Support for TLS connections in MongoDB Backup Agent

k8s/mongodb-backup-agent/container/Dockerfile

@@ -6,7 +6,10 @@ ARG FILE_URL="https://cloud.mongodb.com/download/agent/backup/"$DEB_FILE
 WORKDIR /
 RUN apt update \
     && apt -y upgrade \
-    && apt -y install --no-install-recommends curl ca-certificates logrotate \
+    && apt -y install --no-install-recommends \
+      curl \
+      ca-certificates \
+      logrotate \
       libsasl2-2 \
     && curl -OL $FILE_URL \
     && dpkg -i $DEB_FILE \
@@ -16,4 +19,6 @@ RUN apt update \
     && apt clean
 COPY mongodb_backup_agent_entrypoint.bash /
 RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/
+VOLUME /etc/mongod/ssl
+#USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete
 ENTRYPOINT ["/mongodb_backup_agent_entrypoint.bash"]

k8s/mongodb-backup-agent/container/mongodb_backup_agent_entrypoint.bash

@@ -4,11 +4,11 @@ set -euo pipefail
 
 MONGODB_BACKUP_CONF_FILE=/etc/mongodb-mms/backup-agent.config
 
-mms_api_key=`printenv MMS_API_KEY`
+mms_api_keyfile_path=`printenv MMS_API_KEYFILE_PATH`
 ca_crt_path=`printenv CA_CRT_PATH`
-backup_crt_path=`printenv BACKUP_PEM_PATH`
+backup_crt_path=`printenv MONITORING_PEM_PATH`
 
-if [[ -z "${mms_api_key}" || \
+if [[ -z "${mms_api_keyfile_path}" || \
     -z "${ca_crt_path}" || \
     -z "${backup_crt_path}" ]]; then
   echo "Invalid environment settings detected. Exiting!"
@@ -18,6 +18,9 @@ fi
 sed -i '/mmsApiKey/d'  ${MONGODB_BACKUP_CONF_FILE}
 sed -i '/mothership/d'  ${MONGODB_BACKUP_CONF_FILE}
 
+# Get the api key from file
+mms_api_key=`cat ${MMS_API_KEYFILE_PATH}`
+
 echo "mmsApiKey="${mms_api_key} >> ${MONGODB_BACKUP_CONF_FILE}
 echo "mothership=api-backup.eu-west-1.mongodb.com" >> ${MONGODB_BACKUP_CONF_FILE}
 

k8s/mongodb-backup-agent/mongo-backup-dep.yaml

@@ -1,27 +1,56 @@
+############################################################
+# This config file defines a k8s Deployment for the        #
+# bigchaindb/mongodb-backup-agent Docker image             #
+#                                                          #
+# It connects to a MongoDB instance in a separate pod,     #
+# all remote MongoDB instances in the cluster,             #
+# and also to MongoDB Cloud Manager (an external service). #
+# Notes:                                                   #
+# MongoDB agents connect to Cloud Manager on port 443.     #
+############################################################
+
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
-  name: mdb-backup-instance-0-dep
+  name: mdb-bak-instance-0-dep
 spec:
   replicas: 1
   template:
     metadata:
+      name: mdb-bak-instance-0-dep
       labels:
-        app: mdb-backup-instance-0-dep
+        app: mdb-bak-instance-0-dep
     spec:
       terminationGracePeriodSeconds: 10
       containers:
       - name: mdb-backup
-        image: bigchaindb/mongodb-backup-agent:1.0
+        image: bigchaindb/mongodb-backup-agent:2.0
         imagePullPolicy: Always
         env:
-        - name: MMS_API_KEY
-          valueFrom:
-            configMapKeyRef:
-              name: mdb-backup
-              key: api-key
+        - name: MMS_API_KEYFILE_PATH
+          value: /etc/mongod/cloud/api-key
+        - name: CA_CRT_PATH
+          value: /etc/mongod/ssl/ca.pem
+        - name: MONITORING_PEM_PATH
+          value: /etc/mongod/ssl/mdb-bak-instance.pem
         resources:
           limits:
             cpu: 200m
             memory: 768Mi
+        volumeMounts:
+        - name: mdb-bak-certs
+          mountPath: /etc/mongod/ssl/
+          readOnly: true
+        - name: mdb-agent-api-key
+          mountPath: /etc/mongod/cloud/
+          readOnly: true
       restartPolicy: Always
+      volumes:
+      - name: mdb-bak-certs
+        secret:
+          secretName: mdb-bak-certs
+          defaultMode: 0400
+      - name: mdb-agent-api-key
+        secret:
+          secretName: mdb-agent-api-key
+          defaultMode: 0400