Conversation

@anandsyncs anandsyncs commented Oct 31, 2025

Summary

This pull request introduces comprehensive changes to the MongoDB Search community deployment scripts and documentation, with a primary focus on enabling and validating TLS (Transport Layer Security) throughout the deployment process. The updates ensure secure communication between components, improve environment validation, and streamline certificate management and resource creation. Additionally, the test suite and code snippets are updated to reflect these changes and enhance reliability.

TLS enablement and certificate management:

  • Added scripts to install cert-manager, bootstrap self-signed CA issuers, issue TLS certificates for MongoDB and Search, and expose CA bundles via ConfigMaps, ensuring all resources use TLS for secure communication.
  • Updated environment variable definitions and resource manifests to consistently reference TLS secrets, CA configmaps, and enable TLS in both MongoDBCommunity and MongoDBSearch resources.

Environment validation and deployment reliability:

  • Introduced a script to validate required and optional environment variables before running deployment scripts, reducing configuration errors.
  • Modified user secret creation scripts to use kubectl apply with --dry-run, making secret creation idempotent and safer.

Test suite and deployment flow updates:

  • Updated the test harness to run environment validation and all new TLS/cert-manager setup steps before resource creation, ensuring the deployment process is robust and secure.
  • Enhanced resource wait scripts and added status output for easier debugging and verification.

Code snippet and usage improvements:

  • Updated connection strings and pod manifests to use TLS and mount CA certificates, ensuring client tools can connect securely.
  • Minor updates to output files and test scripts to reflect new resource and certificate IDs.

Testing and configuration:

  • Added a new unit test for GetMongodConfigParameters to verify correct transport and port selection based on wire protocol annotations.

Proof of Work

Checklist

  • Have you linked a jira ticket and/or is the ticket in the title?
  • Have you checked whether your jira ticket required DOCSP changes?
  • Have you added changelog file?
@@ -0,0 +1,162 @@
#!/usr/bin/env bash
Contributor Author

Remove this file; it was broken down into 3 steps.

| kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
}

create_secret "mdb-admin-user-password" "${MDB_ADMIN_USER_PASSWORD}"
Contributor

while this is nice, let's remember that all the snippets should be optimized for copy&paste execution, not an automated one.
So we should aim for the simplest snippets possible and I think defining functions might be a bit too much. But I'm open to discussing it!

Contributor Author

I agree, thanks for the comment.

MDB_SEARCH_TLS_SECRET_NAME
CERT_MANAGER_NAMESPACE
)
missing=()
Contributor

if we're going with additional scripts or functions, then we could define them in env_variables.sh or another script that is sourced in env_variables.sh.

The assumption is that sourcing env_variables.sh is a prerequisite step. But also let's remember that in the doc page we tell the user "source the following env vars";
we don't say anything about "source also this script containing helper functions".

@@ -0,0 +1,28 @@
required=(
Contributor

having this in each snippet will not look great on the rendered docs page

Contributor Author

I have replaced these with a step that checks everything at once.

TLS_FLAG="--tls"
CA_FLAG="--tlsCAFile"
else
TLS_FLAG="--ssl"
Contributor

why do we need that?

Contributor

can we standardize on --tls? I believe --ssl is deprecated

Contributor

also, we should probably check if the connection string MDB_CONNECTION_STRING contains tls=true and only in that case add the tls and ca params.

Contributor

also consider injecting those paths directly into the conn str:
with tlsCAFile=/path/to/ca.pem

This way we could keep the search-query-usage guide TLS-agnostic?
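The approach suggested above, carrying the TLS parameters in the connection string itself, as an added shell example that is not part of this PR: a helper that appends tls=true and tlsCAFile=<path> only when the URI does not already request TLS, so a client snippet can pass the URI through unchanged. The sample URI and the CA mount path are constructed values.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: make a MongoDB connection string request
# TLS by appending tls=true and tlsCAFile=<path> unless the URI already asks
# for TLS, so client snippets can stay TLS-agnostic and only pass the URI.
set -eu

# Return 0 if the query string already contains tls=true (or legacy ssl=true).
uri_has_tls() {
  local uri="$1"
  local query="${uri#*\?}"            # everything after the first '?'
  [ "$query" != "$uri" ] || return 1  # no query string at all
  printf '%s' "$query" | tr '&' '\n' | grep -Eqi '^(tls|ssl)=true$'
}

# Print the URI with TLS parameters added; a URI that already requests TLS is
# returned unchanged so an existing tlsCAFile is never overridden.
with_tls_params() {
  local uri="$1" ca_file="$2"
  if uri_has_tls "$uri"; then
    printf '%s\n' "$uri"
    return 0
  fi
  # A MongoDB URI needs a '/' before '?': mongodb://host:27017 -> mongodb://host:27017/
  case "${uri#*://}" in
    */*) ;;
    *)   uri="${uri}/" ;;
  esac
  case "$uri" in
    *\?*) printf '%s&tls=true&tlsCAFile=%s\n' "$uri" "$ca_file" ;;
    *)    printf '%s?tls=true&tlsCAFile=%s\n' "$uri" "$ca_file" ;;
  esac
}

# Constructed sample mirroring the operator default in env_variables.sh; the
# CA path is a constructed mount location, not one used by the PR.
SAMPLE_URI='mongodb://mdb-user:PASSWORD@mdb-0.mdb-svc.mongodb.svc.cluster.local:27017/?replicaSet=mdb'
with_tls_params "$SAMPLE_URI" /etc/mongodb-ca/ca.pem
```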

#export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"

# default connection string if MongoDB database is deployed using the operator
#export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}"
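Review bot: the default connection string on the last line requests no TLS (no tls=true), while the rest of this PR turns TLS on for the MongoDBCommunity resource, so a copy-paste of this default against the TLS-enabled replica set fails at the handshake; suggest the default carry `tls=true&tlsCAFile=<mounted CA path>` or that a second, TLS example export sit next to it. Relatedly, MDB_SEARCH_TLS_SECRET_NAME is left commented out here although it appears in the required-variable list of the validation script, so sourcing these defaults as-is would fail that validation step.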
Contributor

if we're going with tls params in connection string (I'd recommend that), then let's put an example here for tls as well

The assumption is that whatever connection string is defined in previous snippet modules (community, enterprise, external) should work in this module keeping it generic

Contributor

how is the cert-manager installation here different from the snippet module that we have for Reference Architectures?
https://github.com/mongodb/mongodb-kubernetes/tree/master/public/architectures/setup-multi-cluster/ra-05-setup-cert-manager/code_snippets

Apart from the difference in the K8S_CLUSTER_0_CONTEXT_NAME, we could probably just refer users to the steps in that module or just copy the module next to search for now. Unless we're doing something completely different, I'd prefer not to create completely different cert-manager scripts from what we already have.

It's even better to copy the ref arch's snippets and keep the same snippet structure than to write them again.

We have the cert-manager snippet module documented here: https://www.mongodb.com/docs/kubernetes/current/reference-architectures/multi-cluster/ca-certs/

If not for the difference in the env var we could even import it here, similarly to how it's done in the GKE's snippets.

--from-literal=password="${MDB_USER_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -

echo "User secrets created."
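Review bot: the success message on the last line is printed unconditionally, so unless the snippet runs under `set -e` a failed `kubectl apply` still ends with "User secrets created.", which is misleading for anyone (or any automation) reading the output to decide whether to continue. Suggest tying the message to the pipeline's result, e.g. `... -f - && echo "User secrets created."`, or starting the snippet with `set -euo pipefail` so the failure is reported instead.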
Contributor Author

@anandsyncs anandsyncs Nov 3, 2025

Added these logs so that it is easier for LLMs to debug issues

Base automatically changed from fealebenpae/search-grpc to master November 3, 2025 17:57
github-actions bot commented Nov 4, 2025

⚠️ (this preview might not be accurate if the PR is not rebased on current master branch)

MCK 1.6.0 Release Notes

New Features

  • MongoDBCommunity: Added support to configure custom cluster domain via newly introduced spec.clusterDomain resource field. If spec.clusterDomain is not set, environment variable CLUSTER_DOMAIN is used as cluster domain. If the environment variable CLUSTER_DOMAIN is also not set, operator falls back to cluster.local as default cluster domain.
  • Helm Chart: Introduced two new helm fields operator.podSecurityContext and operator.securityContext that can be used to configure securityContext for Operator deployment through Helm Chart.
  • MongoDBSearch: Switch to gRPC and mTLS for internal communication
    Since MCK 1.4 the mongod and mongot processes communicated using the MongoDB Wire Protocol and used keyfile authentication. This release switches that to gRPC with mTLS authentication. gRPC will allow for load-balancing search queries against multiple mongot processes in the future, and mTLS decouples the internal cluster authentication mode and credentials among mongod processes from the connection to the mongot process. The Operator will automatically enable gRPC for existing and new workloads, and will enable mTLS authentication if both the Database Server and the MongoDBSearch resource are configured for TLS.

Bug Fixes

  • Fixed parsing of the customEnvVars Helm value when values contain = characters.
  • ReplicaSet: Blocked disabling TLS and changing member count simultaneously. These operations must now be applied separately to prevent configuration inconsistencies.

Other Changes

  • Simplified MongoDB Search setup: Removed the custom Search Coordinator polyfill (a piece of compatibility code previously needed to add the required permissions), as MongoDB 8.2.0 and later now include the necessary permissions via the built-in searchCoordinator role.
  • kubectl-mongodb plugin: cosign, the signing tool that is used to sign kubectl-mongodb plugin binaries, has been updated to version 3.0.2. With this change, released binaries will be bundled with .bundle files containing both signature and certificate information. For more information on how to verify signatures using new cosign version please refer to -> https://github.com/sigstore/cosign/blob/v3.0.2/doc/cosign_verify-blob.md
@anandsyncs anandsyncs added the skip-changelog Use this label in Pull Request to not require new changelog entry file label Nov 5, 2025
@anandsyncs anandsyncs changed the title [draft] tls and cert manager [draft] Community TLS and cert manager Nov 5, 2025