From 3ec055e95bc39272e9828e2ec5d6aac913a84303 Mon Sep 17 00:00:00 2001
From: Yavor Georgiev <yavor.georgiev@mongodb.com>
Date: Mon, 13 Oct 2025 14:23:59 +0200
Subject: [PATCH 1/9] [Search] Implement gRPC and mTLS

---
 api/v1/search/mongodbsearch_types.go          |  18 ++-
 api/v1/search/zz_generated.deepcopy.go        |   8 +-
 controllers/om/deployment.go                  |   2 +-
 .../operator/mongodbsearch_controller.go      |   6 +-
 .../operator/mongodbsearch_controller_test.go |  10 +-
 .../mongodbsearch_reconcile_helper.go         | 121 ++++++++++--------
 .../searchcontroller/search_construction.go   |  59 ++++++---
 ...nity-replicaset-sample-mflix-external.yaml |  45 +------
 .../community-replicaset-sample-mflix.yaml    |   2 +-
 .../enterprise-replicaset-sample-mflix.yaml   |   2 +-
 .../search_community_external_mongod_basic.py |   1 +
 .../search_community_external_mongod_tls.py   |   1 +
 .../tests/search/search_community_tls.py      |  28 +---
 .../tests/search/search_enterprise_tls.py     |  33 +----
 .../pkg/mongot/mongot_config.go               |  20 ++-
 pkg/util/stringutil/stringutil.go             |   2 +-
 16 files changed, 170 insertions(+), 188 deletions(-)

diff --git a/api/v1/search/mongodbsearch_types.go b/api/v1/search/mongodbsearch_types.go
index ce1ef5176..6a429cd29 100644
--- a/api/v1/search/mongodbsearch_types.go
+++ b/api/v1/search/mongodbsearch_types.go
@@ -17,10 +17,13 @@ import (
 )
 
 const (
-	MongotDefaultPort               = 27027
+	MongotDefaultWireprotoPort      = 27027
+	MongotDefaultGrpcPort           = 27028
 	MongotDefaultMetricsPort        = 9946
 	MongotDefautHealthCheckPort     = 8080
 	MongotDefaultSyncSourceUsername = "search-sync-source"
+
+	ForceWireprotoTransportAnnotation = "mongodb.com/v1.force-wireproto-transport"
 )
 
 func init() {
@@ -207,8 +210,12 @@ func (s *MongoDBSearch) GetMongoDBResourceRef() *userv1.MongoDBResourceRef {
 	return &mdbResourceRef
 }
 
-func (s *MongoDBSearch) GetMongotPort() int32 {
-	return MongotDefaultPort
+func (s *MongoDBSearch) GetMongotWireprotoPort() int32 {
+	return MongotDefaultWireprotoPort
+}
+
+func (s *MongoDBSearch) GetMongotGrpcPort() int32 {
+	return MongotDefaultGrpcPort
 }
 
 func (s *MongoDBSearch) GetMongotMetricsPort() int32 {
@@ -241,3 +248,8 @@ func (s *MongoDBSearch) GetLogLevel() mdb.LogLevel {
 
 	return s.Spec.LogLevel
 }
+
+func (s *MongoDBSearch) IsWireprotoForced() bool {
+	val, ok := s.Annotations[ForceWireprotoTransportAnnotation]
+	return ok && val == "true"
+}
diff --git a/api/v1/search/zz_generated.deepcopy.go b/api/v1/search/zz_generated.deepcopy.go
index c66322146..d18d025f8 100644
--- a/api/v1/search/zz_generated.deepcopy.go
+++ b/api/v1/search/zz_generated.deepcopy.go
@@ -159,7 +159,7 @@ func (in *MongoDBSearchSpec) DeepCopyInto(out *MongoDBSearchSpec) {
 		*out = new(v1.ResourceRequirements)
 		(*in).DeepCopyInto(*out)
 	}
-	out.Security = in.Security
+	in.Security.DeepCopyInto(&out.Security)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MongoDBSearchSpec.
@@ -231,7 +231,11 @@ func (in *MongoDBSource) DeepCopy() *MongoDBSource {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Security) DeepCopyInto(out *Security) {
 	*out = *in
-	out.TLS = in.TLS
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(TLS)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Security.
diff --git a/controllers/om/deployment.go b/controllers/om/deployment.go
index fd7f7f776..f32946b58 100644
--- a/controllers/om/deployment.go
+++ b/controllers/om/deployment.go
@@ -874,7 +874,7 @@ func (d Deployment) GetAllProcessNames() (names []string) {
 	for _, p := range d.getProcesses() {
 		names = append(names, p.Name())
 	}
-	return
+	return names
 }
 
 func (d Deployment) getProcesses() []Process {
diff --git a/controllers/operator/mongodbsearch_controller.go b/controllers/operator/mongodbsearch_controller.go
index 16db88027..a4fc8c63e 100644
--- a/controllers/operator/mongodbsearch_controller.go
+++ b/controllers/operator/mongodbsearch_controller.go
@@ -57,7 +57,11 @@ func (r *MongoDBSearchReconciler) Reconcile(ctx context.Context, request reconci
 		return reconcile.Result{RequeueAfter: time.Second * util.RetryTimeSec}, err
 	}
 
-	r.watch.AddWatchedResourceIfNotAdded(searchSource.KeyfileSecretName(), mdbSearch.Namespace, watch.Secret, mdbSearch.NamespacedName())
+	if mdbSearch.IsWireprotoForced() {
+		log.Info("Enabling the mongot wireproto server as required by annotation")
+		// the keyfile secret is necessary for wireproto authentication
+		r.watch.AddWatchedResourceIfNotAdded(searchSource.KeyfileSecretName(), mdbSearch.Namespace, watch.Secret, mdbSearch.NamespacedName())
+	}
 
 	// Watch for changes in database source CA certificate secrets or configmaps
 	tlsSourceConfig := searchSource.TLSConfig()
diff --git a/controllers/operator/mongodbsearch_controller_test.go b/controllers/operator/mongodbsearch_controller_test.go
index 472ea419a..49d99888d 100644
--- a/controllers/operator/mongodbsearch_controller_test.go
+++ b/controllers/operator/mongodbsearch_controller_test.go
@@ -115,13 +115,9 @@ func buildExpectedMongotConfig(search *searchv1.MongoDBSearch, mdbc *mdbcv1.Mong
 			DataPath: searchcontroller.MongotDataPath,
 		},
 		Server: mongot.ConfigServer{
-			Wireproto: &mongot.ConfigWireproto{
-				Address: "0.0.0.0:27027",
-				Authentication: &mongot.ConfigAuthentication{
-					Mode:    "keyfile",
-					KeyFile: searchcontroller.TempKeyfilePath,
-				},
-				TLS: mongot.ConfigTLS{Mode: mongot.ConfigTLSModeDisabled},
+			Grpc: &mongot.ConfigGrpc{
+				Address: fmt.Sprintf("0.0.0.0:%d", search.GetMongotGrpcPort()),
+				TLS:     &mongot.ConfigGrpcTLS{Mode: mongot.ConfigTLSModeDisabled},
 			},
 		},
 		Metrics: mongot.ConfigMetrics{
diff --git a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go
index a763be9a6..a8d50df5b 100644
--- a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go
+++ b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go
@@ -97,11 +97,15 @@ func (r *MongoDBSearchReconcileHelper) reconcile(ctx context.Context, log *zap.S
 		return workflow.Failed(err)
 	}
 
-	keyfileStsModification, err := r.ensureSourceKeyfile(ctx, log)
-	if apierrors.IsNotFound(err) {
-		return workflow.Pending("Waiting for keyfile secret to be created")
-	} else if err != nil {
-		return workflow.Failed(err)
+	keyfileStsModification := statefulset.NOOP()
+	if r.mdbSearch.IsWireprotoForced() {
+		var err error
+		keyfileStsModification, err = r.ensureSourceKeyfile(ctx, log)
+		if apierrors.IsNotFound(err) {
+			return workflow.Pending("Waiting for keyfile secret to be created")
+		} else if err != nil {
+			return workflow.Failed(err)
+		}
 	}
 
 	if err := r.ensureSearchService(ctx, r.mdbSearch); err != nil {
@@ -113,11 +117,9 @@ func (r *MongoDBSearchReconcileHelper) reconcile(ctx context.Context, log *zap.S
 		return workflow.Failed(err)
 	}
 
