diff --git a/k8s/bigchaindb/bigchaindb-dep.yaml b/k8s/bigchaindb/bigchaindb-dep.yaml index 8f11b143..26a47ca2 100644 --- a/k8s/bigchaindb/bigchaindb-dep.yaml +++ b/k8s/bigchaindb/bigchaindb-dep.yaml @@ -99,9 +99,9 @@ spec: - name: BIGCHAINDB_DATABASE_SSL value: "true" - name: BIGCHAINDB_DATABASE_CA_CERT - value: /etc/bigchaindb/ssl/ca.pem + value: /etc/bigchaindb/ca/ca.pem - name: BIGCHAINDB_DATABASE_CRLFILE - value: /etc/bigchaindb/ssl/crlfile + value: /etc/bigchaindb/ca/crl.pem - name: BIGCHAINDB_DATABASE_CERTFILE value: /etc/bigchaindb/ssl/bdb-instance.pem - name: BIGCHAINDB_DATABASE_KEYFILE @@ -128,6 +128,9 @@ spec: - name: bdb-certs mountPath: /etc/bigchaindb/ssl/ readOnly: true + - name: ca-auth + mountPath: /etc/bigchaindb/ca/ + readOnly: true resources: limits: cpu: 200m @@ -152,3 +155,7 @@ spec: secret: secretName: bdb-certs defaultMode: 0400 + - name: ca-auth + secret: + secretName: ca-auth + defaultMode: 0400 \ No newline at end of file diff --git a/k8s/configuration/secret.yaml b/k8s/configuration/secret.yaml index 2a6992cf..d7a83135 100644 --- a/k8s/configuration/secret.yaml +++ b/k8s/configuration/secret.yaml @@ -40,10 +40,6 @@ type: Opaque data: # Base64-encoded, concatenated certificate and private key mdb-instance.pem: "" - # Base64-encoded CA certificate (ca.crt) - ca.pem: "" - # Base64-encoded MongoDB CRL - mdb-crl.pem: "" --- apiVersion: v1 kind: Secret @@ -54,8 +50,6 @@ type: Opaque data: # Base64-encoded, concatenated certificate and private key mdb-mon-instance.pem: "" - # Base64-encoded CA certificate (ca.crt) - ca.pem: "" --- apiVersion: v1 kind: Secret @@ -66,8 +60,6 @@ type: Opaque data: # Base64-encoded, concatenated certificate and private key mdb-bak-instance.pem: "" - # Base64-encoded CA certificate (ca.crt) - ca.pem: "" --- apiVersion: v1 kind: Secret 
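Review bot: The `ca-auth` volume added in the `@@ -152,3 +155,7 @@` hunk of k8s/bigchaindb/bigchaindb-dep.yaml holds only a CA certificate and a CRL, neither of which is confidential, yet it copies the `defaultMode: 0400` used for the private-key secrets. As far as I recall, Secret volume files are root-owned unless the pod sets `securityContext.fsGroup`, so 0400 is readable only while the container runs as root — which the agent Dockerfiles in this commit still do, their `USER` line being commented out — and the CA lookup will fail with a permission error as soon as that is restored; `defaultMode: 0444` (or a ConfigMap rather than a Secret for this material) removes the dependence on root. The same `ca-auth` volume is added with 0400 in k8s/mongodb-backup-agent/mongo-backup-dep.yaml, k8s/mongodb-monitoring-agent/mongo-mon-dep.yaml and k8s/mongodb/mongo-ss.yaml, so the change belongs in all four. This hunk, the mongo-mon-dep.yaml one and the mongo-ss.yaml one also leave the files without a trailing newline (`\ No newline at end of file`), which is worth restoring. The enclosing `volumes` list starts outside the hunk.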
@@ -76,10 +68,6 @@ metadata: namespace: default type: Opaque data: - # Base64-encoded CA certificate (ca.crt) - ca.pem: "" - # Base64-encoded CRL file - crlfile: "" # Base64-encoded BigchainDB instance certificate bdb-instance.pem: "" # Base64-encoded private key (.key) @@ -111,3 +99,15 @@ data: service-id: "" version-header: "" service-token: "" +--- +apiVersion: v1 +kind: Secret +metadata: + name: ca-auth + namespace: default +type: Opaque +data: + # CA used to issue members/client certificates + # Base64-encoded CA certificate (ca.crt) + ca.pem: "" + crl.pem: "" diff --git a/k8s/mongodb-backup-agent/container/Dockerfile b/k8s/mongodb-backup-agent/container/Dockerfile index e70ee3d3..a2590a14 100644 --- a/k8s/mongodb-backup-agent/container/Dockerfile +++ b/k8s/mongodb-backup-agent/container/Dockerfile @@ -19,6 +19,6 @@ RUN apt update \ && apt clean COPY mongodb_backup_agent_entrypoint.bash / RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/ -VOLUME /etc/mongod/ssl +VOLUME /etc/mongod/ssl /etc/mongod/ca #USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete ENTRYPOINT ["/mongodb_backup_agent_entrypoint.bash"] diff --git a/k8s/mongodb-backup-agent/mongo-backup-dep.yaml b/k8s/mongodb-backup-agent/mongo-backup-dep.yaml index cadd4fac..3205bb8a 100644 --- a/k8s/mongodb-backup-agent/mongo-backup-dep.yaml +++ b/k8s/mongodb-backup-agent/mongo-backup-dep.yaml @@ -32,7 +32,7 @@ spec: - name: MMS_GROUPID_KEYFILE_PATH value: /etc/mongod/cloud/group-id - name: CA_CRT_PATH - value: /etc/mongod/ssl/ca.pem + value: /etc/mongod/ca/ca.pem - name: BACKUP_PEM_PATH value: /etc/mongod/ssl/mdb-bak-instance.pem resources: @@ -43,6 +43,9 @@ spec: - name: mdb-bak-certs mountPath: /etc/mongod/ssl/ readOnly: true + - name: ca-auth + mountPath: /etc/mongod/ca/ + readOnly: true - name: cloud-manager-credentials mountPath: /etc/mongod/cloud/ readOnly: true 
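Review bot: In the new `ca-auth` Secret at the end of k8s/configuration/secret.yaml, `crl.pem: ""` is the only data key in this file without a comment saying what goes in it, while `ca.pem` above it keeps the `# Base64-encoded CA certificate (ca.crt)` pattern; add `# Base64-encoded CRL issued by this CA (crl.pem)` above it. It would also help to note in that comment that, unlike the certificate, a CRL carries a next-update time, so this Secret has to be re-applied with a fresh CRL before that date — presumably mongod and BigchainDB will otherwise start failing TLS verification on an expired CRL, and nothing in a static manifest hints at that. The heading comment `# CA used to issue members/client certificates` reads better as `# CA used to issue member and client certificates`.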
@@ -52,6 +55,10 @@ spec: secret: secretName: mdb-bak-certs defaultMode: 0400 + - name: ca-auth + secret: + secretName: ca-auth + defaultMode: 0400 - name: cloud-manager-credentials secret: secretName: cloud-manager-credentials diff --git a/k8s/mongodb-monitoring-agent/container/Dockerfile b/k8s/mongodb-monitoring-agent/container/Dockerfile index d6a16ed0..262e40aa 100644 --- a/k8s/mongodb-monitoring-agent/container/Dockerfile +++ b/k8s/mongodb-monitoring-agent/container/Dockerfile @@ -53,6 +53,6 @@ RUN apt update \ COPY mongodb_mon_agent_entrypoint.bash / RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/ -VOLUME /etc/mongod/ssl +VOLUME /etc/mongod/ssl /etc/mongod/ca #USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete ENTRYPOINT ["/mongodb_mon_agent_entrypoint.bash"] diff --git a/k8s/mongodb-monitoring-agent/mongo-mon-dep.yaml b/k8s/mongodb-monitoring-agent/mongo-mon-dep.yaml index cf377cd1..2a3b5ada 100644 --- a/k8s/mongodb-monitoring-agent/mongo-mon-dep.yaml +++ b/k8s/mongodb-monitoring-agent/mongo-mon-dep.yaml @@ -32,7 +32,7 @@ spec: - name: MMS_GROUPID_KEYFILE_PATH value: /etc/mongod/cloud/group-id - name: CA_CRT_PATH - value: /etc/mongod/ssl/ca.pem + value: /etc/mongod/ca/ca.pem - name: MONITORING_PEM_PATH value: /etc/mongod/ssl/mdb-mon-instance.pem resources: @@ -43,6 +43,9 @@ spec: - name: mdb-mon-certs mountPath: /etc/mongod/ssl/ readOnly: true + - name: ca-auth + mountPath: /etc/mongod/ca/ + readOnly: true - name: cloud-manager-credentials mountPath: /etc/mongod/cloud/ readOnly: true @@ -52,7 +55,11 @@ spec: secret: secretName: mdb-mon-certs defaultMode: 0400 + - name: ca-auth + secret: + secretName: ca-auth + defaultMode: 0400 - name: cloud-manager-credentials secret: secretName: cloud-manager-credentials - defaultMode: 0400 + defaultMode: 0400 \ No newline at end of file diff --git a/k8s/mongodb/container/Dockerfile b/k8s/mongodb/container/Dockerfile index 58a7f88f..9d9d35f5 100644 
--- a/k8s/mongodb/container/Dockerfile +++ b/k8s/mongodb/container/Dockerfile @@ -7,6 +7,6 @@ RUN apt-get update \ && apt-get clean COPY mongod.conf.template /etc/mongod.conf COPY mongod_entrypoint.bash / -VOLUME /data/db /data/configdb /etc/mongod/ssl +VOLUME /data/db /data/configdb /etc/mongod/ssl /etc/mongod/ca EXPOSE 27017 ENTRYPOINT ["/mongod_entrypoint.bash"] diff --git a/k8s/mongodb/mongo-ss.yaml b/k8s/mongodb/mongo-ss.yaml index 8bbc564c..f872c288 100644 --- a/k8s/mongodb/mongo-ss.yaml +++ b/k8s/mongodb/mongo-ss.yaml @@ -5,7 +5,7 @@ ######################################################################## apiVersion: apps/v1beta1 -kind: StatefulSet +kind: StatefulSet metadata: name: mdb-instance-0-ss namespace: default @@ -49,9 +49,9 @@ spec: - --mongodb-key-file-path - /etc/mongod/ssl/mdb-instance.pem - --mongodb-ca-file-path - - /etc/mongod/ssl/ca.pem + - /etc/mongod/ca/ca.pem - --mongodb-crl-file-path - - /etc/mongod/ssl/mdb-crl.pem + - /etc/mongod/ca/crl.pem - --replica-set-name - $(MONGODB_REPLICA_SET_NAME) - --mongodb-fqdn @@ -74,6 +74,9 @@ spec: - name: mdb-certs mountPath: /etc/mongod/ssl/ readOnly: true + - name: ca-auth + mountPath: /etc/mongod/ca/ + readOnly: true resources: limits: cpu: 200m @@ -98,3 +101,7 @@ spec: secret: secretName: mdb-certs defaultMode: 0400 + - name: ca-auth + secret: + secretName: ca-auth + defaultMode: 0400 \ No newline at end of file