onprem: 2.7.15 (#62)

Author: mikhail-klimko

codefresh/.ci/values/mtls-mongodb-redis.yaml

@@ -1,6 +1,8 @@
 seed:
   mongoSeedJob:
     mongodbRootURI: mongodb://root:XT9nmM8dZDZ@cf-mongodb:27017/?authSource=admin
+    mongodbRootOptions: authSource=admin
+    mongodbRootPassword: XT9nmM8dZDZ
 
 global:
   appUrl: ""  # placeholder for ${CF_APP_HOST}
@@ -86,9 +88,9 @@ mongodb:
         mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB('${MONGODB_DATABASE}').createCollection('test')"
       done
 
-      mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection idps --type json --legacy --file /usr/share/extras/idps.json
-      mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection accounts --type json --legacy --file /usr/share/extras/accounts.json
-      mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection users --type json --legacy --file /usr/share/extras/users.json
+# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection idps --type json --legacy --file /usr/share/extras/idps.json
+# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection accounts --type json --legacy --file /usr/share/extras/accounts.json
+# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection users --type json --legacy --file /usr/share/extras/users.json
 
   extraVolumeMounts:
     - name: extras

codefresh/README.md

@@ -2589,6 +2589,8 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster
 | seed-e2e | object | `{"affinity":{},"backoffLimit":10,"enabled":false,"image":{"registry":"docker.io","repository":"mongo","tag":"latest"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":300}` | CI |
 | seed.enabled | bool | `true` | Enable all seed jobs |
 | seed.mongoSeedJob | object | See below | Mongo Seed Job. Required at first install. Seeds the required data (default idp/user/account), creates cfuser and required databases. |
+| seed.mongoSeedJob.env | object | `{}` | Extra env variables for seed job. |
+| seed.mongoSeedJob.mongodbRootOptions | string | `""` | Extra options for connection string (e.g. `authSource=admin`). |
 | seed.mongoSeedJob.mongodbRootPassword | string | `"XT9nmM8dZD"` | Root password in plain text (required ONLY for seed job!). |
 | seed.mongoSeedJob.mongodbRootPasswordSecretKeyRef | object | `{}` | Root password from existing secret |
 | seed.mongoSeedJob.mongodbRootUser | string | `"root"` | Root user in plain text (required ONLY for seed job!). |

codefresh/files/mongoSeedJobScript.sh

@@ -12,9 +12,12 @@ export MONGODB_ROOT_PASSWORD=...
 
 COMMENT
 
-# set -eou pipefail
+if [[ -n $DEBUG ]]; then
+    set -o xtrace
+fi
 
 ASSETS_PATH=${ASSETS_PATH:-/usr/share/extras/}
+MTLS_CERT_PATH=${MTLS_CERT_PATH:-/etc/ssl/mongodb/ca.pem}
 
 MONGODB_DATABASES=(
     "archive"
@@ -34,12 +37,12 @@ MONGODB_DATABASES=(
 )
 
 disableMongoTelemetry() {
-    mongosh --nodb --eval "disableTelemetry()"
+    mongosh --nodb --eval "disableTelemetry()" || true
 }
 
 waitForMongoDB() {
     while true; do
-        status=$(mongosh ${MONGODB_ROOT_URI} --eval "db.adminCommand('ping')" 2>&1)
+        status=$(mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.adminCommand('ping')" 2>&1)
 
         echo -e "MongoDB status:\n$status"
         if $(echo $status | grep 'ok: 1' -q); then
@@ -56,12 +59,23 @@ parseMongoURI() {
     local parameters="$(echo $1 | grep '?' | cut -d '?' -f2)"; if [[ -n $parameters ]]; then parameters="?${parameters}"; fi
     local url="$(echo ${1/$proto/})"
     local userpass="$(echo $url | grep @ | cut -d@ -f1)"
-    local hostport="$(echo $url | sed s/$userpass// | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+    if [[ -z $userpass ]]; then
+        local hostport="$(echo $url | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+        MONGO_URI="$proto$hostport/${MONGODB_DATABASE}$parameters"
+    else
+        local hostport="$(echo $url | sed s/$userpass// | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+        MONGODB_PASSWORD="$(echo $userpass | grep : | cut -d: -f2)"
+        MONGODB_USER="$(echo $userpass | grep : | cut -d: -f1)"
+        MONGO_URI="$proto$userpass@$hostport/${MONGODB_DATABASE}$parameters"
+    fi
+
+
+    if [[ -z $MONGODB_ROOT_OPTIONS ]]; then
+        MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin$parameters"
+    else
+        MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin?${MONGODB_ROOT_OPTIONS}"
+    fi
 
