
[Feature Request] Add native support for AWS DocumentDB with TLS in Helm charts #452

@denyshubh

Description

Summary

The current Litmus Helm chart doesn't properly support AWS DocumentDB connections with TLS, which is required for DocumentDB. The init container and main application containers need modifications to handle DocumentDB's specific connection requirements including TLS certificates, retry writes disabled, and proper connection string format.

Problem Description

When trying to deploy Litmus with AWS DocumentDB as the backend database, the deployment fails because:

  1. Init Container Issue: The wait-for-mongodb init container uses a MongoDB replica set status check that doesn't work with DocumentDB
  2. TLS Certificate Missing: No mechanism to mount and use DocumentDB's CA certificate bundle
  3. Connection String Format: The connection logic doesn't account for DocumentDB-specific parameters like tls=true, retryWrites=false, and tlsCAFile

Current Behavior

  • Init container fails with DocumentDB connection
  • Main application containers cannot establish secure TLS connections to DocumentDB
  • Users must manually patch the Helm templates to make it work

Expected Behavior

  • Helm chart should natively support DocumentDB with minimal configuration
  • Proper TLS certificate handling for DocumentDB CA bundle
  • Init container should use DocumentDB-compatible connection tests
  • Support for DocumentDB-specific connection parameters

Environment

  • Litmus Version: 3.20.0
  • Kubernetes Version: 1.31+
  • Database: AWS DocumentDB (MongoDB-compatible)
  • Deployment Method: Helm Chart
  • TLS: Required (DocumentDB mandates TLS)

Proposed Solution

1. Helm Values Enhancement

Add DocumentDB-specific configuration options:

```yaml
# External database configuration with DocumentDB support
mongodb:
  enabled: false

# DocumentDB specific settings
documentdb:
  enabled: false  # Auto-detected when mongodb.enabled=false and tls settings present
  tls:
    enabled: true
    caBundle: "documentdb-ca-bundle"  # ConfigMap name containing CA bundle
    caBundleKey: "global-bundle.pem"  # Key in ConfigMap
  connectionParams:
    retryWrites: false
    readPreference: "secondaryPreferred"
    serverSelectionTimeoutMS: 30000
```

2. Template Modifications Required

Init Container Update

The wait-for-mongodb init container needs conditional logic:

```yaml
{{- if .Values.mongodb.enabled }}
# Current MongoDB replica set check
args: ["until [[ $(mongosh -u ${DB_USER} -p ${DB_PASSWORD} ${DB_SERVER} --eval 'rs.status()' | grep 'ok' | wc -l) -eq 1 ]]; do sleep 5; echo 'Waiting for the MongoDB to be ready...'; done; echo 'Connection with MongoDB established'"]
{{- else }}
# DocumentDB compatible ping test
# mongosh prints the ping reply as `{ ok: 1 }` (the legacy mongo shell printed `"ok" : 1`), so the pattern accepts both forms
args: ["until mongosh \"mongodb://${DB_USER}:${DB_PASSWORD}@${DB_SERVER}:${DB_PORT}/admin?tls=true&tlsCAFile=/etc/ssl/documentdb-ca-bundle.crt&retryWrites=false\" --eval 'db.runCommand({ping: 1})' | grep -Eq '\"?ok\"?[[:space:]]*:[[:space:]]*1'; do sleep 5; echo 'Waiting for DocumentDB to be ready...'; done; echo 'Connection with DocumentDB established'"]
{{- end }}
```

Volume Mounts for TLS

Add conditional volume mounts for DocumentDB CA bundle:

```yaml
{{- if not .Values.mongodb.enabled }}
volumeMounts:
  - mountPath: /etc/ssl/documentdb-ca-bundle.crt
    name: documentdb-ca-bundle
    subPath: {{ .Values.documentdb.tls.caBundleKey | default "global-bundle.pem" }}
volumes:
  - name: documentdb-ca-bundle
    configMap:
      name: {{ .Values.documentdb.tls.caBundle | default "documentdb-ca-bundle" }}
{{- end }}
```

Environment Variables

Add DocumentDB-specific environment variables:

```yaml
{{- if not .Values.mongodb.enabled }}
- name: MONGO_TLS_ENABLED
  value: "{{ .Values.documentdb.tls.enabled }}"
- name: MONGO_TLS_CA_FILE
  value: "/etc/ssl/documentdb-ca-bundle.crt"
- name: MONGO_RETRY_WRITES
  value: "{{ .Values.documentdb.connectionParams.retryWrites }}"
{{- end }}
```

Workaround (Current)

Users currently need to:

  1. Create DocumentDB CA bundle ConfigMap manually
  2. Modify Helm templates to add volume mounts
  3. Update init container args for DocumentDB compatibility
  4. Add DocumentDB-specific environment variables

Additional Context

DocumentDB Connection Requirements

  • TLS: Mandatory for all connections
  • CA Certificate: Requires AWS DocumentDB CA bundle
  • Retry Writes: Must be disabled (retryWrites=false)
  • Connection Format: mongodb://user:pass@host:port/db?tls=true&tlsCAFile=/path/to/ca&retryWrites=false
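
As an added example (not code from this issue or from the Litmus project), the following Go program assembles and validates a DocumentDB connection string from the environment variable names proposed in the "Environment Variables" section above (DB_USER, DB_PASSWORD, DB_SERVER, DB_PORT, MONGO_TLS_ENABLED, MONGO_TLS_CA_FILE, MONGO_RETRY_WRITES) and enforces the connection requirements just listed; the DocDBConfig type and the function names are assumptions. Unlike plain shell interpolation of the password into the init-container args, it percent-encodes the credentials so that characters such as '@' or ':' in a password cannot be mis-parsed as the host, and it refuses a configuration that disables TLS, omits the CA bundle or leaves retryWrites on.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

// DocDBConfig mirrors the issue's proposed settings (hypothetical type, not Litmus code).
type DocDBConfig struct {
	User, Password, Host, Port, DB, TLSCAFile string
	TLSEnabled, RetryWrites                   bool
}

// Validate enforces the DocumentDB requirements listed in the issue:
// TLS on, a CA bundle path present, retryable writes off.
func Validate(c DocDBConfig) error {
	switch {
	case !c.TLSEnabled:
		return fmt.Errorf("DocumentDB mandates TLS; refusing a plaintext URI")
	case c.TLSCAFile == "":
		return fmt.Errorf("tlsCAFile required to verify the server against the AWS CA bundle")
	case c.RetryWrites:
		return fmt.Errorf("retryWrites must be false for DocumentDB")
	}
	return nil
}

// BuildURI assembles the mongodb:// URI; url.UserPassword percent-encodes the
// credentials so '@' or ':' inside a password cannot be mis-parsed as the host.
func BuildURI(c DocDBConfig) (string, error) {
	if err := Validate(c); err != nil {
		return "", err
	}
	u := url.URL{Scheme: "mongodb", User: url.UserPassword(c.User, c.Password),
		Host: c.Host + ":" + c.Port, Path: "/" + c.DB,
		RawQuery: "tls=true&tlsCAFile=" + c.TLSCAFile + "&retryWrites=false"}
	return u.String(), nil
}

// FromEnv reads the variable names used in the issue's proposed templates;
// getenv is injectable so the mapping can be tested without a real environment.
func FromEnv(getenv func(string) string) DocDBConfig {
	tls, _ := strconv.ParseBool(getenv("MONGO_TLS_ENABLED"))
	retry, _ := strconv.ParseBool(getenv("MONGO_RETRY_WRITES"))
	return DocDBConfig{User: getenv("DB_USER"), Password: getenv("DB_PASSWORD"),
		Host: getenv("DB_SERVER"), Port: getenv("DB_PORT"), DB: "admin",
		TLSEnabled: tls, TLSCAFile: getenv("MONGO_TLS_CA_FILE"), RetryWrites: retry}
}
```

Pass `os.Getenv` to `FromEnv` inside a container to build the URI from the rendered environment; the returned error is the reason the configuration was rejected.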

Files that need modification

  1. templates/portal-server-deployment.yaml - Init container and main container
  2. templates/portal-auth-server-deployment.yaml - If it connects to DB directly
  3. values.yaml - Add DocumentDB configuration options
  4. templates/_helpers.tpl - Add helper functions for DocumentDB settings

Testing

The fix should be tested with:

  • Standard MongoDB (existing functionality)
  • AWS DocumentDB with TLS
  • MongoDB Atlas (should continue working)

Labels

enhancement, helm, database, documentdb, tls, aws
