mongodb · lsierant · Jul 4, 2025 · Jul 8, 2025 · Jul 10, 2025 · Jul 14, 2025
@@ -1285,3 +1285,18 @@ tasks:
     tags: ["patch-run"]
     commands:
       - func: "e2e_test"
+
+  - name: e2e_search_community_tls
+    tags: ["patch-run"]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_external_basic
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
+  - name: e2e_search_external_tls
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
@@ -688,6 +688,9 @@ task_groups:
     tasks:
       - e2e_community_replicaset_scale
       - e2e_search_community_basic
+      - e2e_search_community_tls
+      - e2e_search_external_basic
+      - e2e_search_external_tls
 
   # This is the task group that contains all the tests run in the e2e_mdb_kind_ubuntu_cloudqa build variant
   - name: e2e_mdb_kind_cloudqa_task_group

@@ -1,6 +1,8 @@
 package search
 
 import (
+	"fmt"
+
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 
@@ -14,30 +16,76 @@ import (
 )
 
 const (
-	MongotDefaultPort        = 27027
-	MongotDefaultMetricsPort = 9946
+	MongotDefaultPort               = 27027
+	MongotDefaultMetricsPort        = 9946
+	MongotDefautHealthCheckPort     = 8080
+	MongotDefaultSyncSourceUsername = "search-sync-source"
 )
 
 func init() {
 	v1.SchemeBuilder.Register(&MongoDBSearch{}, &MongoDBSearchList{})
 }
 
 type MongoDBSearchSpec struct {
+	// Optional version of MongoDB Search component (mongot). If not set, then the operator will set the most appropriate version of MongoDB Search.
 	// +optional
 	Version string `json:"version"`
+	// MongoDB database connection details from which MongoDB Search will synchronize data to build indexes.
 	// +optional
 	Source *MongoDBSource `json:"source"`
+	// StatefulSetSpec which the operator will apply to the MongoDB Search StatefulSet at the end of the reconcile loop. Use to provide necessary customizations,
+	// which aren't exposed as fields in the MongoDBSearch.spec.
 	// +optional
 	StatefulSetConfiguration *common.StatefulSetConfiguration `json:"statefulSet,omitempty"`
+	// Configure MongoDB Search's persistent volume. If not defined, the operator will request 10GB of storage.
 	// +optional
 	Persistence *common.Persistence `json:"persistence,omitempty"`
+	// Configure resource requests and limits for the MongoDB Search pods.
 	// +optional
 	ResourceRequirements *corev1.ResourceRequirements `json:"resourceRequirements,omitempty"`
+	// Configure security settings of the MongoDB Search server that MongoDB database is connecting to when performing search queries.
+	// +optional
+	Security Security `json:"security"`
 }
 
 type MongoDBSource struct {
 	// +optional
 	MongoDBResourceRef *userv1.MongoDBResourceRef `json:"mongodbResourceRef,omitempty"`
+	// +optional
+	ExternalMongoDBSource *ExternalMongoDBSource `json:"external,omitempty"`
+	// +optional
+	PasswordSecretRef *userv1.SecretKeyRef `json:"passwordSecretRef,omitempty"`
+	// +optional
+	Username *string `json:"username,omitempty"`
+}
+
+type ExternalMongoDBSource struct {
+	HostAndPorts        []string             `json:"hostAndPorts,omitempty"`
+	KeyFileSecretKeyRef *userv1.SecretKeyRef `json:"keyFileSecretRef,omitempty"` // This is the mongod credential used to connect to the external MongoDB deployment
+	// +optional
+	TLS *ExternalMongodTLS `json:"tls,omitempty"` // TLS configuration for the external MongoDB deployment
+}
+
+type ExternalMongodTLS struct {
+	Enabled bool `json:"enabled"`
+	// +optional
+	CA *corev1.LocalObjectReference `json:"ca,omitempty"`
+}
+
+type Security struct {
+	// +optional
+	TLS TLS `json:"tls"`
+}
+
+type TLS struct {
+	Enabled bool `json:"enabled"`
+	// CertificateKeySecret is a reference to a Secret containing a private key and certificate to use for TLS.
+	// The key and cert are expected to be PEM encoded and available at "tls.key" and "tls.crt".
+	// This is the same format used for the standard "kubernetes.io/tls" Secret type, but no specific type is required.
+	// Alternatively, an entry tls.pem, containing the concatenation of cert and key, can be provided.
+	// If all of tls.pem, tls.crt and tls.key are present, the tls.pem one needs to be equal to the concatenation of tls.crt and tls.key
+	// +optional
+	CertificateKeySecret corev1.LocalObjectReference `json:"certificateKeySecretRef"`
 }
 
