configure the docdb example trust bundle

README.md

@@ -54,6 +54,7 @@ This will:
     * Use the etcd key-value store.
 * Demonstrate how to automatically deploy the [`docdb-example` workload](stacks/eks-workloads/docdb-example.tf).
   * Use [the deployed example AWS DocumentDB](stacks/eks/docdb.tf).
+  * Use a `trust-manager` managed CA certificates volume that includes the [Amazon RDS CA certificates (i.e. `global-bundle.pem`)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions).
 
 The main components are:
 
@@ -407,6 +408,16 @@ while [ -z "$(dig +short "$docdb_example_host")" ]; do sleep 5; done && dig "$do
 wget -qO- "$docdb_example_url"
 ```
 
+Verify the trusted CA certificates, this should include the Amazon RDS CA
+certificates (e.g. `Amazon RDS eu-west-1 Root CA RSA2048 G1`):
+
+```bash
+kubectl exec --stdin deployment/docdb-example -- bash <<'EOF'
+openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt \
+  | openssl pkcs7 -print_certs -text -noout
+EOF
+```
+
 List all the used container images:
 
 ```bash

config.tm.hcl

@@ -75,6 +75,13 @@ globals "terraform" "providers" "helm" {
   version = "2.13.2"
 }
 
+# see https://registry.terraform.io/providers/hashicorp/http
+# see https://github.com/hashicorp/terraform-provider-http
+globals "terraform" "providers" "http" {
+  # renovate: datasource=terraform-provider depName=hashicorp/http
+  version = "3.4.2"
+}
+
 # see https://registry.terraform.io/providers/hashicorp/local
 # see https://github.com/hashicorp/terraform-provider-local
 globals "terraform" "providers" "local" {

stacks/eks-workloads/_providers.tf

@@ -15,6 +15,10 @@ terraform {
       source  = "hashicorp/helm"
       version = "2.13.2"
     }
+    http = {
+      source  = "hashicorp/http"
+      version = "3.4.2"
+    }
     kubernetes = {
       source  = "hashicorp/kubernetes"
       version = "2.30.0"

stacks/eks-workloads/docdb-example.tf

@@ -2,7 +2,7 @@ locals {
   docdb_example_fqdn = "docdb-example.${var.ingress_domain}"
   # see Connecting Programmatically to Amazon DocumentDB at https://docs.aws.amazon.com/documentdb/latest/developerguide/
   docdb_example_master_connection_string = format(
-    "mongodb://%s:%s@%s:%d/?tls=true&tlsCAFile=global-bundle.pem&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false",
+    "mongodb://%s:%s@%s:%d/?tls=true&tlsCAFile=/etc/ssl/certs/ca-certificates.crt&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false",
     urlencode("master"),
     urlencode("Ex0mple!"),
     data.external.docdb_example.result.endpoint,
@@ -176,6 +176,12 @@ resource "kubernetes_deployment_v1" "docdb_example" {
               }
             }
           }
+          # see https://github.com/golang/go/blob/go1.22.3/src/crypto/x509/root_linux.go
+          volume_mount {
+            name       = "ca-certificates"
+            mount_path = "/etc/ssl/certs"
+            read_only  = true
+          }
           port {
             name           = "web"
             container_port = 8000
@@ -197,6 +203,70 @@ resource "kubernetes_deployment_v1" "docdb_example" {
             }
           }
         }
+        volume {
+          name = "ca-certificates"
+          config_map {
+            name         = kubernetes_manifest.docdb_example_ca_certificates.manifest.metadata.name
+            default_mode = "0444"
+          }
+        }
+      }
+    }
+  }
+}
+
+# see https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled
+# see https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http
+data "http" "aws_rds_ca_certificates" {
+  url = "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"
+}
+
+# see https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled
+# see https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1
+resource "kubernetes_config_map_v1" "aws_rds_ca_certificates" {
+  metadata {
+    namespace = "cert-manager"
+    name      = "aws-rds-ca-certificates"
+  }
+  data = {
+    "ca-certificates.crt" = data.http.aws_rds_ca_certificates.response_body
+  }
+}
+
+# NB the bundle object will create the docdb-example-ca-certificates configmap.
+# NB this is a kubernetes cluster level object.
+# see https://cert-manager.io/docs/trust/trust-manager/api-reference/
+# see https://cert-manager.io/docs/tutorials/getting-started-with-trust-manager/
+# see https://github.com/golang/go/blob/go1.22.3/src/crypto/x509/root_linux.go
+# see https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest
+resource "kubernetes_manifest" "docdb_example_ca_certificates" {
+  manifest = {
+    apiVersion = "trust.cert-manager.io/v1alpha1"
+    kind       = "Bundle"
+    metadata = {
+      name = "docdb-example-ca-certificates"
+    }
+    spec = {
+      sources = [
+        {
+          useDefaultCAs = true
+        },
+        {
+          configMap = {
+            name = kubernetes_config_map_v1.aws_rds_ca_certificates.metadata[0].name
+            key  = "ca-certificates.crt"
+          }
+        },
+      ]
+      target = {
+        namespaceSelector = {
+          matchLabels = {
+            "kubernetes.io/metadata.name" = "default"
+          }
+        }
+        configMap = {
+          key = "ca-certificates.crt"
+        }
       }
     }
   }

stacks/eks-workloads/providers.tm.hcl

@@ -21,6 +21,12 @@ generate_hcl "_providers.tf" {
           source  = "hashicorp/helm"
           version = global.terraform.providers.helm.version
         }
+        # see https://registry.terraform.io/providers/hashicorp/http
+        # see https://github.com/hashicorp/terraform-provider-http
+        http = {
+          source  = "hashicorp/http"
+          version = global.terraform.providers.http.version
+        }
         # see https://registry.terraform.io/providers/hashicorp/external
         # see https://github.com/hashicorp/terraform-provider-external
         external = {