Support for TLS connections in MongoDB StatefulSet

2024-10-13 13:34:05 +00:00 · 2017-05-24 15:01:44 +02:00 · 2017-05-24 15:01:44 +02:00 · cf10d3199e
commit cf10d3199e
parent 06f0f8d95e
2 changed files with 31 additions and 11 deletions
--- a/k8s/mongodb/container/Dockerfile
+++ b/k8s/mongodb/container/Dockerfile
@ -4,10 +4,9 @@ WORKDIR /
 RUN apt-get update \
    && apt-get -y upgrade \
    && apt-get autoremove \
-    && apt-get clean \
-    && mkdir /mongo-ssl
+    && apt-get clean
 COPY mongod.conf.template /etc/mongod.conf
 COPY mongod_entrypoint.bash /
-VOLUME /data/db /data/configdb /mongo-ssl
+VOLUME /data/db /data/configdb /etc/mongod/ssl
 EXPOSE 27017
 ENTRYPOINT ["/mongod_entrypoint.bash"]
--- a/k8s/mongodb/mongo-ss.yaml
+++ b/k8s/mongodb/mongo-ss.yaml
@ -21,23 +21,37 @@ spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: mongodb
-        image: bigchaindb/mongodb:3.4.3
-        imagePullPolicy: IfNotPresent
+        image: bigchaindb/mongodb:3.4.4
+        imagePullPolicy: Always
        env:
        - name: MONGODB_FQDN
          valueFrom:
            configMapKeyRef:
-             name: mdb-fqdn
-             key: fqdn
+             name: vars
+             key: mdb-instance-name
        - name: MONGODB_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
+        - name: MONGODB_REPLICA_SET_NAME
+          value: bigchain-rs
+        - name: MONGODB_PORT
+          value: "27017"
        args:
-        - --replica-set-name=bigchain-rs
-        - --fqdn=$(MONGODB_FQDN)
-        - --port=27017
-        - --ip=$(MONGODB_POD_IP)
+        - --mongodb-port
+        - $(MONGODB_PORT)
+        - --mongodb-key-file-path
+        - /etc/mongod/ssl/mdb-instance.pem
+        - --mongodb-ca-file-path
+        - /etc/mongod/ssl/ca.pem
+        - --mongodb-crl-file-path
+        - /etc/mongod/ssl/mdb-crl.pem
+        - --replica-set-name
+        - $(MONGODB_REPLICA_SET_NAME)
+        - --mongodb-fqdn
+        - $(MONGODB_FQDN)
+        - --mongodb-ip
+        - $(MONGODB_POD_IP)
        securityContext:
          capabilities:
            add:
@ -52,6 +66,9 @@ spec:
          mountPath: /data/db
        - name: mdb-configdb
          mountPath: /data/configdb
+        - name: mdb-certs
+          mountPath: /etc/mongod/ssl/
+          readOnly: true
        resources:
          limits:
            cpu: 200m
@ -71,3 +88,7 @@ spec:
      - name: mdb-configdb
        persistentVolumeClaim:
          claimName: mongo-configdb-claim
+      - name: mdb-certs
+        secret:
+          secretName: mdb-certs
+          defaultMode: 0400