codefresh-io · mikhail-klimko · May 26, 2025 · May 26, 2025 · May 26, 2025 · May 26, 2025
diff --git a/codefresh/.ci/values/mtls-mongodb-redis.yaml b/codefresh/.ci/values/mtls-mongodb-redis.yaml
@@ -1,6 +1,8 @@
 seed:
   mongoSeedJob:
     mongodbRootURI: mongodb://root:XT9nmM8dZDZ@cf-mongodb:27017/?authSource=admin
+    mongodbRootOptions: authSource=admin
+    mongodbRootPassword: XT9nmM8dZDZ
 
 global:
   appUrl: ""  # placeholder for ${CF_APP_HOST}
@@ -86,9 +88,9 @@ mongodb:
         mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB('${MONGODB_DATABASE}').createCollection('test')"
       done
 
-      mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection idps --type json --legacy --file /usr/share/extras/idps.json
-      mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection accounts --type json --legacy --file /usr/share/extras/accounts.json
-      mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection users --type json --legacy --file /usr/share/extras/users.json
+# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection idps --type json --legacy --file /usr/share/extras/idps.json
+# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection accounts --type json --legacy --file /usr/share/extras/accounts.json
+# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection users --type json --legacy --file /usr/share/extras/users.json
 
   extraVolumeMounts:
     - name: extras

diff --git a/codefresh/Chart.lock b/codefresh/Chart.lock
@@ -151,7 +151,7 @@ dependencies:
   version: 1.3344.2-onprem-3feba0e
 - name: argo-hub-platform
   repository: oci://quay.io/codefresh/charts
-  version: 0.1.23
+  version: 0.1.24
 - name: cf-oidc-provider
   repository: oci://quay.io/codefresh/charts
   version: 0.0.16
@@ -170,5 +170,5 @@ dependencies:
 - name: onboarding-status
   repository: oci://quay.io/codefresh/charts
   version: 1.8.8
-digest: sha256:f94b0d09660d4ca0bf68f1b4bcc02102357f069044ade19695be974411644cf2
-generated: "2025-05-15T16:37:04.178584+03:00"
+digest: sha256:5479d9ac8d0b75cda6c8d373ce9b2a7b5b3a46196214337268dc03e05fcb48d2
+generated: "2025-05-26T19:11:02.424512+03:00"
diff --git a/codefresh/Chart.yaml b/codefresh/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: Helm Chart for Codefresh On-Prem
 name: codefresh
-version: 2.7.14
+version: 2.7.15
 keywords:
   - codefresh
 home: https://codefresh.io/
@@ -19,7 +19,7 @@ annotations:
   # supported kinds are added, changed, deprecated, removed, fixed and security.
   artifacthub.io/changes: |
     - kind: fixed
-      description: "Fix delete-consul-svc hook job not to fail when consul service is not found"
+      description: "Fix mongo-seed job with Mongo MTLS enabled"
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts

diff --git a/codefresh/README.md b/codefresh/README.md
@@ -1,6 +1,6 @@
 ## Codefresh On-Premises
 
-![Version: 2.7.14](https://img.shields.io/badge/Version-2.7.14-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square)
+![Version: 2.7.15](https://img.shields.io/badge/Version-2.7.15-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes.
 
@@ -2331,6 +2331,8 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster
 | seed-e2e | object | `{"affinity":{},"backoffLimit":10,"enabled":false,"image":{"registry":"docker.io","repository":"mongo","tag":"latest"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":300}` | CI |
 | seed.enabled | bool | `true` | Enable all seed jobs |
 | seed.mongoSeedJob | object | See below | Mongo Seed Job. Required at first install. Seeds the required data (default idp/user/account), creates cfuser and required databases. |
+| seed.mongoSeedJob.env | object | `{}` | Extra env variables for seed job. |
+| seed.mongoSeedJob.mongodbRootOptions | string | `""` | Extra options for connection string (e.g. `authSource=admin`). |
 | seed.mongoSeedJob.mongodbRootPassword | string | `"XT9nmM8dZD"` | Root password in plain text (required ONLY for seed job!). |
 | seed.mongoSeedJob.mongodbRootPasswordSecretKeyRef | object | `{}` | Root password from existing secret |
 | seed.mongoSeedJob.mongodbRootUser | string | `"root"` | Root user in plain text (required ONLY for seed job!). |

diff --git a/codefresh/files/mongoSeedJobScript.sh b/codefresh/files/mongoSeedJobScript.sh
@@ -12,9 +12,12 @@ export MONGODB_ROOT_PASSWORD=...
 
