feat: deploy a sharded MongoDB (#168)

armonik/partitions-in-database-cron.tf

@@ -174,9 +174,9 @@ resource "kubernetes_cron_job_v1" "partitions_in_database" {
 locals {
   script_cron = <<EOF
 #!/bin/bash
-export nbElements=$(mongosh --tlsCAFile $MongoDB__CAFile --tlsAllowInvalidCertificates --tlsAllowInvalidHostnames --tls --username $MongoDB__User --password $MongoDB__Password mongodb://$MongoDB__Host:$MongoDB__Port/database?directConnection=false --eval 'db.PartitionData.countDocuments()' --quiet)
+export nbElements=$(mongosh --tlsCAFile $MongoDB__CAFile --tlsAllowInvalidCertificates --tlsAllowInvalidHostnames --tls --username $MongoDB__User --password $MongoDB__Password mongodb://$MongoDB__Host:$MongoDB__Port/database?authSource=$MongoDB__AuthSource&directConnection=true --eval 'db.PartitionData.countDocuments()' --quiet)
 if [[ $nbElements != ${length(local.partition_names)} ]]; then
-  mongosh --tlsCAFile $MongoDB__CAFile --tlsAllowInvalidCertificates --tlsAllowInvalidHostnames --tls --username $MongoDB__User --password $MongoDB__Password mongodb://$MongoDB__Host:$MongoDB__Port/database?directConnection=false --eval 'db.PartitionData.insertMany(${jsonencode(local.partitions_data)})'
+  mongosh --tlsCAFile $MongoDB__CAFile --tlsAllowInvalidCertificates --tlsAllowInvalidHostnames --tls --username $MongoDB__User --password $MongoDB__Password mongodb://$MongoDB__Host:$MongoDB__Port/database?authSource=$MongoDB__AuthSource&directConnection=true --eval 'db.PartitionData.insertMany(${jsonencode(local.partitions_data)})'
 fi
 EOF
 }

armonik/partitions-in-database.tf

@@ -165,9 +165,9 @@ locals {
   script = <<EOF
 #!/bin/bash
 # Drop
-mongosh --tlsCAFile $MongoDB__CAFile --tlsAllowInvalidCertificates --tlsAllowInvalidHostnames --tls --username $MongoDB__User --password $MongoDB__Password mongodb://$MongoDB__Host:$MongoDB__Port/database --eval 'db.PartitionData.drop()'
+mongosh --tlsCAFile $MongoDB__CAFile --tlsAllowInvalidCertificates --tlsAllowInvalidHostnames --tls --username $MongoDB__User --password $MongoDB__Password mongodb://$MongoDB__Host:$MongoDB__Port/database?authSource=$MongoDB__AuthSource --eval 'db.PartitionData.drop()'
 
 # Insert
-mongosh --tlsCAFile $MongoDB__CAFile --tlsAllowInvalidCertificates --tlsAllowInvalidHostnames --tls --username $MongoDB__User --password $MongoDB__Password mongodb://$MongoDB__Host:$MongoDB__Port/database --eval 'db.PartitionData.insertMany(${jsonencode(local.partitions_data)})'
+mongosh --tlsCAFile $MongoDB__CAFile --tlsAllowInvalidCertificates --tlsAllowInvalidHostnames --tls --username $MongoDB__User --password $MongoDB__Password mongodb://$MongoDB__Host:$MongoDB__Port/database?authSource=$MongoDB__AuthSource --eval 'db.PartitionData.insertMany(${jsonencode(local.partitions_data)})'
 EOF
 }

storage/onpremise/mongodb-sharded/certificates.tf

@@ -0,0 +1,77 @@
+#------------------------------------------------------------------------------
+# Certificate Authority
+#------------------------------------------------------------------------------
+resource "tls_private_key" "root_mongodb" {
+  algorithm   = "RSA"
+  ecdsa_curve = "P384"
+  rsa_bits    = "4096"
+}
+
+resource "tls_self_signed_cert" "root_mongodb" {
+  private_key_pem       = tls_private_key.root_mongodb.private_key_pem
+  is_ca_certificate     = true
+  validity_period_hours = var.validity_period_hours
+  allowed_uses = [
+    "cert_signing",
+    "key_encipherment",
+    "digital_signature"
+  ]
+  subject {
+    organization = "ArmoniK mongodb Root (NonTrusted)"
+    common_name  = "ArmoniK mongodb Root (NonTrusted) Private Certificate Authority"
+    country      = "France"
+  }
+}
+
+#------------------------------------------------------------------------------
+# Certificate
+#------------------------------------------------------------------------------
+resource "tls_private_key" "mongodb_private_key" {
+  algorithm   = "RSA"
+  ecdsa_curve = "P384"
+  rsa_bits    = "4096"
+}
+
+resource "tls_cert_request" "mongodb_cert_request" {
+  private_key_pem = tls_private_key.mongodb_private_key.private_key_pem
+  subject {
+    country     = "France"
+    common_name = "127.0.0.1"
+    # organization = "127.0.0.1"
+  }
+}
+
+resource "tls_locally_signed_cert" "mongodb_certificate" {
+  cert_request_pem      = tls_cert_request.mongodb_cert_request.cert_request_pem
+  ca_private_key_pem    = tls_private_key.root_mongodb.private_key_pem
+  ca_cert_pem           = tls_self_signed_cert.root_mongodb.cert_pem
+  validity_period_hours = var.validity_period_hours
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+    "client_auth",
+    "any_extended",
+  ]
+}
+
+#------------------------------------------------------------------------------
+# Kubernetes Secrets with certificates
+#------------------------------------------------------------------------------
+
+resource "kubernetes_secret" "mongodb_certificate" {
+  metadata {
+    name      = "${var.name}-server-certificates"
+    namespace = var.namespace
+  }
+  data = {
+    "mongodb.pem" = format("%s\n%s", tls_locally_signed_cert.mongodb_certificate.cert_pem, tls_private_key.mongodb_private_key.private_key_pem)
+    "chain.pem"   = format("%s\n%s", tls_locally_signed_cert.mongodb_certificate.cert_pem, tls_self_signed_cert.root_mongodb.cert_pem)
+  }
+}
+
+resource "local_sensitive_file" "mongodb_client_certificate" {
+  content         = format("%s\n%s", tls_locally_signed_cert.mongodb_certificate.cert_pem, tls_self_signed_cert.root_mongodb.cert_pem)
+  filename        = "${path.root}/generated/certificates/${var.name}/chain.pem"
+  file_permission = "0600"
+}

