CLOUDP-392735: Search: support multiple mongots and envoy load balancer (#817)

<!-- start git-machete generated -->

# Based on PR #806

## Chain of upstream PRs as of 2026-03-23

* PR #806:
  `master` <- `search/base`

  * **PR #817 (THIS ONE)**:
    `search/base` <- `search/multiple-mongot`

<!-- end git-machete generated -->

# Summary

This PR adds support for **multiple mongot instances** per MongoDB
source, with L7 load balancing and sharded cluster integration. It
builds on `search/base` (#806) and introduces three major capabilities:

1. **Multiple mongot replicas** with managed (Envoy) or unmanaged (BYO)
load balancing
2. **Sharded cluster support** for both operator-managed and external
MongoDB
3. **X509 client certificate authentication** for mongot-to-MongoDB sync
source connections
4. **JVM flags** for mongot process configuration

---

## API/CRD Changes

The `MongoDBSearch` CRD gains the following new fields:

```yaml
spec:
  # New: Load balancer configuration (exactly one of managed/unmanaged must be set)
  loadBalancer:                          # was: spec.lb with mode enum
    managed:                             # operator-deployed Envoy proxy
      externalHostname: "..."            # SNI hostname, supports {shardName} placeholder
      resourceRequirements: { ... }      # Envoy container resources (default: 100m/128Mi req, 500m/512Mi lim)
      deployment: { ... }               # Envoy Deployment overrides (same convention as spec.statefulSet)
    unmanaged:                           # BYO L7 load balancer
      endpoint: "lb.example.com:27029"   # supports {shardName} placeholder for sharded

  # New: X509 client certificate auth for sync source (mutually exclusive with username/password)
  source:
    x509:
      clientCertificateSecretRef:
        name: "mongot-x509-cert"       # Secret with tls.crt, tls.key (required), tls.keyFilePassword (optional)

  # New: JVM flags for mongot
  jvmFlags: ["-Xms2g", "-Xmx2g"]

  # New: External sharded cluster source
  source:
    external:
      shardedCluster:
        router:
          hosts: ["mongos-0.example.com:27017"]
        shards:
          - shardName: "shard-0"
            hosts: ["shard0-rs0.example.com:27017"]
          - shardName: "shard-1"
            hosts: ["shard1-rs0.example.com:27017"]
```

Key structural change: `spec.lb.mode` (Managed/Unmanaged enum) was
replaced with `spec.loadBalancer.managed` /
`spec.loadBalancer.unmanaged` (mutually exclusive sub-objects, enforced
via CEL validation).

---

## Resource Naming Conventions

All search resource names include a hardcoded `-0-` cluster index to
reserve the naming scheme for future multi-cluster support.

### ReplicaSet (Non-Sharded) Resources

| Resource | Name Pattern |
|----------|-------------|
| StatefulSet | `{name}-search` |
| Headless Service | `{name}-search-svc` |
| ConfigMap | `{name}-search-config` |
| TLS Secret | `[{prefix}-]{name}-search-0-cert` |
| TLS Client Secret | `[{prefix}-]{name}-search-0-client-cert` |
| X509 Client Cert Secret | `{name}-x509-client-cert` |
| Proxy Service (Envoy) | `{name}-search-0-proxy-svc` |
| LB Deployment | `{name}-search-lb-0` |
| LB ConfigMap | `{name}-search-lb-0-config` |
| LB Server Cert | `[{prefix}-]{name}-search-lb-0-cert` |
| LB Client Cert | `[{prefix}-]{name}-search-lb-0-client-cert` |

### Sharded Resources (Per-Shard)

| Resource | Name Pattern |
|----------|-------------|
| StatefulSet | `{name}-search-0-{shard}` |
| Headless Service | `{name}-search-0-{shard}-svc` |
| ConfigMap | `{name}-search-0-{shard}-config` |
| TLS Secret | `[{prefix}-]{name}-search-0-{shard}-cert` |
| Proxy Service (Envoy) | `{name}-search-0-{shard}-proxy-svc` |
| LB Server Cert (per-shard) |
`[{prefix}-]{name}-search-lb-0-{shard}-cert` |

---

## Architecture

### Reconciliation Paths

The `MongoDBSearchReconcileHelper` dispatches to:

- **`reconcileNonSharded`**: Creates a single set of resources (1
StatefulSet, 1 Service, 1 ConfigMap). All mongot pods connect to the
same RS host seeds.
- **`reconcileSharded`**: Creates per-shard resources -- one
StatefulSet, Service, ConfigMap, and TLS secret per shard. Each shard's
mongot connects to that shard's mongod hosts. A `Router` section in the
mongot config points to mongos for query routing.

