Automate MongoDB user creation for prod/test deployments

- Currently, we had to manually log into the MongoDB container
  and create users, this change will configure the relevant users
  from a single script `configure_mdb.sh`
- Improvements can be done but keeping it minimal for the workshop

k8s/configuration/config-map.yaml

@@ -169,3 +169,16 @@ data:
   # tm-pub-key-access is the port number used to host/publish the
   # public key of the tendemrint node in this cluster.
   tm-pub-key-access: "9986"
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mdb-config
+  namespace: default
+data:
+  # User name for MongoDB adminuser
+  mdb-admin-username: "<mongodb admin username>"
+
+  # MongoDB monitoring agent authentication user name
+  mdb-mon-user: "<mongodb monitoring agent username>"

k8s/configuration/secret.yaml

@@ -100,3 +100,14 @@ data:
   # Base64-encoded CA certificate (ca.crt)
   ca.pem: "<b64 encoded CA certificate>"
   crl.pem: "<b64 encoded CRL>"
+---
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mdb-config
+  namespace: default
+type: Opaque
+data:
+  # Password for for MongoDB adminuser
+  mdb-admin-password: "<b64 encoded mdb admin password>"

k8s/mongodb/container/Dockerfile

@@ -6,6 +6,7 @@ RUN apt-get update \
     && apt-get autoremove \
     && apt-get clean
 COPY mongod.conf.template /etc/mongod.conf
+COPY configure_mdb_users.template.js /configure_mdb_users.js
 COPY mongod_entrypoint.bash /
 VOLUME /data/db /data/configdb /etc/mongod/ssl /etc/mongod/ca
 EXPOSE 27017

k8s/mongodb/container/configure_mdb_users.template.js

@@ -0,0 +1,43 @@
+use admin;
+db.createUser({
+    user: "MONGODB_ADMIN_USERNAME",
+    pwd: "MONGODB_ADMIN_PASSWORD",
+    roles: [{
+            role: "userAdminAnyDatabase",
+            db: "admin"
+        },
+        {
+            role: "clusterManager",
+            db: "admin"
+        }
+    ]
+});
+use admin;
+db.auth("MONGODB_ADMIN_USERNAME", "MONGODB_ADMIN_PASSWORD");
+db.getSiblingDB("$external").runCommand({
+    createUser: 'BDB_USERNAME',
+    writeConcern: {
+        w: 'majority',
+        wtimeout: 5000
+    },
+    roles: [{
+            role: 'clusterAdmin',
+            db: 'admin'
+        },
+        {
+            role: 'readWriteAnyDatabase',
+            db: 'admin'
+        }
+    ]
+});
+db.getSiblingDB("$external").runCommand({
+    createUser: 'MDB_MON_USERNAME',
+    writeConcern: {
+        w: 'majority',
+        wtimeout: 5000
+    },
+    roles: [{
+        role: 'clusterMonitor',
+        db: 'admin'
+    }]
+});

k8s/mongodb/container/mongod_entrypoint.bash

@@ -8,66 +8,78 @@ MONGODB_CRL_FILE_PATH=""
 MONGODB_FQDN=""
 MONGODB_IP=""
 
