refactor big file

docs/search/04-search-external-mongod/code_snippets/04_0306_prepare_cert_manager_issuer.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+# 1. Self-signed bootstrap issuer
+kubectl apply --context "${K8S_CTX}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+spec:
+ selfSigned: {}
+EOF
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}" --timeout=120s
+
+# 2. CA certificate
+kubectl apply --context "${K8S_CTX}" -n "${CERT_MANAGER_NAMESPACE}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ${MDB_TLS_CA_CERT_NAME}
+ namespace: ${CERT_MANAGER_NAMESPACE}
+spec:
+ isCA: true
+ commonName: ${MDB_TLS_CA_CERT_NAME}
+ secretName: ${MDB_TLS_CA_SECRET_NAME}
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+ kind: ClusterIssuer
+EOF
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}" --timeout=300s
+
+# 3. CA issuer referencing CA secret
+kubectl apply --context "${K8S_CTX}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: ${MDB_TLS_CA_ISSUER}
+spec:
+ ca:
+ secretName: ${MDB_TLS_CA_SECRET_NAME}
+EOF
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}" --timeout=120s
+
+# 4. Extract CA cert (only ca.crt) and publish to ConfigMap & Secret
+TMP_CA_CERT="$(mktemp)"; trap 'rm -f "${TMP_CA_CERT}"' EXIT
+ca_b64="$(kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}")"
+[[ -n "${ca_b64}" ]] || { echo "CA certificate key ca.crt missing in secret ${MDB_TLS_CA_SECRET_NAME}" >&2; exit 1; }
+printf '%s' "${ca_b64}" | base64 --decode > "${TMP_CA_CERT}"
+
+# Create ConfigMap (MongoDBCommunity) and Secret (external search source) containing CA
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+ --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" --from-file=ca.crt="${TMP_CA_CERT}" \
+ --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+kubectl --context "${K8S_CTX}" create secret generic "${MDB_TLS_CA_SECRET_NAME}" -n "${MDB_NS}" \
+ --from-file=ca.crt="${TMP_CA_CERT}" \
+ --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+echo "CA issuer and artifacts prepared (ConfigMap: ${MDB_TLS_CA_CONFIGMAP}, Secret: ${MDB_TLS_CA_SECRET_NAME})."

docs/search/04-search-external-mongod/code_snippets/04_0307_issue_tls_certificates.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Issue server and search certificates
+server_certificate="${MDB_RESOURCE_NAME}-server-tls"
+search_certificate="${MDB_RESOURCE_NAME}-search-tls"
+
+# DNS names for MongoDB server certificate
+mongo_dns_names=()
+[[ -n "${MDB_EXTERNAL_HOST_0:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_0%%:*}")
+[[ -n "${MDB_EXTERNAL_HOST_1:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_1%%:*}")
+[[ -n "${MDB_EXTERNAL_HOST_2:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_2%%:*}")
+mongo_dns_names+=("${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local" "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local")
+[[ ${#mongo_dns_names[@]} -gt 0 ]] || { echo "No MongoDB DNS names generated; set MDB_EXTERNAL_HOST_* vars" >&2; exit 1; }
+
+# DNS names for MongoDB Search certificate
+search_dns_names=(
+ "${MDB_SEARCH_SERVICE_NAME}"
+ "${MDB_SEARCH_SERVICE_NAME}.${MDB_NS}.svc.cluster.local"
+ "${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+ "*.${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+)
+[[ -n "${MDB_SEARCH_HOSTNAME}" ]] && search_dns_names+=("${MDB_SEARCH_HOSTNAME}")
+
+mongo_dns_block="$(printf ' - "%s"\n' "${mongo_dns_names[@]}")"
+search_dns_block="$(printf ' - "%s"\n' "${search_dns_names[@]}")"
+
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ${server_certificate}
+ namespace: ${MDB_NS}
+spec:
+ secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+ issuerRef:
+ name: ${MDB_TLS_CA_ISSUER}
+ kind: ClusterIssuer
+ duration: 240h0m0s
+ renewBefore: 120h0m0s
+ usages:
+ - digital signature
+ - key encipherment
+ - server auth
+ - client auth
+ dnsNames:
+${mongo_dns_block}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ${search_certificate}
+ namespace: ${MDB_NS}
+spec:
+ secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
+ issuerRef:
+ name: ${MDB_TLS_CA_ISSUER}
+ kind: ClusterIssuer
+ duration: 240h0m0s
+ renewBefore: 120h0m0s
+ usages:
+ - digital signature
+ - key encipherment
+ - server auth
+ - client auth
+ dnsNames:
+${search_dns_block}
+EOF
+
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${server_certificate}" --timeout=300s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${search_certificate}" --timeout=300s
+
+echo "Server and Search TLS certificates issued (Secrets: ${MDB_TLS_SERVER_CERT_SECRET_NAME}, ${MDB_SEARCH_TLS_SECRET_NAME})."

docs/search/04-search-external-mongod/test.sh

@@ -18,7 +18,8 @@ run_for_output 04_0090_helm_add_mogodb_repo.sh
 run_for_output 04_0100_install_operator.sh
 run 04_0304_install_cert_manager.sh
 run 04_0305_create_mongodb_community_user_secrets.sh
-run 04_0306_create_tls_secrets.sh
+run 04_0306_prepare_cert_manager_issuer.sh
+run 04_0307_issue_tls_certificates.sh
 run 04_0310_create_mongodb_community_resource.sh
 run_for_output 04_0315_wait_for_community_resource.sh
 run 04_0320_create_mongodb_search_resource.sh