-	egressTlsMongotModification, egressTlsStsModification, err := r.ensureEgressTlsConfig(ctx)
-	if err != nil {
-		return workflow.Failed(err)
-	}
+	egressTlsMongotModification, egressTlsStsModification := r.ensureEgressTlsConfig(ctx)
 
+	// the egress TLS modification needs to always be applied after the ingress one, because it toggles mTLS based on the mode set by the ingress modification
 	configHash, err := r.ensureMongotConfig(ctx, log, createMongotConfig(r.mdbSearch, r.db), ingressTlsMongotModification, egressTlsMongotModification)
 	if err != nil {
 		return workflow.Failed(err)
@@ -140,6 +142,7 @@ func (r *MongoDBSearchReconcileHelper) reconcile(ctx context.Context, log *zap.S
 	return workflow.OK()
 }
 
+// This is called only if the wireproto server is enabled, to set up they keyfile necessary for authentication.
 func (r *MongoDBSearchReconcileHelper) ensureSourceKeyfile(ctx context.Context, log *zap.SugaredLogger) (statefulset.Modification, error) {
 	keyfileSecretName := kube.ObjectKey(r.mdbSearch.GetNamespace(), r.db.KeyfileSecretName())
 	keyfileSecret := &corev1.Secret{}
@@ -154,6 +157,7 @@ func (r *MongoDBSearchReconcileHelper) ensureSourceKeyfile(ctx context.Context,
 				"keyfileHash": hashBytes(keyfileSecret.Data[MongotKeyfileFilename]),
 			},
 		)),
+		CreateKeyfileModificationFunc(r.db.KeyfileSecretName()),
 	), nil
 }
 
@@ -229,10 +233,7 @@ func (r *MongoDBSearchReconcileHelper) ensureMongotConfig(ctx context.Context, l
 
 func (r *MongoDBSearchReconcileHelper) ensureIngressTlsConfig(ctx context.Context) (mongot.Modification, statefulset.Modification, error) {
 	if r.mdbSearch.Spec.Security.TLS == nil {
-		mongotModification := func(config *mongot.Config) {
-			config.Server.Wireproto.TLS.Mode = mongot.ConfigTLSModeDisabled
-		}
-		return mongotModification, statefulset.NOOP(), nil
+		return mongot.NOOP(), statefulset.NOOP(), nil
 	}
 
 	// TODO: validate that the certificate in the user-provided Secret in .spec.security.tls.certificateKeySecret is issued by the CA in the operator's CA Secret
@@ -244,8 +245,12 @@ func (r *MongoDBSearchReconcileHelper) ensureIngressTlsConfig(ctx context.Contex
 
 	mongotModification := func(config *mongot.Config) {
 		certPath := tls.OperatorSecretMountPath + certFileName
-		config.Server.Wireproto.TLS.Mode = mongot.ConfigTLSModeTLS
-		config.Server.Wireproto.TLS.CertificateKeyFile = ptr.To(certPath)
+		config.Server.Grpc.TLS.Mode = mongot.ConfigTLSModeTLS
+		config.Server.Grpc.TLS.CertificateKeyFile = ptr.To(certPath)
+		if config.Server.Wireproto != nil {
+			config.Server.Wireproto.TLS.Mode = mongot.ConfigTLSModeTLS
+			config.Server.Wireproto.TLS.CertificateKeyFile = ptr.To(certPath)
+		}
 	}
 
 	tlsSecret := r.mdbSearch.TLSOperatorSecretNamespacedName()
@@ -261,46 +266,34 @@ func (r *MongoDBSearchReconcileHelper) ensureIngressTlsConfig(ctx context.Contex
 	return mongotModification, statefulsetModification, nil
 }
 
-func (r *MongoDBSearchReconcileHelper) ensureEgressTlsConfig(ctx context.Context) (mongot.Modification, statefulset.Modification, error) {
+func (r *MongoDBSearchReconcileHelper) ensureEgressTlsConfig(ctx context.Context) (mongot.Modification, statefulset.Modification) {
 	tlsSourceConfig := r.db.TLSConfig()
 	if tlsSourceConfig == nil {
-		return mongot.NOOP(), statefulset.NOOP(), nil
+		return mongot.NOOP(), statefulset.NOOP()
 	}
 
 	mongotModification := func(config *mongot.Config) {
 		config.SyncSource.ReplicaSet.TLS = ptr.To(true)
+		config.SyncSource.CertificateAuthorityFile = ptr.To(tls.CAMountPath + "/" + tlsSourceConfig.CAFileName)
+
+		// if the gRPC server is configured to accept TLS connections then toggle mTLS as well
+		if config.Server.Grpc.TLS.Mode == mongot.ConfigTLSModeTLS {
+			config.Server.Grpc.TLS.Mode = mongot.ConfigTLSModeMTLS
+			config.Server.Grpc.TLS.CertificateAuthorityFile = config.SyncSource.CertificateAuthorityFile
+		}
 	}
 
-	_, containerSecurityContext := podtemplatespec.WithDefaultSecurityContextsModifications()
 	caVolume := tlsSourceConfig.CAVolume
-	trustStoreVolume := statefulset.CreateVolumeFromEmptyDir("cacerts")
 	statefulsetModification := statefulset.WithPodSpecTemplate(podtemplatespec.Apply(
 		podtemplatespec.WithVolume(caVolume),
-		podtemplatespec.WithVolume(trustStoreVolume),
-		podtemplatespec.WithInitContainer("init-cacerts", container.Apply(
-			container.WithImage(r.buildImageString()),
-			containerSecurityContext,
-			container.WithVolumeMounts([]corev1.VolumeMount{
-				statefulset.CreateVolumeMount(caVolume.Name, tls.CAMountPath, statefulset.WithReadOnly(true)),
-				statefulset.CreateVolumeMount(trustStoreVolume.Name, "/java/trust-store", statefulset.WithReadOnly(false)),
-			}),
-			container.WithCommand([]string{"sh"}),
-			container.WithArgs([]string{
-				"-c",
-				fmt.Sprintf(`
-cp /mongot-community/bin/jdk/lib/security/cacerts /java/trust-store/cacerts
-/mongot-community/bin/jdk/bin/keytool -keystore /java/trust-store/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias mongodcert -file %s/%s
-							`, tls.CAMountPath, tlsSourceConfig.CAFileName),
-			}),
-		)),
 		podtemplatespec.WithContainer(MongotContainerName, container.Apply(
 			container.WithVolumeMounts([]corev1.VolumeMount{
-				statefulset.CreateVolumeMount(trustStoreVolume.Name, "/mongot-community/bin/jdk/lib/security/cacerts", statefulset.WithReadOnly(true), statefulset.WithSubPath("cacerts")),
+				statefulset.CreateVolumeMount(caVolume.Name, tls.CAMountPath, statefulset.WithReadOnly(true)),
 			}),
 		)),
 	))
 