### MongoDBSearchEnvoyReconciler (New Controller)

A dedicated controller that manages the Envoy proxy infrastructure when
`spec.loadBalancer.managed` is set:

- **ReplicaSet**: 1 Envoy Deployment + 1 ConfigMap + 1 ClusterIP proxy
Service
- **Sharded**: 1 Envoy Deployment + 1 ConfigMap + N ClusterIP proxy
Services (one per shard)

For sharded clusters, all shard routes are multiplexed through a
**single Envoy deployment** using SNI-based routing. Each shard gets a
dedicated proxy Service that resolves to the same Envoy pods. Envoy
reads the SNI hostname from the TLS ClientHello to route traffic to the
correct shard's mongot backend.

The controller:
- Watches `MongoDBSearch`, `MongoDB`, and `MongoDBCommunity` resources
- Owns Deployment and ConfigMap resources
- Returns early with `Pending` status if no routes can be configured
- Updates LB sub-status on the MongoDBSearch CR at every return path
- Uses TLS 1.3 exclusively for Envoy-to-mongot connections

### X509 Client Certificate Authentication

When `spec.source.x509` is configured, mongot authenticates to the
MongoDB sync source using x509 client certificates instead of
username/password:

- **Mutually exclusive** with `spec.source.passwordSecretRef` and
`spec.source.username` (enforced by validation)
- **Requires TLS** to be enabled on the sync source
- The operator reads the user-provided Secret (containing `tls.crt`,
`tls.key`, and optionally `tls.keyFilePassword`), combines them into an
operator-managed Secret (`{name}-x509-client-cert`), and mounts it into
the mongot container
- Mongot config is modified to clear username/password fields and set
`authSource: $external` with `x509.tlsCertificateKeyFile` pointing to
the mounted cert
- For sharded clusters, x509 config is applied to both the ReplicaSet
sync source and the Router section
- Optional key password support: if `tls.keyFilePassword` is present in
the Secret, it is mounted separately and referenced via
`tlsCertificateKeyFilePasswordFile`

The `x509AuthResource` adapter implements the `TLSConfigurableResource`
interface, allowing reuse of the existing `tls.EnsureTLSSecret`
infrastructure.

### Endpoint Resolution

How `mongod.setParameter.mongotHost` resolves for each topology + LB
mode:

| Topology | LB Mode | mongotHost |
|----------|---------|------------|
| RS | None (single replica) |
`{name}-search-svc.{ns}.svc.{domain}:27028` |
| RS | Unmanaged | User-provided `spec.loadBalancer.unmanaged.endpoint`
|
| RS | Managed | `{name}-search-0-proxy-svc.{ns}.svc.{domain}:27029` |
| Sharded | None | `{name}-search-0-{shard}-svc.{ns}.svc.{domain}:27028`
(per shard) |
| Sharded | Unmanaged | Endpoint template with `{shardName}` substituted
per shard |
| Sharded | Managed |
`{name}-search-0-{shard}-proxy-svc.{ns}.svc.{domain}:27029` (per shard)
|

### Sharded Controller Integration

The `mongodbshardedcluster_controller` is extended to watch
MongoDBSearch resources via `lookupCorrespondingSearchResource()`. It
applies search config to each shard via
`applySearchParametersForShards()`:
- Per-shard mongod config points to each shard's own mongot endpoint
- Mongos config gets `mongotHost` pointing to the first shard's endpoint

