| Andreas Geissler | cde4a78 | 2024-02-28 16:08:06 +0100 | [diff] [blame] | 1 | {{- /* |
| 2 | Copyright VMware, Inc. |
| 3 | SPDX-License-Identifier: APACHE-2.0 |
| 4 | */}} |
| 5 | |
| 6 | apiVersion: v1 |
| 7 | kind: ConfigMap |
| 8 | metadata: |
| 9 | name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} |
| 10 | namespace: {{ include "mongodb.namespace" . | quote }} |
| 11 | labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} |
| 12 | app.kubernetes.io/component: mongodb |
| 13 | {{- if .Values.commonAnnotations }} |
| 14 | annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} |
| 15 | {{- end }} |
| 16 | data: |
| 17 | {{- $fullname := include "mongodb.fullname" . }} |
| 18 | startup-probe.sh: | |
| 19 | #!/bin/bash |
| 20 | {{- if .Values.tls.enabled }} |
| 21 | # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. |
| 22 | TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert--tlsAllowInvalidHostnames' |
| 23 | {{- end }} |
| 24 | exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval 'if (!(db.hello().isWritablePrimary || db.hello().secondary)) { throw new Error("Not ready") }' |
| 25 | readiness-probe.sh: | |
| 26 | #!/bin/bash |
| 27 | {{- if .Values.tls.enabled }} |
| 28 | # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. |
| 29 | TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' |
| 30 | {{- end }} |
| 31 | # Run the proper check depending on the version |
| 32 | [[ $(mongod -version | grep "db version") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]] && VERSION=${BASH_REMATCH[1]} |
| 33 | . /opt/bitnami/scripts/libversion.sh |
| 34 | VERSION_MAJOR="$(get_sematic_version "$VERSION" 1)" |
| 35 | VERSION_MINOR="$(get_sematic_version "$VERSION" 2)" |
| 36 | VERSION_PATCH="$(get_sematic_version "$VERSION" 3)" |
| 37 | readiness_test='db.isMaster().ismaster || db.isMaster().secondary' |
| 38 | if [[ ( "$VERSION_MAJOR" -ge 5 ) || ( "$VERSION_MAJOR" -ge 4 && "$VERSION_MINOR" -ge 4 && "$VERSION_PATCH" -ge 2 ) ]]; then |
| 39 | readiness_test='db.hello().isWritablePrimary || db.hello().secondary' |
| 40 | fi |
| 41 | exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "if (!(${readiness_test})) { throw new Error(\"Not ready\") }" |
| 42 | ping-mongodb.sh: | |
| 43 | #!/bin/bash |
| 44 | {{- if .Values.tls.enabled }} |
| 45 | # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. |
| 46 | TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' |
| 47 | {{- end }} |
| 48 | exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "db.adminCommand('ping')" |
| 49 | {{- if .Values.tls.enabled }} |
| 50 | generate-certs.sh: | |
| 51 | #!/bin/bash |
| 52 | {{- if (include "mongodb.autoGenerateCerts" .) }} |
| 53 | additional_ips=() |
| 54 | additional_names=() |
| 55 | while getopts "i:n:s:" flag |
| 56 | do |
| 57 | case "${flag}" in |
| 58 | i) read -a additional_ips <<< ${OPTARG//,/ } ;; |
| 59 | n) read -a additional_names <<< ${OPTARG//,/ } ;; |
| 60 | s) svc=${OPTARG// /} ;; |
| 61 | \?) exit 1 ;; |
| 62 | esac |
| 63 | done |
| 64 | |
| 65 | my_hostname=$(hostname) |
| 66 | cp /certs/CAs/* /certs/ |
| 67 | cat >/certs/openssl.cnf <<EOL |
| 68 | [req] |
| 69 | req_extensions = v3_req |
| 70 | distinguished_name = req_distinguished_name |
| 71 | [req_distinguished_name] |