-	return mongotModification, statefulsetModification, nil
+	return mongotModification, statefulsetModification
 }
 
 func hashBytes(bytes []byte) string {
@@ -325,10 +318,17 @@ func buildSearchHeadlessService(search *searchv1.MongoDBSearch) corev1.Service {
 		SetOwnerReferences(search.GetOwnerReferences())
 
 	serviceBuilder.AddPort(&corev1.ServicePort{
-		Name:       "mongot",
+		Name:       "mongot-wireproto",
+		Protocol:   corev1.ProtocolTCP,
+		Port:       search.GetMongotWireprotoPort(),
+		TargetPort: intstr.FromInt32(search.GetMongotWireprotoPort()),
+	})
+
+	serviceBuilder.AddPort(&corev1.ServicePort{
+		Name:       "mongot-grpc",
 		Protocol:   corev1.ProtocolTCP,
-		Port:       search.GetMongotPort(),
-		TargetPort: intstr.FromInt32(search.GetMongotPort()),
+		Port:       search.GetMongotGrpcPort(),
+		TargetPort: intstr.FromInt32(search.GetMongotGrpcPort()),
 	})
 
 	serviceBuilder.AddPort(&corev1.ServicePort{
@@ -366,13 +366,24 @@ func createMongotConfig(search *searchv1.MongoDBSearch, db SearchSourceDBResourc
 			DataPath: MongotDataPath,
 		}
 		config.Server = mongot.ConfigServer{
-			Wireproto: &mongot.ConfigWireproto{
-				Address: "0.0.0.0:27027",
+			Grpc: &mongot.ConfigGrpc{
+				Address: fmt.Sprintf("0.0.0.0:%d", search.GetMongotGrpcPort()),
+				TLS: &mongot.ConfigGrpcTLS{
+					Mode: mongot.ConfigTLSModeDisabled,
+				},
+			},
+		}
+		if search.IsWireprotoForced() {
+			config.Server.Wireproto = &mongot.ConfigWireproto{
+				Address: fmt.Sprintf("0.0.0.0:%d", search.GetMongotWireprotoPort()),
 				Authentication: &mongot.ConfigAuthentication{
 					Mode:    "keyfile",
 					KeyFile: TempKeyfilePath,
 				},
-			},
+				TLS: &mongot.ConfigWireprotoTLS{
+					Mode: mongot.ConfigTLSModeDisabled,
+				},
+			}
 		}
 		config.Metrics = mongot.ConfigMetrics{
 			Enabled: true,
@@ -393,19 +404,27 @@ func GetMongodConfigParameters(search *searchv1.MongoDBSearch) map[string]any {
 	if search.Spec.Security.TLS != nil {
 		searchTLSMode = automationconfig.TLSModeRequired
 	}
+
+	parameters := map[string]any{
+		"mongotHost":                                      mongotHostAndPort(search),
+		"searchIndexManagementHostAndPort":                mongotHostAndPort(search),
+		"skipAuthenticationToSearchIndexManagementServer": false,
+		"searchTLSMode":                                   string(searchTLSMode),
+		"useGrpcForSearch":                                !search.IsWireprotoForced(),
+	}
+
 	return map[string]any{
-		"setParameter": map[string]any{
-			"mongotHost":                                      mongotHostAndPort(search),
-			"searchIndexManagementHostAndPort":                mongotHostAndPort(search),
-			"skipAuthenticationToSearchIndexManagementServer": false,
-			"searchTLSMode":                                   string(searchTLSMode),
-		},
+		"setParameter": parameters,
 	}
 }
 
 func mongotHostAndPort(search *searchv1.MongoDBSearch) string {
 	svcName := search.SearchServiceNamespacedName()
-	return fmt.Sprintf("%s.%s.svc.cluster.local:%d", svcName.Name, svcName.Namespace, search.GetMongotPort())
+	port := search.GetMongotGrpcPort()
+	if search.IsWireprotoForced() {
+		port = search.GetMongotWireprotoPort()
+	}
+	return fmt.Sprintf("%s.%s.svc.cluster.local:%d", svcName.Name, svcName.Namespace, port)
 }
 
 func (r *MongoDBSearchReconcileHelper) ValidateSingleMongoDBSearchForSearchSource(ctx context.Context) error {
diff --git a/controllers/searchcontroller/search_construction.go b/controllers/searchcontroller/search_construction.go
index 4c9181e44..c1884c040 100644
--- a/controllers/searchcontroller/search_construction.go
+++ b/controllers/searchcontroller/search_construction.go
@@ -62,15 +62,11 @@ func CreateSearchStatefulSetFunc(mdbSearch *searchv1.MongoDBSearch, sourceDBReso
 	tmpVolumeMount := statefulset.CreateVolumeMount(tmpVolume.Name, tempVolumePath, statefulset.WithReadOnly(false))
 
 	dataVolumeName := "data"
-	keyfileVolumeName := "keyfile"
 	sourceUserPasswordVolumeName := "password"
 	mongotConfigVolumeName := "config"
 
 	pvcVolumeMount := statefulset.CreateVolumeMount(dataVolumeName, MongotDataPath, statefulset.WithSubPath("data"))
 
-	keyfileVolume := statefulset.CreateVolumeFromSecret(keyfileVolumeName, sourceDBResource.KeyfileSecretName())
-	keyfileVolumeMount := statefulset.CreateVolumeMount(keyfileVolumeName, MongotKeyfilePath, statefulset.WithReadOnly(true), statefulset.WithSubPath(MongotKeyfileFilename))
-
 	sourceUserPasswordSecretKey := mdbSearch.SourceUserPasswordSecretRef()
 	sourceUserPasswordVolume := statefulset.CreateVolumeFromSecret(sourceUserPasswordVolumeName, sourceUserPasswordSecretKey.Name)
 	sourceUserPasswordVolumeMount := statefulset.CreateVolumeMount(sourceUserPasswordVolumeName, MongotSourceUserPasswordPath, statefulset.WithReadOnly(true), statefulset.WithSubPath(sourceUserPasswordSecretKey.Key))
@@ -90,7 +86,6 @@ func CreateSearchStatefulSetFunc(mdbSearch *searchv1.MongoDBSearch, sourceDBReso
 
 	volumeMounts := []corev1.VolumeMount{
 		pvcVolumeMount,
-		keyfileVolumeMount,
 		tmpVolumeMount,
 		mongotConfigVolumeMount,
 		sourceUserPasswordVolumeMount,
@@ -98,7 +93,6 @@ func CreateSearchStatefulSetFunc(mdbSearch *searchv1.MongoDBSearch, sourceDBReso
 
 	volumes := []corev1.Volume{
 		tmpVolume,
-		keyfileVolume,
 		mongotConfigVolume,
 		sourceUserPasswordVolume,
 	}
@@ -135,6 +129,26 @@ func CreateSearchStatefulSetFunc(mdbSearch *searchv1.MongoDBSearch, sourceDBReso
 	return statefulset.Apply(stsModifications...)
 }
 