---

## Test Coverage

### E2E Tests (Python)

| # | Topology | Source | Mongot Count | LB Mode | Test File |
|---|----------|--------|-------------|---------|-----------|
| 1 | RS | External | Single | None |
`search_replicaset_external_mongodb_single_mongot.py` |
| 2 | RS | External | Multi | Unmanaged |
`search_replicaset_external_mongodb_multi_mongot_unmanaged_lb.py` |
| 3 | RS | Internal | Multi | Unmanaged |
`search_replicaset_internal_mongodb_multi_mongot_unmanaged_lb.py` |
| 4 | RS | External | Multi | Managed |
`search_replicaset_external_mongodb_multi_mongot_managed_lb.py` |
| 5 | RS | Internal | Multi | Managed |
`search_replicaset_internal_mongodb_multi_mongot_managed_lb.py` |
| 6 | RS | External | - | Proxy Svc |
`search_replicaset_external_mongodb_proxy_service.py` |
| 7 | RS | - | - | X509 | `search_mongot_replicaset_x509_auth.py` |
| 8 | RS | Community | Multi | Managed |
`search_community_auto_embedding_multi_mongot.py` |
| 9 | Sharded | Internal | Single | None |
`search_sharded_internal_mongodb_single_mongot.py` |
| 10 | Sharded | External | Single | None |
`search_sharded_external_mongodb_single_mongot.py` |
| 11 | Sharded | Internal | Multi | Unmanaged |
`search_sharded_internal_mongodb_multi_mongot_unmanaged_lb.py` |
| 12 | Sharded | External | Multi | Unmanaged |
`search_sharded_external_mongodb_multi_mongot_unmanaged_lb.py` |
| 13 | Sharded | Internal | Multi | Managed |
`search_sharded_internal_mongodb_multi_mongot_managed_lb.py` |
| 14 | Sharded | External (Ent) | Multi | Managed |
`search_sharded_enterprise_external_mongod_managed_lb.py` |

### Unit Tests (Go) 

| File | Lines | Coverage |
|------|-------|----------|
| `mongodbsearch_reconcile_helper_test.go` | 2,313 | Per-shard
mongod/mongos config, LB endpoint resolution, validation |
| `sharded_external_search_source_test.go` | 452 | External sharded
source, shard name validation, host lists |
| `enterprise_search_source_test.go` | 373 | Enterprise RS source, error
returns (no panic) |
| `envoy_config_builder_test.go` | 318 | Envoy JSON generation,
TLS/non-TLS, single/multi route |
| `mongodbsearch_validation_test.go` | 300 | Shard names, X509 auth
config |
| `mongodbsearchenvoy_controller_test.go` | 255 | Route building, pod
spec, deployment overrides |
| `mongodbsearch_validation_test.go` (api/) | 212 | JVM flags, LB
config, endpoint template |
| `search_construction_test.go` | 209 | StatefulSet construction, JVM
flags generation |
| `mongodbsearch_types_test.go` | 132 | Resource name generation |

---

## Other Changes

- **Error handling**: `panic()` calls in `HostSeeds()` implementations
replaced with `fmt.Errorf` returns across `enterprise_search_source.go`,
`external_search_source.go`, `community_search_source.go`
- **Keyfile handling**: Extracted `ensureKeyfileModification()` helper
to deduplicate keyfile blocks between `reconcileNonSharded` and
`reconcileSharded`
- **Endpoint resolution**: Extracted `mongotEndpointForShard()` helper
for consistent endpoint resolution across managed/unmanaged/direct modes
- **File renames**: `sharded_enterprise_search_source.go` renamed to
`sharded_internal_search_source.go` (struct
`ShardedInternalSearchSource`)
- **Changelog**: Consolidated all search changes into a single entry
(`20260318_feature_mongodbsearch_improvements.md`)
- **RBAC**: Added `deployments` permission to `apps` API group for Envoy
Deployment management
- **Helm chart**: New `MDB_ENVOY_IMAGE` env var for configuring the
Envoy container image
- **Readiness probe** for mongot containers
- **Auto-heap sizing**: JVM `-Xms`/`-Xmx` set to 50% of memory request
when not explicitly provided
- **Duplicate function consolidation**: `verify_rs_mongod_parameters`
consolidated into `replicaset_search_helper.py`
- **IsShardedEndpoint()**: Extracted helper method for checking sharded
endpoint configuration
- **Status updates**: `updateLBStatus()` patches LB sub-status on
MongoDBSearch CR at every reconcile return path
- **Test infrastructure**: `SearchDeploymentHelper`, `SearchTester`
factories, `search_resource_names` utilities, `ToolsPod` for in-cluster
mongorestore

---

## Known Limitations / Follow-ups

- **Envoy log level**: Currently hardcoded to `"info"` -- needs a
configurable field in `ManagedLBConfig`
- **`rs_search_helper.py`**: Should be consolidated into
`replicaset_search_helper.py` and removed
- **Reconcile loop tests**: `mongodbsearchenvoy_controller_test.go`
covers route building and pod spec but lacks full reconcile loop
integration tests
- **Test file naming**: Some test files don't follow a consistent naming
convention from the test matrix

