(DOCSP-12507): Add MutualTLS options (#398)

melissamahoney-mongodb · jwilliams-mongo · commit 8e7938a34db2 · 2025-04-14T17:11:17.000-05:00
* (DOCSP-12507): Add MutualTLS options * Tech review
diff --git a/source/includes/options-k8s-replica-set.yaml b/source/includes/options-k8s-replica-set.yaml
@@ -338,6 +338,20 @@ inherit:
   file: options-k8s-shared.yaml
 ---
 program: k8sRsConf
+name: spec.security.authentication.requireClientTLSAuthentication
+inherit:
+  name: spec.security.authentication.requireClientTLSAuthentication
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
+name: spec.security.authentication.agents.clientCertificateSecretRef.name
+inherit:
+  name: spec.security.authentication.agents.clientCertificateSecretRef.name
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
 name: spec.security.authentication.enabled
 inherit:
   name: spec.security.authentication.enabled
diff --git a/source/includes/options-k8s-shared.yaml b/source/includes/options-k8s-shared.yaml
@@ -579,6 +579,21 @@ description: |
      Omit this setting if you want to manage authentication using the
      |com| UI or APIs.
 
+---
+program: _shared
+name: spec.security.authentication.requireClientTLSAuthentication
+type: boolean
+directive: setting
+optional: true
+default: "``false``"
+description: |
+
+  Specifies whether the MongoDB host requires clients to connect using a |tls| certificate. If ``true``, you must:
+
+  - Specify a certificate for the {+mdbagent+} in
+    :setting:`spec.security.authentication.agents.clientCertificateSecretRef.name`.
+  - Set :setting:`spec.security.tls.enabled` to ``true``.
+
 ---
 program: _shared
 name: spec.security.authentication.ignoreUnknownUsers
@@ -1043,6 +1058,31 @@ description: |
   ``LDAP``.
 ---
 program: _shared
+name: spec.security.authentication.agents.clientCertificateSecretRef.name
+type: string
+directive: setting
+optional: true
+description: |
+
+  Specifies the |k8s-secret| that contains the {+mdbagent+}'s
+  |tls| certificate.
+  
+  You must create this secret in the same namespace to which you
+  deploy the |k8s-op-short|:
+
+  .. code-block:: sh
+
+     kubectl create secret generic agent-cert \
+     --from-file=mms-automation-agent-pem=agent-cert.pem -n <namespace>
+
+  This secret must contain a ``mms-automation-agent-pem`` key, the value
+  of which is a |tls| certificate that can be validated by the server.
+
+  This setting is required if 
+  :setting:`spec.security.authentication.requireClientTLSAuthentication` is ``true``.
+
+---
+program: _shared
 name: spec.additionalMongodConfig.net.ssl.mode
 type: string
 directive: setting
diff --git a/source/reference/k8s-operator-specification.txt b/source/reference/k8s-operator-specification.txt
@@ -224,6 +224,7 @@ cluster resource types:
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.enabled.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.modes.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.internalCluster.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.requireClientTLSAuthentication.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.servers.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.transportSecurity.rst
@@ -242,6 +243,7 @@ cluster resource types:
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.agents.automationPasswordSecretRef.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.agents.automationPasswordSecretRef.name.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.agents.automationPasswordSecretRef.key.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.agents.clientCertificateSecretRef.name.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.roles.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.roles.role.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.roles.db.rst
diff --git a/source/release-notes.txt b/source/release-notes.txt
@@ -40,10 +40,10 @@ MongoDB Resource Changes
 
 - Introduces new configuration fields:
 
-  - ``spec.security.authentication.requireClientTLSAuthentication`` for using 
+  - :setting:`spec.security.authentication.requireClientTLSAuthentication` for using 
     the MongoDB Agent client certificate authentication in conjunction with any 
     other authentication mechanism. 
-  - ``spec.security.authentication.agents.clientCertificateSecretRef`` for 
+  - :setting:`spec.security.authentication.agents.clientCertificateSecretRef` for 
     configuring the client TLS certificate used by the MongoDB Agent when 
     enabling ClientTLSAuthentication.
 