-    MONGODB_PASSWORD="$(echo $userpass | grep : | cut -d: -f2)"
-    MONGODB_USER="$(echo $userpass | grep : | cut -d: -f1)"
-    MONGO_URI="$proto$userpass@$hostport/${MONGODB_DATABASE}$parameters"
-    MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin$parameters"
 }
 
 getMongoVersion() {
@@ -82,6 +96,14 @@ setPacks() {
 
 parseMongoURI $MONGO_URI
 
+if [[ -s ${MTLS_CERT_PATH} ]]; then
+    MONGO_URI_EXTRA_PARAMS="--tls --tlsCertificateKeyFile ${MTLS_CERT_PATH} --tlsAllowInvalidHostnames --tlsAllowInvalidCertificates"
+    MONGOIMPORT_EXTRA_PARAMS="--ssl --sslPEMKeyFile ${MTLS_CERT_PATH} --sslAllowInvalidHostnames --sslAllowInvalidCertificates"
+else
+    MONGO_URI_EXTRA_PARAMS=""
+    MONGOIMPORT_EXTRA_PARAMS=""
+fi
+
 disableMongoTelemetry
 
 waitForMongoDB
@@ -90,20 +112,20 @@ getMongoVersion
 
 for MONGODB_DATABASE in ${MONGODB_DATABASES[@]}; do
     waitForMongoDB
-    mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" 2>&1 || true
+    mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" 2>&1 || true
     waitForMongoDB
-    mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
+    mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
 done
 
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" 2>&1 || true
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" 2>&1 || true
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
 
 if [[ $DEVELOPMENT_CHART == "true" ]]; then
     setSystemAdmin
     setPacks
 fi
 
-mongoimport --uri ${MONGO_URI} --collection idps --type json --legacy --file ${ASSETS_PATH}idps.json
-mongoimport --uri ${MONGO_URI} --collection accounts --type json --legacy --file ${ASSETS_PATH}accounts.json
-mongoimport --uri ${MONGO_URI} --collection users --type json --legacy --file ${ASSETS_PATH}users.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection idps --type json --legacy --file ${ASSETS_PATH}idps.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection accounts --type json --legacy --file ${ASSETS_PATH}accounts.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection users --type json --legacy --file ${ASSETS_PATH}users.json

codefresh/templates/secrets/secret.yaml

@@ -17,8 +17,8 @@ data:
   MONGODB_PROTOCOL: {{ coalesce .Values.global.mongodbProtocol | default "mongodb" | b64enc }}
 
  # legacy MONGODB_* secrets
-  MONGODB_ROOT_USER: {{ coalesce .Values.global.mongodbRootUser .Values.seed.mongoSeedJob.mongodbRootUser | b64enc }}
-  MONGODB_ROOT_PASSWORD: {{ urlquery (coalesce .Values.global.mongodbRootPassword .Values.seed.mongoSeedJob.mongodbRootPassword) | b64enc }}
+  MONGODB_ROOT_USER: {{ coalesce .Values.seed.mongoSeedJob.mongodbRootUser .Values.global.mongodbRootUser | b64enc }}
+  MONGODB_ROOT_PASSWORD: {{ urlquery (coalesce .Values.seed.mongoSeedJob.mongodbRootPassword .Values.global.mongodbRootPassword) | b64enc }}
   MONGO_URI: {{ .Values.global.mongoURI | default "empty" | b64enc}}
   MONGO_URI_RE_MANAGER: {{ include (printf "%s.classic.calculateMongoUri" $libTemplateName) (dict "dbName" "runtime-environment-manager" "mongoURI" .Values.global.mongoURI) | default "empty" | b64enc }}
   MONGODB_RE_DATABASE: {{ printf "%s" "runtime-environment-manager" | b64enc }}

codefresh/templates/seed/mongo-seed-job.yaml

@@ -52,8 +52,19 @@ spec:
           {{- include "codefresh.mongodb-root-user-env-var-value" . | indent 12 }}
           - name: MONGODB_ROOT_PASSWORD
           {{- include "codefresh.mongodb-root-password-env-var-value" . | indent 12 }}
+          - name: MONGODB_ROOT_OPTIONS
+            value: {{ .Values.seed.mongoSeedJob.mongodbRootOptions | quote }}
           - name: DEVELOPMENT_CHART
             value: {{ .Values.developmentChart | quote }}
+          {{- range $env, $val := .Values.seed.mongoSeedJob.env }}
+          - name: {{ $env }}
+            value: {{ $val | quote }}
+          {{ end }}
+          {{- range $env, $val := .Values.global.env }}
+          - name: {{ $env }}
+            value: {{ $val | quote }}
+          {{ end }}
+
         command:
           - "/bin/bash"
           - "-exc"

codefresh/values.yaml

@@ -55,6 +55,11 @@ seed:
     #   name: my-secret
     #   key: mongodb-root-password
 
+    # -- Extra options for connection string (e.g. `authSource=admin`).
+    mongodbRootOptions: ""
+    # -- Extra env variables for seed job.
+    env: {}
+
   # -- Postgres Seed Job. Required at first install. Creates required user and databases.
   # @default -- See below
   postgresSeedJob: