mongodb · anandsyncs · Oct 13, 2025 · Oct 16, 2025 · Oct 16, 2025 · Oct 16, 2025
@@ -0,0 +1,24 @@
+required=(
+  K8S_CTX
+  MDB_NS
+  MDB_RESOURCE_NAME
+  MDB_VERSION
+  MDB_MEMBERS
+  CERT_MANAGER_NAMESPACE
+  MDB_TLS_CA_SECRET_NAME
+  MDB_TLS_SERVER_CERT_SECRET_NAME
+  MDB_SEARCH_TLS_SECRET_NAME
+  MDB_ADMIN_USER_PASSWORD
+  MDB_SEARCH_SYNC_USER_PASSWORD
+  MDB_USER_PASSWORD
+  OPERATOR_HELM_CHART
+)
+
+missing_req=()
+for v in "${required[@]}"; do [[ -n "${!v:-}" ]] || missing_req+=("$v"); done
+if (( ${#missing_req[@]} )); then
+  echo "ERROR: Missing required environment variables:" >&2
+  for m in "${missing_req[@]}"; do echo "  - $m" >&2; done
+fi
+
+echo "All required environment variables present."
@@ -1,12 +1,16 @@
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-admin-user-password \
-  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}"
+# Create admin user secret
+kubectl create secret generic mdb-admin-user-password \
+  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdbc-rs-search-sync-source-password \
-  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}"
+# Create search sync source user secret
+kubectl create secret generic "${MDB_RESOURCE_NAME}-search-sync-source-password" \
+  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-user-password \
-  --from-literal=password="${MDB_USER_PASSWORD}"
+# Create regular user secret
+kubectl create secret generic mdb-user-password \
+  --from-literal=password="${MDB_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
+echo "User secrets created."
@@ -0,0 +1,15 @@
+helm upgrade --install \
+  cert-manager \
+  oci://quay.io/jetstack/charts/cert-manager \
+  --kube-context "${K8S_CTX}" \
+  --namespace "${CERT_MANAGER_NAMESPACE}" \
+  --create-namespace \
+  --set crds.enabled=true
+
+for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
+  kubectl --context "${K8S_CTX}" \
+    -n "${CERT_MANAGER_NAMESPACE}" \
+    wait --for=condition=Available "deployment/${deployment}" --timeout=300s
+done
+
+echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."
@@ -0,0 +1,60 @@
+# Bootstrap a self-signed ClusterIssuer that will mint the CA material consumed by
+# the MongoDBCommunity deployment.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+spec:
+  selfSigned: {}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}"
+
+# Create the CA certificate and secret in the cert-manager namespace.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_TLS_CA_CERT_NAME}
+  namespace: ${CERT_MANAGER_NAMESPACE}
+spec:
+  isCA: true
+  commonName: ${MDB_TLS_CA_CERT_NAME}
+  secretName: ${MDB_TLS_CA_SECRET_NAME}
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+    kind: ClusterIssuer
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}"
+
+# Publish a cluster-scoped issuer that fronts the generated CA secret so all namespaces can reuse it.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_CA_ISSUER}
+spec:
+  ca:
+    secretName: ${MDB_TLS_CA_SECRET_NAME}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}"
+
+TMP_CA_CERT="$(mktemp)"
+
+kubectl --context "${K8S_CTX}" \
+  get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" \
+  -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_CA_CERT}"
+
+# Expose the CA bundle through a ConfigMap for workloads and the MongoDBCommunity resource.
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+  --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" \
+  --from-file=ca.crt="${TMP_CA_CERT}" \
+  --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+echo "Cluster-wide CA issuer ${MDB_TLS_CA_ISSUER} is ready."
@@ -0,0 +1,70 @@
+server_certificate="${MDB_RESOURCE_NAME}-server-tls"
+search_certificate="${MDB_RESOURCE_NAME}-search-tls"
+
+mongo_dns_names=()
+for ((member = 0; member < ${MDB_MEMBERS}; member++)); do
+  mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}")
+  mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local")
+done
+mongo_dns_names+=(
+  "${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+  "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+)
+
+search_dns_names=(
+  "${MDB_RESOURCE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+)
+
+render_dns_list() {
+  local dns_list=("$@")
+  for dns in "${dns_list[@]}"; do
+    printf "      - \"%s\"\n" "${dns}"
+  done
+}
+
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${server_certificate}
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${mongo_dns_names[@]}")
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${search_certificate}
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${search_dns_names[@]}")
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${server_certificate}" --timeout=300s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${search_certificate}" --timeout=300s
+
+echo "MongoDB TLS certificates have been issued."
@@ -2,12 +2,18 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodbcommunity.mongodb.com/v1
 kind: MongoDBCommunity
 metadata:
-  name: mdbc-rs
+  name: ${MDB_RESOURCE_NAME}
 spec:
   version: ${MDB_VERSION}
   type: ReplicaSet
-  members: 3
+  members: ${MDB_MEMBERS}
   security:
+    tls:
+      enabled: true
+      certificateKeySecretRef:
+        name: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+      caConfigMapRef:
+        name: ${MDB_TLS_CA_CONFIGMAP}
     authentication:
       ignoreUnknownUsers: true
       modes:
@@ -68,8 +74,8 @@ spec:
       db: admin
       # a reference to the secret that will be used to generate the user's password
       passwordSecretRef:
-        name: mdbc-rs-search-sync-source-password
-      scramCredentialsSecretName: mdbc-rs-search-sync-source
+        name: ${MDB_RESOURCE_NAME}-search-sync-source-password
+      scramCredentialsSecretName: ${MDB_RESOURCE_NAME}-search-sync-source
       roles:
         - name: searchCoordinator
           db: admin

