diff --git a/helm/templates/mongodb/database_roles.yaml b/helm/templates/mongodb/database_roles.yaml deleted file mode 100644 index f0290e9..0000000 --- a/helm/templates/mongodb/database_roles.yaml +++ /dev/null @@ -1,42 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ .Values.mongodb.database.name }} - namespace: {{ if .Values.mongodb.database.namespace }} {{ .Values.mongodb.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }} - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ .Values.mongodb.database.name }} - namespace: {{ if .Values.mongodb.database.namespace }} {{ .Values.mongodb.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }} -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - apiGroups: - - "" - resources: - - pods - verbs: - - patch - - delete - - get - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ .Values.mongodb.database.name }} - namespace: {{ if .Values.mongodb.database.namespace }} {{ .Values.mongodb.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }} -subjects: - - kind: ServiceAccount - name: {{ .Values.mongodb.database.name }} -roleRef: - kind: Role - name: {{ .Values.mongodb.database.name }} - apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/helm/templates/mongodb/mongodbcommunity_cr_with_tls.yaml b/helm/templates/mongodb/mongodbcommunity_cr_with_tls.yaml deleted file mode 100644 index c5fe9a5..0000000 --- a/helm/templates/mongodb/mongodbcommunity_cr_with_tls.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ -{{- if and .Values.mongodb.resource.tls.enabled .Values.mongodb.resource.tls.useCertManager }} -# cert-manager resources -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: tls-selfsigned-issuer - namespace: {{ .Values.namespace }} -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: tls-selfsigned-ca - namespace: {{ .Values.namespace }} -spec: - isCA: true - commonName: "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local" - dnsNames: - - "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local" - secretName: {{ .Values.mongodb.resource.tls.caCertificateSecretRef }} - privateKey: - algorithm: ECDSA - size: 256 - issuerRef: - name: tls-selfsigned-issuer - kind: Issuer ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: tls-ca-issuer - namespace: {{ .Values.namespace }} -spec: - ca: - secretName: {{ .Values.mongodb.resource.tls.caCertificateSecretRef }} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: cert-manager-tls-certificate - namespace: {{ .Values.namespace }} -spec: - secretName: {{ .Values.mongodb.resource.tls.certificateKeySecretRef }} - issuerRef: - name: tls-ca-issuer - kind: Issuer - duration: {{ .Values.mongodb.resource.tls.certManager.certDuration | default "8760h" }} # default to 365 days - renewBefore: {{ .Values.mongodb.resource.tls.certManager.renewCertBefore | default "720h" }} # default to 30 days - commonName: "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local" - dnsNames: - - "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local" -{{- if .Values.mongodb.resource.tls.useX509 }} -# Agent X509 certs ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: agent-certs - namespace: {{ .Values.namespace }} -spec: - commonName: mms-automation-agent - dnsNames: - - automation - duration: 
240h0m0s - issuerRef: - name: tls-ca-issuer - renewBefore: 120h0m0s - secretName: agent-certs - subject: - countries: - - US - localities: - - NY - organizationalUnits: - - a-1635241837-m5yb81lfnrz - organizations: - - cluster.local-agent - provinces: - - NY - usages: - - digital signature - - key encipherment - - client auth -{{- end }} -{{- if .Values.mongodb.resource.tls.sampleX509User }} -# Client certs ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: x509-user-cert - namespace: {{ .Values.namespace }} -spec: - commonName: my-x509-user - duration: 240h0m0s - issuerRef: - name: tls-ca-issuer - renewBefore: 120h0m0s - secretName: my-x509-user-cert - subject: - organizationalUnits: - - organizationalunit - organizations: - - organization - usages: - - digital signature - - client auth -{{- end }} -{{- end }} -{{- if .Values.mongodb.createResource }} -# mongodb resources ---- -apiVersion: mongodbcommunity.mongodb.com/v1 -kind: MongoDBCommunity -metadata: - name: {{ .Values.mongodb.resource.name }} - namespace: {{ .Values.namespace }} -spec: - members: {{ .Values.mongodb.resource.members }} - type: ReplicaSet - version: {{ .Values.mongodb.resource.version }} - security: - tls: - enabled: {{ .Values.mongodb.resource.tls.enabled }} - {{- if .Values.mongodb.resource.tls.enabled }} - certificateKeySecretRef: - name: {{ .Values.mongodb.resource.tls.certificateKeySecretRef }} - caCertificateSecretRef: - name: {{ .Values.mongodb.resource.tls.caCertificateSecretRef }} - {{- end }} - authentication: - {{- if .Values.mongodb.resource.tls.useX509 }} - modes: ["X509"] - {{- else }} - modes: ["SCRAM"] - {{- end }} - {{- if .Values.mongodb.resource.tls.sampleX509User }} - users: - - name: CN=my-x509-user,OU=organizationalunit,O=organization - db: $external - roles: - - name: clusterAdmin - db: admin - - name: userAdminAnyDatabase - db: admin - - name: readWriteAnyDatabase - db: admin - {{- else }} - users: - {{- toYaml .Values.mongodb.resource.users | 
nindent 4 }} - {{- end}} -{{- end }} \ No newline at end of file diff --git a/helm/templates/mongodb/operator.yaml b/helm/templates/mongodb/operator.yaml deleted file mode 100644 index 7b1fbfc..0000000 --- a/helm/templates/mongodb/operator.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - email: support@mongodb.com - labels: - owner: mongodb - name: {{ .Values.mongodb.operator.name }} - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.mongodb.operator.replicas }} - selector: - matchLabels: - name: {{ .Values.mongodb.operator.name }} - strategy: - rollingUpdate: - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - labels: - name: {{ .Values.mongodb.operator.name }} - spec: - {{- with .Values.mongodb.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: name - operator: In - values: - - {{ .Values.mongodb.operator.name }} - topologyKey: kubernetes.io/hostname - containers: - - command: - - /usr/local/bin/entrypoint - env: -{{- if .Values.mongodb.operator.extraEnvs }} - {{ toYaml .Values.mongodb.operator.extraEnvs | nindent 12 }} -{{- end }} - - name: WATCH_NAMESPACE -{{- if .Values.mongodb.operator.watchNamespace}} - value: "{{ .Values.mongodb.operator.watchNamespace }}" -{{- else }} - valueFrom: - fieldRef: - fieldPath: metadata.namespace -{{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAME - value: {{ .Values.mongodb.operator.name }} - - name: AGENT_IMAGE - value: "{{ .Values.mongodb.registry.agent }}/{{ .Values.mongodb.agent.name }}:{{ .Values.mongodb.agent.version }}" - - name: VERSION_UPGRADE_HOOK_IMAGE - value: "{{ .Values.mongodb.registry.versionUpgradeHook }}/{{ .Values.mongodb.versionUpgradeHook.name }}:{{ .Values.mongodb.versionUpgradeHook.version }}" - - name: READINESS_PROBE_IMAGE - value: "{{ .Values.mongodb.registry.readinessProbe }}/{{ .Values.mongodb.readinessProbe.name }}:{{ .Values.mongodb.readinessProbe.version }}" - - name: MONGODB_IMAGE - value: {{ .Values.mongodb.mongodb.name }} - - name: 
MONGODB_REPO_URL - value: {{ .Values.mongodb.mongodb.repo }} - image: {{ .Values.mongodb.registry.operator }}/{{ .Values.mongodb.operator.operatorImageName }}:{{ .Values.mongodb.operator.version }} - imagePullPolicy: {{ .Values.mongodb.registry.pullPolicy}} - name: {{ .Values.mongodb.operator.deploymentName }} - resources: - {{- toYaml .Values.mongodb.operator.resources | nindent 12 }} - {{- if .Values.mongodb.operator.securityContext }} - securityContext: - {{- toYaml .Values.mongodb.operator.securityContext | nindent 12 }} - {{- end }} - {{- if .Values.mongodb.operator.podSecurityContext }} - securityContext: - {{- toYaml .Values.mongodb.operator.podSecurityContext | nindent 8 }} - {{- end }} - serviceAccountName: {{ .Values.mongodb.operator.name }} \ No newline at end of file diff --git a/helm/templates/mongodb/operator_roles.yaml b/helm/templates/mongodb/operator_roles.yaml deleted file mode 100644 index 553623c..0000000 --- a/helm/templates/mongodb/operator_roles.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ .Values.mongodb.operator.name }} - namespace: {{ .Release.Namespace }} - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ if eq (.Values.mongodb.