diff --git a/helm/templates/mongodb/database_roles.yaml b/helm/templates/mongodb/database_roles.yaml
new file mode 100644
index 0000000..f0290e9
--- /dev/null
+++ b/helm/templates/mongodb/database_roles.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.mongodb.database.name }}
+ namespace: {{ if .Values.mongodb.database.namespace }} {{ .Values.mongodb.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Values.mongodb.database.name }}
+ namespace: {{ if .Values.mongodb.database.namespace }} {{ .Values.mongodb.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - patch
+ - delete
+ - get
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Values.mongodb.database.name }}
+ namespace: {{ if .Values.mongodb.database.namespace }} {{ .Values.mongodb.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.mongodb.database.name }}
+roleRef:
+ kind: Role
+ name: {{ .Values.mongodb.database.name }}
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/helm/templates/mongodb/mongodbcommunity_cr_with_tls.yaml b/helm/templates/mongodb/mongodbcommunity_cr_with_tls.yaml
new file mode 100644
index 0000000..c5fe9a5
--- /dev/null
+++ b/helm/templates/mongodb/mongodbcommunity_cr_with_tls.yaml
@@ -0,0 +1,153 @@
+{{- if and .Values.mongodb.resource.tls.enabled .Values.mongodb.resource.tls.useCertManager }}
+# cert-manager resources
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: tls-selfsigned-issuer
+ namespace: {{ .Values.namespace }}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: tls-selfsigned-ca
+ namespace: {{ .Values.namespace }}
+spec:
+ isCA: true
+ commonName: "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+ dnsNames:
+ - "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+ secretName: {{ .Values.mongodb.resource.tls.caCertificateSecretRef }}
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: tls-selfsigned-issuer
+ kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: tls-ca-issuer
+ namespace: {{ .Values.namespace }}
+spec:
+ ca:
+ secretName: {{ .Values.mongodb.resource.tls.caCertificateSecretRef }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: cert-manager-tls-certificate
+ namespace: {{ .Values.namespace }}
+spec:
+ secretName: {{ .Values.mongodb.resource.tls.certificateKeySecretRef }}
+ issuerRef:
+ name: tls-ca-issuer
+ kind: Issuer
+ duration: {{ .Values.mongodb.resource.tls.certManager.certDuration | default "8760h" }} # default to 365 days
+ renewBefore: {{ .Values.mongodb.resource.tls.certManager.renewCertBefore | default "720h" }} # default to 30 days
+ commonName: "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+ dnsNames:
+ - "*.{{ .Values.mongodb.resource.name }}-svc.{{ .Values.namespace }}.svc.cluster.local"
+{{- if .Values.mongodb.resource.tls.useX509 }}
+# Agent X509 certs
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: agent-certs
+ namespace: {{ .Values.namespace }}
+spec:
+ commonName: mms-automation-agent
+ dnsNames:
+ - automation
+ duration: 240h0m0s
+ issuerRef:
+ name: tls-ca-issuer
+ renewBefore: 120h0m0s
+ secretName: agent-certs
+ subject:
+ countries:
+ - US
+ localities:
+ - NY
+ organizationalUnits:
+ - a-1635241837-m5yb81lfnrz
+ organizations:
+ - cluster.local-agent
+ provinces:
+ - NY
+ usages:
+ - digital signature
+ - key encipherment
+ - client auth
+{{- end }}
+{{- if .Values.mongodb.resource.tls.sampleX509User }}
+# Client certs
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: x509-user-cert
+ namespace: {{ .Values.namespace }}
+spec:
+ commonName: my-x509-user
+ duration: 240h0m0s
+ issuerRef:
+ name: tls-ca-issuer
+ renewBefore: 120h0m0s
+ secretName: my-x509-user-cert
+ subject:
+ organizationalUnits:
+ - organizationalunit
+ organizations:
+ - organization
+ usages:
+ - digital signature
+ - client auth
+{{- end }}
+{{- end }}
+{{- if .Values.mongodb.createResource }}
+# mongodb resources
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+ name: {{ .Values.mongodb.resource.name }}
+ namespace: {{ .Values.namespace }}
+spec:
+ members: {{ .Values.mongodb.resource.members }}
+ type: ReplicaSet
+ version: {{ .Values.mongodb.resource.version }}
+ security:
+ tls:
+ enabled: {{ .Values.mongodb.resource.tls.enabled }}
+ {{- if .Values.mongodb.resource.tls.enabled }}
+ certificateKeySecretRef:
+ name: {{ .Values.mongodb.resource.tls.certificateKeySecretRef }}
+ caCertificateSecretRef:
+ name: {{ .Values.mongodb.resource.tls.caCertificateSecretRef }}
+ {{- end }}
+ authentication:
+ {{- if .Values.mongodb.resource.tls.useX509 }}
+ modes: ["X509"]
+ {{- else }}
+ modes: ["SCRAM"]
+ {{- end }}
+ {{- if .Values.mongodb.resource.tls.sampleX509User }}
+ users:
+ - name: CN=my-x509-user,OU=organizationalunit,O=organization
+ db: $external
+ roles:
+ - name: clusterAdmin
+ db: admin
+ - name: userAdminAnyDatabase
+ db: admin
+ - name: readWriteAnyDatabase
+ db: admin
+ {{- else }}
+ users:
+ {{- toYaml .Values.mongodb.resource.users | nindent 4 }}
+ {{- end}}
+{{- end }}
\ No newline at end of file
diff --git a/helm/templates/mongodb/operator.yaml b/helm/templates/mongodb/operator.yaml
new file mode 100644
index 0000000..7b1fbfc
--- /dev/null
+++ b/helm/templates/mongodb/operator.yaml
@@ -0,0 +1,83 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ email: support@mongodb.com
+ labels:
+ owner: mongodb
+ name: {{ .Values.mongodb.operator.name }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: {{ .Values.mongodb.operator.replicas }}
+ selector:
+ matchLabels:
+ name: {{ .Values.mongodb.operator.name }}
+ strategy:
+ rollingUpdate:
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ name: {{ .Values.mongodb.operator.name }}
+ spec:
+ {{- with .Values.mongodb.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: name
+ operator: In
+ values:
+ - {{ .Values.mongodb.operator.name }}
+ topologyKey: kubernetes.io/hostname
+ containers:
+ - command:
+ - /usr/local/bin/entrypoint
+ env:
+{{- if .Values.mongodb.operator.extraEnvs }}
+ {{ toYaml .Values.mongodb.operator.extraEnvs | nindent 12 }}
+{{- end }}
+ - name: WATCH_NAMESPACE
+{{- if .Values.mongodb.operator.watchNamespace}}
+ value: "{{ .Values.mongodb.operator.watchNamespace }}"
+{{- else }}
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+{{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAME
+ value: {{ .Values.mongodb.operator.name }}
+ - name: AGENT_IMAGE
+ value: "{{ .Values.mongodb.registry.agent }}/{{ .Values.mongodb.agent.name }}:{{ .Values.mongodb.agent.version }}"
+ - name: VERSION_UPGRADE_HOOK_IMAGE
+ value: "{{ .Values.mongodb.registry.versionUpgradeHook }}/{{ .Values.mongodb.versionUpgradeHook.name }}:{{ .Values.mongodb.versionUpgradeHook.version }}"
+ - name: READINESS_PROBE_IMAGE
+ value: "{{ .Values.mongodb.registry.readinessProbe }}/{{ .Values.mongodb.readinessProbe.name }}:{{ .Values.mongodb.readinessProbe.version }}"
+ - name: MONGODB_IMAGE
+ value: {{ .Values.mongodb.mongodb.name }}
+ - name: MONGODB_REPO_URL
+ value: {{ .Values.mongodb.mongodb.repo }}
+ image: {{ .Values.mongodb.registry.operator }}/{{ .Values.mongodb.operator.operatorImageName }}:{{ .Values.mongodb.operator.version }}
+ imagePullPolicy: {{ .Values.mongodb.registry.pullPolicy}}
+ name: {{ .Values.mongodb.operator.deploymentName }}
+ resources:
+ {{- toYaml .Values.mongodb.operator.resources | nindent 12 }}
+ {{- if .Values.mongodb.operator.securityContext }}
+ securityContext:
+ {{- toYaml .Values.mongodb.operator.securityContext | nindent 12 }}
+ {{- end }}
+ {{- if .Values.mongodb.operator.podSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.mongodb.operator.podSecurityContext | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ .Values.mongodb.operator.name }}
\ No newline at end of file
diff --git a/helm/templates/mongodb/operator_roles.yaml b/helm/templates/mongodb/operator_roles.yaml
new file mode 100644
index 0000000..553623c
--- /dev/null
+++ b/helm/templates/mongodb/operator_roles.yaml
@@ -0,0 +1,77 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.mongodb.operator.name }}
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ if eq (.Values.mongodb.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
+metadata:
+ name: {{ .Values.mongodb.operator.name }}
+ {{- if not (eq (.Values.mongodb.operator.watchNamespace | default "*") "*") }}
+ namespace: {{ .Values.mongodb.operator.watchNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - configmaps
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - mongodbcommunity.mongodb.com
+ resources:
+ - mongodbcommunity
+ - mongodbcommunity/status
+ - mongodbcommunity/spec
+ - mongodbcommunity/finalizers
+ verbs:
+ - get
+ - patch
+ - list
+ - update
+ - watch
+
+---
+kind: {{ if eq (.Values.mongodb.operator.watchNamespace | default "") "*" }} ClusterRoleBinding {{ else }} RoleBinding {{ end }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Values.mongodb.operator.name }}
+ {{- if ne (.Values.mongodb.operator.watchNamespace | default "*") "*" }}
+ namespace: {{ .Values.mongodb.operator.watchNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.mongodb.operator.name }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: {{ if eq (.Values.mongodb.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
+ name: {{ .Values.mongodb.operator.name }}
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/helm/values.yaml b/helm/values.yaml
index 5efe838..d1082cd 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -107,4 +107,106 @@ secrets:
 certificateauthoritydata:
 clientcertificatedata:
 clientkeydata:
- kubeaddress: 149.202.55.61
\ No newline at end of file
+ kubeaddress: 149.202.55.61
+
+# MongoDB
+mongodb:
+ operator:
+ # Name that will be assigned to most of internal Kubernetes objects like
+ # Deployment, ServiceAccount, Role etc.
+ name: mongodb-kubernetes-operator
+
+ # Name of the operator image
+ operatorImageName: mongodb-kubernetes-operator
+
+ # Name of the deployment of the operator pod
+ deploymentName: mongodb-kubernetes-operator
+
+ # Version of mongodb-kubernetes-operator
+ version: 0.9.0
+
+ # Uncomment this line to watch all namespaces
+ # watchNamespace: "*"
+
+ # Resources allocated to Operator Pod
+ resources:
+ limits:
+ cpu: 1100m
+ memory: 1Gi
+ requests:
+ cpu: 500m
+ memory: 200Mi
+
+ # replicas deployed for the operator pod. Running 1 is optimal and suggested.
+ replicas: 1
+
+ # Additional environment variables
+ extraEnvs: []
+ # environment:
+ # - name: CLUSTER_DOMAIN
+ # value: my-cluster.domain
+
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 2000
+
+ securityContext: {}
+
+ ## Operator's database
+ database:
+ name: mongodb-database
+ # set this to the namespace where you would like
+ # to deploy the MongoDB database,
+ # Note if the database namespace is not same
+ # as the operator namespace,
+ # make sure to set "watchNamespace" to "*"
+ # to ensure that the operator has the
+ # permission to reconcile resources in other namespaces
+ # namespace: mongodb-database
+
+ agent:
+ name: mongodb-agent
+ version: 107.0.0.8465-1
+ versionUpgradeHook:
+ name: mongodb-kubernetes-operator-version-upgrade-post-start-hook
+ version: 1.0.8
+ readinessProbe:
+ name: mongodb-kubernetes-readinessprobe
+ version: 1.0.17
+ mongodb:
+ name: mongo
+ repo: docker.io
+
+ registry:
+ agent: quay.io/mongodb
+ versionUpgradeHook: quay.io/mongodb
+ readinessProbe: quay.io/mongodb
+ operator: quay.io/mongodb
+ pullPolicy: Always
+
+ # Set to false if CRDs have been installed already. The CRDs can be installed
+ # manually from the code repo: github.com/mongodb/mongodb-kubernetes-operator or
+ # using the `community-operator-crds` Helm chart.
+ community-operator-crds:
+ enabled: true
+
+ # Deploys MongoDB with `resource` attributes.
+ createResource: false
+ resource:
+ name: mongodb-replica-set
+ version: 4.4.0
+ members: 3
+ tls:
+ enabled: false
+
+ # Installs Cert-Manager in this cluster.
+ useX509: false
+ sampleX509User: false
+ useCertManager: true
+ certificateKeySecretRef: tls-certificate
+ caCertificateSecretRef: tls-ca-key-pair
+ certManager:
+ certDuration: 8760h # 365 days
+ renewCertBefore: 720h # 30 days
+
+ users: []
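Review bot: The Role's first rule grants `get` on every Secret in the database namespace with no `resourceNames` restriction, so anything running as the `mongodb-database` ServiceAccount can read unrelated Secrets there, including the cert-manager CA key pair written under `caCertificateSecretRef` by mongodbcommunity_cr_with_tls.yaml when that template renders into the same namespace. If the agent only needs specific named Secrets, narrow the rule with `resourceNames:`; if the names are not known at template time, at least add a comment above `rules:` stating which component reads Secrets and why `patch`/`delete` on arbitrary `pods` in the namespace is required, so the breadth is a documented decision rather than an accident. The RoleBinding subject omits `namespace`, which is tolerated for a namespaced RoleBinding (the binding's own namespace applies), but since that namespace is itself templated a short comment saying so would save the next reader a lookup.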
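Review bot: Every resource in this template is placed in `{{ .Values.namespace }}`, while the ServiceAccount and Role the database pods run under (database_roles.yaml) use `.Values.mongodb.database.namespace` with a `.Release.Namespace` fallback and the operator uses `.Release.Namespace`; `.Values.namespace` is not defined in the values hunk of this commit (it may be set above line 107 of values.yaml, which is not visible here). If the two disagree, the MongoDBCommunity resource and its cert-manager Secrets land in a namespace that has no `mongodb-database` ServiceAccount, so rendering this file with `namespace: {{ .Values.mongodb.database.namespace | default .Release.Namespace }}` would keep the CR, its RBAC and its TLS Secrets together. Separately, when `useX509` is true but `sampleX509User` is false, the `else` branch still renders `.Values.mongodb.resource.users` under `modes: ["X509"]`; those entries presumably describe SCRAM users, so either reject the combination with `{{ fail "..." }}` or document in values.yaml that `users` must then be X.509 subjects.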
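Review bot: `OPERATOR_NAME`, `MONGODB_IMAGE` and `MONGODB_REPO_URL` are rendered as unquoted `value: {{ ... }}` while the three image env vars and `WATCH_NAMESPACE` are quoted; an empty value silently becomes an empty string and a numeric-looking one fails to decode into the string `env[].value` field at apply time rather than at template time. Quote them for consistency and safety: `value: "{{ .Values.mongodb.operator.name }}"`, `value: "{{ .Values.mongodb.mongodb.name }}"`, `value: "{{ .Values.mongodb.mongodb.repo }}"`. The `image:` and `imagePullPolicy:` lines would benefit from the same quoting, and `pullPolicy}}` is missing the space before `}}` (Helm accepts it, but it reads as a typo). Since the operator image is referenced by the mutable tag `.Values.mongodb.operator.version` under `pullPolicy: Always`, a comment pointing out that a digest can be supplied in place of the tag would help users who need reproducible pulls.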
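Review bot: The three `kind:` selectors test `watchNamespace | default ""` while the two `namespace:` selectors test `watchNamespace | default "*"`; the branches happen to agree for unset, `*` and a concrete namespace, but deciding one question with two different sentinels invites drift, and the `else` branch still emits `namespace: {{ .Release.Namespace }}` on the ClusterRole and ClusterRoleBinding, a field those kinds do not carry (the API server appears to tolerate it, but the rendered manifest reads as if the ClusterRole were namespaced). Compute the decision once, `{{- $clusterWide := eq (.Values.mongodb.operator.watchNamespace | default "") "*" }}`, use `$clusterWide` in all five places, and render `namespace:` only under `{{- if not $clusterWide }}`. With `watchNamespace: "*"` the resulting ClusterRole grants create/delete/list/watch on `secrets` and `pods` in every namespace, which is what the operator needs but deserves a sentence next to `# watchNamespace: "*"` in values.yaml so users understand the scope they are granting.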
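Review bot: The comment `# Installs Cert-Manager in this cluster.` sits above `useX509: false`, but nothing in this commit installs cert-manager — the template only creates `Issuer`/`Certificate` objects that presuppose it, and the flag gating those is `useCertManager`. Move the comment above `useCertManager: true` and reword it to `# Requires cert-manager to be installed; renders Issuer/Certificate resources for the TLS secrets below.` `securityContext: {}` leaves the operator container without hardening even though `podSecurityContext` already sets `runAsNonRoot`/`runAsUser`; a baseline that drops all capabilities and forbids privilege escalation is normally safe for a Go operator binary (add `readOnlyRootFilesystem: true` only if the entrypoint is known not to write to the filesystem). `community-operator-crds.enabled` is not read by any template in this diff; if it is a subchart condition in Chart.yaml, a comment saying so would help, otherwise it is dead configuration.
```yaml
    # … unchanged: podSecurityContext …
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
```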