+# vars for MongoDB configuration
+configure_mongo=true
+MONGODB_CREDENTIALS_DIR=/tmp/mongodb
+mongodb_admin_password=""
+mongodb_admin_username=`printenv MONGODB_ADMIN_USERNAME || true`
+mongodb_admin_password=`printenv MONGODB_ADMIN_PASSWORD || true`
+bdb_username=`printenv BDB_USERNAME || true`
+mdb_mon_username=`printenv MDB_MON_USERNAME || true`
+
 while [[ $# -gt 1 ]]; do
-  arg="$1"
-  case $arg in
-      --mongodb-port)
-          MONGODB_PORT="$2"
-          shift
-          ;;
-      --mongodb-key-file-path)
-          MONGODB_KEY_FILE_PATH="$2"
-          shift
-          ;;
-      --mongodb-ca-file-path)
-          MONGODB_CA_FILE_PATH="$2"
-          shift
-          ;;
-      --mongodb-crl-file-path)
-          MONGODB_CRL_FILE_PATH="$2"
-          shift
-          ;;
-      --mongodb-fqdn)
-          MONGODB_FQDN="$2"
-          shift
-          ;;
-      --mongodb-ip)
-          MONGODB_IP="$2"
-          shift
-          ;;
-      --storage-engine-cache-size)
-          STORAGE_ENGINE_CACHE_SIZE="$2"
-          shift
-          ;;
-      *)
-          echo "Unknown option: $1"
-          exit 1
-          ;;
-  esac
-  shift
+    arg="$1"
+    case $arg in
+        --mongodb-port)
+            MONGODB_PORT="$2"
+            shift
+        ;;
+        --mongodb-key-file-path)
+            MONGODB_KEY_FILE_PATH="$2"
+            shift
+        ;;
+        --mongodb-ca-file-path)
+            MONGODB_CA_FILE_PATH="$2"
+            shift
+        ;;
+        --mongodb-crl-file-path)
+            MONGODB_CRL_FILE_PATH="$2"
+            shift
+        ;;
+        --mongodb-fqdn)
+            MONGODB_FQDN="$2"
+            shift
+        ;;
+        --mongodb-ip)
+            MONGODB_IP="$2"
+            shift
+        ;;
+        --storage-engine-cache-size)
+            STORAGE_ENGINE_CACHE_SIZE="$2"
+            shift
+        ;;
+        *)
+            echo "Unknown option: $1"
+            exit 1
+        ;;
+    esac
+    shift
 done
 
 # sanity checks
 if [[ -z "${MONGODB_PORT:?MONGODB_PORT not specified. Exiting!}" || \
-    -z "${MONGODB_FQDN:?MONGODB_FQDN not specified. Exiting!}" || \
-    -z "${MONGODB_IP:?MONGODB_IP not specified. Exiting!}" || \
-    -z "${MONGODB_KEY_FILE_PATH:?MONGODB_KEY_FILE_PATH not specified. Exiting!}" || \
-    -z "${MONGODB_CA_FILE_PATH:?MONGODB_CA_FILE_PATH not specified. Exiting!}" || \
-    -z "${MONGODB_CRL_FILE_PATH:?MONGODB_CRL_FILE_PATH not specified. Exiting!}" || \
-    -z "${STORAGE_ENGINE_CACHE_SIZE:=''}" ]] ; then
-  exit 1
+        -z "${MONGODB_FQDN:?MONGODB_FQDN not specified. Exiting!}" || \
+        -z "${MONGODB_IP:?MONGODB_IP not specified. Exiting!}" || \
+        -z "${MONGODB_KEY_FILE_PATH:?MONGODB_KEY_FILE_PATH not specified. Exiting!}" || \
+        -z "${MONGODB_CA_FILE_PATH:?MONGODB_CA_FILE_PATH not specified. Exiting!}" || \
+    -z "${MONGODB_CRL_FILE_PATH:?MONGODB_CRL_FILE_PATH not specified. Exiting!}" ]] ; then
+    # Not handling the STORAGE_ENGINE_CACHE_SIZE because
+    # it is optional. If not specified the default cache
+    # size is: max((50% RAM - 1GB), 256MB)
+    exit 1
 else
-  echo MONGODB_PORT="$MONGODB_PORT"
-  echo MONGODB_FQDN="$MONGODB_FQDN"
-  echo MONGODB_IP="$MONGODB_IP"
-  echo MONGODB_KEY_FILE_PATH="$MONGODB_KEY_FILE_PATH"
-  echo MONGODB_CA_FILE_PATH="$MONGODB_CA_FILE_PATH"
-  echo MONGODB_CRL_FILE_PATH="$MONGODB_CRL_FILE_PATH"
-  echo STORAGE_ENGINE_CACHE_SIZE="$STORAGE_ENGINE_CACHE_SIZE"
+    echo MONGODB_PORT="$MONGODB_PORT"
+    echo MONGODB_FQDN="$MONGODB_FQDN"
+    echo MONGODB_IP="$MONGODB_IP"
+    echo MONGODB_KEY_FILE_PATH="$MONGODB_KEY_FILE_PATH"
+    echo MONGODB_CA_FILE_PATH="$MONGODB_CA_FILE_PATH"
+    echo MONGODB_CRL_FILE_PATH="$MONGODB_CRL_FILE_PATH"
+    echo STORAGE_ENGINE_CACHE_SIZE="$STORAGE_ENGINE_CACHE_SIZE"
 fi
 
