charts/bitnami/mongodb/templates/common-scripts-cm.yaml
Douglas Thomson 5c2b7b9a6f [bitnami/mongodb] Adding tls.pemChainIncluded value to support wider range of TLS certificates (#16731)
* Adding the option tls.pemChainIncluded to values. When enabled, this allows secrets that contain certificates to need only the tls.key and tls.crt attributes. The assumption is that the tls.crt attribute contains a certificate chain. The generate-tls-certs initialization container will then split the certificate chain, using the first certificate as the leaf node in combination with tls.key for the /certs/mongodb.pem file. The remaining certificates in the chain will be placed in the /certs/mongodb-ca-cert file as the intermediate nodes.

This supports the usage of cert-manager.io, as there are cases where the secret returned by this controller does not include the ca.crt file.

Signed-off-by: Douglas Thomson <djt210@gmail.com>

* Removing a duplicate line in the generate-certs.sh script.
Returning original indentation and removing changes out of scope.

Signed-off-by: Douglas Thomson <djt210@gmail.com>

---------

Signed-off-by: Douglas Thomson <djt210@gmail.com>
Signed-off-by: David Gomez <dgomezleon@vmware.com>
Co-authored-by: David Gomez <dgomezleon@vmware.com>
2023-05-22 08:56:43 +00:00


apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
namespace: {{ include "mongodb.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: mongodb
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- $fullname := include "mongodb.fullname" . }}
startup-probe.sh: |
#!/bin/bash
{{- if .Values.tls.enabled }}
TLS_OPTIONS='--tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert'
{{- end }}
mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval 'db.hello().isWritablePrimary || db.hello().secondary' | grep 'true'
readiness-probe.sh: |
#!/bin/bash
{{- if .Values.tls.enabled }}
TLS_OPTIONS='--tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert'
{{- end }}
# Run the proper check depending on the version
[[ $(mongod -version | grep "db version") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]] && VERSION=${BASH_REMATCH[1]}
. /opt/bitnami/scripts/libversion.sh
VERSION_MAJOR="$(get_sematic_version "$VERSION" 1)"
VERSION_MINOR="$(get_sematic_version "$VERSION" 2)"
VERSION_PATCH="$(get_sematic_version "$VERSION" 3)"
if [[ ( "$VERSION_MAJOR" -ge 5 ) || ( "$VERSION_MAJOR" -ge 4 && "$VERSION_MINOR" -ge 4 && "$VERSION_PATCH" -ge 2 ) ]]; then
mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval 'db.hello().isWritablePrimary || db.hello().secondary' | grep 'true'
else
mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval 'db.isMaster().ismaster || db.isMaster().secondary' | grep 'true'
fi
ping-mongodb.sh: |
#!/bin/bash
{{- if .Values.tls.enabled }}
TLS_OPTIONS='--tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert'
{{- end }}
mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "db.adminCommand('ping')"
{{- if .Values.tls.enabled }}
generate-certs.sh: |
#!/bin/bash
{{- if (include "mongodb.autoGenerateCerts" .) }}
additional_ips=()
additional_names=()
while getopts "i:n:s:" flag
do
case "${flag}" in
i) read -a additional_ips <<< ${OPTARG//,/ } ;;
n) read -a additional_names <<< ${OPTARG//,/ } ;;
s) svc=${OPTARG// /} ;;
\?) exit 1 ;;
esac
done
my_hostname=$(hostname)
cp /certs/CAs/* /certs/
cat >/certs/openssl.cnf <<EOL
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $svc
DNS.2 = $my_hostname
{{- if eq .Values.architecture "replicaset" }}
DNS.3 = $my_hostname.$svc.$MY_POD_NAMESPACE.svc.{{ .Values.clusterDomain }}
{{- else }}
DNS.3 = $svc.$MY_POD_NAMESPACE.svc.{{ .Values.clusterDomain }}
{{- end }}
DNS.4 = localhost
IP.0 = ${MY_POD_HOST_IP}
IP.1 = 127.0.0.1
EOL
index=2
for ip in "${additional_ips[@]}"; do
cat >>/certs/openssl.cnf <<EOL
IP.$index = $ip
EOL
((index++))
done;
index=5
for name in "${additional_names[@]}"; do
cat >>/certs/openssl.cnf <<EOL
DNS.$index = $(eval echo "${name}")
EOL
((index++))
done;
export RANDFILE=/certs/.rnd && openssl genrsa -out /certs/mongo.key 2048
#Create the client/server cert
openssl req -new -key /certs/mongo.key -out /certs/mongo.csr -subj "/C=US/O=My Organisations/OU=IT/CN=$my_hostname" -config /certs/openssl.cnf
#Signing the server cert with the CA cert and key
openssl x509 -req -in /certs/mongo.csr -CA /certs/mongodb-ca-cert -CAkey /certs/mongodb-ca-key -CAcreateserial -out /certs/mongo.crt -days 3650 -extensions v3_req -extfile /certs/openssl.cnf
rm /certs/mongo.csr
#Concatenate to a pem file for use as the client PEM file which can be used for both member and client authentication.
cat /certs/mongo.crt /certs/mongo.key > /certs/mongodb.pem
cd /certs/
shopt -s extglob
rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf)
chmod 0600 mongodb-ca-cert mongodb.pem
{{- else }}
{{- if eq .Values.architecture "standalone" }}
ID="0"
{{- else }}
if [[ "$MY_POD_NAME" =~ "arbiter-0"$ ]]; then
ID="0"
elif [[ "$MY_POD_NAME" =~ "hidden-"[0-9]{1,}$ ]]; then
ID="${MY_POD_NAME#"{{ printf "%s-hidden-" $fullname }}"}"
else
ID="${MY_POD_NAME#"{{ $fullname }}-"}"
fi
{{- end }}
{{- if .Values.tls.pemChainIncluded }}
#Split the pem chain by the END CERTIFICATE string and store in files /certs/xx00, /certs/xx01 etc.
cat /certs-${ID}/tls.crt | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f /certs/xx
#Use first certificate as leaf node and combine with key to store in pem file
cat "/certs/xx00" "/certs-${ID}/tls.key" > "/certs/mongodb.pem"
#Use remaining intermediate certificates for ca.crt
echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat > "/certs/mongodb-ca-cert"
rm -rf /certs/xx*
{{- else }}
cat "/certs-${ID}/tls.crt" "/certs-${ID}/tls.key" > "/certs/mongodb.pem"
cp "/certs-${ID}/ca.crt" "/certs/mongodb-ca-cert"
{{- end }}
chmod 0600 /certs/mongodb-ca-cert /certs/mongodb.pem
{{- end }}
{{- end }}
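Review bot: The intermediate-certificate assembly in the pemChainIncluded branch, `echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat`, does not actually sort anything: the command substitution joins find's output onto a single line, so `sort` sees one line and the chunks reach `cat` in directory-listing order rather than xx01, xx02, … order. Piping find straight into sort, `find /certs/ -maxdepth 1 -name 'xx*' ! -name 'xx00' | sort | xargs cat > "/certs/mongodb-ca-cert"`, preserves the order csplit produced. When tls.crt holds only a leaf certificate this pipeline writes an empty mongodb-ca-cert and the script still exits 0, so the init container reports success and the problem only surfaces later as a TLS handshake failure in mongod; a guard before the `rm -rf /certs/xx*` line, `[[ -s /certs/mongodb-ca-cert ]] || { echo "tls.crt contains no CA chain" >&2; exit 1; }`, would make it fail at startup instead. The description says the remaining certificates are the intermediaries; if the secret's chain does not end in the root, peer verification against mongodb-ca-cert may fail depending on whether the verifier accepts partial chains, which is worth a comment on the tls.pemChainIncluded value stating what the chain is expected to contain.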