Search Public Preview - main feature branch

.evergreen-tasks.yml

@@ -1285,3 +1285,8 @@ tasks:
     tags: ["patch-run"]
     commands:
       - func: "e2e_test"
+
+  - name: e2e_search_community_tls
+    tags: ["patch-run"]
+    commands:
+      - func: "e2e_test"

.evergreen.yml

@@ -686,6 +686,7 @@ task_groups:
     tasks:
       - e2e_community_replicaset_scale
       - e2e_search_community_basic
+      - e2e_search_community_tls
 
   # This is the task group that contains all the tests run in the e2e_mdb_kind_ubuntu_cloudqa build variant
   - name: e2e_mdb_kind_cloudqa_task_group

api/v1/search/mongodbsearch_types.go

@@ -1,6 +1,8 @@
 package search
 
 import (
+	"fmt"
+
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 
@@ -14,30 +16,61 @@ import (
 )
 
 const (
-	MongotDefaultPort        = 27027
-	MongotDefaultMetricsPort = 9946
+	MongotDefaultPort               = 27027
+	MongotDefaultMetricsPort        = 9946
+	MongotDefautHealthCheckPort     = 8080
+	MongotDefaultSyncSourceUsername = "search-sync-source"
 )
 
 func init() {
 	v1.SchemeBuilder.Register(&MongoDBSearch{}, &MongoDBSearchList{})
 }
 
 type MongoDBSearchSpec struct {
+	// Optional version of MongoDB Search component (mongot). If not set, then the operator will set the most appropriate version of MongoDB Search.
 	// +optional
 	Version string `json:"version"`
+	// MongoDB database connection details from which MongoDB Search will synchronize data to build indexes.
 	// +optional
 	Source *MongoDBSource `json:"source"`
+	// StatefulSetSpec which the operator will apply to the MongoDB Search StatefulSet at the end of the reconcile loop. Use to provide necessary customizations,
+	// which aren't exposed as fields in the MongoDBSearch.spec.
 	// +optional
 	StatefulSetConfiguration *common.StatefulSetConfiguration `json:"statefulSet,omitempty"`
+	// Configure MongoDB Search's persistent volume. If not defined, the operator will request 10GB of storage.
 	// +optional
 	Persistence *common.Persistence `json:"persistence,omitempty"`
+	// Configure resource requests and limits for the MongoDB Search pods.
 	// +optional
 	ResourceRequirements *corev1.ResourceRequirements `json:"resourceRequirements,omitempty"`
+	// Configure security settings of the MongoDB Search server that MongoDB database is connecting to when performing search queries.
+	// +optional
+	Security Security `json:"security"`
 }
 
 type MongoDBSource struct {
 	// +optional
 	MongoDBResourceRef *userv1.MongoDBResourceRef `json:"mongodbResourceRef,omitempty"`
+	// +optional
+	PasswordSecretRef *userv1.SecretKeyRef `json:"passwordSecretRef,omitempty"`
+	// +optional
+	Username *string `json:"username,omitempty"`
+}
+
+type Security struct {
+	// +optional
+	TLS TLS `json:"tls"`
+}
+
+type TLS struct {
+	Enabled bool `json:"enabled"`
+	// CertificateKeySecret is a reference to a Secret containing a private key and certificate to use for TLS.
+	// The key and cert are expected to be PEM encoded and available at "tls.key" and "tls.crt".
+	// This is the same format used for the standard "kubernetes.io/tls" Secret type, but no specific type is required.
+	// Alternatively, an entry tls.pem, containing the concatenation of cert and key, can be provided.
+	// If all of tls.pem, tls.crt and tls.key are present, the tls.pem one needs to be equal to the concatenation of tls.crt and tls.key
+	// +optional
+	CertificateKeySecret corev1.LocalObjectReference `json:"certificateKeySecretRef"`
 }
 
 type MongoDBSearchStatus struct {
@@ -105,6 +138,25 @@ func (s *MongoDBSearch) MongotConfigConfigMapNamespacedName() types.NamespacedNa
 	return types.NamespacedName{Name: s.Name + "-search-config", Namespace: s.Namespace}
 }
 
