2 changes: 1 addition & 1 deletion api/v1/search/mongodbsearch_types.go
Expand Up @@ -225,7 +225,7 @@ type ExternalShardConfig struct {
}

type ExternalMongodTLS struct {
// CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate.
// CA is a reference to a ConfigMap containing the CA certificate that issued mongod's TLS certificate.
// The CA certificate is expected to be PEM encoded and available at the "ca.crt" key.
CA *corev1.LocalObjectReference `json:"ca"`
}
Expand Down
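Review bot: The doc comment on the new `CA` text (L29) should spell out the trust consequence of moving the CA from a Secret to a ConfigMap: the bundle is public material, so confidentiality is not the concern, but any principal that can update that ConfigMap can make the search component accept a different issuer for mongod, and ConfigMap write access is often granted more widely than Secret access. It should also say what an existing MongoDBSearch that still names a Secret here will do after upgrade — the field keeps its `json:"ca"` key and `LocalObjectReference` type, so such a manifest stays schema-valid but, judging by the controller change in this PR, will now be resolved as a ConfigMap of that name. Suggested addition after the `"ca.crt"` sentence: `// The ConfigMap is a trust anchor for the mongod connection: restrict write access to it, since whoever can edit it can substitute the issuer mongot accepts.` followed by `// Resources created against earlier versions that referenced a Secret must republish the CA in a ConfigMap of the same name.`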
4 changes: 2 additions & 2 deletions config/crd/bases/mongodb.com_mongodbsearch.yaml
Expand Up @@ -422,7 +422,7 @@ spec:
properties:
ca:
description: |-
CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate.
CA is a reference to a ConfigMap containing the CA certificate that issued mongod's TLS certificate.
The CA certificate is expected to be PEM encoded and available at the "ca.crt" key.
properties:
name:
Expand Down Expand Up @@ -475,7 +475,7 @@ spec:
properties:
ca:
description: |-
CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate.
CA is a reference to a ConfigMap containing the CA certificate that issued mongod's TLS certificate.
The CA certificate is expected to be PEM encoded and available at the "ca.crt" key.
properties:
name:
Expand Down
4 changes: 2 additions & 2 deletions controllers/searchcontroller/external_search_source.go
Expand Up @@ -39,9 +39,9 @@ func (r *externalSearchResource) TLSConfig() *TLSSourceConfig {

return &TLSSourceConfig{
CAFileName: tlsCACertName,
CAVolume: statefulset.CreateVolumeFromSecret("ca", r.spec.TLS.CA.Name),
CAVolume: statefulset.CreateVolumeFromConfigMap("ca", r.spec.TLS.CA.Name),
ResourcesToWatch: map[watch.Type][]types.NamespacedName{
watch.Secret: {
watch.ConfigMap: {
{Namespace: r.namespace, Name: r.spec.TLS.CA.Name},
},
},
Expand Down
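Review bot: Nothing in this hunk checks that the ConfigMap named by `r.spec.TLS.CA.Name` exists and carries a `"ca.crt"` key before it is turned into a volume (L62); the CRD text promises that key, and a ConfigMap published without it would presumably yield a missing or empty CA file and a TLS failure inside the pod rather than a status condition on the MongoDBSearch resource. Since this PR also changes the kind users must create, that failure mode will be hit by anyone upgrading with an old Secret still in place. I would resolve the ConfigMap in the reconciler before building the StatefulSet and fail with a message naming the ConfigMap and the expected key, e.g. `if _, ok := cm.Data[tlsCACertName]; !ok { return fmt.Errorf("configmap %s/%s has no %q key", r.namespace, r.spec.TLS.CA.Name, tlsCACertName) }`; whether `CreateVolumeFromConfigMap` marks the volume optional is not visible here. TLSConfig's signature and the start of its body lie above the hunk.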
Original file line number Diff line number Diff line change
Expand Up @@ -77,9 +77,9 @@ func (r *ShardedExternalSearchSource) TLSConfig() *TLSSourceConfig {

return &TLSSourceConfig{
CAFileName: tlsCACertName,
CAVolume: statefulset.CreateVolumeFromSecret("ca", tlsConfig.CA.Name),
CAVolume: statefulset.CreateVolumeFromConfigMap("ca", tlsConfig.CA.Name),
ResourcesToWatch: map[watch.Type][]types.NamespacedName{
watch.Secret: {
watch.ConfigMap: {
{Namespace: r.namespace, Name: tlsConfig.CA.Name},
},
},
Expand Down
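Review bot: This return block is line-for-line the same as the one in `externalSearchResource.TLSConfig` in the previous file, and this PR had to apply the Secret-to-ConfigMap swap (volume constructor on L76 and watch key on L79) separately in each copy; a second copy is exactly where one of the two will drift next time. If both types live in the same package, a small constructor taking the namespace and CA name would leave each method as a one-line `return caConfigMapTLSConfig(r.namespace, tlsConfig.CA.Name)` and make the next such change a single edit. The method's signature and the code that selects `tlsConfig` are above the hunk.
```go
// caConfigMapTLSConfig builds the TLSSourceConfig for a CA published in a
// ConfigMap under the tlsCACertName key, and registers that ConfigMap for
// watching so a CA rotation triggers a reconcile.
func caConfigMapTLSConfig(namespace, caName string) *TLSSourceConfig {
	return &TLSSourceConfig{
		CAFileName: tlsCACertName,
		CAVolume:   statefulset.CreateVolumeFromConfigMap("ca", caName),
		ResourcesToWatch: map[watch.Type][]types.NamespacedName{
			watch.ConfigMap: {
				{Namespace: namespace, Name: caName},
			},
		},
	}
}

// … unchanged: selection of tlsConfig in ShardedExternalSearchSource.TLSConfig …
	return caConfigMapTLSConfig(r.namespace, tlsConfig.CA.Name)
```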
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"testing"

"github.com/stretchr/testify/assert"

corev1 "k8s.io/api/core/v1"

searchv1 "github.com/mongodb/mongodb-kubernetes/api/v1/search"
Expand Down Expand Up @@ -380,7 +381,7 @@ func TestShardedExternalSearchSource_TLSConfig(t *testing.T) {
assert.NotNil(t, tlsConfig)
assert.Equal(t, "ca.crt", tlsConfig.CAFileName)
assert.Equal(t, "ca", tlsConfig.CAVolume.Name)
assert.Equal(t, "top-level-ca-secret", tlsConfig.CAVolume.VolumeSource.Secret.SecretName)
assert.Equal(t, "top-level-ca-secret", tlsConfig.CAVolume.ConfigMap.Name)
assert.NotNil(t, tlsConfig.ResourcesToWatch)
})

Expand Down Expand Up @@ -408,7 +409,7 @@ func TestShardedExternalSearchSource_TLSConfig(t *testing.T) {

assert.NotNil(t, tlsConfig)
assert.Equal(t, "ca.crt", tlsConfig.CAFileName)
assert.Equal(t, "router-ca-secret", tlsConfig.CAVolume.VolumeSource.Secret.SecretName)
assert.Equal(t, "router-ca-secret", tlsConfig.CAVolume.ConfigMap.Name)
})

t.Run("Router TLS without top-level TLS", func(t *testing.T) {
Expand All @@ -429,7 +430,7 @@ func TestShardedExternalSearchSource_TLSConfig(t *testing.T) {
tlsConfig := src.TLSConfig()

assert.NotNil(t, tlsConfig)
assert.Equal(t, "router-only-ca-secret", tlsConfig.CAVolume.VolumeSource.Secret.SecretName)
assert.Equal(t, "router-only-ca-secret", tlsConfig.CAVolume.ConfigMap.Name)
})

t.Run("Falls back to top-level TLS when router TLS not specified", func(t *testing.T) {
Expand All @@ -447,6 +448,6 @@ func TestShardedExternalSearchSource_TLSConfig(t *testing.T) {
tlsConfig := src.TLSConfig()

assert.NotNil(t, tlsConfig)
assert.Equal(t, "fallback-ca-secret", tlsConfig.CAVolume.VolumeSource.Secret.SecretName)
assert.Equal(t, "fallback-ca-secret", tlsConfig.CAVolume.ConfigMap.Name)
})
}
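Review bot: `assert.NotNil(t, tlsConfig.ResourcesToWatch)` on L99 is the only check of the watch map, so the watch key moving from `watch.Secret` to `watch.ConfigMap` — the part of this change most likely to regress silently, since a stale Secret watch still compiles — is not pinned by any test. Assert the key and the entry, e.g. `assert.Equal(t, []types.NamespacedName{{Namespace: <namespace the fixture uses>, Name: "top-level-ca-secret"}}, tlsConfig.ResourcesToWatch[watch.ConfigMap])` and `assert.NotContains(t, tlsConfig.ResourcesToWatch, watch.Secret)`; this needs the `watch` and `types` packages in the test imports, which the visible import hunk does not show. The fixture names `top-level-ca-secret`, `router-ca-secret`, `router-only-ca-secret` and `fallback-ca-secret` now describe ConfigMaps and should be renamed (`…-ca-configmap` or just `…-ca`) so the test does not suggest a Secret is still accepted.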
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
import pymongo.errors
import yaml
from kubernetes import client
from kubetester import create_or_update_configmap, create_or_update_secret
from kubetester import create_or_update_configmap
from kubetester.certs import create_tls_certs
from kubetester.kubetester import KubernetesTester, run_periodically
from kubetester.mongodb import MongoDB
Expand Down Expand Up @@ -119,10 +119,8 @@ def create_lb_certificates(

def create_issuer_ca(issuer_ca_filepath: str, namespace: str, ca_configmap_name: str) -> str:
ca = open(issuer_ca_filepath).read()
configmap_data = {"ca-pem": ca, "mms-ca.crt": ca}
configmap_data = {"ca-pem": ca, "mms-ca.crt": ca, "ca.crt": ca}
create_or_update_configmap(namespace, ca_configmap_name, configmap_data)
secret_data = {"ca.crt": ca}
create_or_update_secret(namespace, ca_configmap_name, secret_data)
return ca_configmap_name


Expand Down
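Review bot: `create_issuer_ca` now publishes the identical PEM under three keys (`ca-pem`, `mms-ca.crt`, `ca.crt`) of one ConfigMap with no comment saying which consumer reads which, so the next person trimming the map has nothing to go on; from this PR only `ca.crt` is attributable (the MongoDBSearch external mongod CA, per the CRD description). Add a comment above L143 such as `# ca.crt: MongoDBSearch external mongod CA; ca-pem / mms-ca.crt: read by other consumers — confirm before removing either`. The bare `open(issuer_ca_filepath).read()` on L141 is pre-existing, but a `with open(...) as f:` block would be the cleaner form while this function is being touched.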
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from kubetester import create_or_update_secret, try_load
from kubetester import create_or_update_configmap, create_or_update_secret, try_load
from kubetester.certs import create_tls_certs
from kubetester.kubetester import fixture as yaml_fixture
from kubetester.mongodb_community import MongoDBCommunity
Expand Down Expand Up @@ -26,7 +26,6 @@
MDBC_RESOURCE_NAME = "mdbc-rs"
MDBS_RESOURCE_NAME = "mdbs"
TLS_SECRET_NAME = "tls-secret"
TLS_CA_SECRET_NAME = "tls-ca-secret"
# MongoDBSearch TLS configuration — convention: {name}-search-cert
MDBS_TLS_SECRET_NAME = search_resource_names.mongot_tls_cert_name(MDBS_RESOURCE_NAME)

Expand Down Expand Up @@ -115,8 +114,8 @@ def test_install_tls_secrets_and_configmaps(

ca = open(issuer_ca_filepath).read()

ca_secret_name = f"{mdbc.name}-ca"
create_or_update_secret(namespace=namespace, name=ca_secret_name, data={"ca.crt": ca})
ca_configmap_name = f"{mdbc.name}-ca"
create_or_update_configmap(namespace=namespace, name=ca_configmap_name, data={"ca-pem": ca, "ca.crt": ca})


@mark.e2e_search_community_external_mongod_tls
Expand Down
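Review bot: Removing `TLS_CA_SECRET_NAME` leaves the ConfigMap name computed inline as `f"{mdbc.name}-ca"` on L172, with nothing in this file declaring the name the MongoDBSearch fixture is expected to reference; if the fixture yaml carries the same literal, the two will drift silently. Hoist it next to the other names at the top of the module, e.g. `MDBC_CA_CONFIGMAP_NAME = f"{MDBC_RESOURCE_NAME}-ca"`, and use it both here and wherever the search resource is rendered, assuming `mdbc.name` is `MDBC_RESOURCE_NAME`. `create_or_update_secret` stays imported on L154; presumably it is still used for `TLS_SECRET_NAME` below the hunk.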
Original file line number Diff line number Diff line change
Expand Up @@ -41,19 +41,15 @@ spec:
EOF
kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}" --timeout=120s

# 4. Extract CA cert (only ca.crt) and publish to ConfigMap & Secret
# 4. Extract CA cert (only ca.crt) and publish to ConfigMap
TMP_CA_CERT="$(mktemp)"; trap 'rm -f "${TMP_CA_CERT}"' EXIT
ca_b64="$(kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}")"
[[ -n "${ca_b64}" ]] || { echo "CA certificate key ca.crt missing in secret ${MDB_TLS_CA_SECRET_NAME}" >&2; exit 1; }
printf '%s' "${ca_b64}" | base64 --decode > "${TMP_CA_CERT}"

# Create ConfigMap (MongoDBCommunity) and Secret (external search source) containing CA
# Create ConfigMap containing CA (used by both MongoDBCommunity and external search source)
kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
--from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" --from-file=ca.crt="${TMP_CA_CERT}" \
--dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -

kubectl --context "${K8S_CTX}" create secret generic "${MDB_TLS_CA_SECRET_NAME}" -n "${MDB_NS}" \
--from-file=ca.crt="${TMP_CA_CERT}" \
--dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -

echo "CA issuer and artifacts prepared (ConfigMap: ${MDB_TLS_CA_CONFIGMAP}, Secret: ${MDB_TLS_CA_SECRET_NAME})."
echo "CA issuer and artifacts prepared (ConfigMap: ${MDB_TLS_CA_CONFIGMAP})."
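Review bot: The script checks that `ca.crt` exists in the cert-manager Secret (L187) but never checks that the decoded bytes in `${TMP_CA_CERT}` are a certificate, so a corrupt or empty value would be published as `ca.crt` in `${MDB_TLS_CA_CONFIGMAP}` and only surface later as a TLS handshake failure in mongot. After L188 add `openssl x509 -in "${TMP_CA_CERT}" -noout >/dev/null 2>&1 || { echo "decoded ca.crt from ${MDB_TLS_CA_SECRET_NAME} is not a PEM certificate" >&2; exit 1; }` (assumes openssl is on the path). Whether `set -o pipefail` is in effect for the `printf | base64` pipeline is not visible in this hunk; without it a failed decode passes silently, which the certificate check would also catch.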
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ spec:
- ${MDB_EXTERNAL_HOST_2}
tls:
ca:
name: ${MDB_TLS_CA_SECRET_NAME}
name: ${MDB_TLS_CA_CONFIGMAP}
username: search-sync-source
passwordSecretRef:
name: ${MDB_RESOURCE_NAME}-search-sync-source-password
Expand Down
4 changes: 2 additions & 2 deletions helm_chart/crds/mongodb.com_mongodbsearch.yaml
Expand Up @@ -422,7 +422,7 @@ spec:
properties:
ca:
description: |-
CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate.
CA is a reference to a ConfigMap containing the CA certificate that issued mongod's TLS certificate.
The CA certificate is expected to be PEM encoded and available at the "ca.crt" key.
properties:
name:
Expand Down Expand Up @@ -475,7 +475,7 @@ spec:
properties:
ca:
description: |-
CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate.
CA is a reference to a ConfigMap containing the CA certificate that issued mongod's TLS certificate.
The CA certificate is expected to be PEM encoded and available at the "ca.crt" key.
properties:
name:
Expand Down
4 changes: 2 additions & 2 deletions public/crds.yaml
Expand Up @@ -4444,7 +4444,7 @@ spec:
properties:
ca:
description: |-
CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate.
CA is a reference to a ConfigMap containing the CA certificate that issued mongod's TLS certificate.
The CA certificate is expected to be PEM encoded and available at the "ca.crt" key.
properties:
name:
Expand Down Expand Up @@ -4497,7 +4497,7 @@ spec:
properties:
ca:
description: |-
CA is a reference to a Secret containing the CA certificate that issued mongod's TLS certificate.
CA is a reference to a ConfigMap containing the CA certificate that issued mongod's TLS certificate.
The CA certificate is expected to be PEM encoded and available at the "ca.crt" key.
properties:
name:
Expand Down