Merge pull request #2095 from muawiakh/automate-mdb-user-creation

Automate MongoDB user creation for prod/test deployments
2024-10-13 13:34:05 +00:00 · 2018-02-26 14:58:50 +01:00 · 2018-02-26 14:58:50 +01:00 · 6d27cbe868
commit 6d27cbe868
parent 0ddfc62e3b 3c09de97b0
9 changed files with 201 additions and 63 deletions
--- a/docs/server/source/production-deployment-template/template-kubernetes-azure.rst
+++ b/docs/server/source/production-deployment-template/template-kubernetes-azure.rst
@ -102,7 +102,7 @@ Finally, you can deploy an ACS using something like:
   $ az acs create --name <a made-up cluster name> \
   --resource-group <name of resource group created earlier> \
   --master-count 3 \
-   --agent-count 2 \
+   --agent-count 3 \
   --admin-username ubuntu \
   --agent-vm-size Standard_L4s \
   --dns-prefix <make up a name> \
--- a/k8s/configuration/config-map.yaml
+++ b/k8s/configuration/config-map.yaml
@ -169,3 +169,16 @@ data:
  # tm-pub-key-access is the port number used to host/publish the
  # public key of the tendemrint node in this cluster.
  tm-pub-key-access: "9986"
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: mdb-config
  namespace: default
 data:
  # User name for MongoDB adminuser
  mdb-admin-username: "<mongodb admin username>"
  # MongoDB monitoring agent authentication user name
  mdb-mon-user: "<mongodb monitoring agent username>"
--- a/k8s/configuration/secret.yaml
+++ b/k8s/configuration/secret.yaml
@ -100,3 +100,14 @@ data:
  # Base64-encoded CA certificate (ca.crt)
  ca.pem: "<b64 encoded CA certificate>"
  crl.pem: "<b64 encoded CRL>"
 ---
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: mdb-config
  namespace: default
 type: Opaque
 data:
  # Password for for MongoDB adminuser
  mdb-admin-password: "<b64 encoded mdb admin password>"
--- a/k8s/mongodb/container/Dockerfile
+++ b/k8s/mongodb/container/Dockerfile
@ -6,6 +6,7 @@ RUN apt-get update \
    && apt-get autoremove \
    && apt-get clean
 COPY mongod.conf.template /etc/mongod.conf
 COPY configure_mdb_users.template.js /configure_mdb_users.js
 COPY mongod_entrypoint.bash /
 VOLUME /data/db /data/configdb /etc/mongod/ssl /etc/mongod/ca
 EXPOSE 27017
--- a/k8s/mongodb/container/configure_mdb_users.template.js
+++ b/k8s/mongodb/container/configure_mdb_users.template.js
@ -0,0 +1,43 @@
 db = db.getSiblingDB("admin");
 db.createUser({
    user: "MONGODB_ADMIN_USERNAME",
    pwd: "MONGODB_ADMIN_PASSWORD",
    roles: [{
            role: "userAdminAnyDatabase",
            db: "admin"
        },
        {
            role: "clusterManager",
            db: "admin"
        }
    ]
 });
 db = db.getSiblingDB("admin");
 db.auth("MONGODB_ADMIN_USERNAME", "MONGODB_ADMIN_PASSWORD");
 db.getSiblingDB("$external").runCommand({
    createUser: 'BDB_USERNAME',
    writeConcern: {
        w: 'majority',
        wtimeout: 5000
    },
    roles: [{
            role: 'clusterAdmin',
            db: 'admin'
        },
        {
            role: 'readWriteAnyDatabase',
            db: 'admin'
        }
    ]
 });
 db.getSiblingDB("$external").runCommand({
    createUser: 'MDB_MON_USERNAME',
    writeConcern: {
        w: 'majority',