 COMMENT
 
-# set -eou pipefail
+if [[ -n $DEBUG ]]; then
+    set -o xtrace
+fi
 
 ASSETS_PATH=${ASSETS_PATH:-/usr/share/extras/}
+MTLS_CERT_PATH=${MTLS_CERT_PATH:-/etc/ssl/mongodb/ca.pem}
 
 MONGODB_DATABASES=(
     "archive"
@@ -34,12 +37,12 @@ MONGODB_DATABASES=(
 )
 
 disableMongoTelemetry() {
-    mongosh --nodb --eval "disableTelemetry()"
+    mongosh --nodb --eval "disableTelemetry()" || true
 }
 
 waitForMongoDB() {
     while true; do
-        status=$(mongosh ${MONGODB_ROOT_URI} --eval "db.adminCommand('ping')" 2>&1)
+        status=$(mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.adminCommand('ping')" 2>&1)
 
         echo -e "MongoDB status:\n$status"
         if $(echo $status | grep 'ok: 1' -q); then
@@ -56,12 +59,23 @@ parseMongoURI() {
     local parameters="$(echo $1 | grep '?' | cut -d '?' -f2)"; if [[ -n $parameters ]]; then parameters="?${parameters}"; fi
     local url="$(echo ${1/$proto/})"
     local userpass="$(echo $url | grep @ | cut -d@ -f1)"
-    local hostport="$(echo $url | sed s/$userpass// | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+    if [[ -z $userpass ]]; then
+        local hostport="$(echo $url | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+        MONGO_URI="$proto$hostport/${MONGODB_DATABASE}$parameters"
+    else
+        local hostport="$(echo $url | sed s/$userpass// | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+        MONGODB_PASSWORD="$(echo $userpass | grep : | cut -d: -f2)"
+        MONGODB_USER="$(echo $userpass | grep : | cut -d: -f1)"
+        MONGO_URI="$proto$userpass@$hostport/${MONGODB_DATABASE}$parameters"
+    fi
+
+
+    if [[ -z $MONGODB_ROOT_OPTIONS ]]; then
+        MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin$parameters"
+    else
+        MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin?${MONGODB_ROOT_OPTIONS}"
+    fi
 
-    MONGODB_PASSWORD="$(echo $userpass | grep : | cut -d: -f2)"
-    MONGODB_USER="$(echo $userpass | grep : | cut -d: -f1)"
-    MONGO_URI="$proto$userpass@$hostport/${MONGODB_DATABASE}$parameters"
-    MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin$parameters"
 }
 
 getMongoVersion() {
@@ -82,6 +96,14 @@ setPacks() {
 
 parseMongoURI $MONGO_URI
 
+if [[ -s ${MTLS_CERT_PATH} ]]; then
+    MONGO_URI_EXTRA_PARAMS="--tls --tlsCertificateKeyFile ${MTLS_CERT_PATH} --tlsAllowInvalidHostnames --tlsAllowInvalidCertificates"
+    MONGOIMPORT_EXTRA_PARAMS="--ssl --sslPEMKeyFile ${MTLS_CERT_PATH} --sslAllowInvalidHostnames --sslAllowInvalidCertificates"
+else
+    MONGO_URI_EXTRA_PARAMS=""
+    MONGOIMPORT_EXTRA_PARAMS=""
+fi
+
 disableMongoTelemetry
 
 waitForMongoDB
@@ -90,20 +112,20 @@ getMongoVersion
 
 for MONGODB_DATABASE in ${MONGODB_DATABASES[@]}; do
     waitForMongoDB
-    mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" 2>&1 || true
+    mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" 2>&1 || true
     waitForMongoDB
-    mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
+    mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
 done
 
