Support for TLS connections in MongoDB Monitoring Agent

k8s/mongodb-monitoring-agent/container/Dockerfile

@@ -18,7 +18,10 @@ ARG FILE_URL="https://cloud.mongodb.com/download/agent/monitoring/"$DEB_FILE
 WORKDIR /
 RUN apt update \
     && apt -y upgrade \
-    && apt -y install --no-install-recommends curl ca-certificates logrotate \
+    && apt -y install --no-install-recommends \
+      curl \
+      ca-certificates \
+      logrotate \
       libsasl2-2 \
     && curl -OL $FILE_URL \
     && dpkg -i $DEB_FILE \
@@ -50,5 +53,6 @@ RUN apt update \
 
 COPY mongodb_mon_agent_entrypoint.bash /
 RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/
+VOLUME /etc/mongod/ssl
 #USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete
 ENTRYPOINT ["/mongodb_mon_agent_entrypoint.bash"]

k8s/mongodb-monitoring-agent/container/mongodb_mon_agent_entrypoint.bash

@@ -8,11 +8,11 @@ set -euo pipefail
 
 MONGODB_MON_CONF_FILE=/etc/mongodb-mms/monitoring-agent.config
 
-mms_api_key=`printenv MMS_API_KEY`
+mms_api_keyfile_path=`printenv MMS_API_KEYFILE_PATH`
 ca_crt_path=`printenv CA_CRT_PATH`
 monitoring_crt_path=`printenv MONITORING_PEM_PATH`
 
-if [[ -z "${mms_api_key}" || \
+if [[ -z "${mms_api_keyfile_path}" || \
     -z "${ca_crt_path}" || \
     -z "${monitoring_crt_path}" ]]; then
   echo "Invalid environment settings detected. Exiting!"
@@ -23,6 +23,9 @@ fi
 # config file /etc/mongodb-mms/monitoring-agent.config
 sed -i '/mmsApiKey/d'  $MONGODB_MON_CONF_FILE
 
+# Get the api key from file
+mms_api_key=`cat ${MMS_API_KEYFILE_PATH}`
+
 # Append a new line of the form
 # mmsApiKey=value_of_MMS_API_KEY
 echo "mmsApiKey="${mms_api_key} >> ${MONGODB_MON_CONF_FILE}

k8s/mongodb-monitoring-agent/mongo-mon-dep.yaml

@@ -1,6 +1,6 @@
 ############################################################
 # This config file defines a k8s Deployment for the        #
-# bigchaindb/mongodb-monitoring-agent:latest Docker image  #
+# bigchaindb/mongodb-monitoring-agent Docker image         #
 #                                                          #
 # It connects to a MongoDB instance in a separate pod,     #
 # all remote MongoDB instances in the cluster,             #
@@ -17,22 +17,40 @@ spec:
   replicas: 1
   template:
     metadata:
+      name: mdb-mon-instance-0-dep
       labels:
         app: mdb-mon-instance-0-dep
     spec:
       terminationGracePeriodSeconds: 10
       containers:
       - name: mdb-mon
-        image: bigchaindb/mongodb-monitoring-agent:1.0
+        image: bigchaindb/mongodb-monitoring-agent:2.0
         imagePullPolicy: Always
         env:
-        - name: MMS_API_KEY
-          valueFrom:
-            configMapKeyRef:
-              name: mdb-mon
-              key: api-key
+        - name: MMS_API_KEYFILE_PATH
+          value: /etc/mongod/cloud/api-key
+        - name: CA_CRT_PATH
+          value: /etc/mongod/ssl/ca.pem
+        - name: MONITORING_PEM_PATH
+          value: /etc/mongod/ssl/mdb-mon-instance.pem
         resources:
           limits:
             cpu: 200m
             memory: 768Mi
+        volumeMounts:
+        - name: mdb-mon-certs
+          mountPath: /etc/mongod/ssl/
+          readOnly: true
+        - name: mdb-agent-api-key
+          mountPath: /etc/mongod/cloud/
+          readOnly: true
       restartPolicy: Always
+      volumes:
+      - name: mdb-mon-certs
+        secret:
+          secretName: mdb-mon-certs
+          defaultMode: 0400
+      - name: mdb-agent-api-key
+        secret:
+          secretName: mdb-agent-api-key
+          defaultMode: 0400