mongodb · lsierant · Feb 18, 2026
@@ -121,6 +121,18 @@ tasks:
       - func: test_code_snippets
       - func: archive_snippets_output
 
+  - name: test_kind_search_sharded_enterprise_external_lb_snippets.sh
+    tags: [ "code_snippets", "patch-run" ]
+    commands:
+      - func: test_code_snippets
+      - func: archive_snippets_output
+
+  - name: test_kind_search_external_sharded_snippets.sh
+    tags: [ "code_snippets", "patch-run" ]
+    commands:
+      - func: test_code_snippets
+      - func: archive_snippets_output
+
 task_groups:
   - name: gke_code_snippets_task_group
     <<: *setup_and_teardown_group_gke_code_snippets
@@ -136,6 +148,8 @@ task_groups:
       - test_kind_search_community_snippets.sh
       - test_kind_search_enterprise_snippets.sh
       - test_kind_search_external_mongod_snippets.sh
+      - test_kind_search_sharded_enterprise_external_lb_snippets.sh
+      - test_kind_search_external_sharded_snippets.sh
 
 buildvariants:
   # These variants are used to test the code snippets and each one can be used in patches

@@ -1,10 +1,10 @@
 export K8S_CTX="kind-kind"
 
 # patch id from evergreen patch
-version_id="688de361d940720007dc0267"
+version_id="6969124ffd1e5d00076895fa"
 
-search_image_repo="268558157000.dkr.ecr.eu-west-1.amazonaws.com/mongot"
-search_image_hash="fbd60fb055dd500058edcb45677ea85d19421f47"
+#search_image_repo="268558157000.dkr.ecr.eu-west-1.amazonaws.com/mongot"
+#search_image_hash="fbd60fb055dd500058edcb45677ea85d19421f47"
 
 ecr="268558157000.dkr.ecr.us-east-1.amazonaws.com"
 declare -a helm_values=(
@@ -20,9 +20,9 @@ declare -a helm_values=(
 "initOpsManager.version=${version_id}"
 "initDatabase.version=${version_id}"
 "database.version=${version_id}"
-"search.community.repo=${search_image_repo}"
-"search.community.name=community"
-"search.community.version=${search_image_hash}"
+#"search.community.repo=${search_image_repo}"
+#"search.community.name=community"
+#"search.community.version=${search_image_hash}"
 )
 
 SCRIPT_PATH="${BASH_SOURCE[0]}"