| 72 | [ v3_req ] |
| 73 | basicConstraints = CA:FALSE |
| 74 | keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
| 75 | subjectAltName = @alt_names |
| 76 | [alt_names] |
| 77 | DNS.1 = $svc |
| 78 | DNS.2 = $my_hostname |
| 79 | {{- if eq .Values.architecture "replicaset" }} |
| 80 | DNS.3 = $my_hostname.$svc.$MY_POD_NAMESPACE.svc.{{ .Values.clusterDomain }} |
| 81 | {{- else }} |
| 82 | DNS.3 = $svc.$MY_POD_NAMESPACE.svc.{{ .Values.clusterDomain }} |
| 83 | {{- end }} |
| 84 | DNS.4 = localhost |
| 85 | IP.0 = ${MY_POD_HOST_IP} |
| 86 | IP.1 = 127.0.0.1 |
| 87 | EOL |
| 88 | index=2 |
| 89 | for ip in "${additional_ips[@]}"; do |
| 90 | cat >>/certs/openssl.cnf <<EOL |
| 91 | IP.$index = $ip |
| 92 | EOL |
| 93 | ((index++)) |
| 94 | done; |
| 95 | index=5 |
| 96 | for name in "${additional_names[@]}"; do |
| 97 | cat >>/certs/openssl.cnf <<EOL |
| 98 | DNS.$index = $(eval echo "${name}") |
| 99 | EOL |
| 100 | ((index++)) |
| 101 | done; |
| 102 | |
| 103 | export RANDFILE=/certs/.rnd && openssl genrsa -out /certs/mongo.key 2048 |
| 104 | #Create the client/server cert |
| 105 | openssl req -new -key /certs/mongo.key -out /certs/mongo.csr -subj "/C=US/O=My Organisations/OU=IT/CN=$my_hostname" -config /certs/openssl.cnf |
| 106 | #Signing the server cert with the CA cert and key |
| 107 | openssl x509 -req -in /certs/mongo.csr -CA /certs/mongodb-ca-cert -CAkey /certs/mongodb-ca-key -CAcreateserial -out /certs/mongo.crt -days 3650 -extensions v3_req -extfile /certs/openssl.cnf |
| 108 | rm /certs/mongo.csr |
| 109 | #Concatenate to a pem file for use as the client PEM file which can be used for both member and client authentication. |
| 110 | cat /certs/mongo.crt /certs/mongo.key > /certs/mongodb.pem |
| 111 | cd /certs/ |
| 112 | shopt -s extglob |
| 113 | rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf) |
| 114 | chmod 0600 mongodb-ca-cert mongodb.pem |
| 115 | {{- else }} |
| 116 | {{- if eq .Values.architecture "standalone" }} |
| 117 | ID="0" |
| 118 | {{- else }} |
| 119 | if [[ "$MY_POD_NAME" =~ "arbiter-0"$ ]]; then |
| 120 | ID="0" |
| 121 | elif [[ "$MY_POD_NAME" =~ "hidden-"[0-9]{1,}$ ]]; then |
| 122 | ID="${MY_POD_NAME#"{{ printf "%s-hidden-" $fullname }}"}" |
| 123 | else |
| 124 | ID="${MY_POD_NAME#"{{ $fullname }}-"}" |
| 125 | fi |
| 126 | {{- end }} |
| 127 | |
| 128 | {{- if .Values.tls.pemChainIncluded }} |
| 129 | #Split the pem chain by the END CERTIFICATE string and store in files /certs/xx00, /certs/xx01 etc. |
| 130 | cat /certs-${ID}/tls.crt | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f /certs/xx |
| 131 | |
| 132 | #Use first certificate as leaf node and combine with key to store in pem file |
| 133 | cat "/certs/xx00" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" |
| 134 | |
| 135 | #Use remaining intermediate certificates for ca.crt |
| 136 | echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat > "/certs/mongodb-ca-cert" |
| 137 | |
| 138 | rm -rf /certs/xx* |
| 139 | {{- else }} |
| 140 | cat "/certs-${ID}/tls.crt" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" |
| 141 | cp "/certs-${ID}/ca.crt" "/certs/mongodb-ca-cert" |
| 142 | {{- end }} |
| 143 | |
| 144 | chmod 0600 /certs/mongodb-ca-cert /certs/mongodb.pem |
| 145 | {{- end }} |
| 146 | {{- end }} |