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" 2>&1 || true
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" 2>&1 || true
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
 
 if [[ $DEVELOPMENT_CHART == "true" ]]; then
     setSystemAdmin
     setPacks
 fi
 
-mongoimport --uri ${MONGO_URI} --collection idps --type json --legacy --file ${ASSETS_PATH}idps.json
-mongoimport --uri ${MONGO_URI} --collection accounts --type json --legacy --file ${ASSETS_PATH}accounts.json
-mongoimport --uri ${MONGO_URI} --collection users --type json --legacy --file ${ASSETS_PATH}users.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection idps --type json --legacy --file ${ASSETS_PATH}idps.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection accounts --type json --legacy --file ${ASSETS_PATH}accounts.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection users --type json --legacy --file ${ASSETS_PATH}users.json
diff --git a/codefresh/templates/secrets/secret.yaml b/codefresh/templates/secrets/secret.yaml
@@ -17,8 +17,8 @@ data:
   MONGODB_PROTOCOL: {{ coalesce .Values.global.mongodbProtocol | default "mongodb" | b64enc }}
 
  # legacy MONGODB_* secrets
-  MONGODB_ROOT_USER: {{ coalesce .Values.global.mongodbRootUser .Values.seed.mongoSeedJob.mongodbRootUser | b64enc }}
-  MONGODB_ROOT_PASSWORD: {{ urlquery (coalesce .Values.global.mongodbRootPassword .Values.seed.mongoSeedJob.mongodbRootPassword) | b64enc }}
+  MONGODB_ROOT_USER: {{ coalesce .Values.seed.mongoSeedJob.mongodbRootUser .Values.global.mongodbRootUser | b64enc }}
+  MONGODB_ROOT_PASSWORD: {{ urlquery (coalesce .Values.seed.mongoSeedJob.mongodbRootPassword .Values.global.mongodbRootPassword) | b64enc }}
   MONGO_URI: {{ .Values.global.mongoURI | default "empty" | b64enc}}
   MONGO_URI_RE_MANAGER: {{ include (printf "%s.classic.calculateMongoUri" $libTemplateName) (dict "dbName" "runtime-environment-manager" "mongoURI" .Values.global.mongoURI) | default "empty" | b64enc }}
   MONGODB_RE_DATABASE: {{ printf "%s" "runtime-environment-manager" | b64enc }}

diff --git a/codefresh/templates/seed/mongo-seed-job.yaml b/codefresh/templates/seed/mongo-seed-job.yaml
@@ -52,8 +52,19 @@ spec:
           {{- include "codefresh.mongodb-root-user-env-var-value" . | indent 12 }}
           - name: MONGODB_ROOT_PASSWORD
           {{- include "codefresh.mongodb-root-password-env-var-value" . | indent 12 }}
+          - name: MONGODB_ROOT_OPTIONS
+            value: {{ .Values.seed.mongoSeedJob.mongodbRootOptions | quote }}
           - name: DEVELOPMENT_CHART
             value: {{ .Values.developmentChart | quote }}
+          {{- range $env, $val := .Values.seed.mongoSeedJob.env }}
+          - name: {{ $env }}
+            value: {{ $val | quote }}
+          {{ end }}
+          {{- range $env, $val := .Values.global.env }}
+          - name: {{ $env }}
+            value: {{ $val | quote }}
+          {{ end }}
+
         command:
           - "/bin/bash"
           - "-exc"

diff --git a/codefresh/values.yaml b/codefresh/values.yaml
@@ -55,6 +55,11 @@ seed:
     #   name: my-secret
     #   key: mongodb-root-password
 
+    # -- Extra options for connection string (e.g. `authSource=admin`).
+    mongodbRootOptions: ""
+    # -- Extra env variables for seed job.
+    env: {}
+
   # -- Postgres Seed Job. Required at first install. Creates required user and databases.
   # @default -- See below
   postgresSeedJob: