mongodb · mircea-cosbuc · Mar 18, 2026
@@ -38,6 +38,7 @@ const (
 	performCleanupEnv                   = "PERFORM_CLEANUP"
 	CommunityHelmChartAndDeploymentName = "mongodb-community-operator"
 	MCKHelmChartAndDeploymentName       = util.OperatorName
+	TestPKIHelmChartName                = "mongodb-test-pki"
 )
 
 func Setup(ctx context.Context, t *testing.T) *e2eutil.TestContext {
@@ -47,7 +48,7 @@ func Setup(ctx context.Context, t *testing.T) *e2eutil.TestContext {
 	}
 
 	config := LoadTestConfigFromEnv()
-	if err := DeployMCKOperator(ctx, t, config, "mdb", false, false); err != nil {
+	if err := DeployMCKOperator(ctx, t, config, false, false); err != nil {
 		t.Fatal(err)
 	}
 
@@ -65,7 +66,11 @@ func SetupWithTLS(ctx context.Context, t *testing.T, resourceName string, additi
 		t.Fatal(err)
 	}
 
-	if err := DeployMCKOperator(ctx, t, config, resourceName, true, false, additionalHelmArgs...); err != nil {
+	// if err := SetupCertificates(t, resourceName); err != nil {
+
+	// }
+
+	if err := DeployMCKOperator(ctx, t, config, true, false, additionalHelmArgs...); err != nil {
 		t.Fatal(err)
 	}
 
@@ -84,7 +89,7 @@ func SetupWithTestConfig(ctx context.Context, t *testing.T, testConfig TestConfi
 		}
 	}
 
-	if err := DeployMCKOperator(ctx, t, testConfig, resourceName, withTLS, defaultOperator); err != nil {
+	if err := DeployMCKOperator(ctx, t, testConfig, withTLS, defaultOperator); err != nil {
 		t.Fatal(err)
 	}
 
@@ -149,7 +154,7 @@ func extractRegistryNameAndVersion(fullImage string) (string, string, string) {
 }
 
 // getHelmArgs returns a map of helm arguments that are required to install the operator.
-func getHelmArgs(testConfig TestConfig, watchNamespace string, resourceName string, withTLS bool, defaultOperator bool, additionalHelmArgs ...HelmArg) map[string]string {
+func getHelmArgs(testConfig TestConfig, watchNamespace string, withTLS bool, defaultOperator bool, additionalHelmArgs ...HelmArg) map[string]string {
 	agentRegistry, agentName, agentVersion := extractRegistryNameAndVersion(testConfig.AgentImage)
 	versionUpgradeHookRegistry, versionUpgradeHookName, versionUpgradeHookVersion := extractRegistryNameAndVersion(testConfig.VersionUpgradeHookImage)
 	readinessProbeRegistry, readinessProbeName, readinessProbeVersion := extractRegistryNameAndVersion(testConfig.ReadinessProbeImage)
@@ -181,12 +186,6 @@ func getHelmArgs(testConfig TestConfig, watchNamespace string, resourceName stri
 		helmArgs["readinessProbe.version"] = readinessProbeVersion
 	}
 
-	// only used for one mco tls test
-	helmArgs["community.createResource"] = strconv.FormatBool(false)
-	helmArgs["community.resource.name"] = resourceName
-	helmArgs["community.resource.tls.enabled"] = strconv.FormatBool(withTLS)
-	helmArgs["community.resource.tls.useCertManager"] = strconv.FormatBool(withTLS)
-
 	for _, arg := range additionalHelmArgs {
 		helmArgs[arg.Name] = arg.Value
 	}
@@ -195,7 +194,7 @@ func getHelmArgs(testConfig TestConfig, watchNamespace string, resourceName stri
 }
 