@@ -2,8 +2,12 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodb.com/v1
 kind: MongoDBSearch
 metadata:
-  name: mdbc-rs
+  name: ${MDB_RESOURCE_NAME}
 spec:
+  security:
+    tls:
+      certificateKeySecretRef:
+        name: ${MDB_SEARCH_TLS_SECRET_NAME}
   resourceRequirements:
     limits:
       cpu: "3"

@@ -1,3 +1,3 @@
 echo "Waiting for MongoDBSearch resource to reach Running phase..."
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
-  --for=jsonpath='{.status.phase}'=Running mdbs/mdbc-rs --timeout=300s
+  --for=jsonpath='{.status.phase}'=Running mdbs/"${MDB_RESOURCE_NAME}" --timeout=300s
@@ -1,3 +1,7 @@
 echo "Waiting for MongoDBCommunity resource to reach Running phase..."
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
   --for=jsonpath='{.status.phase}'=Running mdbc/mdbc-rs --timeout=400s
+echo; echo "MongoDBCommunity resource"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get mdbc/mdbc-rs
+echo; echo "Pods running in cluster ${K8S_CTX}"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods
@@ -4,6 +4,21 @@ export K8S_CTX="<local cluster context>"
 # the following namespace will be created if not exists
 export MDB_NS="mongodb"
 
+# MongoDBCommunity resource name referenced throughout the guide
+export MDB_RESOURCE_NAME="mdbc-rs"
+# Number of replica set members deployed in the sample MongoDBCommunity
+export MDB_MEMBERS=3
+
+# TLS-related secret names used for MongoDBCommunity and MongoDBSearch
+export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
+export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
+export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
+
+export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
+export MDB_TLS_SELF_SIGNED_ISSUER="${MDB_RESOURCE_NAME}-selfsigned-cluster-issuer"
+export MDB_TLS_CA_CERT_NAME="${MDB_RESOURCE_NAME}-selfsigned-ca"
+export MDB_TLS_CA_ISSUER="${MDB_RESOURCE_NAME}-cluster-issuer"
+
 # minimum required MongoDB version for running MongoDB Search is 8.2.0
 export MDB_VERSION="8.2.0"
 
@@ -18,4 +33,7 @@ export OPERATOR_HELM_CHART="mongodb/mongodb-kubernetes"
 # comma-separated key=value pairs for additional parameters passed to the helm-chart installing the operator
 export OPERATOR_ADDITIONAL_HELM_VALUES=""
 
