mongodb · anandsyncs · Nov 13, 2025 · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
@@ -2,5 +2,5 @@ helm upgrade --install --debug --kube-context "${K8S_CTX}" \
  --create-namespace \
  --namespace="${MDB_NS}" \
  mongodb-kubernetes \
- --set "${OPERATOR_ADDITIONAL_HELM_VALUES:-"dummy=value"}" \
+ ${OPERATOR_ADDITIONAL_HELM_VALUES:+--set ${OPERATOR_ADDITIONAL_HELM_VALUES}} \
  "${OPERATOR_HELM_CHART}"
@@ -0,0 +1,8 @@
+echo "Waiting for operator deployment to be ready..."
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" rollout status --timeout=2m deployment/mongodb-kubernetes-operator
+
+echo "Operator deployment in ${MDB_NS} namespace"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get deployments
+
+echo; echo "Operator pod in ${MDB_NS} namespace"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods -l app=mongodb-kubernetes-operator
@@ -0,0 +1,15 @@
+helm upgrade --install \
+ cert-manager \
+ oci://quay.io/jetstack/charts/cert-manager \
+ --kube-context "${K8S_CTX}" \
+ --namespace "${CERT_MANAGER_NAMESPACE}" \
+ --create-namespace \
+ --set crds.enabled=true
+
+for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
+ kubectl --context "${K8S_CTX}" \
+ -n "${CERT_MANAGER_NAMESPACE}" \
+ wait --for=condition=Available "deployment/${deployment}" --timeout=300s
+done
+
+echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."
@@ -1,11 +1,16 @@
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
- create secret generic mdb-admin-user-password \
- --from-literal=password="${MDB_ADMIN_USER_PASSWORD}"
+# Create admin user secret
+kubectl create secret generic mdb-admin-user-password \
+ --from-literal=password="${MDB_ADMIN_USER_PASSWORD}" \
+ --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
- create secret generic mdbc-rs-search-sync-source-password \
- --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}"
+# Create search sync source user secret
+kubectl create secret generic "${MDB_RESOURCE_NAME}-search-sync-source-password" \
+ --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}" \
+ --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
- create secret generic mdb-user-password \
- --from-literal=password="${MDB_USER_PASSWORD}"
+# Create regular user secret
+kubectl create secret generic mdb-user-password \
+ --from-literal=password="${MDB_USER_PASSWORD}" \
+ --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
+
+echo "User secrets created."
@@ -0,0 +1,59 @@
+# 1. Self-signed bootstrap issuer
+kubectl apply --context "${K8S_CTX}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+spec:
+ selfSigned: {}
+EOF
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}" --timeout=120s
+
+# 2. CA certificate
+kubectl apply --context "${K8S_CTX}" -n "${CERT_MANAGER_NAMESPACE}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ${MDB_TLS_CA_CERT_NAME}
+ namespace: ${CERT_MANAGER_NAMESPACE}
+spec:
+ isCA: true
+ commonName: ${MDB_TLS_CA_CERT_NAME}
+ secretName: ${MDB_TLS_CA_SECRET_NAME}
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+ kind: ClusterIssuer
+EOF
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}" --timeout=300s
+
+# 3. CA issuer referencing CA secret
+kubectl apply --context "${K8S_CTX}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: ${MDB_TLS_CA_ISSUER}
+spec:
+ ca:
+ secretName: ${MDB_TLS_CA_SECRET_NAME}
+EOF
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}" --timeout=120s
+
+# 4. Extract CA cert (only ca.crt) and publish to ConfigMap & Secret
+TMP_CA_CERT="$(mktemp)"; trap 'rm -f "${TMP_CA_CERT}"' EXIT
+ca_b64="$(kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}")"
+[[ -n "${ca_b64}" ]] || { echo "CA certificate key ca.crt missing in secret ${MDB_TLS_CA_SECRET_NAME}" >&2; exit 1; }
+printf '%s' "${ca_b64}" | base64 --decode > "${TMP_CA_CERT}"
+
+# Create ConfigMap (MongoDBCommunity) and Secret (external search source) containing CA
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+ --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" --from-file=ca.crt="${TMP_CA_CERT}" \
+ --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+kubectl --context "${K8S_CTX}" create secret generic "${MDB_TLS_CA_SECRET_NAME}" -n "${MDB_NS}" \
+ --from-file=ca.crt="${TMP_CA_CERT}" \
+ --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+echo "CA issuer and artifacts prepared (ConfigMap: ${MDB_TLS_CA_CONFIGMAP}, Secret: ${MDB_TLS_CA_SECRET_NAME})."
@@ -0,0 +1,70 @@
+# Issue server and search certificates
+server_certificate="${MDB_RESOURCE_NAME}-server-tls"
+search_certificate="${MDB_RESOURCE_NAME}-search-tls"
+
+# DNS names for MongoDB server certificate
+mongo_dns_names=()
+[[ -n "${MDB_EXTERNAL_HOST_0:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_0%%:*}")
+[[ -n "${MDB_EXTERNAL_HOST_1:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_1%%:*}")
+[[ -n "${MDB_EXTERNAL_HOST_2:-}" ]] && mongo_dns_names+=("${MDB_EXTERNAL_HOST_2%%:*}")
+mongo_dns_names+=("${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local" "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local")
+[[ ${#mongo_dns_names[@]} -gt 0 ]] || { echo "No MongoDB DNS names generated; set MDB_EXTERNAL_HOST_* vars" >&2; exit 1; }
+
+# DNS names for MongoDB Search certificate
+search_dns_names=(
+ "${MDB_SEARCH_SERVICE_NAME}"
+ "${MDB_SEARCH_SERVICE_NAME}.${MDB_NS}.svc.cluster.local"
+ "${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+ "*.${MDB_SEARCH_SERVICE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+)
+[[ -n "${MDB_SEARCH_HOSTNAME}" ]] && search_dns_names+=("${MDB_SEARCH_HOSTNAME}")
+
+mongo_dns_block="$(printf ' - "%s"\n' "${mongo_dns_names[@]}")"
+search_dns_block="$(printf ' - "%s"\n' "${search_dns_names[@]}")"
+
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ${server_certificate}
+ namespace: ${MDB_NS}
+spec:
+ secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+ issuerRef:
+ name: ${MDB_TLS_CA_ISSUER}
+ kind: ClusterIssuer
+ duration: 240h0m0s
+ renewBefore: 120h0m0s
+ usages:
+ - digital signature
+ - key encipherment
+ - server auth
+ - client auth
+ dnsNames:
+${mongo_dns_block}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ${search_certificate}
+ namespace: ${MDB_NS}
+spec:
+ secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
+ issuerRef:
+ name: ${MDB_TLS_CA_ISSUER}
+ kind: ClusterIssuer
+ duration: 240h0m0s
+ renewBefore: 120h0m0s
+ usages:
+ - digital signature
+ - key encipherment
+ - server auth
+ - client auth
+ dnsNames:
+${search_dns_block}
+EOF
+
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${server_certificate}" --timeout=300s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${search_certificate}" --timeout=300s
+
+echo "Server and Search TLS certificates issued (Secrets: ${MDB_TLS_SERVER_CERT_SECRET_NAME}, ${MDB_SEARCH_TLS_SECRET_NAME})."
@@ -2,12 +2,18 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodbcommunity.mongodb.com/v1
 kind: MongoDBCommunity
 metadata:
- name: mdbc-rs
+ name: ${MDB_RESOURCE_NAME}
 spec:
  version: ${MDB_VERSION}
  type: ReplicaSet
  members: 3
  security:
+ tls:
+ enabled: true
+ certificateKeySecretRef:
+ name: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+ caConfigMapRef:
+ name: ${MDB_TLS_CA_CONFIGMAP}
  authentication:
  ignoreUnknownUsers: true
  modes:
@@ -17,7 +23,7 @@ spec:
  mongotHost: ${MDB_SEARCH_HOSTNAME}:27028
  searchIndexManagementHostAndPort: ${MDB_SEARCH_HOSTNAME}:27028
  skipAuthenticationToSearchIndexManagementServer: false
- searchTLSMode: disabled
+ searchTLSMode: requireTLS
  useGrpcForSearch: true
  agent:
  logLevel: DEBUG
@@ -71,8 +77,8 @@ spec:
  db: admin
  # a reference to the secret that will be used to generate the user's password
  passwordSecretRef:
- name: mdbc-rs-search-sync-source-password
- scramCredentialsSecretName: mdbc-rs-search-sync-source
+ name: ${MDB_RESOURCE_NAME}-search-sync-source-password
+ scramCredentialsSecretName: ${MDB_RESOURCE_NAME}-search-sync-source
  roles:
  - name: searchCoordinator
  db: admin