## Checklist

- [ ] Have you linked a jira ticket and/or is the ticket in the title?
- [ ] Have you checked whether your jira ticket required DOCSP changes?
- [ ] Have you added changelog file?
    - use `skip-changelog` label if not needed
- refer to [Changelog files and Release
Notes](https://github.com/mongodb/mongodb-kubernetes/blob/master/CONTRIBUTING.md#changelog-files-and-release-notes)
section in [CONTRIBUTING.md](http://CONTRIBUTING.md) for more details

---------

Co-authored-by: Julien Benhaim <julien.benhaim@mongodb.com>
Co-authored-by: Vivek Singh <vsingh.ggits.2010@gmail.com>
Co-authored-by: Julien-Ben <33035980+Julien-Ben@users.noreply.github.com>
Co-authored-by: Anand <13899132+anandsyncs@users.noreply.github.com>
Co-authored-by: Claude Code <noreply@anthropic.com>
Co-authored-by: Vivek Singh <vivek.s@mongodb.com>

Author: 5 people

.evergreen-tasks.yml

@@ -1325,17 +1325,22 @@ tasks:
     commands:
       - func: "e2e_test"
 
+  - name: e2e_search_community_auto_embedding_multi_mongot
+    tags: ["patch-run"]
+    commands:
+      - func: "e2e_test"
+
   - name: e2e_search_community_tls
     tags: ["patch-run"]
     commands:
       - func: "e2e_test"
 
-  - name: e2e_search_external_basic
+  - name: e2e_search_community_external_mongod_basic
     tags: [ "patch-run" ]
     commands:
       - func: "e2e_test"
 
-  - name: e2e_search_external_tls
+  - name: e2e_search_community_external_mongod_tls
     tags: [ "patch-run" ]
     commands:
       - func: "e2e_test"
@@ -1355,7 +1360,66 @@ tasks:
     commands:
       - func: "e2e_test"
 
-  - name: e2e_search_sharded_external_mongod_single_mongot
+  - name: e2e_search_sharded_internal_mongodb_multi_mongot_unmanaged_lb
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_sharded_internal_mongodb_multi_mongot_managed_lb
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_replicaset_internal_mongodb_multi_mongot_managed_lb
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_replicaset_external_mongodb_multi_mongot_managed_lb
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_replicaset_external_mongodb_proxy_service
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_sharded_external_mongodb_multi_mongot_unmanaged_lb
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_sharded_enterprise_external_mongod_managed_lb
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_sharded_external_mongodb_single_mongot
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+  - name: e2e_search_replicaset_external_mongodb_single_mongot
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_replicaset_external_mongodb_multi_mongot_unmanaged_lb
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_replicaset_internal_mongodb_multi_mongot_unmanaged_lb
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_sharded_internal_mongodb_single_mongot
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_mongot_replicaset_x509_auth
     tags: [ "patch-run" ]
     commands:
       - func: "e2e_test"

.evergreen.yml

@@ -669,11 +669,6 @@ task_groups:
     <<: *setup_and_teardown_task
     tasks:
       - e2e_community_replicaset_scale
-      - e2e_search_community_basic
-      - e2e_search_community_auto_embedding
-      - e2e_search_community_tls
-      - e2e_search_external_basic
-      - e2e_search_external_tls
 