        wtimeout: 5000
    },
    roles: [{
        role: 'clusterMonitor',
        db: 'admin'
    }]
 });
--- a/k8s/mongodb/container/mongod_entrypoint.bash
+++ b/k8s/mongodb/container/mongod_entrypoint.bash
@ -8,6 +8,14 @@ MONGODB_CRL_FILE_PATH=""
 MONGODB_FQDN=""
 MONGODB_IP=""
 # vars for MongoDB configuration
 configure_mongo=true
 MONGODB_CREDENTIALS_DIR=/tmp/mongodb
 mongodb_admin_password=""
 mongodb_admin_username=`printenv MONGODB_ADMIN_USERNAME || true`
 bdb_username=`printenv BDB_USERNAME || true`
 mdb_mon_username=`printenv MDB_MON_USERNAME || true`
 while [[ $# -gt 1 ]]; do
    arg="$1"
    case $arg in
@ -53,8 +61,10 @@ if [[ -z "${MONGODB_PORT:?MONGODB_PORT not specified. Exiting!}" || \
        -z "${MONGODB_IP:?MONGODB_IP not specified. Exiting!}" || \
        -z "${MONGODB_KEY_FILE_PATH:?MONGODB_KEY_FILE_PATH not specified. Exiting!}" || \
        -z "${MONGODB_CA_FILE_PATH:?MONGODB_CA_FILE_PATH not specified. Exiting!}" || \
-    -z "${MONGODB_CRL_FILE_PATH:?MONGODB_CRL_FILE_PATH not specified. Exiting!}" || \
+    -z "${MONGODB_CRL_FILE_PATH:?MONGODB_CRL_FILE_PATH not specified. Exiting!}" ]] ; then
-    -z "${STORAGE_ENGINE_CACHE_SIZE:=''}" ]] ; then
+    # Not handling the STORAGE_ENGINE_CACHE_SIZE because
    # it is optional. If not specified the default cache
    # size is: max((50% RAM - 1GB), 256MB)
    exit 1
 else
    echo MONGODB_PORT="$MONGODB_PORT"
@ -68,6 +78,7 @@ fi
 MONGODB_CONF_FILE_PATH=/etc/mongod.conf
 HOSTS_FILE_PATH=/etc/hosts
 MONGODB_CONFIGURE_USERS_PATH=/configure_mdb_users.js
 # configure the mongod.conf file
 sed -i "s|MONGODB_PORT|${MONGODB_PORT}|g" ${MONGODB_CONF_FILE_PATH}
@ -85,6 +96,22 @@ else
    sed -i.bk "/cache_size=/d" ${MONGODB_CONF_FILE_PATH}
 fi
 if [ -f ${MONGODB_CREDENTIALS_DIR}/mdb-admin-password ]; then
    mongodb_admin_password=`cat ${MONGODB_CREDENTIALS_DIR}/mdb-admin-password`
 fi
 # Only configure if all variables are set
 if [[ -n "${mongodb_admin_username}" && \
        -n "${mongodb_admin_password}" && \
        -n "${bdb_username}" && \
    -n "${mdb_mon_username}" ]]; then
    sed -i "s|MONGODB_ADMIN_USERNAME|${mongodb_admin_username}|g" ${MONGODB_CONFIGURE_USERS_PATH}
    sed -i "s|MONGODB_ADMIN_PASSWORD|${mongodb_admin_password}|g" ${MONGODB_CONFIGURE_USERS_PATH}
    sed -i "s|BDB_USERNAME|${bdb_username}|g" ${MONGODB_CONFIGURE_USERS_PATH}
    sed -i "s|MDB_MON_USERNAME|${mdb_mon_username}|g" ${MONGODB_CONFIGURE_USERS_PATH}
    echo "True" > /tmp/configure_mongo
 fi
 # add the hostname and ip to hosts file
 echo "${MONGODB_IP} ${MONGODB_FQDN}" >> $HOSTS_FILE_PATH
--- a/k8s/mongodb/mongo-ss.yaml
+++ b/k8s/mongodb/mongo-ss.yaml
@ -43,6 +43,21 @@ spec:
            configMapKeyRef:
             name: vars
             key: storage-engine-cache-size
        - name: MONGODB_ADMIN_USERNAME
          valueFrom:
            configMapKeyRef:
             name: mdb-config
             key: mdb-admin-username
        - name: BDB_USERNAME
          valueFrom:
            configMapKeyRef:
             name: bdb-config
             key: bdb-user
        - name: MDB_MON_USERNAME
          valueFrom:
            configMapKeyRef:
             name: mdb-config