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }} -metadata: - name: {{ .Values.mongodb.operator.name }} - {{- if not (eq (.Values.mongodb.operator.watchNamespace | default "*") "*") }} - namespace: {{ .Values.mongodb.operator.watchNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} -rules: -- apiGroups: - - "" - resources: - - pods - - services - - configmaps - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mongodbcommunity.mongodb.com - resources: - - mongodbcommunity - - mongodbcommunity/status - - mongodbcommunity/spec - - mongodbcommunity/finalizers - verbs: - - get - - patch - - list - - update - - watch - ---- -kind: {{ if eq (.Values.mongodb.operator.watchNamespace | default "") "*" }} ClusterRoleBinding {{ else }} RoleBinding {{ end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ .Values.mongodb.operator.name }} - {{- if ne (.Values.mongodb.operator.watchNamespace | default "*") "*" }} - namespace: {{ .Values.mongodb.operator.watchNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} -subjects: -- kind: ServiceAccount - name: {{ .Values.mongodb.operator.name }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: {{ if eq (.Values.mongodb.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }} - name: {{ .Values.mongodb.operator.name }} - apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/helm/values.yaml b/helm/values.yaml index d1082cd..8ac9447 100644 --- a/helm/values.yaml 
+++ b/helm/values.yaml 
@@ -108,105 +108,3 @@ secrets:
 clientcertificatedata:
 clientkeydata:
 kubeaddress: 149.202.55.61
-
-# MongoDB
-mongodb:
- operator:
- # Name that will be assigned to most of internal Kubernetes objects like
- # Deployment, ServiceAccount, Role etc.
- name: mongodb-kubernetes-operator
-
- # Name of the operator image
- operatorImageName: mongodb-kubernetes-operator
-
- # Name of the deployment of the operator pod
- deploymentName: mongodb-kubernetes-operator
-
- # Version of mongodb-kubernetes-operator
- version: 0.9.0
-
- # Uncomment this line to watch all namespaces
- # watchNamespace: "*"
-
- # Resources allocated to Operator Pod
- resources:
- limits:
- cpu: 1100m
- memory: 1Gi
- requests:
- cpu: 500m
- memory: 200Mi
-
- # replicas deployed for the operator pod. Running 1 is optimal and suggested.
- replicas: 1
-
- # Additional environment variables
- extraEnvs: []
- # environment:
- # - name: CLUSTER_DOMAIN
- # value: my-cluster.domain
-
- podSecurityContext:
- runAsNonRoot: true
- runAsUser: 2000
-
- securityContext: {}
-
- ## Operator's database
- database:
- name: mongodb-database
- # set this to the namespace where you would like
- # to deploy the MongoDB database,
- # Note if the database namespace is not same
- # as the operator namespace,
- # make sure to set "watchNamespace" to "*"
- # to ensure that the operator has the
- # permission to reconcile resources in other namespaces
- # namespace: mongodb-database
-
- agent:
- name: mongodb-agent
- version: 107.0.0.8465-1
- versionUpgradeHook:
- name: mongodb-kubernetes-operator-version-upgrade-post-start-hook
- version: 1.0.8
- readinessProbe:
- name: mongodb-kubernetes-readinessprobe
- version: 1.0.17
- mongodb:
- name: mongo
- repo: docker.io
-
- registry:
- agent: quay.io/mongodb
- versionUpgradeHook: quay.io/mongodb
- readinessProbe: quay.io/mongodb
- operator: quay.io/mongodb
- pullPolicy: Always
-
- # Set to false if CRDs have been installed already. The CRDs can be installed
- # manually from the code repo: github.com/mongodb/mongodb-kubernetes-operator or
- # using the `community-operator-crds` Helm chart.
- community-operator-crds:
- enabled: true
-
- # Deploys MongoDB with `resource` attributes.
- createResource: false
- resource:
- name: mongodb-replica-set
- version: 4.4.0
- members: 3
- tls:
- enabled: false
-
- # Installs Cert-Manager in this cluster.
- useX509: false
- sampleX509User: false
- useCertManager: true
- certificateKeySecretRef: tls-certificate
- caCertificateSecretRef: tls-ca-key-pair
- certManager:
- certDuration: 8760h # 365 days
- renewCertBefore: 720h # 30 days
-
- users: []