+func CreateKeyfileModificationFunc(keyfileSecretName string) statefulset.Modification {
+	keyfileVolumeName := "keyfile"
+	keyfileVolume := statefulset.CreateVolumeFromSecret(keyfileVolumeName, keyfileSecretName)
+	keyfileVolumeMount := statefulset.CreateVolumeMount(keyfileVolumeName, MongotKeyfilePath, statefulset.WithReadOnly(true), statefulset.WithSubPath(MongotKeyfileFilename))
+
+	return statefulset.Apply(
+		statefulset.WithPodSpecTemplate(
+			podtemplatespec.Apply(
+				podtemplatespec.WithVolumes([]corev1.Volume{keyfileVolume}),
+				podtemplatespec.WithContainer(MongotContainerName,
+					container.Apply(
+						container.WithVolumeMounts([]corev1.VolumeMount{keyfileVolumeMount}),
+						prependCommand(sensitiveFilePermissionsWorkaround(MongotKeyfilePath, TempKeyfilePath)),
+					),
+				),
+			),
+		),
+	)
+}
+
 func mongodbSearchContainer(mdbSearch *searchv1.MongoDBSearch, volumeMounts []corev1.VolumeMount, searchImage string) container.Modification {
 	_, containerSecurityContext := podtemplatespec.WithDefaultSecurityContextsModifications()
 	return container.Apply(
@@ -148,18 +162,9 @@ func mongodbSearchContainer(mdbSearch *searchv1.MongoDBSearch, volumeMounts []co
 		container.WithCommand([]string{"sh"}),
 		container.WithArgs([]string{
 			"-c",
-			fmt.Sprintf(`
-cp %[1]s %[2]s
-chown 2000:2000 %[2]s
-chmod 0600 %[2]s
-
-cp %[3]s %[4]s
-chown 2000:2000 %[4]s
-chmod 0600 %[4]s
-
-/mongot-community/mongot --config /mongot/config.yml
-`, MongotKeyfilePath, TempKeyfilePath, MongotSourceUserPasswordPath, TempSourceUserPasswordPath),
+			"/mongot-community/mongot --config /mongot/config.yml",
 		}),
+		prependCommand(sensitiveFilePermissionsWorkaround(MongotSourceUserPasswordPath, TempSourceUserPasswordPath)),
 		containerSecurityContext,
 	)
 }
@@ -217,3 +222,23 @@ func newSearchDefaultRequirements() corev1.ResourceRequirements {
 		},
 	}
 }
+
+// The container command is set to "sh" and args is ["-c", "<script>"]
+// this modifies the second argument to prepend a command to the script
+// a new line is always inserted after the prepended command
+func prependCommand(commands string) container.Modification {
+	return func(c *corev1.Container) {
+		c.Args[1] = fmt.Sprintf("%s\n%s", commands, c.Args[1])
+	}
+}
+
+// mongot requires certain senstive files to have 600 permissions
+// but we can't get secret subPaths to have those permissions directly
+// so we copy them to a temp folder and set the permissions there
+func sensitiveFilePermissionsWorkaround(filePath, tempFilePath string) string {
+	return fmt.Sprintf(`
+cp %[1]s %[2]s
+chown 2000:2000 %[2]s
+chmod 0600 %[2]s
+`, filePath, tempFilePath)
+}
diff --git a/docker/mongodb-kubernetes-tests/tests/search/fixtures/community-replicaset-sample-mflix-external.yaml b/docker/mongodb-kubernetes-tests/tests/search/fixtures/community-replicaset-sample-mflix-external.yaml
index 45e332fd3..29bdb8976 100644
--- a/docker/mongodb-kubernetes-tests/tests/search/fixtures/community-replicaset-sample-mflix-external.yaml
+++ b/docker/mongodb-kubernetes-tests/tests/search/fixtures/community-replicaset-sample-mflix-external.yaml
@@ -4,7 +4,7 @@ kind: MongoDBCommunity
 metadata:
   name: mdbc-rs
 spec:
-  version: 8.0.10
+  version: 8.2.0
   type: ReplicaSet
   members: 3
   security:
@@ -12,49 +12,6 @@ spec:
       ignoreUnknownUsers: true
       modes:
         - SCRAM
-    roles:
-      - role: searchCoordinator
-        db: admin
-        roles:
-          - name: clusterMonitor
-            db: admin
-          - name: directShardOperations
-            db: admin
-          - name: readAnyDatabase
-            db: admin
-        privileges:
-          - resource:
-              db: "__mdb_internal_search"
-              collection: ""
-            actions:
-              - "changeStream"
-              - "collStats"
-              - "dbHash"
-              - "dbStats"
-              - "find"
-              - "killCursors"
-              - "listCollections"
-              - "listIndexes"
-              - "listSearchIndexes"
-              - "planCacheRead"
-              - "cleanupStructuredEncryptionData"
-              - "compactStructuredEncryptionData"
-              - "convertToCapped"
-              - "createCollection"
-              - "createIndex"
-              - "createSearchIndexes"
-              - "dropCollection"
-              - "dropIndex"
-              - "dropSearchIndex"
-              - "insert"
-              - "remove"
-              - "renameCollectionSameDB"
-              - "update"
-              - "updateSearchIndex"
-          - resource:
-              cluster: true
-            actions:
-              - "bypassDefaultMaxTimeMS"
   agent:
     logLevel: DEBUG
   statefulSet:
diff --git a/docker/mongodb-kubernetes-tests/tests/search/fixtures/community-replicaset-sample-mflix.yaml b/docker/mongodb-kubernetes-tests/tests/search/fixtures/community-replicaset-sample-mflix.yaml
index fe54d614d..29bdb8976 100644
--- a/docker/mongodb-kubernetes-tests/tests/search/fixtures/community-replicaset-sample-mflix.yaml
+++ b/docker/mongodb-kubernetes-tests/tests/search/fixtures/community-replicaset-sample-mflix.yaml
@@ -4,7 +4,7 @@ kind: MongoDBCommunity
 metadata:
   name: mdbc-rs
 spec:
-  version: 8.0.10
+  version: 8.2.0
   type: ReplicaSet
   members: 3
   security:
diff --git a/docker/mongodb-kubernetes-tests/tests/search/fixtures/enterprise-replicaset-sample-mflix.yaml b/docker/mongodb-kubernetes-tests/tests/search/fixtures/enterprise-replicaset-sample-mflix.yaml
index 926aed93d..e76f52595 100644
--- a/docker/mongodb-kubernetes-tests/tests/search/fixtures/enterprise-replicaset-sample-mflix.yaml
+++ b/docker/mongodb-kubernetes-tests/tests/search/fixtures/enterprise-replicaset-sample-mflix.yaml
@@ -5,7 +5,7 @@ metadata:
   name: mdb-rs
 spec:
   members: 3
-  version: 8.0.10-ent
+  version: 8.2.0-ent
   type: ReplicaSet
   opsManager:
     configMapRef:
diff --git a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py
index e9facccb2..d3c0ea339 100644
--- a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py
+++ b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py
@@ -48,6 +48,7 @@ def mdbc(namespace: str) -> MongoDBCommunity:
             "searchIndexManagementHostAndPort": mongot_host,
             "skipAuthenticationToSearchIndexManagementServer": False,
             "searchTLSMode": "disabled",
+            "useGrpcForSearch": True,
         }
     )
 
diff --git a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py
index a3d367636..538727556 100644
--- a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py
+++ b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py
@@ -52,6 +52,7 @@ def mdbc(namespace: str) -> MongoDBCommunity:
             "searchIndexManagementHostAndPort": mongot_host,
             "skipAuthenticationToSearchIndexManagementServer": False,
             "searchTLSMode": "requireTLS",
+            "useGrpcForSearch": True,
         }
     )
 
diff --git a/docker/mongodb-kubernetes-tests/tests/search/search_community_tls.py b/docker/mongodb-kubernetes-tests/tests/search/search_community_tls.py
index af4e9121e..beabfe955 100644
--- a/docker/mongodb-kubernetes-tests/tests/search/search_community_tls.py
+++ b/docker/mongodb-kubernetes-tests/tests/search/search_community_tls.py
@@ -1,4 +1,3 @@
-import pymongo
 from kubetester import create_or_update_secret, try_load
 from kubetester.certs import create_tls_certs
 from kubetester.kubetester import fixture as yaml_fixture
@@ -42,6 +41,8 @@ def mdbc(namespace: str) -> MongoDBCommunity:
     if try_load(resource):
         return resource
 
+    resource.set_version("8.2.0")
+
     # Add TLS configuration
     resource["spec"]["security"]["tls"] = {
         "enabled": True,
@@ -122,31 +123,6 @@ def test_wait_for_community_resource_ready(mdbc: MongoDBCommunity):
     mdbc.assert_reaches_phase(Phase.Running, timeout=300)
 
 
-@mark.e2e_search_community_tls
-def test_validate_tls_connections(mdbc: MongoDBCommunity, mdbs: MongoDBSearch, namespace: str, issuer_ca_filepath: str):
-    with pymongo.MongoClient(
-        f"mongodb://{mdbc.name}-0.{mdbc.name}-svc.{namespace}.svc.cluster.local:27017/?replicaSet={mdbc.name}",
-        tls=True,
-        tlsCAFile=issuer_ca_filepath,
-        tlsAllowInvalidHostnames=False,
-        serverSelectionTimeoutMS=30000,
-        connectTimeoutMS=20000,
-    ) as mongodb_client:
-        mongodb_info = mongodb_client.admin.command("hello")
-        assert mongodb_info.get("ok") == 1, "MongoDBCommunity connection failed"
-
-    with pymongo.MongoClient(
-        f"mongodb://{mdbs.name}-search-svc.{namespace}.svc.cluster.local:27027",
-        tls=True,
-        tlsCAFile=issuer_ca_filepath,
-        tlsAllowInvalidHostnames=False,
-        serverSelectionTimeoutMS=10000,
-        connectTimeoutMS=10000,
-    ) as search_client:
-        search_info = search_client.admin.command("hello")
-        assert search_info.get("ok") == 1, "MongoDBSearch connection failed"
-
-
 @fixture(scope="function")
 def sample_movies_helper(mdbc: MongoDBCommunity, issuer_ca_filepath: str) -> SampleMoviesSearchHelper:
     return movies_search_helper.SampleMoviesSearchHelper(
diff --git a/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py b/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py
index 8f03dafa7..9fd0156bc 100644
--- a/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py
+++ b/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py
@@ -1,4 +1,3 @@
-import pymongo
 import yaml
 from kubetester import create_or_update_secret, run_periodically, try_load
 from kubetester.certs import create_mongodb_tls_certs, create_tls_certs
@@ -34,6 +33,7 @@
 