@@ -1,7 +1,9 @@
 echo "Waiting for MongoDBCommunity resource to reach Running phase..."
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
- --for=jsonpath='{.status.phase}'=Running mdbc/mdbc-rs --timeout=400s
+
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running mdbc/"${MDB_RESOURCE_NAME}" --timeout=400s
+
 echo; echo "MongoDBCommunity resource"
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get mdbc/mdbc-rs
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get mdbc/"${MDB_RESOURCE_NAME}"
+
 echo; echo "Pods running in cluster ${K8S_CTX}"
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods
@@ -2,18 +2,25 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodb.com/v1
 kind: MongoDBSearch
 metadata:
- name: mdbs
+ name: ${MDB_SEARCH_RESOURCE_NAME:-mdbs}
 spec:
  source:
  external:
  hostAndPorts:
  - ${MDB_EXTERNAL_HOST_0}
  - ${MDB_EXTERNAL_HOST_1}
  - ${MDB_EXTERNAL_HOST_2}
+ tls:
+ ca:
+ name: ${MDB_TLS_CA_SECRET_NAME}
  username: search-sync-source
  passwordSecretRef:
  name: ${MDB_RESOURCE_NAME}-search-sync-source-password
  key: password
+ security:
+ tls:
+ certificateKeySecretRef:
+ name: ${MDB_SEARCH_TLS_SECRET_NAME}
  resourceRequirements:
  limits:
  cpu: "3"

