Add a mongodb database
ThomasHerve committed Apr 2, 2024
1 parent 424e1de commit fdfd8df
Showing 5 changed files with 458 additions and 1 deletion.
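--- /dev/null
+++ b/helm/templates/mongodb/database_roles.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ .Values.mongodb.database.name }}
+namespace: {{ if .Values.mongodb.database.namespace }} {{ .Values.mongodb.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: {{ .Values.mongodb.database.name }}
+namespace: {{ if .Values.mongodb.database.namespace }} {{ .Values.mongodb.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }}
+rules:
+- apiGroups:
+- ""
+resources:
+- secrets
+verbs:
+- get
+- apiGroups:
+- ""
+resources:
+- pods
+verbs:
+- patch
+- delete
+- get
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: {{ .Values.mongodb.database.name }}
+namespace: {{ if .Values.mongodb.database.namespace }} {{ .Values.mongodb.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }}
+subjects:
+- kind: ServiceAccount
+name: {{ .Values.mongodb.database.name }}
+roleRef:
+kind: Role
+name: {{ .Values.mongodb.database.name }}
+apiGroup: rbac.authorization.k8s.io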
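Review bot: The Role grants `get` on every Secret and `patch`/`delete`/`get` on every Pod in the namespace with no `resourceNames` restriction, so the database ServiceAccount bound below can read any Secret in that namespace, not only its own keyfile and TLS material; if the agent only needs specific Secrets, scoping the first rule with `resourceNames` would narrow this. Whether the operator's agent tolerates a restricted list cannot be told from this hunk, so it should be checked against the agent's documented requirements before tightening. Separately, the three `namespace:` lines repeat an if/else that renders with stray spaces around the value; `namespace: {{ .Values.mongodb.database.namespace | default .Release.Namespace }}` is equivalent and easier to read.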
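--- /dev/null
+++ b/helm/templates/mongodb/mongodbcommunity_cr_with_tls.yaml
@@ -0,0 +1,153 @@
+{{- if and .Values.mongodb.resource.tls.enabled .Values.mongodb.resource.tls.useCertManager }}
+# cert-manager resources
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: tls-selfsigned-issuer
+namespace: {{ .Values.namespace }}
+spec:
+selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: tls-selfsigned-ca
+namespace: {{ .Values.namespace }}
+spec:
+isCA: true
+commonName: "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+dnsNames:
+- "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+secretName: {{ .Values.mongodb.resource.tls.caCertificateSecretRef }}
+privateKey:
+algorithm: ECDSA
+size: 256
+issuerRef:
+name: tls-selfsigned-issuer
+kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: tls-ca-issuer
+namespace: {{ .Values.namespace }}
+spec:
+ca:
+secretName: {{ .Values.mongodb.resource.tls.caCertificateSecretRef }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: cert-manager-tls-certificate
+namespace: {{ .Values.namespace }}
+spec:
+secretName: {{ .Values.mongodb.resource.tls.certificateKeySecretRef }}
+issuerRef:
+name: tls-ca-issuer
+kind: Issuer
+duration: {{ .Values.mongodb.resource.tls.certManager.certDuration | default "8760h" }} # default to 365 days
+renewBefore: {{ .Values.mongodb.resource.tls.certManager.renewCertBefore | default "720h" }} # default to 30 days
+commonName: "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+dnsNames:
+- "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+{{- if .Values.mongodb.resource.tls.useX509 }}
+# Agent X509 certs
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: agent-certs
+namespace: {{ .Values.namespace }}
+spec:
+commonName: mms-automation-agent
+dnsNames:
+- automation
+duration: 240h0m0s
+issuerRef:
+name: tls-ca-issuer
+renewBefore: 120h0m0s
+secretName: agent-certs
+subject:
+countries:
+- US
+localities:
+- NY
+organizationalUnits:
+- a-1635241837-m5yb81lfnrz
+organizations:
+- cluster.local-agent
+provinces:
+- NY
+usages:
+- digital signature
+- key encipherment
+- client auth
+{{- end }}
+{{- if .Values.mongodb.resource.tls.sampleX509User }}
+# Client certs
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: x509-user-cert
+namespace: {{ .Values.namespace }}
+spec:
+commonName: my-x509-user
+duration: 240h0m0s
+issuerRef:
+name: tls-ca-issuer
+renewBefore: 120h0m0s
+secretName: my-x509-user-cert
+subject:
+organizationalUnits:
+- organizationalunit
+organizations:
+- organization
+usages:
+- digital signature
+- client auth
+{{- end }}
+{{- end }}
+{{- if .Values.mongodb.createResource }}
+# mongodb resources
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+name: {{ .Values.mongodb.resource.name }}
+namespace: {{ .Values.namespace }}
+spec:
+members: {{ .Values.mongodb.resource.members }}
+type: ReplicaSet
+version: {{ .Values.mongodb.resource.version }}
+security:
+tls:
+enabled: {{ .Values.mongodb.resource.tls.enabled }}
+{{- if .Values.mongodb.resource.tls.enabled }}
+certificateKeySecretRef:
+name: {{ .Values.mongodb.resource.tls.certificateKeySecretRef }}
+caCertificateSecretRef:
+name: {{ .Values.mongodb.resource.tls.caCertificateSecretRef }}
+{{- end }}
+authentication:
+{{- if .Values.mongodb.resource.tls.useX509 }}
+modes: ["X509"]
+{{- else }}
+modes: ["SCRAM"]
+{{- end }}
+{{- if .Values.mongodb.resource.tls.sampleX509User }}
+users:
+- name: CN=my-x509-user,OU=organizationalunit,O=organization
+db: $external
+roles:
+- name: clusterAdmin
+db: admin
+- name: userAdminAnyDatabase
+db: admin
+- name: readWriteAnyDatabase
+db: admin
+{{- else }}
+users:
+{{- toYaml .Values.mongodb.resource.users | nindent 4 }}
+{{- end}}
+{{- end }}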
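Review bot: The MongoDBCommunity resource, its Issuers and its Certificates are all placed in `.Values.namespace`, while the operator in operator.yaml runs in `.Release.Namespace` and, unless `watchNamespace` is set, watches only its own namespace through the downward-API `WATCH_NAMESPACE`; if those two values differ the CR is rendered but apparently never reconciled, and the operator's Role in operator_roles.yaml would not cover the TLS Secrets either. Using `.Release.Namespace` here as the other templates do, or documenting that `.Values.namespace` must equal the release namespace, would close that gap. `version: {{ .Values.mongodb.resource.version }}` is rendered unquoted; `version: {{ .Values.mongodb.resource.version | quote }}` keeps a two-part version from being emitted as a number. The `sampleX509User` branch creates a user holding `clusterAdmin`, `userAdminAnyDatabase` and `readWriteAnyDatabase`; a comment above that `if`, such as `# sampleX509User provisions a demo user with cluster-wide admin roles; intended for local testing only`, would make the intent of the flag visible to whoever sets it.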
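--- /dev/null
+++ b/helm/templates/mongodb/operator.yaml
@@ -0,0 +1,83 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+annotations:
+email: [email protected]
+labels:
+owner: mongodb
+name: {{ .Values.mongodb.operator.name }}
+namespace: {{ .Release.Namespace }}
+spec:
+replicas: {{ .Values.mongodb.operator.replicas }}
+selector:
+matchLabels:
+name: {{ .Values.mongodb.operator.name }}
+strategy:
+rollingUpdate:
+maxUnavailable: 1
+type: RollingUpdate
+template:
+metadata:
+labels:
+name: {{ .Values.mongodb.operator.name }}
+spec:
+{{- with .Values.mongodb.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+affinity:
+podAntiAffinity:
+requiredDuringSchedulingIgnoredDuringExecution:
+- labelSelector:
+matchExpressions:
+- key: name
+operator: In
+values:
+- {{ .Values.mongodb.operator.name }}
+topologyKey: kubernetes.io/hostname
+containers:
+- command:
+- /usr/local/bin/entrypoint
+env:
+{{- if .Values.mongodb.operator.extraEnvs }}
+{{ toYaml .Values.mongodb.operator.extraEnvs | nindent 12 }}
+{{- end }}
+- name: WATCH_NAMESPACE
+{{- if .Values.mongodb.operator.watchNamespace}}
+value: "{{ .Values.mongodb.operator.watchNamespace }}"
+{{- else }}
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+{{- end }}
+- name: POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: OPERATOR_NAME
+value: {{ .Values.mongodb.operator.name }}
+- name: AGENT_IMAGE
+value: "{{ .Values.mongodb.registry.agent }}/{{ .Values.mongodb.agent.name }}:{{ .Values.mongodb.agent.version }}"
+- name: VERSION_UPGRADE_HOOK_IMAGE
+value: "{{ .Values.mongodb.registry.versionUpgradeHook }}/{{ .Values.mongodb.versionUpgradeHook.name }}:{{ .Values.mongodb.versionUpgradeHook.version }}"
+- name: READINESS_PROBE_IMAGE
+value: "{{ .Values.mongodb.registry.readinessProbe }}/{{ .Values.mongodb.readinessProbe.name }}:{{ .Values.mongodb.readinessProbe.version }}"
+- name: MONGODB_IMAGE
+value: {{ .Values.mongodb.mongodb.name }}
+- name: MONGODB_REPO_URL
+value: {{ .Values.mongodb.mongodb.repo }}
+image: {{ .Values.mongodb.registry.operator }}/{{ .Values.mongodb.operator.operatorImageName }}:{{ .Values.mongodb.operator.version }}
+imagePullPolicy: {{ .Values.mongodb.registry.pullPolicy}}
+name: {{ .Values.mongodb.operator.deploymentName }}
+resources:
+{{- toYaml .Values.mongodb.operator.resources | nindent 12 }}
+{{- if .Values.mongodb.operator.securityContext }}
+securityContext:
+{{- toYaml .Values.mongodb.operator.securityContext | nindent 12 }}
+{{- end }}
+{{- if .Values.mongodb.operator.podSecurityContext }}
+securityContext:
+{{- toYaml .Values.mongodb.operator.podSecurityContext | nindent 8 }}
+{{- end }}
+serviceAccountName: {{ .Values.mongodb.operator.name }}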
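Review bot: The `OPERATOR_NAME`, `MONGODB_IMAGE` and `MONGODB_REPO_URL` entries render `value:` unquoted while `WATCH_NAMESPACE` and the three image variables are quoted; the Pod schema requires `value` to be a string, so a values entry that YAML types as a number or boolean would produce a manifest the API server rejects. Writing `value: {{ .Values.mongodb.operator.name | quote }}` (and likewise for the other two) matches the rest of the env list. Both `securityContext` blocks are emitted only when the corresponding values are set, so with those values absent the operator runs without `runAsNonRoot`, `allowPrivilegeEscalation: false` or `readOnlyRootFilesystem`; whether the chart's values.yaml, which is not in view, supplies defaults cannot be confirmed from here, and a comment naming the expected hardening would help. The `extraEnvs` line uses `{{ toYaml … }}` without the `-` trim every other action in the file uses, which leaves a stray blank line in the rendered env list.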
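--- /dev/null
+++ b/helm/templates/mongodb/operator_roles.yaml
@@ -0,0 +1,77 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ .Values.mongodb.operator.name }}
+namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ if eq (.Values.mongodb.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
+metadata:
+name: {{ .Values.mongodb.operator.name }}
+{{- if not (eq (.Values.mongodb.operator.watchNamespace | default "*") "*") }}
+namespace: {{ .Values.mongodb.operator.watchNamespace }}
+{{- else }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+rules:
+- apiGroups:
+- ""
+resources:
+- pods
+- services
+- configmaps
+- secrets
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- apps
+resources:
+- statefulsets
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- mongodbcommunity.mongodb.com
+resources:
+- mongodbcommunity
+- mongodbcommunity/status
+- mongodbcommunity/spec
+- mongodbcommunity/finalizers
+verbs:
+- get
+- patch
+- list
+- update
+- watch
+
+---
+kind: {{ if eq (.Values.mongodb.operator.watchNamespace | default "") "*" }} ClusterRoleBinding {{ else }} RoleBinding {{ end }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: {{ .Values.mongodb.operator.name }}
+{{- if ne (.Values.mongodb.operator.watchNamespace | default "*") "*" }}
+namespace: {{ .Values.mongodb.operator.watchNamespace }}
+{{- else }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+subjects:
+- kind: ServiceAccount
+name: {{ .Values.mongodb.operator.name }}
+namespace: {{ .Release.Namespace }}
+roleRef:
+kind: {{ if eq (.Values.mongodb.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
+name: {{ .Values.mongodb.operator.name }}
+apiGroup: rbac.authorization.k8s.io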
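Review bot: The `kind` expressions normalise an unset `watchNamespace` with `default ""` while the `namespace` selectors use `default "*"`, and when `watchNamespace` is `"*"` a `namespace:` is still rendered on the cluster-scoped ClusterRole and ClusterRoleBinding; the API server discards it, but the asymmetry makes the three branches hard to reason about and the same construct is repeated for the binding. Computing the decision once and emitting `namespace:` only for the namespaced case keeps every branch identical; the RoleBinding block would mirror the excerpt below. Note that the `"*"` path binds create/delete/patch on Secrets, Pods, ConfigMaps and StatefulSets cluster-wide to the operator ServiceAccount, which is a large grant; a comment on `watchNamespace` in values.yaml (not in view) stating that `"*"` confers cluster-wide Secret access would help whoever chooses it.

```yaml
{{- $clusterWide := eq (.Values.mongodb.operator.watchNamespace | default "") "*" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ if $clusterWide }}ClusterRole{{ else }}Role{{ end }}
metadata:
  name: {{ .Values.mongodb.operator.name }}
  {{- if not $clusterWide }}
  namespace: {{ .Values.mongodb.operator.watchNamespace | default .Release.Namespace }}
  {{- end }}
# … unchanged: rules …
```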