 MDB_VERSION_WITHOUT_BUILT_IN_ROLE = "8.0.10-ent"
 MDB_VERSION_WITH_BUILT_IN_ROLE = "8.2.0-ent"
+MDB_SEARCH_FORCE_WIREPROTO_ANNOTATION = "mongodb.com/v1.force-wireproto-transport"
 
 
 @fixture(scope="function")
@@ -45,6 +45,7 @@ def mdb(namespace: str, issuer_ca_configmap: str) -> MongoDB:
     )
     resource.configure(om=get_ops_manager(namespace), project_name=MDB_RESOURCE_NAME)
     resource.set_version(MDB_VERSION_WITHOUT_BUILT_IN_ROLE)
+    resource["metadata"]["annotations"] = {MDB_SEARCH_FORCE_WIREPROTO_ANNOTATION: "true"}
 
     if try_load(resource):
         return resource
@@ -220,11 +221,6 @@ def test_wait_for_agents_ready(mdb: MongoDB):
     mdb.assert_reaches_phase(Phase.Running, timeout=300)
 
 
-@mark.e2e_search_enterprise_tls
-def test_validate_tls_connections(mdb: MongoDB, mdbs: MongoDBSearch, namespace: str):
-    validate_tls_connections(mdb, mdbs, namespace)
-
-
 @mark.e2e_search_enterprise_tls
 def test_search_restore_sample_database(mdb: MongoDB):
     get_admin_sample_movies_helper(mdb).restore_sample_database()
@@ -263,6 +259,7 @@ def test_check_polyfilled_role_in_ac(self, mdb: MongoDB):
 
     def test_upgrade_to_mongo_8_2(self, mdb: MongoDB):
         mdb.set_version(MDB_VERSION_WITH_BUILT_IN_ROLE)
+        del mdb["metadata"]["annotations"][MDB_SEARCH_FORCE_WIREPROTO_ANNOTATION]
         mdb.update()
         mdb.assert_reaches_phase(Phase.Running, timeout=600)
 
@@ -302,27 +299,3 @@ def get_user_sample_movies_helper(mdb):
             get_connection_string(mdb, USER_NAME, USER_PASSWORD), use_ssl=True, ca_path=get_issuer_ca_filepath()
         )
     )
-
-
-def validate_tls_connections(mdb: MongoDB, mdbs: MongoDBSearch, namespace: str):
-    with pymongo.MongoClient(
-        f"mongodb://{mdb.name}-0.{mdb.name}-svc.{namespace}.svc.cluster.local:27017/?replicaSet={mdb.name}",
-        tls=True,
-        tlsCAFile=get_issuer_ca_filepath(),
-        tlsAllowInvalidHostnames=False,
-        serverSelectionTimeoutMS=30000,
-        connectTimeoutMS=20000,
-    ) as mongodb_client:
-        mongodb_info = mongodb_client.admin.command("hello")
-        assert mongodb_info.get("ok") == 1, "MongoDB connection failed"
-
-    with pymongo.MongoClient(
-        f"mongodb://{mdbs.name}-search-svc.{namespace}.svc.cluster.local:27027",
-        tls=True,
-        tlsCAFile=get_issuer_ca_filepath(),
-        tlsAllowInvalidHostnames=False,
-        serverSelectionTimeoutMS=10000,
-        connectTimeoutMS=10000,
-    ) as search_client:
-        search_info = search_client.admin.command("hello")
-        assert search_info.get("ok") == 1, "MongoDBSearch connection failed"
diff --git a/mongodb-community-operator/pkg/mongot/mongot_config.go b/mongodb-community-operator/pkg/mongot/mongot_config.go
index c8126b173..fe11a6ac1 100644
--- a/mongodb-community-operator/pkg/mongot/mongot_config.go
+++ b/mongodb-community-operator/pkg/mongot/mongot_config.go
@@ -24,7 +24,8 @@ type Config struct {
 }
 
 type ConfigSyncSource struct {
-	ReplicaSet ConfigReplicaSet `json:"replicaSet"`
+	ReplicaSet               ConfigReplicaSet `json:"replicaSet"`
+	CertificateAuthorityFile *string          `json:"caFile,omitempty"`
 }
 
 type ConfigReplicaSet struct {
@@ -42,12 +43,18 @@ type ConfigStorage struct {
 
 type ConfigServer struct {
 	Wireproto *ConfigWireproto `json:"wireproto,omitempty"`
+	Grpc      *ConfigGrpc      `json:"grpc,omitempty"`
 }
 
 type ConfigWireproto struct {
 	Address        string                `json:"address"`
 	Authentication *ConfigAuthentication `json:"authentication,omitempty"`
-	TLS            ConfigTLS             `json:"tls"`
+	TLS            *ConfigWireprotoTLS   `json:"tls,omitempty"`
+}
+
+type ConfigGrpc struct {
+	Address string         `json:"address"`
+	TLS     *ConfigGrpcTLS `json:"tls,omitempty"`
 }
 
 type ConfigAuthentication struct {
@@ -59,14 +66,21 @@ type ConfigTLSMode string
 
 const (
 	ConfigTLSModeTLS      ConfigTLSMode = "TLS"
+	ConfigTLSModeMTLS     ConfigTLSMode = "mTLS"
 	ConfigTLSModeDisabled ConfigTLSMode = "Disabled"
 )
 
-type ConfigTLS struct {
+type ConfigWireprotoTLS struct {
 	Mode               ConfigTLSMode `json:"mode"`
 	CertificateKeyFile *string       `json:"certificateKeyFile,omitempty"`
 }
 
+type ConfigGrpcTLS struct {
+	Mode                     ConfigTLSMode `json:"mode"`
+	CertificateKeyFile       *string       `json:"certificateKeyFile,omitempty"`
+	CertificateAuthorityFile *string       `json:"caFile,omitempty"`
+}
+
 type ConfigMetrics struct {
 	Enabled bool   `json:"enabled"`
 	Address string `json:"address"`
diff --git a/pkg/util/stringutil/stringutil.go b/pkg/util/stringutil/stringutil.go
index b5375c285..652801df4 100644
--- a/pkg/util/stringutil/stringutil.go
+++ b/pkg/util/stringutil/stringutil.go
@@ -81,7 +81,7 @@ func Remove(slice []string, s string) (result []string) {
 		}
 		result = append(result, item)
 	}
-	return
+	return result
 }
 
 // UpperCaseFirstChar ensures the message first char is uppercased.

