group_gke_code_snippets
@@ -135,6 +141,7 @@ task_groups:
  tasks:
  - test_kind_search_community_snippets.sh
  - test_kind_search_enterprise_snippets.sh
+ - test_kind_search_external_mongod_snippets.sh
 
 buildvariants:
  # These variants are used to test the code snippets and each one can be used in patches

api/v1/search/mongodbsearch_types.go

@@ -69,22 +69,20 @@ type ExternalMongoDBSource struct {
 }
 
 type ExternalMongodTLS struct {
-Enabled bool `json:"enabled"`
-// +optional
-CA *corev1.LocalObjectReference `json:"ca,omitempty"`
+// CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate.
+// The CA certificate is expected to be PEM encoded and available at the "ca.crt" key.
+CA *corev1.LocalObjectReference `json:"ca"`
 }
 
 type Security struct {
 // +optional
-TLS TLS `json:"tls"`
+TLS *TLS `json:"tls,omitempty"`
 }
 
 type TLS struct {
-Enabled bool `json:"enabled"`
 // CertificateKeySecret is a reference to a Secret containing a private key and certificate to use for TLS.
 // The key and cert are expected to be PEM encoded and available at "tls.key" and "tls.crt".
 // This is the same format used for the standard "kubernetes.io/tls" Secret type, but no specific type is required.
-// +optional
 CertificateKeySecret corev1.LocalObjectReference `json:"certificateKeySecretRef"`
 }
 

config/crd/bases/mongodb.com_mongodbsearch.yaml

@@ -179,10 +179,8 @@ spec:
  type: string
  type: object
  x-kubernetes-map-type: atomic
- enabled:
- type: boolean
  required:
- - enabled
+  - certificateKeySecretRef
  type: object
  type: object
  source:
@@ -211,8 +209,8 @@ spec:
  properties:
  ca:
  description: |-
- LocalObjectReference contains enough information to let you locate the
- referenced object inside the same namespace.
+ CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate.
+ The CA certificate is expected to be PEM encoded and available at the "ca.crt" key.
  properties:
  name:
  default: ""
@@ -225,10 +223,8 @@ spec:
  type: string
  type: object
  x-kubernetes-map-type: atomic
- enabled:
- type: boolean
  required:
- - enabled
+  - ca
  type: object
  type: object
  mongodbResourceRef:

controllers/operator/mongodbsearch_controller.go

@@ -70,7 +70,7 @@ func (r *MongoDBSearchReconciler) Reconcile(ctx context.Context, request reconci
 }
 
 // Watch our own TLS certificate secret for changes
-if mdbSearch.Spec.Security.TLS.Enabled {
+if mdbSearch.Spec.Security.TLS != nil {
 r.watch.AddWatchedResourceIfNotAdded(mdbSearch.Spec.Security.TLS.CertificateKeySecret.Name, mdbSearch.Namespace, watch.Secret, mdbSearch.NamespacedName())
 }
 

controllers/searchcontroller/external_search_source.go

@@ -26,7 +26,7 @@ func (r *externalSearchResource) Validate() error {
 }
 
 func (r *externalSearchResource) TLSConfig() *TLSSourceConfig {
-if r.spec.TLS == nil || !r.spec.TLS.Enabled {
+if r.spec.TLS == nil {
 return nil
 }
 

controllers/searchcontroller/mongodbsearch_reconcile_helper.go

@@ -228,7 +228,7 @@ func (r *MongoDBSearchReconcileHelper) ensureMongotConfig(ctx context.Context, l
 }
 
 func (r *MongoDBSearchReconcileHelper) ensureIngressTlsConfig(ctx context.Context) (mongot.Modification, statefulset.Modification, error) {
-if !r.mdbSearch.Spec.Security.TLS.Enabled {
+if r.mdbSearch.Spec.Security.TLS == nil {
 mongotModification := func(config *mongot.Config) {
 config.Server.Wireproto.TLS.Mode = mongot.ConfigTLSModeDisabled
 }
@@ -390,7 +390,7 @@ func createMongotConfig(search *searchv1.MongoDBSearch, db SearchSourceDBResourc
 
 func GetMongodConfigParameters(search *searchv1.MongoDBSearch) map[string]any {
 searchTLSMode := automationconfig.TLSModeDisabled
-if search.Spec.Security.TLS.Enabled {
+if search.Spec.Security.TLS != nil {
 searchTLSMode = automationconfig.TLSModeRequired
 }
 return map[string]any{

docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py

@@ -71,7 +71,6 @@ def mdbs(namespace: str, mdbc: MongoDBCommunity) -> MongoDBSearch:
  "external": {
  "hostAndPorts": seeds,
  "keyfileSecretRef": {"name": f"{mdbc.name}-keyfile", "key": "keyfile"},
- "tls": {"enabled": False},
  },
  "passwordSecretRef": {"name": f"{MDBC_RESOURCE_NAME}-{MONGOT_USER_NAME}-password", "key": "password"},
  "username": MONGOT_USER_NAME,

docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py

@@ -138,15 +138,14 @@ def test_create_search_resource(mdbs: MongoDBSearch, mdbc: MongoDBCommunity):
  "hostAndPorts": seeds,
  "keyfileSecretRef": {"name": f"{mdbc.name}-keyfile"},
  "tls": {
- "enabled": True,
  "ca": {"name": f"{mdbc.name}-ca"},
  },
  },
  "passwordSecretRef": {"name": f"{MDBC_RESOURCE_NAME}-{MONGOT_USER_NAME}-password", "key": "password"},
  "username": MONGOT_USER_NAME,
  }
 
- mdbs["spec"]["security"] = {"tls": {"enabled": True, "certificateKeySecretRef": {"name": MDBS_TLS_SECRET_NAME}}}
+ mdbs["spec"]["security"] = {"tls": {"certificateKeySecretRef": {"name": MDBS_TLS_SECRET_NAME}}}
 
  mdbs.update()
  mdbs.assert_reaches_phase(Phase.Running, timeout=300)

docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py

@@ -59,7 +59,7 @@ def mdbs(namespace: str) -> MongoDBSearch:
  if "spec" not in resource:
  resource["spec"] = {}
 
- resource["spec"]["security"] = {"tls": {"enabled": True, "certificateKeySecretRef": {"name": MDBS_TLS_SECRET_NAME}}}
+ resource["spec"]["security"] = {"tls": {"certificateKeySecretRef": {"name": MDBS_TLS_SECRET_NAME}}}
 
  return resource
 

docs/search/04-search-external-mongod/README.md

@@ -182,8 +182,6 @@ spec:
  keyfileSecretRef:
  name: ${MDB_EXTERNAL_KEYFILE_SECRET_NAME}
  key: keyfile
- tls:
- enabled: false
  username: search-sync-source
  passwordSecretRef:
  name: mdbc-rs-search-sync-source-password