use cluster issuer

mongodb · anandsyncs · Oct 13, 2025 · Oct 16, 2025 · Oct 16, 2025 · Oct 16, 2025
commit 86d13a78d292b8c95460e362e9fb68cc49e81770
@@ -1,16 +1,14 @@
-# Bootstrap a self-signed Issuer scoped to the cert-manager namespace. This is
-# only used to mint the CA secret and is not referenced by application
-# workloads.
-kubectl apply --context "${K8S_CTX}" -n "${CERT_MANAGER_NAMESPACE}" -f - <<EOF_MANIFEST
+# Bootstrap a self-signed ClusterIssuer to mint the CA secret consumed by application workloads.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
 apiVersion: cert-manager.io/v1
-kind: Issuer
+kind: ClusterIssuer
 metadata:
  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
 spec:
  selfSigned: {}
 EOF_MANIFEST
 
-kubectl --context "${K8S_CTX}" wait --namespace "${CERT_MANAGER_NAMESPACE}" --for=condition=Ready issuer "${MDB_TLS_SELF_SIGNED_ISSUER}"
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}"
 
 kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
 apiVersion: cert-manager.io/v1
@@ -27,37 +25,29 @@ spec:
  size: 256
  issuerRef:
  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
- kind: Issuer
+ kind: ClusterIssuer
 EOF_MANIFEST
 
 kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}"
 
-TMP_DIR="$(mktemp -d)"
-trap 'rm -rf "${TMP_DIR}"' EXIT
-
-kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_DIR}/ca.crt"
-
-cat "${TMP_DIR}/ca.crt" > "${TMP_DIR}/mms-ca.crt"
-
-kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
- --from-file=ca-pem="${TMP_DIR}/mms-ca.crt" --from-file=mms-ca.crt="${TMP_DIR}/mms-ca.crt" \
- --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
-
-# Ensure CA secret also exists in application namespace for mounts expecting a Secret (root-secret)
-if ! kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get secret "${MDB_TLS_CA_SECRET_NAME}" >/dev/null 2>&1; then
- kubectl --context "${K8S_CTX}" -n "${CERT_MANAGER_NAMESPACE}" get secret "${MDB_TLS_CA_SECRET_NAME}" -o yaml \
- | sed 's/namespace: .*/namespace: '"${MDB_NS}"'/' \
- | kubectl --context "${K8S_CTX}" apply -n "${MDB_NS}" -f - || echo "Warning: failed to copy ${MDB_TLS_CA_SECRET_NAME} to ${MDB_NS}" >&2
-fi
-
-kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
 apiVersion: cert-manager.io/v1
-kind: Issuer
+kind: ClusterIssuer
 metadata:
  name: ${MDB_TLS_CA_ISSUER}
 spec:
  ca:
  secretName: ${MDB_TLS_CA_SECRET_NAME}
 EOF_MANIFEST
 
-kubectl --context "${K8S_CTX}" wait --namespace "${MDB_NS}" --for=condition=Ready issuer "${MDB_TLS_CA_ISSUER}"
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}"
+
+TMP_CA_CERT="$(mktemp)"
+trap 'rm -f "${TMP_CA_CERT}"' EXIT
+
+kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_CA_CERT}"
+
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+ --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" \
+ --from-file=ca.crt="${TMP_CA_CERT}" \
+ --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
@@ -7,7 +7,7 @@ spec:
  secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
  issuerRef:
  name: ${MDB_TLS_CA_ISSUER}
- kind: Issuer
+ kind: ClusterIssuer
  duration: 240h0m0s
  renewBefore: 120h0m0s
  usages:
@@ -31,7 +31,7 @@ spec:
  secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
  issuerRef:
  name: ${MDB_TLS_CA_ISSUER}
- kind: Issuer
+ kind: ClusterIssuer
  duration: 240h0m0s
  renewBefore: 120h0m0s
  usages:

@@ -18,8 +18,11 @@ spec:
  restartPolicy: Never
  volumes:
  - name: mongo-ca
- secret:
- secretName: ${MDB_TLS_CA_SECRET_NAME}
+ configMap:
+ name: ${MDB_TLS_CA_CONFIGMAP}
+ items:
+ - key: ca.crt
+ path: ca.crt
 EOF
 
 echo "Waiting for the mongodb-tools to be ready..."