From b791c366098a78c7b4634e95d5493fc7143fb763 Mon Sep 17 00:00:00 2001
From: Yavor Georgiev <yavor.georgiev@mongodb.com>
Date: Thu, 16 Oct 2025 12:21:36 +0200
Subject: [PATCH 2/9] fix external tests and snippets

---
 .../tests/search/search_community_external_mongod_basic.py   | 2 +-
 .../tests/search/search_community_external_mongod_tls.py     | 2 +-
 .../04_0310_create_mongodb_community_resource.sh             | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py
index d3c0ea339..1fe7b4bcb 100644
--- a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py
+++ b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_basic.py
@@ -36,7 +36,7 @@ def mdbc(namespace: str) -> MongoDBCommunity:
     if try_load(resource):
         return resource
 
-    mongot_host = f"{MDBS_RESOURCE_NAME}-search-svc.{namespace}.svc.cluster.local:27027"
+    mongot_host = f"{MDBS_RESOURCE_NAME}-search-svc.{namespace}.svc.cluster.local:27028"
     if "additionalMongodConfig" not in resource["spec"]:
         resource["spec"]["additionalMongodConfig"] = {}
     if "setParameter" not in resource["spec"]["additionalMongodConfig"]:
diff --git a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py
index 538727556..105bec899 100644
--- a/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py
+++ b/docker/mongodb-kubernetes-tests/tests/search/search_community_external_mongod_tls.py
@@ -40,7 +40,7 @@ def mdbc(namespace: str) -> MongoDBCommunity:
     if try_load(resource):
         return resource
 
-    mongot_host = f"{MDBS_RESOURCE_NAME}-search-svc.{namespace}.svc.cluster.local:27027"
+    mongot_host = f"{MDBS_RESOURCE_NAME}-search-svc.{namespace}.svc.cluster.local:27028"
     if "additionalMongodConfig" not in resource["spec"]:
         resource["spec"]["additionalMongodConfig"] = {}
     if "setParameter" not in resource["spec"]["additionalMongodConfig"]:
diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh b/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
index a3dddcd2a..7e67f0f3b 100644
--- a/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
+++ b/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
@@ -57,10 +57,11 @@ spec:
               - "bypassDefaultMaxTimeMS"
   additionalMongodConfig:
     setParameter:
-      mongotHost: ${MDB_SEARCH_HOSTNAME}:27027
-      searchIndexManagementHostAndPort: ${MDB_SEARCH_HOSTNAME}:27027
+      mongotHost: ${MDB_SEARCH_HOSTNAME}:27029
+      searchIndexManagementHostAndPort: ${MDB_SEARCH_HOSTNAME}:27028
       skipAuthenticationToSearchIndexManagementServer: false
       searchTLSMode: disabled
+      useGrpcForSearch: true
   agent:
     logLevel: DEBUG
   statefulSet:

From 53e9334bd3f0fda5063b5bf7822be66d1697bc67 Mon Sep 17 00:00:00 2001
From: Yavor Georgiev <yavor.georgiev@mongodb.com>
Date: Thu, 16 Oct 2025 12:28:23 +0200
Subject: [PATCH 3/9] try fix enterprise tests

---
 .../tests/search/search_enterprise_tls.py           | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py b/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py
index 9fd0156bc..d628fe098 100644
--- a/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py
+++ b/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py
@@ -45,7 +45,6 @@ def mdb(namespace: str, issuer_ca_configmap: str) -> MongoDB:
     )
     resource.configure(om=get_ops_manager(namespace), project_name=MDB_RESOURCE_NAME)
     resource.set_version(MDB_VERSION_WITHOUT_BUILT_IN_ROLE)
-    resource["metadata"]["annotations"] = {MDB_SEARCH_FORCE_WIREPROTO_ANNOTATION: "true"}
 
     if try_load(resource):
         return resource
@@ -62,6 +61,9 @@ def mdbs(namespace: str) -> MongoDBSearch:
     if try_load(resource):
         return resource
 
+    # force the wireproto transport initially because we're starting out with mongod 8.0.10
+    resource["metadata"]["annotations"] = {MDB_SEARCH_FORCE_WIREPROTO_ANNOTATION: "true"}
+
     # Add TLS configuration to MongoDBSearch
     if "spec" not in resource:
         resource["spec"] = {}
@@ -209,7 +211,7 @@ def check_mongod_parameters():
 
         return parameters_are_set, f'Not all pods have mongot parameters set:\n{"\n".join(pod_parameters)}'
 
-    run_periodically(check_mongod_parameters, timeout=200)
+    run_periodically(check_mongod_parameters, timeout=600)
 
 
 # After picking up MongoDBSearch CR, MongoDB reconciler will add mongod parameters to each process.
@@ -257,12 +259,15 @@ def test_check_polyfilled_role_in_ac(self, mdb: MongoDB):
         assert len(custom_roles) > 0
         assert "searchCoordinator" in [role["role"] for role in custom_roles]
 
-    def test_upgrade_to_mongo_8_2(self, mdb: MongoDB):
+    def test_upgrade_to_mongo_8_2(self, mdb: MongoDB, mdbs: MongoDBSearch):
         mdb.set_version(MDB_VERSION_WITH_BUILT_IN_ROLE)
-        del mdb["metadata"]["annotations"][MDB_SEARCH_FORCE_WIREPROTO_ANNOTATION]
         mdb.update()
         mdb.assert_reaches_phase(Phase.Running, timeout=600)
 
+        del mdbs["metadata"]["annotations"][MDB_SEARCH_FORCE_WIREPROTO_ANNOTATION]
+        mdbs.update()
+        mdbs.assert_reaches_phase(Phase.Running, timeout=300)
+
     def test_check_polyfilled_role_not_in_ac(self, mdb: MongoDB):
         custom_roles = mdb.get_automation_config_tester().automation_config.get("roles", [])
         assert len(custom_roles) >= 0

From cdc55d433087a0037cffbc31d56e359395ce68d9 Mon Sep 17 00:00:00 2001
From: Yavor Georgiev <yavor.georgiev@mongodb.com>
Date: Thu, 16 Oct 2025 13:32:22 +0200
Subject: [PATCH 4/9] update unit tests for wireproto annotation

---
 .../operator/mongodbsearch_controller_test.go | 100 +++++++++++++-----
 .../mongodbsearch_reconcile_helper.go         |  14 +--
 .../mongodbsearch_reconcile_helper_test.go    |  57 ++++++++++
 3 files changed, 139 insertions(+), 32 deletions(-)

diff --git a/controllers/operator/mongodbsearch_controller_test.go b/controllers/operator/mongodbsearch_controller_test.go
index 49d99888d..3a3cfa0de 100644
--- a/controllers/operator/mongodbsearch_controller_test.go
+++ b/controllers/operator/mongodbsearch_controller_test.go
@@ -100,6 +100,19 @@ func buildExpectedMongotConfig(search *searchv1.MongoDBSearch, mdbc *mdbcv1.Mong
 	if search.Spec.LogLevel != "" {
 		logLevel = string(search.Spec.LogLevel)
 	}
+
+	var wireprotoServer *mongot.ConfigWireproto
+	if search.IsWireprotoForced() {
+		wireprotoServer = &mongot.ConfigWireproto{
+			Address: fmt.Sprintf("0.0.0.0:%d", search.GetMongotWireprotoPort()),
+			Authentication: &mongot.ConfigAuthentication{
+				Mode:    "keyfile",
+				KeyFile: searchcontroller.TempKeyfilePath,
+			},
+			TLS: &mongot.ConfigWireprotoTLS{Mode: mongot.ConfigTLSModeDisabled},
+		}
+	}
+
 	return mongot.Config{
 		SyncSource: mongot.ConfigSyncSource{
 			ReplicaSet: mongot.ConfigReplicaSet{
@@ -119,6 +132,7 @@ func buildExpectedMongotConfig(search *searchv1.MongoDBSearch, mdbc *mdbcv1.Mong
 				Address: fmt.Sprintf("0.0.0.0:%d", search.GetMongotGrpcPort()),
 				TLS:     &mongot.ConfigGrpcTLS{Mode: mongot.ConfigTLSModeDisabled},
 			},
+			Wireproto: wireprotoServer,
 		},
 		Metrics: mongot.ConfigMetrics{
 			Enabled: true,
@@ -164,35 +178,69 @@ func TestMongoDBSearchReconcile_MissingSource(t *testing.T) {
 
 func TestMongoDBSearchReconcile_Success(t *testing.T) {
 	ctx := context.Background()
-	search := newMongoDBSearch("search", mock.TestNamespace, "mdb")
-	search.Spec.LogLevel = "WARN"
-
-	mdbc := newMongoDBCommunity("mdb", mock.TestNamespace)
-	reconciler, c := newSearchReconciler(mdbc, search)
 