 MONGODB_CONF_FILE_PATH=/etc/mongod.conf
 HOSTS_FILE_PATH=/etc/hosts
+MONGODB_CONFIGURE_USERS_PATH=/configure_mdb_users.js
 
 # configure the mongod.conf file
 sed -i "s|MONGODB_PORT|${MONGODB_PORT}|g" ${MONGODB_CONF_FILE_PATH}
@@ -75,14 +87,30 @@ sed -i "s|MONGODB_KEY_FILE_PATH|${MONGODB_KEY_FILE_PATH}|g" ${MONGODB_CONF_FILE_
 sed -i "s|MONGODB_CA_FILE_PATH|${MONGODB_CA_FILE_PATH}|g" ${MONGODB_CONF_FILE_PATH}
 sed -i "s|MONGODB_CRL_FILE_PATH|${MONGODB_CRL_FILE_PATH}|g" ${MONGODB_CONF_FILE_PATH}
 if [ ! -z "$STORAGE_ENGINE_CACHE_SIZE" ]; then
-  if [[ "$STORAGE_ENGINE_CACHE_SIZE" =~ ^[0-9]+(G|M|T)B$ ]]; then
-    sed -i.bk "s|STORAGE_ENGINE_CACHE_SIZE|${STORAGE_ENGINE_CACHE_SIZE}|g" ${MONGODB_CONF_FILE_PATH}
-  else
-    echo "Invalid Value for storage engine cache size $STORAGE_ENGINE_CACHE_SIZE"
-    exit 1
-  fi
+    if [[ "$STORAGE_ENGINE_CACHE_SIZE" =~ ^[0-9]+(G|M|T)B$ ]]; then
+        sed -i.bk "s|STORAGE_ENGINE_CACHE_SIZE|${STORAGE_ENGINE_CACHE_SIZE}|g" ${MONGODB_CONF_FILE_PATH}
+    else
+        echo "Invalid Value for storage engine cache size $STORAGE_ENGINE_CACHE_SIZE"
+        exit 1
+    fi
 else
-  sed -i.bk "/cache_size=/d" ${MONGODB_CONF_FILE_PATH}
+    sed -i.bk "/cache_size=/d" ${MONGODB_CONF_FILE_PATH}
+fi
+
+if [ -f ${MONGODB_CREDENTIALS_DIR}/mdb-admin-password ]; then
+    mongodb_admin_password=`cat ${MONGODB_CREDENTIALS_DIR}/mdb-admin-password`
+fi
+
+# Only configure if all variables are set
+if [[ -z "${mongodb_admin_username}" && \
+        -z "${mongodb_admin_password}" && \
+        -z "${bdb_username}" && \
+    -z "${mdb_mon_username}" ]]; then
+    sed -i "s|MONGODB_ADMIN_USERNAME|${mongodb_admin_username}|g" ${MONGODB_CONFIGURE_USERS_PATH}
+    sed -i "s|MONGODB_ADMIN_PASSWORD|${mongodb_admin_password}|g" ${MONGODB_CONFIGURE_USERS_PATH}
+    sed -i "s|BDB_USERNAME|${bdb_username}|g" ${MONGODB_CONFIGURE_USERS_PATH}
+    sed -i "s|MDB_MON_USERNAME|${mdb_mon_username}|g" ${MONGODB_CONFIGURE_USERS_PATH}
+    echo "True" > /tmp/configure_mongo
 fi
 
 # add the hostname and ip to hosts file

k8s/mongodb/mongo-ss.yaml

@@ -43,6 +43,21 @@ spec:
             configMapKeyRef:
              name: vars
              key: storage-engine-cache-size
+        - name: MONGODB_ADMIN_USERNAME
+          valueFrom:
+            configMapKeyRef:
+             name: mdb-config
+             key: mdb-admin-username
+        - name: BDB_USERNAME
+          valueFrom:
+            configMapKeyRef:
+             name: bdb-config
+             key: bdb-user
+        - name: MDB_MON_USERNAME
+          valueFrom:
+            configMapKeyRef:
+             name: mdb-config
+             key: mdb-mon-user
         args:
         - --mongodb-port
         - $(MONGODB_PORT)
@@ -77,6 +92,9 @@ spec:
         - name: ca-auth
           mountPath: /etc/mongod/ca/
           readOnly: true
+        - name: mdb-config
+          mountPath: /tmp/mongodb
+          readOnly: true
         resources:
           limits:
             cpu: 200m
@@ -105,3 +123,7 @@ spec:
         secret:
           secretName: ca-auth
           defaultMode: 0400
+      - name: mdb-config
+        secret:
+          secretName: mdb-config
+          defaultMode: 0400

k8s/scripts/cert_gen.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
-set -euo pipefail
+set -e
+set -o xtrace
 
