diff --git a/bitnami/mongodb/Chart.yaml b/bitnami/mongodb/Chart.yaml index 9881db472903f6..d68512aaa125c4 100644 --- a/bitnami/mongodb/Chart.yaml +++ b/bitnami/mongodb/Chart.yaml @@ -25,4 +25,4 @@ maintainers: name: mongodb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mongodb -version: 13.13.1 +version: 13.14.0 diff --git a/bitnami/mongodb/README.md b/bitnami/mongodb/README.md index acbd981cc001ad..5f28522d9e481b 100644 --- a/bitnami/mongodb/README.md +++ b/bitnami/mongodb/README.md 
@@ -118,10 +118,11 @@ Refer to the [chart documentation for more information on each of these architec | `tls.existingSecret` | Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`) | `""` | | `tls.caCert` | Custom CA certificated (base64 encoded) | `""` | | `tls.caKey` | CA certificate private key (base64 encoded) | `""` | -| `tls.standalone.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). | `""` | -| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). | `[]` | -| `tls.hidden.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). | `[]` | -| `tls.arbiter.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). | `""` | +| `tls.pemChainIncluded` | Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. | `false` | +| `tls.standalone.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` | +| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | +| `tls.hidden.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | +| `tls.arbiter.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. 
| `""` | | `tls.image.registry` | Init container TLS certs setup image registry | `docker.io` | | `tls.image.repository` | Init container TLS certs setup image repository | `bitnami/nginx` | | `tls.image.tag` | Init container TLS certs setup image tag (immutable tags are recommended) | `1.23.4-debian-11-r19` | diff --git a/bitnami/mongodb/templates/common-scripts-cm.yaml b/bitnami/mongodb/templates/common-scripts-cm.yaml index 5c151567c76768..0b99156181873a 100644 --- a/bitnami/mongodb/templates/common-scripts-cm.yaml +++ b/bitnami/mongodb/templates/common-scripts-cm.yaml @@ -119,8 +119,23 @@ data: ID="${MY_POD_NAME#"{{ $fullname }}-"}" fi {{- end }} + + {{- if .Values.tls.pemChainIncluded }} + #Split the pem chain by the END CERTIFICATE string and store in files /certs/xx00, /certs/xx01 etc. + cat /certs-${ID}/tls.crt | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f /certs/xx + + #Use first certificate as leaf node and combine with key to store in pem file + cat "/certs/xx00" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" + + #Use remaining intermediate certificates for ca.crt + echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat > "/certs/mongodb-ca-cert" + + rm -rf /certs/xx* + {{- else }} cat "/certs-${ID}/tls.crt" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" cp "/certs-${ID}/ca.crt" "/certs/mongodb-ca-cert" + {{- end }} + chmod 0600 /certs/mongodb-ca-cert /certs/mongodb.pem {{- end }} {{- end }} diff --git a/bitnami/mongodb/values.yaml b/bitnami/mongodb/values.yaml index 441bd76707e58d..848f04cdc571d0 100644 --- a/bitnami/mongodb/values.yaml +++ b/bitnami/mongodb/values.yaml 
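Review bot: The intermediate-CA file is assembled with `echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat`, which never sorts anything: the command substitution flattens every path onto a single line, so `sort` sees one line and `cat` receives the files in directory order rather than `xx01`, `xx02`, ... order. It also appears to leave `mongodb-ca-cert` empty when `tls.crt` holds only the leaf certificate (no `xx01` exists, so GNU xargs still runs `cat` with no arguments), and nothing checks for that before mongod is handed the file. I would replace the line with `find /certs -name 'xx*' ! -name 'xx00' | sort | xargs -r cat > /certs/mongodb-ca-cert` and follow it with `[ -s /certs/mongodb-ca-cert ] || { echo "tls.crt must contain the CA chain when tls.pemChainIncluded is true" >&2; exit 1; }`. A comment above the split should also state that the trust anchors mongod uses for peer verification become whatever intermediates the operator bundled after the leaf, since the `ca.crt` key is no longer read in this branch; whether mongod additionally needs the self-signed root in that file I cannot tell from the hunk. The enclosing script block begins before the hunk, so I cannot see whether it runs under `set -e`.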
@@ -199,13 +199,17 @@ tls: ## caCert: "" caKey: "" + ## @param tls.pemChainIncluded Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. + ## Certificates must be in proper order, where the top certificate is the leaf and the bottom certificate is the top-most intermediate CA. + ## + pemChainIncluded: false standalone: - ## @param tls.standalone.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). + ## @param tls.standalone.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. ## NOTE: When it's set it will disable certificate self-generation from existing CA. ## existingSecret: "" replicaset: - ## @param tls.replicaset.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). + ## @param tls.replicaset.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. ## existingSecrets: ## - "mySecret-0" ## - "mySecret-1" @@ -213,7 +217,7 @@ tls: ## existingSecrets: [] hidden: - ## @param tls.hidden.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). + ## @param tls.hidden.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. ## existingSecrets: ## - "mySecret-0" ## - "mySecret-1" 
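Review bot: The new `tls.pemChainIncluded` comment says the bundle must be ordered leaf-first but does not say what the chart does with the bundle, which is the part an operator needs in order to reason about the trust configuration: with the flag on, the init script in common-scripts-cm.yaml builds `mongodb-ca-cert` from the certificates following the leaf and never reads a `ca.crt` key from the secret, so a `ca.crt` supplied alongside is silently ignored and the bundled intermediates become the CA file. I would extend the comment with `## When enabled, the certificates after the leaf are written to the CA file used by mongod and any ca.crt key in the secret is ignored; a bundle holding only the leaf yields an empty CA file.` and add that a mis-ordered bundle pairs `tls.key` with the wrong certificate. Whether mongod accepts an intermediate-only CA file without the self-signed root is not something this diff shows, so that caveat should be confirmed before it is documented.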
@@ -221,7 +225,7 @@ tls: ## existingSecrets: [] arbiter: - ## @param tls.arbiter.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`). + ## @param tls.arbiter.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. ## NOTE: When it's set it will disable certificate self-generation from existing CA. ## existingSecret: ""