+func (s *MongoDBSearch) SourceUserPasswordSecretRef() *userv1.SecretKeyRef {
+	if s.Spec.Source != nil && s.Spec.Source.PasswordSecretRef != nil {
+		return s.Spec.Source.PasswordSecretRef
+	}
+
+	return &userv1.SecretKeyRef{
+		Name: fmt.Sprintf("%s-%s-password", s.Name, MongotDefaultSyncSourceUsername),
+		Key:  "password",
+	}
+}
+
+func (s *MongoDBSearch) SourceUsername() string {
+	if s.Spec.Source != nil && s.Spec.Source.Username != nil {
+		return *s.Spec.Source.Username
+	}
+
+	return MongotDefaultSyncSourceUsername
+}
+
 func (s *MongoDBSearch) StatefulSetNamespacedName() types.NamespacedName {
 	return types.NamespacedName{Name: s.Name + "-search", Namespace: s.Namespace}
 }
@@ -134,3 +186,18 @@ func (s *MongoDBSearch) GetMongotPort() int32 {
 func (s *MongoDBSearch) GetMongotMetricsPort() int32 {
 	return MongotDefaultMetricsPort
 }
+
+// TLSSecretNamespacedName will get the namespaced name of the Secret containing the server certificate and key
+func (s *MongoDBSearch) TLSSecretNamespacedName() types.NamespacedName {
+	return types.NamespacedName{Name: s.Spec.Security.TLS.CertificateKeySecret.Name, Namespace: s.Namespace}
+}
+
+// TLSOperatorSecretNamespacedName will get the namespaced name of the Secret created by the operator
+// containing the combined certificate and key.
+func (s *MongoDBSearch) TLSOperatorSecretNamespacedName() types.NamespacedName {
+	return types.NamespacedName{Name: s.Name + "-search-certificate-key", Namespace: s.Namespace}
+}
+
+func (s *MongoDBSearch) GetMongotHealthCheckPort() int32 {
+	return MongotDefautHealthCheckPort
+}

config/crd/bases/mongodb.com_mongodbsearch.yaml

@@ -149,6 +149,37 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                     type: object
                 type: object
+              security:
+                properties:
+                  tls:
+                    properties:
+                      certificateKeySecretRef:
+                        description: |-
+                          CertificateKeySecret is a reference to a Secret containing a private key and certificate to use for TLS.
+                          The key and cert are expected to be PEM encoded and available at "tls.key" and "tls.crt".
+                          This is the same format used for the standard "kubernetes.io/tls" Secret type, but no specific type is required.
+                          Alternatively, an entry tls.pem, containing the concatenation of cert and key, can be provided.
+                          If all of tls.pem, tls.crt and tls.key are present, the tls.pem one needs to be equal to the concatenation of tls.crt and tls.key
+                        properties:
+                          name:
+                            default: ""
+                            description: |-
+                              Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
+                              TODO: Add other useful fields. apiVersion, kind, uid?
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      enabled:
+                        type: boolean
+                    required:
+                    - enabled
+                    type: object
+                type: object
               source:
                 properties:
                   mongodbResourceRef:
@@ -160,6 +191,21 @@ spec:
                     required:
                     - name
                     type: object
+                  passwordSecretRef:
+                    description: |-
+                      SecretKeyRef is a reference to a value in a given secret in the same
+                      namespace. Based on:
+                      https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#secretkeyselector-v1-core
+                    properties:
+                      key:
+                        type: string
+                      name:
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  username:
+                    type: string
                 type: object
               statefulSet:
                 description: |-

config/manager/manager.yaml

@@ -392,10 +392,10 @@ spec:
             - name: RELATED_IMAGE_MONGODB_IMAGE_8_0_0_ubi9
               value: "quay.io/mongodb/mongodb-enterprise-server:8.0.0-ubi9"
             - name: RELATED_IMAGE_MDB_SEARCH_IMAGE_1_47_0
-              value: "quay.io/mongodb/mongodb-search-community:1.47.0"
+              value: "268558157000.dkr.ecr.eu-west-1.amazonaws.com/mongot/community:1.47.0"
             - name: MDB_SEARCH_COMMUNITY_REPO_URL
-              value: "quay.io/mongodb"
+              value: "268558157000.dkr.ecr.eu-west-1.amazonaws.com"
             - name: MDB_SEARCH_COMMUNITY_NAME
-              value: "mongodb-search-community"
+              value: "mongot/community"
             - name: MDB_SEARCH_COMMUNITY_VERSION
               value: "1.47.0"

controllers/operator/mongodbsearch_controller.go

@@ -13,6 +13,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	searchv1 "github.com/mongodb/mongodb-kubernetes/api/v1/search"
@@ -67,7 +68,7 @@ func getSourceMongoDBForSearch(ctx context.Context, kubeClient client.Client, se
 	mdbcName := types.NamespacedName{Namespace: search.GetNamespace(), Name: sourceMongoDBResourceRef.Name}
 	mdbc := &mdbcv1.MongoDBCommunity{}
 	if err := kubeClient.Get(ctx, mdbcName, mdbc); err != nil {
-		return nil, xerrors.Errorf("error getting MongoDBCommunity %s", mdbcName)
+		return nil, xerrors.Errorf("error getting MongoDBCommunity %s: %w", mdbcName, err)
 	}
 	return search_controller.NewSearchSourceDBResourceFromMongoDBCommunity(mdbc), nil
 }
@@ -89,5 +90,6 @@ func AddMongoDBSearchController(ctx context.Context, mgr manager.Manager, operat
 		For(&searchv1.MongoDBSearch{}).
 		Watches(&mdbcv1.MongoDBCommunity{}, r.mdbcWatcher).
 		Owns(&appsv1.StatefulSet{}).
+		Owns(&corev1.Secret{}).
 		Complete(r)
 }