[bitnami/mongodb] Adding tls.pemChainIncluded value to support wider range of TLS certificates (#16731)

* Adding the option tls.pemChainIncluded to values. When enabled this will allow secrets which contain certificates to only need the tls.key and tls.crt attributes. The assumption is that the tls.crt attribute contains a certificate chain. The generate-tls-certs initialization container will then split the certificate chain, using the first certificate as the leaf node and use it in combination with tls.key for the /certs/mongodb.pem file. The remaining certificates in the chain will be placed in the /certs/mongodb-ca-cert file as the intermediate nodes.

This supports the usage of cert-manager.io as there are cases where the secret returned by this controller do not include the ca.crt file.

Signed-off-by: Douglas Thomson <djt210@gmail.com>

* Removing a duplicate line in the generate-certs.sh script.
Returning original indentation and removing changes out of scope.

Signed-off-by: Douglas Thomson <djt210@gmail.com>

---------

Signed-off-by: Douglas Thomson <djt210@gmail.com>
Signed-off-by: David Gomez <dgomezleon@vmware.com>
Co-authored-by: David Gomez <dgomezleon@vmware.com>
This commit is contained in:
Douglas Thomson
2023-05-22 09:56:43 +01:00
committed by GitHub
parent 1b10ed0cc4
commit 5c2b7b9a6f
4 changed files with 29 additions and 9 deletions


@@ -25,4 +25,4 @@ maintainers:
name: mongodb
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/mongodb
version: 13.13.1
version: 13.14.0


@@ -118,10 +118,11 @@ Refer to the [chart documentation for more information on each of these architec
| `tls.existingSecret` | Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`) | `""` |
| `tls.caCert` | Custom CA certificated (base64 encoded) | `""` |
| `tls.caKey` | CA certificate private key (base64 encoded) | `""` |
| `tls.standalone.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). | `""` |
| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). | `[]` |
| `tls.hidden.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). | `[]` |
| `tls.arbiter.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). | `""` |
| `tls.pemChainIncluded` | Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. | `false` |
| `tls.standalone.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` |
| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` |
| `tls.hidden.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` |
| `tls.arbiter.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` |
| `tls.image.registry` | Init container TLS certs setup image registry | `docker.io` |
| `tls.image.repository` | Init container TLS certs setup image repository | `bitnami/nginx` |
| `tls.image.tag` | Init container TLS certs setup image tag (immutable tags are recommended) | `1.23.4-debian-11-r19` |


@@ -119,8 +119,23 @@ data:
ID="${MY_POD_NAME#"{{ $fullname }}-"}"
fi
{{- end }}
{{- if .Values.tls.pemChainIncluded }}
#Split the pem chain by the END CERTIFICATE string and store in files /certs/xx00, /certs/xx01 etc.
cat /certs-${ID}/tls.crt | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f /certs/xx
#Use first certificate as leaf node and combine with key to store in pem file
cat "/certs/xx00" "/certs-${ID}/tls.key" > "/certs/mongodb.pem"
#Use remaining intermediate certificates for ca.crt
echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat > "/certs/mongodb-ca-cert"
rm -rf /certs/xx*
{{- else }}
cat "/certs-${ID}/tls.crt" "/certs-${ID}/tls.key" > "/certs/mongodb.pem"
cp "/certs-${ID}/ca.crt" "/certs/mongodb-ca-cert"
{{- end }}
chmod 0600 /certs/mongodb-ca-cert /certs/mongodb.pem
{{- end }}
{{- end }}
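Review bot: The intermediate-certificate assembly on the `echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat` line does not actually sort anything: the command substitution inside `echo` joins every path onto a single line, so `sort` sees one line and the order in which the pieces are written to `/certs/mongodb-ca-cert` is whatever order `find` enumerates the directory in, which for a chain with more than one intermediate need not be the leaf-to-root order the values.yaml comment promises. When `tls.crt` holds only the leaf, `find` prints nothing and GNU `xargs cat` still runs `cat` with no arguments, so the CA file is silently written from stdin (empty) rather than the init container failing. Suggested replacement: `find /certs/ -name 'xx*' -not -name 'xx00' | sort | xargs -r cat > "/certs/mongodb-ca-cert"` followed by `[ -s /certs/mongodb-ca-cert ] || { echo "tls.crt contains no CA chain after the leaf certificate" >&2; exit 1; }`. Note also that with this flag whatever follows the leaf in `tls.crt` becomes the contents of `mongodb-ca-cert`; if that file is later used as the trust store for verifying peers (not visible in this hunk), the secret's chain is now the trust anchor, which is worth a sentence in the `tls.pemChainIncluded` description. The init script begins before this hunk and the enclosing template continues past it.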


@@ -199,13 +199,17 @@ tls:
##
caCert: ""
caKey: ""
## @param tls.pemChainIncluded Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert.
## Certificates must be in proper order, where the top certificate is the leaf and the bottom certificate is the top-most intermediate CA.
##
pemChainIncluded: false
standalone:
## @param tls.standalone.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).
## @param tls.standalone.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.
## NOTE: When it's set it will disable certificate self-generation from existing CA.
##
existingSecret: ""
replicaset:
## @param tls.replicaset.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).
## @param tls.replicaset.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.
## existingSecrets:
## - "mySecret-0"
## - "mySecret-1"
@@ -213,7 +217,7 @@ tls:
##
existingSecrets: []
hidden:
## @param tls.hidden.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).
## @param tls.hidden.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.
## existingSecrets:
## - "mySecret-0"
## - "mySecret-1"
@@ -221,7 +225,7 @@ tls:
##
existingSecrets: []
arbiter:
## @param tls.arbiter.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).
## @param tls.arbiter.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.
## NOTE: When it's set it will disable certificate self-generation from existing CA.
##
existingSecret: ""