             key: mdb-mon-user
        args:
        - --mongodb-port
        - $(MONGODB_PORT)
@ -77,6 +92,9 @@ spec:
        - name: ca-auth
          mountPath: /etc/mongod/ca/
          readOnly: true
        - name: mdb-config
          mountPath: /tmp/mongodb
          readOnly: true
        resources:
          limits:
            cpu: 200m
@ -105,3 +123,7 @@ spec:
        secret:
          secretName: ca-auth
          defaultMode: 0400
      - name: mdb-config
        secret:
          secretName: mdb-config
          defaultMode: 0400
--- a/k8s/scripts/cert_gen.sh
+++ b/k8s/scripts/cert_gen.sh
@ -1,5 +1,6 @@
 #!/usr/bin/env bash
-set -euo pipefail
+set -e
 set -o xtrace
 # base directories for operations
@ -132,12 +133,20 @@ function convert_b64(){
    cat $2/pki/crl.pem | base64 -w 0 > $1/crl.pem.b64
 }
 function get_users(){
    openssl x509 -in $BASE_CA_DIR/$BASE_EASY_RSA_PATH/pki/issued/"$MDB_CN"-"$INDEX".crt -inform PEM -subject \
      -nameopt RFC2253 | head -n 1 | sed -r 's/^subject= //' > $1/"$MDB_CN"-"$INDEX".user
    openssl x509 -in $BASE_CA_DIR/$BASE_EASY_RSA_PATH/pki/issued/"$BDB_CN"-"$INDEX".crt -inform PEM -subject \
      -nameopt RFC2253 | head -n 1 | sed -r 's/^subject= //' > $1/"$BDB_CN"-"$INDEX".user
    openssl x509 -in $BASE_CA_DIR/$BASE_EASY_RSA_PATH/pki/issued/"$MDB_MON_CN"-"$INDEX".crt -inform PEM -subject \
      -nameopt RFC2253 | head -n 1 | sed -r 's/^subject= //' > $1/"$MDB_MON_CN"-"$INDEX".user
 }
 function configure_common(){
    sudo apt-get update -y
    sudo apt-get install openssl -y
    wget https://github.com/OpenVPN/easy-rsa/archive/3.0.1.tar.gz -P $1
    wget https://github.com/OpenVPN/easy-rsa/archive/3.0.1.tar.gz -P $1
    wget https://github.com/OpenVPN/easy-rsa/archive/3.0.1.tar.gz -P $1
    tar xzvf $1/3.0.1.tar.gz -C $1/
    rm $1/3.0.1.tar.gz
    cp $1/$BASE_EASY_RSA_PATH/vars.example $1/$BASE_EASY_RSA_PATH/vars
@ -183,6 +192,7 @@ BASE_MEMBER_CERT_DIR="${BASE_DIR}"/member-cert
 BASE_CLIENT_CERT_DIR="${BASE_DIR}"/client-cert
 BASE_EASY_RSA_PATH='easy-rsa-3.0.1/easyrsa3'
 BASE_K8S_DIR="${BASE_DIR}"/k8s
 BASE_USERS_DIR="{$BASE_DIR}"/users
 # sanity checks
 if [[ -z "${INDEX}" ]] ; then
@ -210,3 +220,4 @@ import_requests $BASE_CA_DIR/$BASE_EASY_RSA_PATH
 sign_requests $BASE_CA_DIR/$BASE_EASY_RSA_PATH
 make_pem_files $BASE_CA_DIR/$BASE_EASY_RSA_PATH $BASE_K8S_DIR
 convert_b64 $BASE_K8S_DIR $BASE_CA_DIR/$BASE_EASY_RSA_PATH $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH
 get_users $BASE_USERS_DIR $BASE_CA_DIR/$BASE_EASY_RSA_PATH
--- a/k8s/scripts/configure_mdb.sh
+++ b/k8s/scripts/configure_mdb.sh
@ -0,0 +1,10 @@
 #!/bin/bash
 [ -z $1 ] && echo "Please specify MongoDB instance name!!"
 MONGODB_INSTANCE_NAME=$1
 if [[ -n "$MONGODB_INSTANCE_NAME" ]]; then
    /usr/local/bin/kubectl exec -it "${MONGODB_INSTANCE_NAME}"\-ss\-0 -- bash -c "if [[ -f /tmp/configure_mongo && -n \$(cat /tmp/configure_mongo) ]]; then  /usr/bin/mongo --host localhost --port \$(printenv MONGODB_PORT) --ssl --sslCAFile /etc/mongod/ca/ca.pem --sslPEMKeyFile  /etc/mongod/ssl/mdb-instance.pem < /configure_mdb_users.js; fi"
 else
    echo "Skipping configuration!!!"
 fi