diff --git a/docs/server/source/production-deployment-template/workflow.rst b/docs/server/source/production-deployment-template/workflow.rst
index 4fa00d45..8d25d15f 100644
--- a/docs/server/source/production-deployment-template/workflow.rst
+++ b/docs/server/source/production-deployment-template/workflow.rst
@@ -103,9 +103,13 @@ you must ask the managing organization for all relevant 3scale credentials.
 ☐ If the cluster uses MongoDB Cloud Manager for monitoring and backup,
-you must ask the managing organization for the ``Agent API Key``.
-(Each Cloud Manager "group" has its own ``Agent API Key``.
-It can be found under **Settings - Group Settings**.)
+you must ask the managing organization for the ``Group ID`` and the
+``Agent API Key``.
+(Each Cloud Manager "group" has its own ``Group ID``. A ``Group ID`` can
+contain a number of ``Agent API Key`` s. It can be found under
+**Settings - Group Settings**. It was recently added to the Cloud Manager to
+allow easier periodic rotation of the ``Agent API Key`` with a constant
+``Group ID``)
 ☐ Generate four keys and corresponding certificate signing requests (CSRs):
diff --git a/k8s/configuration/secret.yaml b/k8s/configuration/secret.yaml
index 7ea83cb1..75bdbd21 100644
--- a/k8s/configuration/secret.yaml
+++ b/k8s/configuration/secret.yaml
@@ -10,12 +10,14 @@ apiVersion: v1
 kind: Secret
 metadata:
- name: mdb-agent-api-key
+ name: cloud-manager-credentials
 namespace: default
 type: Opaque
 data:
- # Base64-encoded Agent API Key (obtained from MongoDB Cloud Manager)
- api-key: ""
+ # Base64-encoded Group ID
+ group-id: ""
+ # Base64-encoded Agent API Key
+ agent-api-key: ""
 ---
 apiVersion: v1
 kind: Secret
diff --git a/k8s/mongodb-backup-agent/container/docker_build_and_push.bash b/k8s/mongodb-backup-agent/container/docker_build_and_push.bash
index 5d1780ea..770dc2b7 100755
--- a/k8s/mongodb-backup-agent/container/docker_build_and_push.bash
+++ b/k8s/mongodb-backup-agent/container/docker_build_and_push.bash
@@ -1,5 +1,5 @@
 #!/bin/bash
-docker build -t bigchaindb/mongodb-backup-agent:2.0 .
+docker build -t bigchaindb/mongodb-backup-agent:3.0 .
-docker push bigchaindb/mongodb-backup-agent:2.0
+docker push bigchaindb/mongodb-backup-agent:3.0
diff --git a/k8s/mongodb-backup-agent/container/mongodb_backup_agent_entrypoint.bash b/k8s/mongodb-backup-agent/container/mongodb_backup_agent_entrypoint.bash
index fa485738..13a40bb5 100755
--- a/k8s/mongodb-backup-agent/container/mongodb_backup_agent_entrypoint.bash
+++ b/k8s/mongodb-backup-agent/container/mongodb_backup_agent_entrypoint.bash
@@ -5,23 +5,28 @@ set -euo pipefail
 MONGODB_BACKUP_CONF_FILE=/etc/mongodb-mms/backup-agent.config
 mms_api_keyfile_path=`printenv MMS_API_KEYFILE_PATH`
+mms_groupid_keyfile_path=`printenv MMS_GROUPID_KEYFILE_PATH`
 ca_crt_path=`printenv CA_CRT_PATH`
-backup_crt_path=`printenv MONITORING_PEM_PATH`
+backup_crt_path=`printenv BACKUP_PEM_PATH`
 if [[ -z "${mms_api_keyfile_path}" || \
 -z "${ca_crt_path}" || \
- -z "${backup_crt_path}" ]]; then
+ -z "${backup_crt_path}" || \
+ -z "${mms_groupid_keyfile_path}" ]]; then
 echo "Invalid environment settings detected. Exiting!"
 exit 1
 fi
 sed -i '/mmsApiKey/d' ${MONGODB_BACKUP_CONF_FILE}
+sed -i '/mmsGroupId/d' ${MONGODB_BACKUP_CONF_FILE}
 sed -i '/mothership/d' ${MONGODB_BACKUP_CONF_FILE}
 # Get the api key from file
-mms_api_key=`cat ${MMS_API_KEYFILE_PATH}`
+mms_api_key=`cat ${mms_api_keyfile_path}`
+mms_groupid_key=`cat ${mms_groupid_keyfile_path}`
 echo "mmsApiKey="${mms_api_key} >> ${MONGODB_BACKUP_CONF_FILE}
+echo "mmsGroupId="${mms_groupid_key} >> ${MONGODB_BACKUP_CONF_FILE}
 echo "mothership=api-backup.eu-west-1.mongodb.com" >> ${MONGODB_BACKUP_CONF_FILE}
 # Append SSL settings to the config file
diff --git a/k8s/mongodb-backup-agent/mongo-backup-dep.yaml b/k8s/mongodb-backup-agent/mongo-backup-dep.yaml
index ed17ea5e..0c49607f 100644
--- a/k8s/mongodb-backup-agent/mongo-backup-dep.yaml
+++ b/k8s/mongodb-backup-agent/mongo-backup-dep.yaml
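Review bot: The new printenv assignment for MMS_GROUPID_KEYFILE_PATH defeats the `-z` check it feeds: under the script's `set -euo pipefail` (set above this hunk) printenv exits non-zero when the variable is unset, so the script aborts at the assignment and the "Invalid environment settings detected" message is never printed for the missing-variable case. Reading the variable with a default, `mms_groupid_keyfile_path="${MMS_GROUPID_KEYFILE_PATH:-}"`, keeps the check reachable; the pre-existing printenv lines have the same weakness. The appended config line also leaves the value and the file path unquoted, and `echo "mmsGroupId=${mms_groupid_key}" >> "${MONGODB_BACKUP_CONF_FILE}"` avoids word splitting should the mounted file ever contain whitespace. Both points apply equally to the matching hunk in mongodb_mon_agent_entrypoint.bash.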
@@ -28,10 +28,12 @@ spec:
 imagePullPolicy: Always
 env:
 - name: MMS_API_KEYFILE_PATH
- value: /etc/mongod/cloud/api-key
+ value: /etc/mongod/cloud/agent-api-key
+ - name: MMS_GROUPID_KEYFILE_PATH
+ value: /etc/mongod/cloud/group-id
 - name: CA_CRT_PATH
 value: /etc/mongod/ssl/ca.pem
- - name: MONITORING_PEM_PATH
+ - name: BACKUP_PEM_PATH
 value: /etc/mongod/ssl/mdb-bak-instance.pem
 resources:
 limits:
@@ -41,7 +43,7 @@ spec:
 - name: mdb-bak-certs
 mountPath: /etc/mongod/ssl/
 readOnly: true
- - name: mdb-agent-api-key
+ - name: cloud-manager-credentials
 mountPath: /etc/mongod/cloud/
 readOnly: true
 restartPolicy: Always
@@ -50,7 +52,7 @@ spec:
 secret:
 secretName: mdb-bak-certs
 defaultMode: 0400
- - name: mdb-agent-api-key
+ - name: cloud-manager-credentials
 secret:
- secretName: mdb-agent-api-key
+ secretName: cloud-manager-credentials
 defaultMode: 0400
diff --git a/k8s/mongodb-monitoring-agent/container/docker_build_and_push.bash b/k8s/mongodb-monitoring-agent/container/docker_build_and_push.bash
index caefb6d7..2bd5aeb5 100755
--- a/k8s/mongodb-monitoring-agent/container/docker_build_and_push.bash
+++ b/k8s/mongodb-monitoring-agent/container/docker_build_and_push.bash
@@ -1,5 +1,5 @@
 #!/bin/bash
-docker build -t bigchaindb/mongodb-monitoring-agent:2.0 .
+docker build -t bigchaindb/mongodb-monitoring-agent:3.0 .
-docker push bigchaindb/mongodb-monitoring-agent:2.0
+docker push bigchaindb/mongodb-monitoring-agent:3.0
diff --git a/k8s/mongodb-monitoring-agent/container/mongodb_mon_agent_entrypoint.bash b/k8s/mongodb-monitoring-agent/container/mongodb_mon_agent_entrypoint.bash
index 7d5e9564..7ae161e3 100755
--- a/k8s/mongodb-monitoring-agent/container/mongodb_mon_agent_entrypoint.bash
+++ b/k8s/mongodb-monitoring-agent/container/mongodb_mon_agent_entrypoint.bash
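Review bot: The renamed `cloud-manager-credentials` volume is not documented as a start-time-only input, which matters here because the entrypoint changed in this same commit copies `agent-api-key` and `group-id` into the agent config once at container start; after the key rotation the docs hunk motivates, the running agent presumably keeps the old key until the pod is restarted, even if the mounted secret file is refreshed. A comment on the volume entry, `# read once by the entrypoint at container start; restart the pod after rotating agent-api-key`, would make that explicit. The same comment belongs on the corresponding volume in mongo-mon-dep.yaml.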
@@ -9,26 +9,32 @@ set -euo pipefail
 MONGODB_MON_CONF_FILE=/etc/mongodb-mms/monitoring-agent.config
 mms_api_keyfile_path=`printenv MMS_API_KEYFILE_PATH`
+mms_groupid_keyfile_path=`printenv MMS_GROUPID_KEYFILE_PATH`
 ca_crt_path=`printenv CA_CRT_PATH`
 monitoring_crt_path=`printenv MONITORING_PEM_PATH`
 if [[ -z "${mms_api_keyfile_path}" || \
 -z "${ca_crt_path}" || \
- -z "${monitoring_crt_path}" ]]; then
+ -z "${monitoring_crt_path}" || \
+ -z "${mms_groupid_keyfile_path}" ]]; then
 echo "Invalid environment settings detected. Exiting!"
 exit 1
 fi
-# Delete all lines containing "mmsApiKey" in the MongoDB Monitoring Agent
-# config file /etc/mongodb-mms/monitoring-agent.config
+# Delete the line containing "mmsApiKey" and the line containing "mmsGroupId"
+# in the MongoDB Monitoring Agent config file
+# /etc/mongodb-mms/monitoring-agent.config
 sed -i '/mmsApiKey/d' $MONGODB_MON_CONF_FILE
+sed -i '/mmsGroupId/d' $MONGODB_MON_CONF_FILE
 # Get the api key from file
-mms_api_key=`cat ${MMS_API_KEYFILE_PATH}`
+mms_api_key=`cat ${mms_api_keyfile_path}`
+mms_groupid_key=`cat ${mms_groupid_keyfile_path}`
 # Append a new line of the form
 # mmsApiKey=value_of_MMS_API_KEY
 echo "mmsApiKey="${mms_api_key} >> ${MONGODB_MON_CONF_FILE}
+echo "mmsGroupId="${mms_groupid_key} >> ${MONGODB_MON_CONF_FILE}
 # Append SSL settings to the config file
 echo "useSslForAllConnections=true" >> ${MONGODB_MON_CONF_FILE}
diff --git a/k8s/mongodb-monitoring-agent/mongo-mon-dep.yaml b/k8s/mongodb-monitoring-agent/mongo-mon-dep.yaml
index a0249f98..b03d0098 100644
--- a/k8s/mongodb-monitoring-agent/mongo-mon-dep.yaml
+++ b/k8s/mongodb-monitoring-agent/mongo-mon-dep.yaml
@@ -28,7 +28,9 @@ spec:
 imagePullPolicy: Always
 env:
 - name: MMS_API_KEYFILE_PATH
- value: /etc/mongod/cloud/api-key
+ value: /etc/mongod/cloud/agent-api-key
+ - name: MMS_GROUPID_KEYFILE_PATH
+ value: /etc/mongod/cloud/group-id
 - name: CA_CRT_PATH
 value: /etc/mongod/ssl/ca.pem
 - name: MONITORING_PEM_PATH
@@ -41,7 +43,7 @@ spec:
 - name: mdb-mon-certs
 mountPath: /etc/mongod/ssl/
 readOnly: true
- - name: mdb-agent-api-key
+ - name: cloud-manager-credentials
 mountPath: /etc/mongod/cloud/
 readOnly: true
 restartPolicy: Always
@@ -50,7 +52,7 @@ spec:
 secret:
 secretName: mdb-mon-certs
 defaultMode: 0400
- - name: mdb-agent-api-key
+ - name: cloud-manager-credentials
 secret:
- secretName: mdb-agent-api-key
+ secretName: cloud-manager-credentials
 defaultMode: 0400