-	res, err := reconciler.Reconcile(
-		ctx,
-		reconcile.Request{NamespacedName: types.NamespacedName{Name: search.Name, Namespace: search.Namespace}},
-	)
-	expected, _ := workflow.OK().ReconcileResult()
-	assert.NoError(t, err)
-	assert.Equal(t, expected, res)
-
-	svc := &corev1.Service{}
-	err = c.Get(ctx, search.SearchServiceNamespacedName(), svc)
-	assert.NoError(t, err)
+	tests := []struct {
+		name          string
+		withWireproto bool
+	}{
+		{
+			name:          "grpc only (default)",
+			withWireproto: false,
+		},
+		{
+			name:          "grpc + wireproto via annotation",
+			withWireproto: true,
+		},
+	}
 
-	cm := &corev1.ConfigMap{}
-	err = c.Get(ctx, search.MongotConfigConfigMapNamespacedName(), cm)
-	assert.NoError(t, err)
-	expectedConfig := buildExpectedMongotConfig(search, mdbc)
-	configYaml, err := yaml.Marshal(expectedConfig)
-	assert.NoError(t, err)
-	assert.Equal(t, string(configYaml), cm.Data[searchcontroller.MongotConfigFilename])
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			search := newMongoDBSearch("search", mock.TestNamespace, "mdb")
+			search.Spec.LogLevel = "WARN"
+			if tc.withWireproto {
+				if search.Annotations == nil {
+					search.Annotations = map[string]string{}
+				}
+				search.Annotations[searchv1.ForceWireprotoTransportAnnotation] = "true"
+			}
 
-	sts := &appsv1.StatefulSet{}
-	err = c.Get(ctx, search.StatefulSetNamespacedName(), sts)
-	assert.NoError(t, err)
+			mdbc := newMongoDBCommunity("mdb", mock.TestNamespace)
+			reconciler, c := newSearchReconciler(mdbc, search)
+
+			res, err := reconciler.Reconcile(
+				ctx,
+				reconcile.Request{NamespacedName: types.NamespacedName{Name: search.Name, Namespace: search.Namespace}},
+			)
+			expected, _ := workflow.OK().ReconcileResult()
+			assert.NoError(t, err)
+			assert.Equal(t, expected, res)
+
+			svc := &corev1.Service{}
+			err = c.Get(ctx, search.SearchServiceNamespacedName(), svc)
+			assert.NoError(t, err)
+			servicePortNames := []string{}
+			for _, port := range svc.Spec.Ports {
+				servicePortNames = append(servicePortNames, port.Name)
+			}
+			expectedPortNames := []string{"mongot-grpc", "metrics", "healthcheck"}
+			if tc.withWireproto {
+				expectedPortNames = append(expectedPortNames, "mongot-wireproto")
+			}
+			assert.ElementsMatch(t, expectedPortNames, servicePortNames)
+
+			cm := &corev1.ConfigMap{}
+			err = c.Get(ctx, search.MongotConfigConfigMapNamespacedName(), cm)
+			assert.NoError(t, err)
+			expectedConfig := buildExpectedMongotConfig(search, mdbc)
+			configYaml, err := yaml.Marshal(expectedConfig)
+			assert.NoError(t, err)
+			assert.Equal(t, string(configYaml), cm.Data[searchcontroller.MongotConfigFilename])
+
+			sts := &appsv1.StatefulSet{}
+			err = c.Get(ctx, search.StatefulSetNamespacedName(), sts)
+			assert.NoError(t, err)
+		})
+	}
 }
 
 func checkSearchReconcileFailed(
diff --git a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go
index e3881eec2..6e311bc9b 100644
--- a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go
+++ b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go
@@ -317,12 +317,14 @@ func buildSearchHeadlessService(search *searchv1.MongoDBSearch) corev1.Service {
 		SetPublishNotReadyAddresses(true).
 		SetOwnerReferences(search.GetOwnerReferences())
 
-	serviceBuilder.AddPort(&corev1.ServicePort{
-		Name:       "mongot-wireproto",
-		Protocol:   corev1.ProtocolTCP,
-		Port:       search.GetMongotWireprotoPort(),
-		TargetPort: intstr.FromInt32(search.GetMongotWireprotoPort()),
-	})
+	if search.IsWireprotoForced() {
+		serviceBuilder.AddPort(&corev1.ServicePort{
+			Name:       "mongot-wireproto",
+			Protocol:   corev1.ProtocolTCP,
+			Port:       search.GetMongotWireprotoPort(),
+			TargetPort: intstr.FromInt32(search.GetMongotWireprotoPort()),
+		})
+	}
 
 	serviceBuilder.AddPort(&corev1.ServicePort{
 		Name:       "mongot-grpc",
diff --git a/controllers/searchcontroller/mongodbsearch_reconcile_helper_test.go b/controllers/searchcontroller/mongodbsearch_reconcile_helper_test.go
index dec84f2ad..c54675fa3 100644
--- a/controllers/searchcontroller/mongodbsearch_reconcile_helper_test.go
+++ b/controllers/searchcontroller/mongodbsearch_reconcile_helper_test.go
@@ -1,6 +1,8 @@
 package searchcontroller
 
 import (
+	"fmt"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -146,3 +148,58 @@ func TestNeedsSearchCoordinatorRolePolyfill(t *testing.T) {
 		})
 	}
 }
+
+func TestGetMongodConfigParameters_TransportAndPorts(t *testing.T) {
+	cases := []struct {
+		name            string
+		withWireproto   bool
+		expectedUseGrpc bool
+	}{
+		{
+			name:            "grpc only (default)",
+			withWireproto:   false,
+			expectedUseGrpc: true,
+		},
+		{
+			name:            "grpc + wireproto via annotation",
+			withWireproto:   true,
+			expectedUseGrpc: false,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			search := &searchv1.MongoDBSearch{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-mongodb-search",
+					Namespace: "test",
+				},
+			}
+			if tc.withWireproto {
+				search.Annotations = map[string]string{searchv1.ForceWireprotoTransportAnnotation: "true"}
+			}
+
+			clusterDomain := "cluster.local"
+			params := GetMongodConfigParameters(search, clusterDomain)
+
+			setParams := params["setParameter"].(map[string]any)
+
+			useGrpc := setParams["useGrpcForSearch"].(bool)
+			assert.Equal(t, tc.expectedUseGrpc, useGrpc)
+
+			expectedPort := search.GetMongotGrpcPort()
+			if tc.withWireproto {
+				expectedPort = search.GetMongotWireprotoPort()
+			}
+			expectedPrefix := fmt.Sprintf("%s.%s.svc.%s", search.Name+"-search-svc", search.Namespace, clusterDomain)
+			expectedSuffix := fmt.Sprintf(":%d", expectedPort)
+
+			for _, key := range []string{"mongotHost", "searchIndexManagementHostAndPort"} {
+				value := setParams[key].(string)
+				if !strings.HasPrefix(value, expectedPrefix) || !strings.HasSuffix(value, expectedSuffix) {
+					t.Fatalf("%s mismatch: expected prefix %q and suffix %q, got %q", key, expectedPrefix, expectedSuffix, value)
+				}
+			}
+		})
+	}
+}

From 83e9b336a29e5c70b976466b303b8fd17ff5e686 Mon Sep 17 00:00:00 2001
From: Yavor Georgiev <yavor.georgiev@mongodb.com>
Date: Thu, 16 Oct 2025 13:38:14 +0200
Subject: [PATCH 5/9] bump version of mongod in external snippets