   # This is the task group that contains all the tests run in the e2e_mdb_kind_ubi_cloudqa build variant
   - name: e2e_mdb_kind_cloudqa_task_group
@@ -806,11 +801,85 @@ task_groups:
       - e2e_replica_set_oidc_workforce
       - e2e_sharded_cluster_oidc_m2m_group
       - e2e_sharded_cluster_oidc_m2m_user
-      # MongoDBSearch test group
+    <<: *teardown_group
+
+  # All MongoDBSearch tests that fit on large instances (mongot requires 2 CPU).
+  # Added to cloudqa-large variants.
+  - name: e2e_mdb_kind_search_task_group
+    max_hosts: -1
+    <<: *setup_group
+    <<: *setup_and_teardown_task_cloudqa
+    tasks:
+      - e2e_search_community_basic
+      - e2e_search_community_auto_embedding
+      - e2e_search_community_auto_embedding_multi_mongot
+      - e2e_search_community_tls
+      - e2e_search_community_external_mongod_basic
+      - e2e_search_community_external_mongod_tls
       - e2e_search_enterprise_basic
+      - e2e_search_replicaset_external_mongodb_single_mongot
+      - e2e_search_sharded_internal_mongodb_single_mongot
       - e2e_search_enterprise_tls
       - e2e_search_enterprise_x509_cluster_auth
-      - e2e_search_sharded_external_mongod_single_mongot
+      - e2e_search_sharded_external_mongodb_single_mongot
+      - e2e_search_sharded_external_mongodb_multi_mongot_unmanaged_lb
+      - e2e_search_replicaset_external_mongodb_multi_mongot_unmanaged_lb
+      - e2e_search_replicaset_internal_mongodb_multi_mongot_unmanaged_lb
+      - e2e_search_mongot_replicaset_x509_auth
+    <<: *teardown_group
+
+  # MongoDBSearch tests that require a large instance (multiple mongots per shard:
+  # 2 shards x 2 mongots x 2 CPU = 8 CPU). Added to cloudqa-large variants.
+  - name: e2e_mdb_kind_search_large_task_group
+    max_hosts: -1
+    <<: *setup_group
+    <<: *setup_and_teardown_task_cloudqa
+    tasks:
+      - e2e_search_sharded_internal_mongodb_multi_mongot_unmanaged_lb
+      - e2e_search_sharded_internal_mongodb_multi_mongot_managed_lb
+      - e2e_search_sharded_enterprise_external_mongod_managed_lb
+      - e2e_search_replicaset_internal_mongodb_multi_mongot_managed_lb
+      - e2e_search_replicaset_external_mongodb_multi_mongot_managed_lb
+      - e2e_search_replicaset_external_mongodb_proxy_service
+    <<: *teardown_group
+
+  # Same as e2e_mdb_kind_search_task_group but for om80 variants.
+  # Uses setup_and_teardown_task (not cloudqa) since ops_manager_version is not 'cloud_qa'.
+  - name: e2e_om80_kind_search_task_group
+    max_hosts: -1
+    <<: *setup_group
+    <<: *setup_and_teardown_task
+    tasks:
+      - e2e_search_community_basic
+      - e2e_search_community_auto_embedding
+      - e2e_search_community_auto_embedding_multi_mongot
+      - e2e_search_community_tls
+      - e2e_search_community_external_mongod_basic
+      - e2e_search_community_external_mongod_tls
+      - e2e_search_enterprise_basic
+      - e2e_search_replicaset_external_mongodb_single_mongot
+      - e2e_search_sharded_internal_mongodb_single_mongot
+      - e2e_search_enterprise_tls
+      - e2e_search_enterprise_x509_cluster_auth
+      - e2e_search_sharded_external_mongodb_single_mongot
+      - e2e_search_sharded_external_mongodb_multi_mongot_unmanaged_lb
+      - e2e_search_replicaset_external_mongodb_multi_mongot_unmanaged_lb
+      - e2e_search_replicaset_internal_mongodb_multi_mongot_unmanaged_lb
+      - e2e_search_mongot_replicaset_x509_auth
+    <<: *teardown_group
+
+  # Same as e2e_mdb_kind_search_large_task_group but for om80 variants.
+  # Uses setup_and_teardown_task (not cloudqa) since ops_manager_version is not 'cloud_qa'.
+  - name: e2e_om80_kind_search_large_task_group
+    max_hosts: -1
+    <<: *setup_group
+    <<: *setup_and_teardown_task
+    tasks:
+      - e2e_search_sharded_internal_mongodb_multi_mongot_unmanaged_lb
+      - e2e_search_sharded_internal_mongodb_multi_mongot_managed_lb
+      - e2e_search_replicaset_internal_mongodb_multi_mongot_managed_lb
+      - e2e_search_replicaset_external_mongodb_multi_mongot_managed_lb
+      - e2e_search_replicaset_external_mongodb_proxy_service
     <<: *teardown_group
 
   # this task group contains just a one task, which is smoke testing whether the operator
@@ -1241,8 +1310,6 @@ task_groups:
     <<: *setup_group
     <<: *setup_and_teardown_task
     tasks:
-      - e2e_search_enterprise_tls
-      - e2e_search_enterprise_x509_cluster_auth
       - e2e_om_ops_manager_backup_object_lock
     <<: *teardown_group
 
@@ -1361,6 +1428,26 @@ buildvariants:
     tasks:
       - name: e2e_custom_domain_task_group
 