@@ -0,0 +1,36 @@
+# Validate required environment variables
+required_vars=(
+  "K8S_CTX"
+  "MDB_NS"
+  "MDB_RESOURCE_NAME"
+  "MDB_SHARD_COUNT"
+  "MDB_MONGODS_PER_SHARD"
+  "MDB_MONGOS_COUNT"
+  "MDB_CONFIG_SERVER_COUNT"
+  "MDB_VERSION"
+  "OPS_MANAGER_API_URL"
+  "OPS_MANAGER_API_USER"
+  "OPS_MANAGER_API_KEY"
+  "OPS_MANAGER_ORG_ID"
+  "OPS_MANAGER_PROJECT_NAME"
+)
+
+for var in "${required_vars[@]}"; do
+  if [[ -z "${!var:-}" ]]; then
+    echo "Error: Required environment variable ${var} is not set"
+    exit 1
+  fi
+done
+
+# Default MDB_MONGOT_REPLICAS to 1 if not set
+export MDB_MONGOT_REPLICAS="${MDB_MONGOT_REPLICAS:-1}"
+
+echo "All required environment variables are set"
+echo "Sharded cluster configuration:"
+echo "  Shards: ${MDB_SHARD_COUNT}"
+echo "  Mongods per shard: ${MDB_MONGODS_PER_SHARD}"
+echo "  Mongot replicas per shard: ${MDB_MONGOT_REPLICAS}"
+
+if [[ "${MDB_MONGOT_REPLICAS}" -gt 1 ]]; then
+  echo "  Note: Multiple mongot replicas configured - external LB endpoints will be used"
+fi
@@ -0,0 +1,2 @@
+kubectl create namespace "${MDB_NS}" --context "${K8S_CTX}" --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" -f -
+
@@ -0,0 +1,4 @@
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" \
+    create secret generic "image-registries-secret" \
+      --from-file=.dockerconfigjson="${HOME}/.docker/config.json" --type=kubernetes.io/dockerconfigjson \
+      --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f -
@@ -0,0 +1,4 @@
+helm repo add mongodb https://mongodb.github.io/helm-charts
+helm repo update mongodb
+helm search repo mongodb/mongodb-kubernetes
+
@@ -0,0 +1,5 @@
+helm upgrade --install mongodb-kubernetes "${OPERATOR_HELM_CHART}" \
+  --kube-context "${K8S_CTX}" \
+  --namespace "${MDB_NS}" \
+  --set operator.watchNamespace="${MDB_NS}" \
+  ${OPERATOR_ADDITIONAL_HELM_VALUES:+--set ${OPERATOR_ADDITIONAL_HELM_VALUES}}
@@ -0,0 +1,24 @@
+# Create ConfigMap for Ops Manager/Cloud Manager project configuration
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: om-project
+data:
+  projectName: ${OPS_MANAGER_PROJECT_NAME}
+  baseUrl: ${OPS_MANAGER_API_URL}
+  orgId: ${OPS_MANAGER_ORG_ID}
+EOF
+
+# Create Secret for Ops Manager/Cloud Manager credentials
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: om-credentials
+type: Opaque
+stringData:
+  user: ${OPS_MANAGER_API_USER}
+  publicApiKey: ${OPS_MANAGER_API_KEY}
+EOF
+
@@ -0,0 +1,16 @@
+helm upgrade --install \
+  cert-manager \
+  oci://quay.io/jetstack/charts/cert-manager \
+  --kube-context "${K8S_CTX}" \
+  --namespace "${CERT_MANAGER_NAMESPACE}" \
+  --create-namespace \
+  --set crds.enabled=true
+
+for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
+  kubectl --context "${K8S_CTX}" \
+    -n "${CERT_MANAGER_NAMESPACE}" \
+    wait --for=condition=Available "deployment/${deployment}" --timeout=300s
+done
+
+echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."
+
@@ -0,0 +1,54 @@
+# Bootstrap a self-signed ClusterIssuer to mint the CA secret consumed by application workloads.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+spec:
+  selfSigned: {}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}"
+
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_TLS_CA_CERT_NAME}
+  namespace: ${CERT_MANAGER_NAMESPACE}
+spec:
+  isCA: true
+  commonName: ${MDB_TLS_CA_CERT_NAME}
+  secretName: ${MDB_TLS_CA_SECRET_NAME}
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+    kind: ClusterIssuer
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}"
+
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_CA_ISSUER}
+spec:
+  ca:
+    secretName: ${MDB_TLS_CA_SECRET_NAME}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}"
+
+TMP_CA_CERT="$(mktemp)"
+trap 'rm -f "${TMP_CA_CERT}"' EXIT
+
+kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_CA_CERT}"
+
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+  --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" \
+  --from-file=ca.crt="${TMP_CA_CERT}" \
+  --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
@@ -0,0 +1,164 @@
+# Generate TLS certificates for sharded cluster and MongoDBSearch
+#
+# For sharded clusters, the operator expects separate certificates for each component:
+# - certs-<name>-mongos-cert for mongos pods
+# - certs-<name>-config-cert for config server pods
+# - certs-<name>-<shard>-cert for each shard's mongod pods
