path: root/kubernetes/common/mongodb/templates/common-scripts-cm.yaml
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- /* ConfigMap of helper shell scripts: startup/readiness/ping probes and, when TLS is enabled, certificate setup. */}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
  namespace: {{ include "mongodb.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: mongodb
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
  {{- end }}
{{- /* Each data key is one bash script. $fullname is captured once here because generate-certs.sh embeds the release name when it derives the pod ID from MY_POD_NAME. */}}
data:
  {{- $fullname := include "mongodb.fullname" . }}
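  startup-probe.sh: |
    #!/bin/bash
    {{- if .Values.tls.enabled }}
    # Probes connect over localhost/127.0.0.1, so the certificate hostname cannot match; hostname
    # validation is skipped while the CA file is still supplied for chain validation.
    # The flags are space-separated: the readiness and ping scripts use the same option string.
    TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames'
    {{- end }}
    # TLS_OPTIONS is intentionally unquoted so it word-splits into separate arguments (and expands
    # to nothing when TLS is disabled and the variable was never set).
    # db.hello() is used unconditionally here; readiness-probe.sh guards the same call with a server
    # version check, so this probe assumes a server new enough to provide db.hello().
    exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval 'if (!(db.hello().isWritablePrimary || db.hello().secondary)) { throw new Error("Not ready") }'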
  readiness-probe.sh: |
    #!/bin/bash
    {{- if .Values.tls.enabled }}
    # Probes connect over localhost/127.0.0.1, so the certificate hostname cannot match; hostname
    # validation is skipped while the CA file is still supplied for chain validation.
    TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames'
    {{- end }}
    # Detect the server version from the mongod banner; VERSION stays unset if no x.y.z is found,
    # in which case the numeric comparisons below treat the parts as 0 and the isMaster() form is used.
    if [[ $(mongod -version | grep "db version") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]]; then
        VERSION="${BASH_REMATCH[1]}"
    fi
    . /opt/bitnami/scripts/libversion.sh
    major="$(get_sematic_version "$VERSION" 1)"
    minor="$(get_sematic_version "$VERSION" 2)"
    patch="$(get_sematic_version "$VERSION" 3)"
    # Default to the legacy isMaster() check; switch to db.hello() for >= 5.x or >= 4.4.2.
    check_expr='db.isMaster().ismaster || db.isMaster().secondary'
    if [[ "$major" -ge 5 ]] || [[ "$major" -ge 4 && "$minor" -ge 4 && "$patch" -ge 2 ]]; then
        check_expr='db.hello().isWritablePrimary || db.hello().secondary'
    fi
    # TLS_OPTIONS is intentionally unquoted so it word-splits into separate arguments.
    exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "if (!(${check_expr})) { throw new Error(\"Not ready\") }"
  ping-mongodb.sh: |
    #!/bin/bash
    {{- if .Values.tls.enabled }}
    # Probes connect over localhost/127.0.0.1, so the certificate hostname cannot match; hostname
    # validation is skipped while the CA file is still supplied for chain validation.
    TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames'
    {{- end }}
    # Connectivity check only: the server just has to answer an admin ping. Replica-set role is not
    # inspected here (contrast readiness-probe.sh). TLS_OPTIONS stays unquoted on purpose so it
    # word-splits into separate arguments.
    exec mongosh ${TLS_OPTIONS} --port ${MONGODB_PORT_NUMBER} --eval "db.adminCommand('ping')"
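  {{- if .Values.tls.enabled }}
  generate-certs.sh: |
    #!/bin/bash
    {{- if (include "mongodb.autoGenerateCerts" .) }}
    # Auto-generated certificates: build a per-pod server/client certificate signed by the chart CA
    # shipped in /certs/CAs.
    # Options: -i <ip,...> extra SAN IPs, -n <name,...> extra SAN DNS names, -s <svc> service name used in the SANs.
    additional_ips=()
    additional_names=()
    while getopts "i:n:s:" flag
    do
        case "${flag}" in
            i) read -a additional_ips <<< "${OPTARG//,/ }" ;;
            n) read -a additional_names <<< "${OPTARG//,/ }" ;;
            s) svc="${OPTARG// /}" ;;
            \?) exit 1 ;;
        esac
    done

    my_hostname=$(hostname)
    # Copies the CA certificate and the CA key into /certs; the key copy is removed again at the end.
    cp /certs/CAs/* /certs/
    # OpenSSL request config listing every name this pod is reached under.
    cat >/certs/openssl.cnf <<EOL
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = $svc
    DNS.2 = $my_hostname
    {{- if eq .Values.architecture "replicaset" }}
    DNS.3 = $my_hostname.$svc.$MY_POD_NAMESPACE.svc.{{ .Values.clusterDomain }}
    {{- else }}
    DNS.3 = $svc.$MY_POD_NAMESPACE.svc.{{ .Values.clusterDomain }}
    {{- end }}
    DNS.4 = localhost
    IP.0 = ${MY_POD_HOST_IP}
    IP.1 = 127.0.0.1
    EOL
    # Extra SAN IPs continue the IP.N numbering after IP.1.
    index=2
    for ip in "${additional_ips[@]}"; do
        cat >>/certs/openssl.cnf <<EOL
    IP.$index = $ip
    EOL
        ((index++))
    done
    # Extra SAN names continue the DNS.N numbering after DNS.4.
    index=5
    for name in "${additional_names[@]}"; do
        # NOTE(review): eval expands any shell syntax (e.g. variable references) inside each -n value,
        # so these values must only ever come from the chart's own values, never from an untrusted source.
        cat >>/certs/openssl.cnf <<EOL
    DNS.$index = $(eval echo "${name}")
    EOL
        ((index++))
    done

    export RANDFILE=/certs/.rnd && openssl genrsa -out /certs/mongo.key 2048
    # Create the client/server CSR; the CN is the pod hostname, the SANs come from openssl.cnf.
    openssl req -new -key /certs/mongo.key -out /certs/mongo.csr -subj "/C=US/O=My Organisations/OU=IT/CN=$my_hostname" -config /certs/openssl.cnf
    # Sign the CSR with the chart CA certificate and key (validity is fixed at 3650 days).
    openssl x509 -req -in /certs/mongo.csr -CA /certs/mongodb-ca-cert -CAkey /certs/mongodb-ca-key -CAcreateserial -out /certs/mongo.crt -days 3650 -extensions v3_req -extfile /certs/openssl.cnf
    rm /certs/mongo.csr
    # Concatenate cert and key into the PEM file used for both member and client authentication.
    cat /certs/mongo.crt /certs/mongo.key > /certs/mongodb.pem
    # Keep only what MongoDB needs (this also drops the CA key copy and the loose mongo.key/mongo.crt).
    # Abort if the cd fails so the extglob removal below can never run in the wrong directory.
    cd /certs/ || exit 1
    shopt -s extglob
    rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf)
    chmod 0600 mongodb-ca-cert mongodb.pem
    {{- else }}
    # Pre-provisioned certificates: ID selects the /certs-<ID> volume that belongs to this pod.
    {{- if eq .Values.architecture "standalone" }}
    ID="0"
    {{- else }}
    # arbiter-0 -> 0, <fullname>-hidden-N -> N, otherwise the suffix after "<fullname>-".
    if [[ "$MY_POD_NAME" =~ "arbiter-0"$ ]]; then
      ID="0"
    elif [[ "$MY_POD_NAME" =~ "hidden-"[0-9]{1,}$ ]]; then
      ID="${MY_POD_NAME#"{{ printf "%s-hidden-" $fullname }}"}"
    else
      ID="${MY_POD_NAME#"{{ $fullname }}-"}"
    fi
    {{- end }}

    {{- if .Values.tls.pemChainIncluded }}
    # Split the PEM chain after each END CERTIFICATE line into /certs/xx00, /certs/xx01, ...
    csplit -s -z -f /certs/xx "/certs-${ID}/tls.crt" '/\-*END CERTIFICATE\-*/+1' '{*}'

    # The first certificate is the leaf: combine it with the key into the PEM file.
    cat "/certs/xx00" "/certs-${ID}/tls.key" > "/certs/mongodb.pem"

    # The remaining certificates form the CA bundle in chain order. sort needs one path per line;
    # echoing the find output onto a single line made it a no-op and left the order to the filesystem.
    find /certs/ -not -name 'xx00' -name 'xx*' | sort | xargs cat > "/certs/mongodb-ca-cert"

    rm -rf /certs/xx*
    {{- else }}
    cat "/certs-${ID}/tls.crt" "/certs-${ID}/tls.key" > "/certs/mongodb.pem"
    cp "/certs-${ID}/ca.crt" "/certs/mongodb-ca-cert"
    {{- end }}

    chmod 0600 /certs/mongodb-ca-cert /certs/mongodb.pem
    {{- end }}
  {{- end }}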