+  - name: e2e_mdb_kind_ubi_cloudqa_large
+    display_name: e2e_mdb_kind_ubi_cloudqa_large
+    tags: [ "pr_patch", "staging", "e2e_test_suite", "cloudqa", "cloudqa_non_static" ]
+    run_on:
+      - ubuntu2404-large
+    <<: *base_no_om_image_dependency
+    tasks:
+      - name: e2e_mdb_kind_search_task_group
+      - name: e2e_mdb_kind_search_large_task_group
+
+  - name: e2e_static_mdb_kind_ubi_cloudqa_large
+    display_name: e2e_static_mdb_kind_ubi_cloudqa_large
+    tags: [ "pr_patch", "staging", "e2e_test_suite", "cloudqa", "static" ]
+    run_on:
+      - ubuntu2404-large
+    <<: *base_no_om_image_dependency
+    tasks:
+      - name: e2e_mdb_kind_search_task_group
+      - name: e2e_mdb_kind_search_large_task_group
+
   # We do not want to run openshift variants on every PR.
   - name: e2e_mdb_openshift_ubi_cloudqa
     display_name: e2e_mdb_openshift_ubi_cloudqa
@@ -1470,6 +1557,26 @@ buildvariants:
       - name: e2e_static_ops_manager_kind_6_0_only_task_group
       - name: e2e_ops_manager_upgrade_only_task_group
 
+  - name: e2e_om80_kind_ubi_large
+    display_name: e2e_om80_kind_ubi_large
+    tags: [ "pr_patch", "staging", "e2e_test_suite" ]
+    run_on:
+      - ubuntu2404-large
+    <<: *base_om8_dependency
+    tasks:
+      - name: e2e_om80_kind_search_task_group
+      - name: e2e_om80_kind_search_large_task_group
+
+  - name: e2e_static_om80_kind_ubi_large
+    display_name: e2e_static_om80_kind_ubi_large
+    tags: [ "pr_patch", "staging", "e2e_test_suite", "static" ]
+    run_on:
+      - ubuntu2404-large
+    <<: *base_om8_dependency
+    tasks:
+      - name: e2e_om80_kind_search_task_group
+      - name: e2e_om80_kind_search_large_task_group
+
   - name: e2e_operator_race_ubi_with_telemetry
     display_name: e2e_operator_race_ubi_with_telemetry
     tags: [ "staging", "e2e_test_suite", "race" ]

.pre-commit-config.yaml

@@ -129,6 +129,16 @@ repos:
             ^scripts/funcs/[^/]+$
           )
 
+  - repo: local
+    hooks:
+      - id: ty-search
+        name: ty (search tests)
+        entry: bash -c 'cd docker/mongodb-kubernetes-tests && uvx ty check tests/search/ tests/common/search/'
+        language: system
+        pass_filenames: false
+        files: docker/mongodb-kubernetes-tests/tests/(common/)?search/.*\.py$
+        stages: [pre-commit]
+
   - repo: https://github.com/golangci/golangci-lint
     rev: v2.0.2
     hooks:

LICENSE-THIRD-PARTY

@@ -1,12 +1,17 @@
 
+cel.dev/expr,v0.25.1,https://github.com/google/cel-spec/blob/v0.25.1/LICENSE,Apache-2.0
 github.com/Masterminds/semver/v3,v3.4.0,https://github.com/Masterminds/semver/blob/v3.4.0/LICENSE.txt,MIT
 github.com/beorn7/perks/quantile,v1.0.1,https://github.com/beorn7/perks/blob/v1.0.1/LICENSE,MIT
 github.com/blang/semver,v3.5.1,https://github.com/blang/semver/blob/v3.5.1/LICENSE,MIT
 github.com/cenkalti/backoff/v4,v4.3.0,https://github.com/cenkalti/backoff/blob/v4.3.0/LICENSE,MIT
 github.com/cenkalti/backoff/v5,v5.0.3,https://github.com/cenkalti/backoff/blob/v5.0.3/LICENSE,MIT
 github.com/cespare/xxhash/v2,v2.3.0,https://github.com/cespare/xxhash/blob/v2.3.0/LICENSE.txt,MIT
+github.com/cncf/xds/go,v0.0.0-20251210132809-ee656c7534f5,https://github.com/cncf/xds/blob/ee656c7534f5/go/LICENSE,Apache-2.0
 github.com/davecgh/go-spew/spew,v1.1.2-0.20180830191138-d8f796af33cc,https://github.com/davecgh/go-spew/blob/d8f796af33cc/LICENSE,ISC
 github.com/emicklei/go-restful/v3,v3.11.0,https://github.com/emicklei/go-restful/blob/v3.11.0/LICENSE,MIT
+github.com/envoyproxy/go-control-plane/envoy,v1.36.0,https://github.com/envoyproxy/go-control-plane/blob/envoy/v1.36.0/envoy/LICENSE,Apache-2.0
+github.com/envoyproxy/go-control-plane/pkg/wellknown,v0.14.0,https://github.com/envoyproxy/go-control-plane/blob/v0.14.0/LICENSE,Apache-2.0
+github.com/envoyproxy/protoc-gen-validate/validate,v1.3.0,https://github.com/envoyproxy/protoc-gen-validate/blob/v1.3.0/LICENSE,Apache-2.0
 github.com/evanphx/json-patch/v5,v5.9.11,https://github.com/evanphx/json-patch/blob/v5.9.11/v5/LICENSE,BSD-3-Clause
 github.com/fsnotify/fsnotify,v1.8.0,https://github.com/fsnotify/fsnotify/blob/v1.8.0/LICENSE,BSD-3-Clause
 github.com/fxamacker/cbor/v2,v2.7.0,https://github.com/fxamacker/cbor/blob/v2.7.0/LICENSE,MIT
@@ -74,7 +79,7 @@ go.uber.org/multierr,v1.11.0,https://github.com/uber-go/multierr/blob/v1.11.0/LI
 go.uber.org/zap,v1.27.1,https://github.com/uber-go/zap/blob/v1.27.1/LICENSE,MIT
 go.yaml.in/yaml/v2,v2.4.2,https://github.com/yaml/go-yaml/blob/v2.4.2/LICENSE,Apache-2.0
 gomodules.xyz/jsonpatch/v2,v2.4.0,https://github.com/gomodules/jsonpatch/blob/v2.4.0/v2/LICENSE,Apache-2.0
-google.golang.org/genproto/googleapis/api/httpbody,v0.0.0-20260209200024-4cfbd4190f57,https://github.com/googleapis/go-genproto/blob/4cfbd4190f57/googleapis/api/LICENSE,Apache-2.0
+google.golang.org/genproto/googleapis/api,v0.0.0-20260209200024-4cfbd4190f57,https://github.com/googleapis/go-genproto/blob/4cfbd4190f57/googleapis/api/LICENSE,Apache-2.0
 google.golang.org/genproto/googleapis/rpc,v0.0.0-20260209200024-4cfbd4190f57,https://github.com/googleapis/go-genproto/blob/4cfbd4190f57/googleapis/rpc/LICENSE,Apache-2.0
 google.golang.org/grpc,v1.79.3,https://github.com/grpc/grpc-go/blob/v1.79.3/LICENSE,Apache-2.0
 google.golang.org/protobuf,v1.36.11,https://github.com/protocolbuffers/protobuf-go/blob/v1.36.11/LICENSE,BSD-3-Clause

api/v1/mdb/mongodb_types.go

@@ -1678,6 +1678,14 @@ func (m *MongoDB) CalculateFeatureCompatibilityVersion() string {
 	return fcv.CalculateFeatureCompatibilityVersion(m.Spec.Version, m.Status.FeatureCompatibilityVersion, m.Spec.FeatureCompatibilityVersion)
 }
 
+func (m *MongoDB) ShardNames() []string {
+	shardNames := make([]string, m.Spec.ShardCount)
+	for shardIdx := 0; shardIdx < m.Spec.ShardCount; shardIdx++ {
+		shardNames[shardIdx] = m.ShardRsName(shardIdx)
+	}
+	return shardNames
+}
+
 func (m *MongoDbSpec) IsInChangeVersion(lastSpec *MongoDbSpec) bool {
 	if lastSpec != nil && (lastSpec.Version != m.Version) {
 		return true

api/v1/mdb/mongodb_validation.go

@@ -419,7 +419,7 @@ func specWithExactlyOneSchema(d DbCommonSpec) v1.ValidationResult {
 	}
 
 	if count != 1 {
-		return v1.ValidationError("must validate one and only one schema")
+		return v1.ValidationError("either spec.cloudManager or spec.opsManager can be set")
 	}
 	return v1.ValidationSuccess()
 }