@@ -6,7 +6,7 @@ metadata:
 spec:
  type: LoadBalancer
  selector:
- app: mdbs-search-svc
+ app: ${MDB_SEARCH_RESOURCE_NAME:-mdbs}-search-svc
  ports:
  - name: mongot
  port: 27028

@@ -1,3 +1,3 @@
 echo "Waiting for MongoDBSearch resource to reach Running phase..."
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
- --for=jsonpath='{.status.phase}'=Running mdbs/mdbs --timeout=300s
+
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running mdbs/"${MDB_SEARCH_RESOURCE_NAME:-mdbs}" --timeout=300s
@@ -1,3 +1,5 @@
 echo "Waiting for MongoDBCommunity resource to reach Running phase..."
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
- --for=jsonpath='{.status.phase}'=Running mdbc/mdbc-rs --timeout=400s
+ --for=jsonpath='{.status.phase}'=Running mdbc/"${MDB_RESOURCE_NAME}" --timeout=400s
+
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running mdbc/"${MDB_RESOURCE_NAME}" --timeout=400s
@@ -8,6 +8,9 @@ export MDB_ADMIN_USER_PASSWORD="admin-user-password-CHANGE-ME"
 export MDB_USER_PASSWORD="mdb-user-password-CHANGE-ME"
 export MDB_SEARCH_SYNC_USER_PASSWORD="search-sync-user-password-CHANGE-ME"
 
+export MDB_TLS_CA_SECRET_NAME="ca"
+export MDB_SEARCH_TLS_SECRET_NAME="mdbs-search-tls"
+
 export MDB_SEARCH_SERVICE_NAME="mdbs-search"
 export MDB_SEARCH_HOSTNAME="mdbs-search.example.com"
 
@@ -23,4 +26,4 @@ export MDB_EXTERNAL_REPLICA_SET_NAME="mdbc-rs"
 export OPERATOR_HELM_CHART="mongodb/mongodb-kubernetes"
 export OPERATOR_ADDITIONAL_HELM_VALUES=""
 
-export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_EXTERNAL_HOST_0}/?replicaSet=${MDB_EXTERNAL_REPLICA_SET_NAME}"
+export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_EXTERNAL_HOST_0}/?replicaSet=${MDB_EXTERNAL_REPLICA_SET_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
@@ -0,0 +1,11 @@
+export MDB_RESOURCE_NAME="mdbc-rs"
+export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
+
+export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
+export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
+
+export MDB_TLS_SELF_SIGNED_ISSUER="${MDB_RESOURCE_NAME}-selfsigned-cluster-issuer"
+export MDB_TLS_CA_CERT_NAME="${MDB_RESOURCE_NAME}-selfsigned-ca"
+export MDB_TLS_CA_ISSUER="${MDB_RESOURCE_NAME}-cluster-issuer"
+
+export CERT_MANAGER_NAMESPACE="cert-manager"
@@ -16,7 +16,10 @@ run 04_0046_create_image_pull_secrets.sh
 run 04_0048_configure_prerelease_image_pullsecret.sh
 run_for_output 04_0090_helm_add_mogodb_repo.sh
 run_for_output 04_0100_install_operator.sh
+run 04_0304_install_cert_manager.sh
 run 04_0305_create_mongodb_community_user_secrets.sh
+run 04_0306_prepare_cert_manager_issuer.sh
+run 04_0307_issue_tls_certificates.sh
 run 04_0310_create_mongodb_community_resource.sh
 run_for_output 04_0315_wait_for_community_resource.sh
 run 04_0320_create_mongodb_search_resource.sh

@@ -20,12 +20,14 @@ trap dump_logs EXIT
 
 test_dir="./docs/search/04-search-external-mongod"
 source "${test_dir}/env_variables.sh"
+source "${test_dir}/env_variables_tls.sh"
+
 echo "Sourcing env variables for ${CODE_SNIPPETS_FLAVOR} flavor"
 # shellcheck disable=SC1090
 test -f "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh" && source "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh"
 
 export MDB_RESOURCE_NAME="mdbc-rs"
-export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}"
+export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
 
 ${test_dir}/test.sh