 
 # base directories for operations
@@ -132,12 +133,20 @@ function convert_b64(){
     cat $2/pki/crl.pem | base64 -w 0 > $1/crl.pem.b64
 }
 
+function get_users(){
+    openssl x509 -in $BASE_CA_DIR/$BASE_EASY_RSA_PATH/pki/issued/"$MDB_CN"-"$INDEX".crt -inform PEM -subject \
+      -nameopt RFC2253 | head -n 1 | sed -r 's/^subject= //' > $1/"$MDB_CN"-"$INDEX".user
+    openssl x509 -in $BASE_CA_DIR/$BASE_EASY_RSA_PATH/pki/issued/"$BDB_CN"-"$INDEX".crt -inform PEM -subject \
+      -nameopt RFC2253 | head -n 1 | sed -r 's/^subject= //' > $1/"$BDB_CN"-"$INDEX".user
+    openssl x509 -in $BASE_CA_DIR/$BASE_EASY_RSA_PATH/pki/issued/"$MDB_MON_CN"-"$INDEX".crt -inform PEM -subject \
+      -nameopt RFC2253 | head -n 1 | sed -r 's/^subject= //' > $1/"$MDB_MON_CN"-"$INDEX".user
+
+}
+
 function configure_common(){
     sudo apt-get update -y
     sudo apt-get install openssl -y
     wget https://github.com/OpenVPN/easy-rsa/archive/3.0.1.tar.gz -P $1
-    wget https://github.com/OpenVPN/easy-rsa/archive/3.0.1.tar.gz -P $1
-    wget https://github.com/OpenVPN/easy-rsa/archive/3.0.1.tar.gz -P $1
     tar xzvf $1/3.0.1.tar.gz -C $1/
     rm $1/3.0.1.tar.gz
     cp $1/$BASE_EASY_RSA_PATH/vars.example $1/$BASE_EASY_RSA_PATH/vars
@@ -183,6 +192,7 @@ BASE_MEMBER_CERT_DIR="${BASE_DIR}"/member-cert
 BASE_CLIENT_CERT_DIR="${BASE_DIR}"/client-cert
 BASE_EASY_RSA_PATH='easy-rsa-3.0.1/easyrsa3'
 BASE_K8S_DIR="${BASE_DIR}"/k8s
+BASE_USERS_DIR="{$BASE_DIR}"/users
 
 # sanity checks
 if [[ -z "${INDEX}" ]] ; then
@@ -209,4 +219,5 @@ configure_client_cert_gen $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH
 import_requests $BASE_CA_DIR/$BASE_EASY_RSA_PATH
 sign_requests $BASE_CA_DIR/$BASE_EASY_RSA_PATH
 make_pem_files $BASE_CA_DIR/$BASE_EASY_RSA_PATH $BASE_K8S_DIR
-convert_b64 $BASE_K8S_DIR $BASE_CA_DIR/$BASE_EASY_RSA_PATH $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH
+convert_b64 $BASE_K8S_DIR $BASE_CA_DIR/$BASE_EASY_RSA_PATH $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH
+get_users $BASE_USERS_DIR $BASE_CA_DIR/$BASE_EASY_RSA_PATH

k8s/scripts/configure_mdb.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+[ -z $1 ] && echo "Please specify MongoDB instance name!!"
+MONGODB_INSTANCE_NAME=$1
+
+if [[ -n "$MONGODB_INSTANCE_NAME" ]]; then
+    /usr/local/bin/kubectl exec -it "${MONGODB_INSTANCE_NAME}"\-ss\-0 -- bash -c "if [[ -f /tmp/configure_mongo && -n \$(cat /tmp/configure_mongo) ]]; then  /usr/bin/mongo --host localhost --port \$(printenv MONGODB_PORT) --ssl --sslCAFile /etc/mongod/ca/ca.pem --sslPEMKeyFile  /etc/mongod/ssl/mdb-instance.pem < /configure_mdb_users.js; fi"
+else
+    echo "Skipping configuration!!!"
+fi