CLOUDP-90359: Tested split-horizon and added docs (#629)

* CLOUDP-90359: Tested split-horizon and added docs

Tested split horizon, added docs and example manifests for deploying MongoDB with external access.

* CLOUDP-90359: Added kube-linter annotation to ignore

Added kube-linter annotation to ignore external_services.yaml

* CLOUDP-90359: Fixed annotation

Fixed kube-linter annotation

* Update docs/external_access.md

Co-authored-by: Nikolas De Giorgis <[email protected]>

* CLOUDP-90359: Implemented PR feedback

Removed namespaces from yml files, corrected cert retrieval step, misc other changes

Co-authored-by: Nikolas De Giorgis <[email protected]>

Author: priyolahiri

config/samples/external_access/cert-manager-certificate.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: cert-manager-certificate
+spec:
+  secretName: mongodb-tls
+  issuerRef:
+    name: ca-issuer
+    kind: Issuer
+  commonName: "*.<mongodb-name>-svc.<your-namespace>.svc.cluster.local"
+  dnsNames:
+  - "*.<mongodb-name>-svc.<your-namespace>.svc.cluster.local"
+  - <domain-rs-1>
+  - <domain-rs-2>
+  - <domain-rs-3>

config/samples/external_access/cert-manager-issuer.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: ca-issuer
+spec:
+  ca:
+    secretName: ca-key-pair

config/samples/external_access/external_services.yaml

@@ -0,0 +1,53 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: external-mongo-service-0
+  annotations:
+    kube-linter.io/ignore-all: "used for sample"
+spec:
+  type: NodePort
+  selector:
+    app: <mongodb-name>-svc
+    statefulset.kubernetes.io/pod-name: <mongodb-name>-0
+  ports:
+    - protocol: TCP
+      nodePort: 31181
+      port: 31181
+      targetPort: 27017
+
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: external-mongo-service-1
+  annotations:
+    kube-linter.io/ignore-all: "used for sample"
+spec:
+  type: NodePort
+  selector:
+    app: <mongodb-name>-svc
+    statefulset.kubernetes.io/pod-name: <mongodb-name>-1
+  ports:  
+    - nodePort: 31182
+      port: 31182
+      targetPort: 27017
+
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: external-mongo-service-2
+  annotations:
+    kube-linter.io/ignore-all: "used for sample"
+spec:
+  type: NodePort
+  selector:
+    app: <mongodb-name>-svc
+    statefulset.kubernetes.io/pod-name: <mongodb-name>-2
+  ports:  
+    - nodePort: 31183
+      port: 31183
+      targetPort: 27017

config/samples/external_access/mongodb.com_v1_mongodbcommunity_cr.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+  name: <mongodb-name>
+spec:
+  members: 3
+  type: ReplicaSet
+  version: "4.2.6"
+  replicaSetHorizons:
+  - horizon: <domain-rs-1>:31181
+  - horizon: <domain-rs-2>:31182
+  - horizon: <domain-rs-3>:31183
+  security:
+    tls:
+      enabled: true
+      certificateKeySecretRef:
+        name: mongodb-tls
+      caConfigMapRef:
+        name: ca-config-map
+    authentication:
+      modes: ["SCRAM"]
+  users:
+    - name: my-user
+      db: admin
+      passwordSecretRef: # a reference to the secret that will be used to generate the user's password
+        name: my-user-password
+      roles:
+        - name: clusterAdmin
+          db: admin
+        - name: userAdminAnyDatabase
+          db: admin
+      scramCredentialsSecretName: my-scram
+
+
+# the user credentials will be generated from this secret
+# once the credentials are generated, this secret is no longer required
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-user-password
+type: Opaque
+stringData:
+  password: <your-admin-password>
+