-export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@mdbc-rs-0.mdbc-rs-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=mdbc-rs"
+# TLS is mandatory; connection string must include tls=true
+export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
+
+export CERT_MANAGER_NAMESPACE="cert-manager"
@@ -11,13 +11,19 @@ cd "${script_dir}"
 
 prepare_snippets
 
+run 01_0040_validate_env.sh
 run 01_0045_create_namespaces.sh
 run 01_0046_create_image_pull_secrets.sh
 run 01_0048_configure_prerelease_image_pullsecret.sh
 run_for_output 01_0090_helm_add_mogodb_repo.sh
 run_for_output 01_0100_install_operator.sh
 run_for_output 01_0110_wait_for_operator_deployment.sh
 run 01_0305_create_mongodb_community_user_secrets.sh
+
+run 01_0306_install_cert_manager.sh
+run 01_0307_prepare_cert_manager_issuer.sh
+run 01_0308_issue_tls_certificates.sh
+
 run 01_0310_create_mongodb_community_resource.sh
 run_for_output 01_0315_wait_for_community_resource.sh
 run 01_0320_create_mongodb_search_resource.sh

@@ -11,9 +11,20 @@ spec:
     image: mongodb/mongodb-community-server:${MDB_VERSION%-ent}-ubi8
     command: ["/bin/bash", "-c"]
     args: ["sleep infinity"]
+    volumeMounts:
+    - name: mongo-ca
+      mountPath: /tls
+      readOnly: true
   restartPolicy: Never
+  volumes:
+  - name: mongo-ca
+    configMap:
+      name: ${MDB_TLS_CA_CONFIGMAP}
+      optional: true
+      items:
+      - key: ca.crt
+        path: ca.crt
 EOF
 
 echo "Waiting for the mongodb-tools to be ready..."
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
-  --for=condition=Ready pod/mongodb-tools-pod --timeout=60s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready pod/mongodb-tools-pod --timeout=60s
@@ -1,8 +1,9 @@
+# Restore sample_mflix database. Provide any TLS parameters directly within MDB_CONNECTION_STRING.
 kubectl exec -n "${MDB_NS}" --context "${K8S_CTX}" \
-  mongodb-tools-pod -- /bin/bash -eu -c "$(cat <<EOF
+  mongodb-tools-pod -- env MDB_CONNECTION_STRING="${MDB_CONNECTION_STRING}" /bin/bash -eu -c "$(cat <<'EOF'
 echo "Downloading sample database archive..."
-curl https://atlas-education.s3.amazonaws.com/sample_mflix.archive \
-  -o /tmp/sample_mflix.archive
+curl -fSL https://atlas-education.s3.amazonaws.com/sample_mflix.archive -o /tmp/sample_mflix.archive
+
 echo "Restoring sample database"
 mongorestore \
   --archive=/tmp/sample_mflix.archive \

@@ -1,5 +1,4 @@
 kubectl exec --context "${K8S_CTX}" -n "${MDB_NS}" mongodb-tools-pod -- \
-  mongosh --quiet \
-    "${MDB_CONNECTION_STRING}" \
+  mongosh --quiet "${MDB_CONNECTION_STRING}" \
     --eval "use sample_mflix" \
     --eval 'db.movies.createSearchIndex("default", { mappings: { dynamic: true } });'
@@ -15,6 +15,14 @@
 # user only for the connection string in MDB_CONNECTION_STRING env var below
 #export MDB_RESOURCE_NAME="mdbc-rs"
 
+# TLS-related resources used by the snippets in this module
+#export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
+#export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
+#export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
+#export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
+
 # default connection string if MongoDB database is deployed using the operator
 #export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}"
+# To enable TLS for the shared snippets, append driver options directly to the connection string, for example:
+#export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=%2Ftls%2Fca.crt"
 
@@ -31,7 +31,6 @@ echo "Sourcing env variables for ${CODE_SNIPPETS_FLAVOR} flavor"
 test -f "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh" && source "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh"
 
 export MDB_RESOURCE_NAME="mdbc-rs"
-export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}"
+export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
 
 ${test_dir}/test.sh
-