 // getMCOHelmArgs returns a map of helm arguments that were used to install mco with the mco chart
-func getMCOHelmArgs(testConfig TestConfig, watchNamespace string, resourceName string, withTLS bool, additionalHelmArgs ...HelmArg) map[string]string {
+func getMCOHelmArgs(testConfig TestConfig, watchNamespace string, additionalHelmArgs ...HelmArg) map[string]string {
 	agentRegistry, agentName, agentVersion := extractRegistryNameAndVersion(testConfig.AgentImage)
 	versionUpgradeHookRegistry, versionUpgradeHookName, versionUpgradeHookVersion := extractRegistryNameAndVersion(testConfig.VersionUpgradeHookImage)
 	readinessProbeRegistry, readinessProbeName, readinessProbeVersion := extractRegistryNameAndVersion(testConfig.ReadinessProbeImage)
@@ -225,11 +224,6 @@ func getMCOHelmArgs(testConfig TestConfig, watchNamespace string, resourceName s
 	helmArgs["registry.readinessProbe"] = readinessProbeRegistry
 	helmArgs["registry.imagePullSecrets"] = "image-registries-secret"
 
-	helmArgs["createResource"] = strconv.FormatBool(false)
-	helmArgs["resource.name"] = resourceName
-	helmArgs["resource.tls.enabled"] = strconv.FormatBool(withTLS)
-	helmArgs["resource.tls.useCertManager"] = strconv.FormatBool(withTLS)
-
 	for _, arg := range additionalHelmArgs {
 		helmArgs[arg.Name] = arg.Value
 	}
@@ -238,7 +232,7 @@ func getMCOHelmArgs(testConfig TestConfig, watchNamespace string, resourceName s
 }
 
 // DeployMCKOperator installs all resources required by the operator using helm.
-func DeployMCKOperator(ctx context.Context, t *testing.T, config TestConfig, resourceName string, withTLS bool, defaultOperator bool, additionalHelmArgs ...HelmArg) error {
+func DeployMCKOperator(ctx context.Context, t *testing.T, config TestConfig, withTLS bool, defaultOperator bool, additionalHelmArgs ...HelmArg) error {
 	e2eutil.OperatorNamespace = config.Namespace
 
 	if config.LocalOperator {
@@ -256,7 +250,7 @@ func DeployMCKOperator(ctx context.Context, t *testing.T, config TestConfig, res
 		return err
 	}
 
-	helmArgs := getHelmArgs(config, watchNamespace, resourceName, withTLS, defaultOperator, additionalHelmArgs...)
+	helmArgs := getHelmArgs(config, watchNamespace, withTLS, defaultOperator, additionalHelmArgs...)
 	helmFlags := map[string]string{
 		"namespace": config.Namespace,
 	}
@@ -316,6 +310,25 @@ func deployCertManager(t *testing.T, config TestConfig) error {
 	return nil
 }
 
+func SetupCertificates(t *testing.T, config TestConfig, resourceName string, useX509 bool, userX509Cert bool) error {
+	if err := helm.Uninstall(t, TestPKIHelmChartName, config.Namespace); err != nil {
+		return err
+	}
+	helmArgs := map[string]string{
+		"resourceName":   resourceName,
+		"useX509":        strconv.FormatBool(useX509),
+		"sampleX509User": strconv.FormatBool((userX509Cert)),
+	}
+	helmFlags := map[string]string{
+		"namespace": config.Namespace,
+	}
+
+	if err := helm.Install(t, config.TestPKIChartPath, TestPKIHelmChartName, helmFlags, helmArgs); err != nil {
+		return err
+	}
+	return nil
+}
+
 // hasDeploymentRequiredReplicas returns a condition function that indicates whether the given deployment
 // currently has the required amount of replicas in the ready state as specified in spec.replicas
 func hasDeploymentRequiredReplicas(dep *appsv1.Deployment) wait.ConditionWithContextFunc {
@@ -367,7 +380,7 @@ func InstallCommunityOperatorViaHelm(ctx context.Context, t *testing.T, config T
 		"namespace": namespace,
 	}
 
-	helmArgs := getMCOHelmArgs(config, namespace, "mdb", false, additionalHelmArgs...)
+	helmArgs := getMCOHelmArgs(config, namespace, additionalHelmArgs...)
 	helmArgs["operator.name"] = CommunityHelmChartAndDeploymentName
 
