From cf10d3199e37bb7a6067acdd37f7d4b4ee8c7005 Mon Sep 17 00:00:00 2001
From: "krish7919 (Krish)"
Date: Wed, 24 May 2017 15:01:44 +0200
Subject: [PATCH] Support for TLS connections in MongoDB StatefulSet

---
 k8s/mongodb/container/Dockerfile | 5 ++---
 k8s/mongodb/mongo-ss.yaml | 37 +++++++++++++++++++++++++-------
 2 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/k8s/mongodb/container/Dockerfile b/k8s/mongodb/container/Dockerfile
index 66b076c7..58a7f88f 100644
--- a/k8s/mongodb/container/Dockerfile
+++ b/k8s/mongodb/container/Dockerfile
@@ -4,10 +4,9 @@ WORKDIR /
 RUN apt-get update \
 && apt-get -y upgrade \
 && apt-get autoremove \
- && apt-get clean \
- && mkdir /mongo-ssl
+ && apt-get clean
 COPY mongod.conf.template /etc/mongod.conf
 COPY mongod_entrypoint.bash /
-VOLUME /data/db /data/configdb /mongo-ssl
+VOLUME /data/db /data/configdb /etc/mongod/ssl
 EXPOSE 27017
 ENTRYPOINT ["/mongod_entrypoint.bash"]
diff --git a/k8s/mongodb/mongo-ss.yaml b/k8s/mongodb/mongo-ss.yaml
index 2f180929..c12d5f39 100644
--- a/k8s/mongodb/mongo-ss.yaml
+++ b/k8s/mongodb/mongo-ss.yaml
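Review bot: The new `VOLUME /data/db /data/configdb /etc/mongod/ssl` declares a directory the image never populates, and nothing in the Dockerfile records what has to be placed there; the three file names the StatefulSet passes to the entrypoint (`mdb-instance.pem`, `ca.pem`, `mdb-crl.pem` under `/etc/mongod/ssl`) are now an undocumented contract between this image and mongo-ss.yaml. I would add a comment above the VOLUME line: `# /etc/mongod/ssl is populated at run time (in k8s, from the mdb-certs Secret) with the key, CA and CRL files whose names are fixed in mongo-ss.yaml`. Dropping the explicit `mkdir` is fine since VOLUME creates the mount point, but that is worth a word in the same comment so nobody re-adds it.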
@@ -21,23 +21,37 @@ spec:
 terminationGracePeriodSeconds: 10
 containers:
 - name: mongodb
- image: bigchaindb/mongodb:3.4.3
- imagePullPolicy: IfNotPresent
+ image: bigchaindb/mongodb:3.4.4
+ imagePullPolicy: Always
 env:
 - name: MONGODB_FQDN
 valueFrom:
 configMapKeyRef:
- name: mdb-fqdn
- key: fqdn
+ name: vars
+ key: mdb-instance-name
 - name: MONGODB_POD_IP
 valueFrom:
 fieldRef:
 fieldPath: status.podIP
+ - name: MONGODB_REPLICA_SET_NAME
+ value: bigchain-rs
+ - name: MONGODB_PORT
+ value: "27017"
 args:
- - --replica-set-name=bigchain-rs
- - --fqdn=$(MONGODB_FQDN)
- - --port=27017
- - --ip=$(MONGODB_POD_IP)
+ - --mongodb-port
+ - $(MONGODB_PORT)
+ - --mongodb-key-file-path
+ - /etc/mongod/ssl/mdb-instance.pem
+ - --mongodb-ca-file-path
+ - /etc/mongod/ssl/ca.pem
+ - --mongodb-crl-file-path
+ - /etc/mongod/ssl/mdb-crl.pem
+ - --replica-set-name
+ - $(MONGODB_REPLICA_SET_NAME)
+ - --mongodb-fqdn
+ - $(MONGODB_FQDN)
+ - --mongodb-ip
+ - $(MONGODB_POD_IP)
 securityContext:
 capabilities:
 add:
@@ -52,6 +66,9 @@ spec:
 mountPath: /data/db
 - name: mdb-configdb
 mountPath: /data/configdb
+ - name: mdb-certs
+ mountPath: /etc/mongod/ssl/
+ readOnly: true
 resources:
 limits:
 cpu: 200m
@@ -71,3 +88,7 @@ spec:
 - name: mdb-configdb
 persistentVolumeClaim:
 claimName: mongo-configdb-claim
+ - name: mdb-certs
+ secret:
+ secretName: mdb-certs
+ defaultMode: 0400
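Review bot: `imagePullPolicy: Always` paired with the mutable tag `bigchaindb/mongodb:3.4.4` means every pod start re-resolves the tag, so the image that actually runs the new TLS entrypoint can differ from the one reviewed with this change. Pin it by digest, e.g. `image: bigchaindb/mongodb@sha256:<DIGEST-OF-3.4.4>` (placeholder), or keep `IfNotPresent` with the tag if a re-pull on every restart is not actually wanted. The key, CA and CRL paths under `/etc/mongod/ssl/` are only as correct as the data keys in the `mdb-certs` Secret (`mdb-instance.pem`, `ca.pem`, `mdb-crl.pem`); a comment above `args:` naming that dependency, or an `items:` list on the Secret volume that pins those three names, would make the contract explicit. The container entry continues past the end of the hunk (the `securityContext` block is cut off).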
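Review bot: `mountPath: /etc/mongod/ssl/` carries a trailing slash that the Dockerfile's `VOLUME /etc/mongod/ssl` and the `--mongodb-*-file-path` arguments in the first hunk do not; writing `mountPath: /etc/mongod/ssl` keeps all three spellings identical and greppable. `readOnly: true` on the certificate mount is the right choice and should stay. The volumeMounts list continues outside the hunk.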
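Review bot: `defaultMode: 0400` depends on the YAML 1.1 octal reading (256) that kubectl's parser applies; a YAML 1.2 parser, or any tool that round-trips this manifest through JSON, reads it as decimal 400, which is mode 0620 and makes the private key group-writable instead of owner-read-only. Write it as `defaultMode: 256  # 0400: owner read-only for the TLS key` so the value is the same under every parser. Secret volume files are owned by root unless the pod sets an `fsGroup`, so with 0400 the mongod process must run as root to open the key; if the entrypoint drops privileges, an `fsGroup` in the pod `securityContext` (not visible in this hunk) would be needed. The volumes list and the enclosing spec continue outside the hunk.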