[bitnami/mongodb] Adding tls.pemChainIncluded value to support wider range of TLS certificates

bitnami/mongodb/Chart.yaml

@@ -25,4 +25,4 @@ maintainers:
 name: mongodb
 sources:
   - https://github.com/bitnami/charts/tree/main/bitnami/mongodb
-version: 13.13.1
+version: 13.14.0

bitnami/mongodb/README.md

@@ -118,10 +118,11 @@ Refer to the [chart documentation for more information on each of these architec
 | `tls.existingSecret`             | Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`)                                                                           | `""`                   |
 | `tls.caCert`                     | Custom CA certificated (base64 encoded)                                                                                                                     | `""`                   |
 | `tls.caKey`                      | CA certificate private key (base64 encoded)                                                                                                                 | `""`                   |
-| `tls.standalone.existingSecret`  | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).                                                                                     | `""`                   |
-| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).                                                                           | `[]`                   |
-| `tls.hidden.existingSecrets`     | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).                                                                           | `[]`                   |
-| `tls.arbiter.existingSecret`     | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).                                                                                     | `""`                   |
+| `tls.pemChainIncluded`           | Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert.                                                         | `false`                |
+| `tls.standalone.existingSecret`  | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.                  | `""`                   |
+| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.        | `[]`                   |
+| `tls.hidden.existingSecrets`     | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.        | `[]`                   |
+| `tls.arbiter.existingSecret`     | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.                  | `""`                   |
 | `tls.image.registry`             | Init container TLS certs setup image registry                                                                                                               | `docker.io`            |
 | `tls.image.repository`           | Init container TLS certs setup image repository                                                                                                             | `bitnami/nginx`        |
 | `tls.image.tag`                  | Init container TLS certs setup image tag (immutable tags are recommended)                                                                                   | `1.23.4-debian-11-r19` |

bitnami/mongodb/templates/common-scripts-cm.yaml

@@ -119,8 +119,23 @@ data:
       ID="${MY_POD_NAME#"{{ $fullname }}-"}"
     fi
     {{- end }}
+
+    {{- if .Values.tls.pemChainIncluded }}
+    #Split the pem chain by the END CERTIFICATE string and store in files /certs/xx00, /certs/xx01 etc.
+    cat /certs-${ID}/tls.crt | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f /certs/xx
+
+    #Use first certificate as leaf node and combine with key to store in pem file
+    cat "/certs/xx00" "/certs-${ID}/tls.key" > "/certs/mongodb.pem"
+
+    #Use remaining intermediate certificates for ca.crt
+    echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat > "/certs/mongodb-ca-cert"
+
+    rm -rf /certs/xx*
+    {{- else }}
     cat "/certs-${ID}/tls.crt" "/certs-${ID}/tls.key" > "/certs/mongodb.pem"
     cp "/certs-${ID}/ca.crt" "/certs/mongodb-ca-cert"
+    {{- end }}
+
     chmod 0600 /certs/mongodb-ca-cert /certs/mongodb.pem
     {{- end }}
   {{- end }}

bitnami/mongodb/values.yaml

@@ -199,29 +199,33 @@ tls:
   ##
   caCert: ""
   caKey: ""
+  ## @param tls.pemChainIncluded Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert.
+  ## Certificates must be in proper order, where the top certificate is the leaf and the bottom certificate is the top-most intermediate CA.
+  ##
+  pemChainIncluded: false
   standalone:
-    ## @param tls.standalone.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).
+    ## @param tls.standalone.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.
     ## NOTE: When it's set it will disable certificate self-generation from existing CA.
     ##
     existingSecret: ""
   replicaset:
-    ## @param tls.replicaset.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).
+    ## @param tls.replicaset.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.
     ## existingSecrets:
     ##  - "mySecret-0"
     ##  - "mySecret-1"
     ## NOTE: When it's set it will disable certificate self-generation from existing CA.
     ##
     existingSecrets: []
   hidden:
-    ## @param tls.hidden.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).
+    ## @param tls.hidden.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.
     ## existingSecrets:
     ##  - "mySecret-0"
     ##  - "mySecret-1"
     ## NOTE: When it's set it will disable certificate self-generation from existing CA.
     ##
     existingSecrets: []
   arbiter:
-    ## @param tls.arbiter.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`).
+    ## @param tls.arbiter.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled.
     ## NOTE: When it's set it will disable certificate self-generation from existing CA.
     ##
     existingSecret: ""