diff --git a/charts/mongodb/Chart.yaml b/charts/mongodb/Chart.yaml
index 3fc47ca..49202eb 100644
--- a/charts/mongodb/Chart.yaml
+++ b/charts/mongodb/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: mongodb
 description: A Helm chart for deploying a mongodb
 type: application
-version: 0.0.8
+version: 0.0.9
 appVersion: 6.0.0
diff --git a/charts/mongodb/openssl-test-server.cnf b/charts/mongodb/openssl-test-server.cnf
new file mode 100644
index 0000000..e0fb080
--- /dev/null
+++ b/charts/mongodb/openssl-test-server.cnf
@@ -0,0 +1,56 @@
+[ req ]
+default_bits = 4096
+default_keyfile = myTestServerCertificateKey.pem ## The default private key file name.
+default_md = sha256
+distinguished_name = req_dn
+req_extensions = v3_req
+
+[ v3_req ]
+subjectKeyIdentifier = hash
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Certificate"
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = mongo-0.demo2.open-iap.com
+DNS.2 = mongo-1.demo2.open-iap.com
+DNS.3 = mongoarbiter-0.demo2.open-iap.com
+DNS.4 = mongo-0.demo3.open-iap.com
+DNS.5 = mongo-1.demo3.open-iap.com
+DNS.6 = mongoarbiter-0.demo3.open-iap.com
+DNS.7 = mongo-0.demo2.openiap.io
+DNS.8 = mongo-1.demo2.openiap.io
+DNS.9 = mongoarbiter-0.demo2.openiap.io
+DNS.10 = mongo-0.demo3.openiap.io
+DNS.11 = mongo-1.demo3.openiap.io
+DNS.12 = mongoarbiter-0.demo3.openiap.io
+
+
+[ req_dn ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
\ No newline at end of file
diff --git a/charts/mongodb/templates/deployment.yaml b/charts/mongodb/templates/deployment.yaml
index cb1de8b..091152f 100644
--- a/charts/mongodb/templates/deployment.yaml
+++ b/charts/mongodb/templates/deployment.yaml
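Review bot: The `[ alt_names ]` section of the new openssl-test-server.cnf hard-codes twelve hostnames under demo2/demo3.open-iap.com and openiap.io, which belong to the author's own environments, and nothing in the file says how it is meant to be used together with the chart's new `tls.*` values. A header comment along the lines of `# Example OpenSSL request config for a mongod server certificate; replace every DNS.* entry in [ alt_names ] with your own pod and ingress hostnames before use` would make that clear. Because the file sits in the chart root, `helm package` ships it inside the chart unless `.helmignore` excludes it (not visible in this diff); listing it there, or moving it out of the chart directory, avoids distributing a demo-specific config. `default_keyfile = myTestServerCertificateKey.pem` names the private-key output, so the same comment should remind that the generated key file must not be committed.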
@@ -59,6 +59,18 @@ spec:
 args:
 # - "-c"
 # - "/usr/local/bin/docker-entrypoint.sh"
+ {{- if .Values.tls.enabled }}
+ - "--tlsMode"
+ - "preferTLS"
+ - "--tlsCertificateKeyFile"
+ - {{ .Values.tls.certfile | quote }}
+ {{- if .Values.tls.certpassword }}
+ - "--tlsCertificateKeyFilePassword"
+ - {{ .Values.tls.certpassword | quote }}
+ {{- end }}
+ # - "--tlsCAFile"
+ # - {{ .Values.tls.cafile | quote }}
+ {{- end }}
 - "--dbpath"
 - "/data/db"
 - "--replSet"
@@ -121,8 +133,33 @@ spec:
 - name: MONGODB_RSNAME
 value: {{ .Values.rsname | quote }}
 - name: KUBE_NAMESPACE
- value: {{.Release.Namespace | quote }}
- {{- if and .Values.service.domainprefix (gt (len .Values.service.external) 0) }}
+ value: {{ .Release.Namespace | quote }}
+ {{- if .Values.tls.enabled }}
+ - name: TLS_SELFSIGN
+ value: {{ .Values.tls.enabled | quote }}
+ - name: TLS_KEYFILE
+ value: {{ .Values.tls.certfile | quote }}
+ {{- if .Values.tls.ca_private }}
+ - name: TLS_CA_PRIVATE
+ value: {{ .Values.tls.ca_private | quote }}
+ {{- end }}
+ {{- if .Values.tls.ca_cert }}
+ - name: TLS_CA_CERT
+ value: {{ .Values.tls.ca_cert | quote }}
+ {{- end }}
+ {{- if .Values.tls.certpassword }}
+ - name: TLS_KEYPASSWORD
+ value: {{ .Values.tls.certpassword | quote }}
+ {{- end }}
+ - name: TLS_CAFILE
+ value: {{ .Values.tls.cafile | quote }}
+ - name: TLS_DNS_HOSTS
+ value: {{ .Values.tls.dns_hosts | quote }}
+ {{- end }}
+ {{- if (and .Values.ingress.domainprefix .Values.ingress.enabled) }}
+ - name: EXTERNAL_DOMAIN
+ value: {{.Values.ingress.domainprefix}}
+ {{- else if and .Values.service.domainprefix (gt (len .Values.service.external) 0) }}
 - name: EXTERNAL_DOMAIN
 value: {{.Values.service.domainprefix}}
 {{- end }}
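Review bot: `--tlsMode` is hard-coded to `preferTLS` here, which still accepts plaintext connections, and `--tlsCAFile` is left commented out in this hunk while the matching block added at `@@ -243,6 +280,20 @@` emits it when `.Values.tls.addcafilearg` is set, so the two containers get different TLS arguments from the same values. Making the mode a value, e.g. `- {{ .Values.tls.mode | default "preferTLS" | quote }}`, lets operators move to `requireTLS` without editing the template, and moving the shared arguments into one named template included from both arg lists would keep them identical. `--tlsCertificateKeyFilePassword` also places the key passphrase in the container args, which anyone able to read the pod spec can see; mongod accepts the same setting as `net.tls.certificateKeyFilePassword` in a config file that could be mounted from a Secret instead. The args list continues outside the hunk.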
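Review bot: The new env block reads `.Values.tls.certpassword`, `.Values.tls.ca_private`, `.Values.tls.ca_cert` and `.Values.tls.dns_hosts`, but the `tls:` section this commit adds to values.yaml defines `keypassword` and `capassword` and none of the other three, so `TLS_KEYPASSWORD` cannot be set through the documented key and the unset values render with no value at all (Sprig's `quote` skips nil). Either rename the references to match values.yaml or add the missing keys there. `TLS_SELFSIGN` is wired to `.Values.tls.enabled` rather than the `selfsigned` value values.yaml introduces — presumably a slip, worth confirming. Supplying `TLS_KEYPASSWORD` as a plain `value:` also exposes the passphrase in the pod spec; `valueFrom.secretKeyRef` keeps it in a Secret. `value: {{.Values.ingress.domainprefix}}` is the one unquoted value in the block; `value: {{ .Values.ingress.domainprefix | quote }}` matches its neighbours, and the env list itself begins outside the hunk.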
@@ -243,6 +280,20 @@ spec:
 - "--keyFile"
 - "/data/db/mongodb.key"
 {{- end }}
+ {{- if .Values.tls.enabled }}
+ - "--tlsMode"
+ - "preferTLS"
+ - "--tlsCertificateKeyFile"
+ - {{ .Values.tls.certfile | quote }}
+ {{- if .Values.tls.certpassword }}
+ - "--tlsCertificateKeyFilePassword"
+ - {{ .Values.tls.certpassword | quote }}
+ {{- end }}
+ {{- if .Values.tls.addcafilearg }}
+ - "--tlsCAFile"
+ - {{ .Values.tls.cafile | quote }}
+ {{- end }}
+ {{- end }}
 env:
 {{- if .Values.auth.enabled }}
 - name: MONGO_INITDB_ROOT_USERNAME
diff --git a/charts/mongodb/templates/svc.yaml b/charts/mongodb/templates/svc.yaml
index 729e442..efaad31 100644
--- a/charts/mongodb/templates/svc.yaml
+++ b/charts/mongodb/templates/svc.yaml
@@ -59,9 +59,12 @@ spec:
 # - match: HostSNIRegexp(`mongo-{subdomain:[[:ascii:]]+}.{{$.Values.ingress.domainprefix}}`)
 - match: HostSNI(`mongo-{{ $mongocount }}.{{$.Values.ingress.domainprefix}}`)
 services:
- - name: mongo
+ - name: mongo-{{ $mongocount }}
 port: 27017
- {{- if $.Values.ingress.certResolver }}
+ {{- if $.Values.ingress.passthrough }}
+ tls:
+ passthrough: true
+ {{- else if $.Values.ingress.certResolver }}
 tls:
 certResolver: {{$.Values.ingress.certResolver}}
 domains:
diff --git a/charts/mongodb/values.yaml b/charts/mongodb/values.yaml
index 0f17b4b..b12ab21 100644
--- a/charts/mongodb/values.yaml
+++ b/charts/mongodb/values.yaml
@@ -37,6 +37,14 @@ auth:
 initdbrole: readWrite
 # To generate one your slef use: openssl rand -base64 756
 key: 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
+tls:
+ enabled: false
+ selfsigned: true
+ certfile: /data/db/cert.pem
+ keypassword:
+ addcafilearg: false
+ cafile: /data/db/ca.pem
+ capassword:
 service:
 # by default with create a headless service named mongo
 # so each node can be accessed directly using mongo-0.mongo and mongo-1.mongo and so on
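Review bot: The new branch in svc.yaml tests `$.Values.ingress.passthrough`, but the key this commit adds under `ingress:` in values.yaml is `tlspassthrough`, so the documented value never activates passthrough and routing falls through to the `certResolver` branch. Changing the test to `{{- if $.Values.ingress.tlspassthrough }}` would match values.yaml. With passthrough the TLS stream is forwarded unterminated, so the connection is only encrypted when mongod itself is started with the `tls.enabled` arguments; a comment such as `# passthrough forwards raw TLS to mongod, which must have tls.enabled set` above the branch would record that dependency. The route resource and the `$mongocount` loop begin outside the hunk.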
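Review bot: `keypassword:` and `capassword:` in the new `tls:` section of values.yaml are bare, which parses as null rather than an empty string, and none of the seven keys carries a comment saying what it is for, unlike the neighbouring `key:` and `service:` entries. `capassword` has no consumer in any template touched by this commit, and `certfile`/`cafile` point into the data volume without saying who is expected to place the files there. Writing explicit values with a comment per key, e.g. `keypassword: ""  # passphrase for certfile; leave empty if the key is unencrypted`, would document the contract and avoid the null. The `auth:` section this hunk sits in begins outside the hunk.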
@@ -57,6 +65,7 @@ ingress:
 # and either create a dedicated port, and use a port with ssl support, normally called websecure
 enabled: false
 domainprefix: # Domain prefix used for ingress rule
+ tlspassthrough: false
 certResolver:
 externalport: 443 # used for generating connection strings, what port is the entryPoint mapped to ?
 entryPoints:
diff --git a/index.yaml b/index.yaml
index 0d9ee5a..1544350 100644
--- a/index.yaml
+++ b/index.yaml
@@ -75,6 +75,16 @@ entries:
 - https://github.com/open-rpa/helm-charts/releases/download/calendso-0.1.1/calendso-0.1.1.tgz
 version: 0.1.1
 mongodb:
+ - apiVersion: v2
+ appVersion: 6.0.0
+ created: "2022-12-18T22:56:07.22086273+01:00"
+ description: A Helm chart for deploying a mongodb
+ digest: b57825b6ef2f99558982def8c7bab893146581aa5e23e238df9d2039a3625fe3
+ name: mongodb
+ type: application
+ urls:
+ - https://github.com/open-rpa/helm-charts/releases/download/mongodb-0.0.9/mongodb-0.0.9.tgz
+ version: 0.0.9
 - apiVersion: v2
 appVersion: 6.0.0
 created: "2022-12-16T12:48:48.38588112+01:00"
@@ -1582,4 +1592,4 @@ entries:
 urls:
 - https://github.com/open-rpa/helm-charts/releases/download/rocketchat-3.0.2/rocketchat-3.0.2.tgz
 version: 3.0.2
-generated: "2022-12-16T12:48:48.633424654+01:00"
+generated: "2022-12-18T22:56:07.441147908+01:00"