+# - MongoDBSearch (mongot) pods - one per shard for external LB mode
+
+render_dns_list() {
+  local dns_list=("$@")
+  for dns in "${dns_list[@]}"; do
+    printf "      - \"%s\"\n" "${dns}"
+  done
+}
+
+# Create certificate for mongos
+mongos_dns_names=()
+for ((member = 0; member < MDB_MONGOS_COUNT; member++)); do
+  mongos_dns_names+=("${MDB_RESOURCE_NAME}-mongos-${member}")
+  mongos_dns_names+=("${MDB_RESOURCE_NAME}-mongos-${member}.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local")
+done
+mongos_dns_names+=(
+  "${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+  "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+)
+
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_RESOURCE_NAME}-mongos-tls
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_TLS_CERT_SECRET_PREFIX}-${MDB_RESOURCE_NAME}-mongos-cert
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${mongos_dns_names[@]}")
+EOF_MANIFEST
+
+# Create certificate for config servers
+config_dns_names=()
+for ((member = 0; member < MDB_CONFIG_SERVER_COUNT; member++)); do
+  config_dns_names+=("${MDB_RESOURCE_NAME}-config-${member}")
+  config_dns_names+=("${MDB_RESOURCE_NAME}-config-${member}.${MDB_RESOURCE_NAME}-cs.${MDB_NS}.svc.cluster.local")
+done
+config_dns_names+=(
+  "${MDB_RESOURCE_NAME}-cs.${MDB_NS}.svc.cluster.local"
+  "*.${MDB_RESOURCE_NAME}-cs.${MDB_NS}.svc.cluster.local"
+)
+
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_RESOURCE_NAME}-config-tls
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_TLS_CERT_SECRET_PREFIX}-${MDB_RESOURCE_NAME}-config-cert
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${config_dns_names[@]}")
+EOF_MANIFEST
+
+# Create certificate for each shard
+# Note: The operator uses mdb-sh-sh as the headless service for all shards
+for ((shard = 0; shard < MDB_SHARD_COUNT; shard++)); do
+  shard_dns_names=()
+  for ((member = 0; member < MDB_MONGODS_PER_SHARD; member++)); do
+    shard_dns_names+=("${MDB_RESOURCE_NAME}-${shard}-${member}")
+    # The operator uses mdb-sh-sh as the headless service for shards
+    shard_dns_names+=("${MDB_RESOURCE_NAME}-${shard}-${member}.${MDB_RESOURCE_NAME}-sh.${MDB_NS}.svc.cluster.local")
+  done
+  shard_dns_names+=(
+    "${MDB_RESOURCE_NAME}-sh.${MDB_NS}.svc.cluster.local"
+    "*.${MDB_RESOURCE_NAME}-sh.${MDB_NS}.svc.cluster.local"
+  )
+
+  kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_RESOURCE_NAME}-${shard}-tls
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_TLS_CERT_SECRET_PREFIX}-${MDB_RESOURCE_NAME}-${shard}-cert
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${shard_dns_names[@]}")
+EOF_MANIFEST
+done
+
+# Create per-shard certificates for MongoDBSearch (mongot)
+# Each shard gets its own certificate following the pattern: {prefix}-{shardName}-search-cert
+# This enables per-shard TLS where each mongot StatefulSet uses its own unique certificate
+for ((shard = 0; shard < MDB_SHARD_COUNT; shard++)); do
+  shard_name="${MDB_RESOURCE_NAME}-${shard}"
+
+  # Build DNS names for this shard's mongot services
+  shard_search_dns_names=(
+    "${MDB_RESOURCE_NAME}-mongot-${shard_name}-svc.${MDB_NS}.svc.cluster.local"
+    "*.${MDB_RESOURCE_NAME}-mongot-${shard_name}-svc.${MDB_NS}.svc.cluster.local"
+  )
+
+  kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${shard_name}-search-tls
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_SEARCH_TLS_CERT_PREFIX}-${shard_name}-search-cert
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${shard_search_dns_names[@]}")
+EOF_MANIFEST
+done
+
+# Wait for all certificates to be ready
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${MDB_RESOURCE_NAME}-mongos-tls" --timeout=300s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${MDB_RESOURCE_NAME}-config-tls" --timeout=300s
+for ((shard = 0; shard < MDB_SHARD_COUNT; shard++)); do
+  # Wait for shard mongod TLS certificate
+  kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${MDB_RESOURCE_NAME}-${shard}-tls" --timeout=300s
+  # Wait for per-shard search TLS certificate
+  kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${MDB_RESOURCE_NAME}-${shard}-search-tls" --timeout=300s
+done
+
+echo "TLS certificates created for sharded cluster and MongoDBSearch (per-shard)"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		kubectl create namespace "${MDB_NS}" --context "${K8S_CTX}" --dry-run=client -o yaml \| kubectl apply --context "${K8S_CTX}" -f -