 	// Apply any additional helm args

@@ -26,6 +26,7 @@ type TestConfig struct {
 	AgentImage              string
 	ReadinessProbeImage     string
 	HelmChartPath           string
+	TestPKIChartPath        string
 	MongoDBImage            string
 	MongoDBRepoUrl          string
 	LocalOperator           bool
@@ -53,6 +54,7 @@ func LoadTestConfigFromEnv() TestConfig {
 		PerformCleanup:      envvar.ReadBool(performCleanupEnvName),                                                                              // nolint:forbidigo
 		ReadinessProbeImage: envvar.GetEnvOrDefault(construct.ReadinessProbeImageEnv, "quay.io/mongodb/mongodb-kubernetes-readinessprobe:1.0.3"), // nolint:forbidigo
 		HelmChartPath:       "../../../../helm_chart",                                                                                            // TODO: MCK update this later once we change folder or choose a different solution, alternatives, copy helm chart to test folder/search for helm_chart folder
-		LocalOperator:       envvar.ReadBool(LocalOperatorEnvName),                                                                               // nolint:forbidigo // TODO MCK: combine with meko one
+		TestPKIChartPath:    "./test-pki",
+		LocalOperator:       envvar.ReadBool(LocalOperatorEnvName), // nolint:forbidigo // TODO MCK: combine with meko one
 	}
 }
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: test-pki
+description: A Helm chart setting up testing TLS certificates for the community operator
+type: application
+version: 0.1.0
@@ -0,0 +1,105 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: tls-selfsigned-issuer
+  namespace: {{ .Values.namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tls-selfsigned-ca
+  namespace: {{ .Values.namespace }}
+spec:
+  isCA: true
+  commonName: "*.{{ .Values.resourceName }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+  dnsNames:
+    - "*.{{ .Values.resourceName }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+  secretName: {{ .Values.caCertificateSecretRef }}
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: tls-selfsigned-issuer
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: tls-ca-issuer
+  namespace: {{ .Values.namespace }}
+spec:
+  ca:
+    secretName: {{ .Values.caCertificateSecretRef }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cert-manager-tls-certificate
+  namespace: {{ .Values.namespace }}
+spec:
+  secretName: {{ .Values.certificateKeySecretRef }}
+  issuerRef:
+    name: tls-ca-issuer
+    kind: Issuer
+  duration: {{ .Values.certDuration }}
+  renewBefore: {{ .Values.renewCertBefore }}
+  commonName: "*.{{ .Values.resourceName }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+  dnsNames:
+    - "*.{{ .Values.resourceName }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+{{- if .Values.useX509 }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: agent-certs
+  namespace: {{ .Values.namespace }}
+spec:
+  commonName: mms-automation-agent
+  dnsNames:
+    - automation
+  duration: 240h0m0s
+  issuerRef:
+    name: tls-ca-issuer
+  renewBefore: 120h0m0s
+  secretName: agent-certs
+  subject:
+    countries:
+      - US
+    localities:
+      - NY
+    organizationalUnits:
+      - a-1635241837-m5yb81lfnrz
+    organizations:
+      - cluster.local-agent
+    provinces:
+      - NY
+  usages:
+    - digital signature
+    - key encipherment
+    - client auth
+{{- end }}
+{{- if .Values.sampleX509User }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: x509-user-cert
+  namespace: {{ .Values.namespace }}
+spec:
+  commonName: my-x509-user
+  duration: 240h0m0s
+  issuerRef:
+    name: tls-ca-issuer
+  renewBefore: 120h0m0s
+  secretName: my-x509-user-cert
+  subject:
+    organizationalUnits:
+      - organizationalunit
+    organizations:
+      - organization
+  usages:
+    - digital signature
+    - client auth
+{{- end }}
@@ -0,0 +1,8 @@
+namespace: mongodb
+resourceName: example-mongodb
+caCertificateSecretRef: ca-key-pair
+certificateKeySecretRef: tls-certificate
+certDuration: "8760h"
+renewCertBefore: "720h"
+useX509: false
+sampleX509User: false