docs/external_access.md

@@ -0,0 +1,88 @@
+## Enabling External Access to MongoDB deployment
+
+This guide assumes that the operator is installed and a MongoDB deployment is yet to be done but you have a chosen namespace that you are installing into. We will install cert-manager and then generate certificates and configure split-horizon to support internal and external DNS names for configuring external access to the replicaset.
+
+### Install cert-manager
+
+```sh
+kubectl create namespace cert-manager
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+helm install \
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --version v1.3.1 \
+  --set installCRDs=true
+```
+
+### Install mkcert and generate CA
+
+```sh
+brew install mkcert # for Mac
+#for Linux / Windows systems look at https://github.com/FiloSottile/mkcert
+mkcert -install
+```
+
+Execute ```mkcert --CAROOT``` to note the location of the generated root CA key and cert.
+
+### Retrieve the CA and create configmaps and secrets
+
+Use the files that you found in the previous step. Replace ```<your-namespace>``` with your chosen namespace
+
+```sh
+kubectl create configmap ca-config-map --from-file=ca.crt --namespace <your-namespace>
+
+kubectl create secret tls ca-key-pair  --cert=ca.crt  --key=ca.key --namespace <your-namespace>
+```
+
+### Create the Cert Manager issuer and secret
+
+Edit the file ```cert-manager-certificate.yaml``` to replace ```<mongodb-name>``` with your MongoDB deployment name. Also replace ```<domain-rs-1>```, ```<domain-rs-2>```, and ```<domain-rs-3>``` with the external FQDNs of the MongoDB replicaset members. Please remember that you will have to add an equal number of entries for each member of the replicaset.
+
+Apply the manifests. Replace ```<your-namespace>``` with the namespace you are using for the deployment.
+
+```sh
+kubectl apply -f config/samples/external_access/cert-manager-issuer.yaml --namespace <your-namespace>
+kubectl apply -f config/samples/external_access/cert-manager-certificate.yaml --namespace <your-namespace>
+```
+
+### Create the MongoDB deployment
+
+Edit ```config/samples/external_access/mongodb.com_v1_mongodbcommunity_cr.yaml```. Replace <mongodb-name> with the desired MongoDB deployment name -- this should be the same as in the previous step. Replace ```<domain-rs-1>```, ```<domain-rs-2>```, and ```<domain-rs-3>``` with the external FQDNs of the MongoDB replicaset members. Please remember that you should have the same number of entries in this section as the number of your replicaset members. You can also edit the ports for external access to your preferred numbers in this section -- you will have to remember to change them in the next step too. Change ```<your-admin-password>``` to your desired admin password for MongoDB.
+
+Apply the manifest.
+
+```sh
+kubectl apply -f config/samples/external_access/mongodb.com_v1_mongodbcommunity_cr.yaml
+```
+
+Wait for the replicaset to be available.
+
+### Create the external NodePort services for accessing the MongoDB deployment from outside the Kubernetes cluster
+
+Edit ```config/samples/external_access/external_services.yaml``` and replace ```<mongodb-name>``` with the MongoDB deployment name that you have used in the preceeding steps. You can change the ```nodePort``` and ```port``` to reflect the changes (if any) you have made in the previous steps.
+
+Apply the manifest.
+
+```sh
+kubectl apply -f config/samples/external_access/external_services.yaml
+```
+
+### Retrieve the certificates from a MongoDB replicaset member
+
+```sh
+kubectl exec --namespace mcommunity -it <mongodb-name>-0 -c mongod -- bash
+```
+
+Once inside the container ```cat``` and copy the contents of the ```.pem``` file in ```/var/lib/tls/server``` into a file on your local system.
+
+### Connect to the MongoDB deployment from outside the Kubernetes cluster
+
+This is an example to connect to the MongoDB cluster with Mongo shell. Use the CA from ```mkcert``` and the certificate from the previous step. Replace the values in the command from the preceeding steps.
+
+```sh
+mongosh --tls --tlsCAfile ca.crt --tlsCertificateKeyFile key.pem --username my-user --password <your-admin-password> mongodb://<domain-rs-1>:31181,<domain-rs-2>:31182,<domain-rs-3>:31183
+```
+
+### Conclusion
+At this point, you should be able to connect to the MongoDB deployment from outside the cluster. Make sure that you can resolve to the FQDNs for the replicaset members where you have the Mongo client installed.