 type MongoDBSearchStatus struct {
@@ -105,6 +153,25 @@ func (s *MongoDBSearch) MongotConfigConfigMapNamespacedName() types.NamespacedNa
 	return types.NamespacedName{Name: s.Name + "-search-config", Namespace: s.Namespace}
 }
 
+func (s *MongoDBSearch) SourceUserPasswordSecretRef() *userv1.SecretKeyRef {
+	if s.Spec.Source != nil && s.Spec.Source.PasswordSecretRef != nil {
+		return s.Spec.Source.PasswordSecretRef
+	}
+
+	return &userv1.SecretKeyRef{
+		Name: fmt.Sprintf("%s-%s-password", s.Name, MongotDefaultSyncSourceUsername),
+		Key:  "password",
+	}
+}
+
+func (s *MongoDBSearch) SourceUsername() string {
+	if s.Spec.Source != nil && s.Spec.Source.Username != nil {
+		return *s.Spec.Source.Username
+	}
+
+	return MongotDefaultSyncSourceUsername
+}
+
 func (s *MongoDBSearch) StatefulSetNamespacedName() types.NamespacedName {
 	return types.NamespacedName{Name: s.Name + "-search", Namespace: s.Namespace}
 }
@@ -118,13 +185,17 @@ func (s *MongoDBSearch) GetOwnerReferences() []metav1.OwnerReference {
 	return []metav1.OwnerReference{ownerReference}
 }
 
-func (s *MongoDBSearch) GetMongoDBResourceRef() userv1.MongoDBResourceRef {
+func (s *MongoDBSearch) GetMongoDBResourceRef() *userv1.MongoDBResourceRef {
+	if s.IsExternalMongoDBSource() {
+		return nil
+	}
+
 	mdbResourceRef := userv1.MongoDBResourceRef{Namespace: s.Namespace, Name: s.Name}
 	if s.Spec.Source != nil && s.Spec.Source.MongoDBResourceRef != nil && s.Spec.Source.MongoDBResourceRef.Name != "" {
 		mdbResourceRef.Name = s.Spec.Source.MongoDBResourceRef.Name
 	}
 
-	return mdbResourceRef
+	return &mdbResourceRef
 }
 
 func (s *MongoDBSearch) GetMongotPort() int32 {
@@ -134,3 +205,22 @@ func (s *MongoDBSearch) GetMongotPort() int32 {
 func (s *MongoDBSearch) GetMongotMetricsPort() int32 {
 	return MongotDefaultMetricsPort
 }
+
+// TLSSecretNamespacedName will get the namespaced name of the Secret containing the server certificate and key
+func (s *MongoDBSearch) TLSSecretNamespacedName() types.NamespacedName {
+	return types.NamespacedName{Name: s.Spec.Security.TLS.CertificateKeySecret.Name, Namespace: s.Namespace}
+}
+
+// TLSOperatorSecretNamespacedName will get the namespaced name of the Secret created by the operator
+// containing the combined certificate and key.
+func (s *MongoDBSearch) TLSOperatorSecretNamespacedName() types.NamespacedName {
+	return types.NamespacedName{Name: s.Name + "-search-certificate-key", Namespace: s.Namespace}
+}
+
+func (s *MongoDBSearch) GetMongotHealthCheckPort() int32 {
+	return MongotDefautHealthCheckPort
+}
+
+func (s *MongoDBSearch) IsExternalMongoDBSource() bool {
+	return s.Spec.Source != nil && s.Spec.Source.ExternalMongoDBSource != nil
+}