---
 .../code_snippets/04_0310_create_mongodb_community_resource.sh  | 2 +-
 docs/search/04-search-external-mongod/env_variables.sh          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh b/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
index 7e67f0f3b..17ecf53d3 100644
--- a/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
+++ b/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
@@ -57,7 +57,7 @@ spec:
               - "bypassDefaultMaxTimeMS"
   additionalMongodConfig:
     setParameter:
-      mongotHost: ${MDB_SEARCH_HOSTNAME}:27029
+      mongotHost: ${MDB_SEARCH_HOSTNAME}:27028
       searchIndexManagementHostAndPort: ${MDB_SEARCH_HOSTNAME}:27028
       skipAuthenticationToSearchIndexManagementServer: false
       searchTLSMode: disabled
diff --git a/docs/search/04-search-external-mongod/env_variables.sh b/docs/search/04-search-external-mongod/env_variables.sh
index 83cf2e257..9dfb8ecfa 100644
--- a/docs/search/04-search-external-mongod/env_variables.sh
+++ b/docs/search/04-search-external-mongod/env_variables.sh
@@ -2,7 +2,7 @@ export K8S_CTX="<your kubernetes context here>"
 
 export MDB_NS="mongodb"
 
-export MDB_VERSION="8.0.10"
+export MDB_VERSION="8.2.0"
 
 export MDB_ADMIN_USER_PASSWORD="admin-user-password-CHANGE-ME"
 export MDB_USER_PASSWORD="mdb-user-password-CHANGE-ME"

From 14bedcf6fc318d5923b0b5b840381fe8f453ab9e Mon Sep 17 00:00:00 2001
From: Yavor Georgiev <yavor.georgiev@mongodb.com>
Date: Thu, 16 Oct 2025 13:41:49 +0200
Subject: [PATCH 6/9] try fix external tests take 2

---
 .../tests/search/search_enterprise_tls.py      | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py b/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py
index d628fe098..33ffedc36 100644
--- a/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py
+++ b/docker/mongodb-kubernetes-tests/tests/search/search_enterprise_tls.py
@@ -189,6 +189,15 @@ def test_create_search_resource(mdbs: MongoDBSearch):
     mdbs.assert_reaches_phase(Phase.Running, timeout=300)
 
 
+# After picking up MongoDBSearch CR, MongoDB reconciler will add mongod parameters to each process.
+# Due to how MongoDB reconciler works (blocking on waiting for agents and not changing the status to pending)
+# the phase won't be updated to Pending and we need to wait by checking agents' status directly in OM.
+@mark.e2e_search_enterprise_tls
+def test_wait_for_agents_ready(mdb: MongoDB):
+    mdb.get_om_tester().wait_agents_ready()
+    mdb.assert_reaches_phase(Phase.Running, timeout=300)
+
+
 @mark.e2e_search_enterprise_tls
 def test_wait_for_mongod_parameters(mdb: MongoDB):
     # After search CR is deployed, MongoDB controller will pick it up
@@ -214,15 +223,6 @@ def check_mongod_parameters():
     run_periodically(check_mongod_parameters, timeout=600)
 
 
-# After picking up MongoDBSearch CR, MongoDB reconciler will add mongod parameters to each process.
-# Due to how MongoDB reconciler works (blocking on waiting for agents and not changing the status to pending)
-# the phase won't be updated to Pending and we need to wait by checking agents' status directly in OM.
-@mark.e2e_search_enterprise_tls
-def test_wait_for_agents_ready(mdb: MongoDB):
-    mdb.get_om_tester().wait_agents_ready()
-    mdb.assert_reaches_phase(Phase.Running, timeout=300)
-
-
 @mark.e2e_search_enterprise_tls
 def test_search_restore_sample_database(mdb: MongoDB):
     get_admin_sample_movies_helper(mdb).restore_sample_database()

From 8dc3d81a66d7c2fa68f45995c6bc3da346e842d3 Mon Sep 17 00:00:00 2001
From: Yavor Georgiev <yavor.georgiev@mongodb.com>
Date: Thu, 16 Oct 2025 14:22:47 +0200
Subject: [PATCH 7/9] cheat linter

---
 controllers/operator/mongodbsearch_controller_test.go | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/controllers/operator/mongodbsearch_controller_test.go b/controllers/operator/mongodbsearch_controller_test.go
index 3a3cfa0de..7c2cd81d6 100644
--- a/controllers/operator/mongodbsearch_controller_test.go
+++ b/controllers/operator/mongodbsearch_controller_test.go
@@ -3,6 +3,7 @@ package operator
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"testing"
 
 	"github.com/ghodss/yaml"
@@ -197,11 +198,8 @@ func TestMongoDBSearchReconcile_Success(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			search := newMongoDBSearch("search", mock.TestNamespace, "mdb")
 			search.Spec.LogLevel = "WARN"
-			if tc.withWireproto {
-				if search.Annotations == nil {
-					search.Annotations = map[string]string{}
-				}
-				search.Annotations[searchv1.ForceWireprotoTransportAnnotation] = "true"
+			search.Annotations = map[string]string{
+				searchv1.ForceWireprotoTransportAnnotation: strconv.FormatBool(tc.withWireproto),
 			}
 
 			mdbc := newMongoDBCommunity("mdb", mock.TestNamespace)

From f4a1a34fa3c24b59953b3bc003d42c90d22f47ce Mon Sep 17 00:00:00 2001
From: Yavor Georgiev <yavor.georgiev@mongodb.com>
Date: Thu, 16 Oct 2025 14:23:23 +0200
Subject: [PATCH 8/9] remove searchCoordinator polyfill from external snippets

---
 ..._0310_create_mongodb_community_resource.sh | 43 -------------------
 1 file changed, 43 deletions(-)

diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh b/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
index 17ecf53d3..6c828b424 100644
--- a/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
+++ b/docs/search/04-search-external-mongod/code_snippets/04_0310_create_mongodb_community_resource.sh
@@ -12,49 +12,6 @@ spec:
       ignoreUnknownUsers: true
       modes:
         - SCRAM
-    roles:
-      - role: searchCoordinator
-        db: admin
-        roles:
-          - name: clusterMonitor
-            db: admin
-          - name: directShardOperations
-            db: admin
-          - name: readAnyDatabase
-            db: admin
-        privileges:
-          - resource:
-              db: "__mdb_internal_search"
-              collection: ""
-            actions:
-              - "changeStream"
-              - "collStats"
-              - "dbHash"
-              - "dbStats"
-              - "find"
-              - "killCursors"
-              - "listCollections"
-              - "listIndexes"
-              - "listSearchIndexes"
-              - "planCacheRead"
-              - "cleanupStructuredEncryptionData"
-              - "compactStructuredEncryptionData"
-              - "convertToCapped"
-              - "createCollection"
-              - "createIndex"
-              - "createSearchIndexes"
-              - "dropCollection"
-              - "dropIndex"
-              - "dropSearchIndex"
-              - "insert"
-              - "remove"
-              - "renameCollectionSameDB"
-              - "update"
-              - "updateSearchIndex"
-          - resource:
-              cluster: true
-            actions:
-              - "bypassDefaultMaxTimeMS"
   additionalMongodConfig:
     setParameter:
       mongotHost: ${MDB_SEARCH_HOSTNAME}:27028

From 75c83de2f7d0163df08fbc71f35f0df9046dc820 Mon Sep 17 00:00:00 2001
From: Yavor Georgiev <yavor.georgiev@mongodb.com>
Date: Mon, 20 Oct 2025 11:33:13 +0200
Subject: [PATCH 9/9] update the port in external snippets

---
 .../04_0322_create_search_loadbalancer_service.sh             | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/search/04-search-external-mongod/code_snippets/04_0322_create_search_loadbalancer_service.sh b/docs/search/04-search-external-mongod/code_snippets/04_0322_create_search_loadbalancer_service.sh
index 26167b64e..dfdeb5ec9 100644
--- a/docs/search/04-search-external-mongod/code_snippets/04_0322_create_search_loadbalancer_service.sh
+++ b/docs/search/04-search-external-mongod/code_snippets/04_0322_create_search_loadbalancer_service.sh
@@ -9,8 +9,8 @@ spec:
     app: mdbs-search-svc
   ports:
     - name: mongot
-      port: 27027
-      targetPort: 27027
+      port: 27028
+      targetPort: 27028
 YAML
 
 echo "Waiting for external IP to be assigned to service ${MDB_SEARCH_SERVICE_NAME}..."