storage/onpremise/mongodb-sharded/configmap.tf

@@ -0,0 +1,38 @@
+locals {
+  database_init_script = <<EOF
+    db = db.getSiblingDB("${var.mongodb.database_name}");
+    db.createCollection("sample")
+    db.sample.insertOne({test:1})
+    db.createUser(
+    {
+        user: "${random_string.mongodb_application_user.result}",
+        pwd: "${random_password.mongodb_application_password.result}",
+        roles: [ 
+          {role: "readWrite", db: "${var.mongodb.database_name}" }, 
+          { role: "dbAdmin", db: "${var.mongodb.database_name}" }
+        ]
+    }
+    );
+    db.sample.drop()
+    db.adminCommand(
+    {
+      enableSharding: "${var.mongodb.database_name}"
+    }
+    );
+    EOF
+}
+
+resource "kubernetes_secret" "database_init_script" {
+  metadata {
+    name      = "${var.name}-database-init-script"
+    namespace = var.namespace
+  }
+  data = {
+    "initDatabase.js" = local.database_init_script
+  }
+}
+
+resource "local_sensitive_file" "init_script_file" {
+  content  = local.database_init_script
+  filename = "${path.root}/generated/${var.name}/configmaps/database_init_script.js"
+}

storage/onpremise/mongodb-sharded/credentials.tf

@@ -0,0 +1,10 @@
+resource "random_string" "mongodb_application_user" {
+  length  = 8
+  special = false
+  numeric = false
+}
+
+resource "random_password" "mongodb_application_password" {
+  length  = 16
+  special = false
+}

storage/onpremise/mongodb-sharded/examples/complete/main.tf

@@ -0,0 +1,106 @@
+module "sharded_mongodb" {
+  source    = "../../"
+  namespace = var.namespace
+  name      = "mongodb-sharded"
+  timeout   = 300
+
+  labels = {
+    shards = {
+      "role" = "dataHolder"
+    }
+
+    router = {
+      "role" = "distributer"
+    }
+
+    configsvr = {
+      "role" = "metadataHolder"
+    }
+  }
+
+  mongodb = {
+    helm_chart_repository = "oci://registry-1.docker.io/bitnamicharts"
+    helm_chart_version    = "8.3.8"
+    image_pull_secrets    = [""]
+    node_selector         = {}
+    registry              = "docker.io"
+    tag                   = "7.0.14-debian-12-r0"
+  }
+
+  sharding = {
+    shards = {
+      quantity = 2
+      replicas = 2
+    }
+
+    configsvr = {
+      replicas = 2
+    }
+
+    router = {
+      replicas = 2
+    }
+  }
+
+  persistence = {
+    shards = {
+      access_mode         = ["ReadWriteOnce"]
+      reclaim_policy      = "Retain"
+      storage_provisioner = "rancher.io/local-path"
+      resources = {
+        requests = {
+          storage = "8Gi"
+        }
+      }
+    }
+
+    configsvr = {
+      access_mode         = ["ReadWriteOnce"]
+      reclaim_policy      = "Delete"
+      storage_provisioner = "rancher.io/local-path"
+      resources = {
+        requests = {
+          storage = "1Gi"
+        }
+      }
+    }
+  }
+
+  resources = {
+    shards = {
+      limits = {
+        "cpu"    = "1"
+        "memory" = "2Gi"
+      }
+      requests = {
+        "cpu"    = "500m"
+        "memory" = "1Gi"
+      }
+    }
+
+    arbiter = {
+      limits = {
+        "cpu"    = "500m"
+        "memory" = "500Mi"
+      }
+    }
+
+    configsvr = {
+      limits = {
+        "cpu"    = "1"
+        "memory" = "1Gi"
+      }
+      requests = {
+        "cpu"    = "200m"
+        "memory" = "400Mi"
+      }
+    }
+
+    router = {
+      requests = {
+        "cpu"    = "400m"
+        "memory" = "700Mi"
+      }
+    }
+  }
+}

storage/onpremise/mongodb-sharded/examples/complete/outputs.tf

@@ -0,0 +1,52 @@
+output "host" {
+  description = "Hostname or IP address of MongoDB server"
+  value       = module.sharded_mongodb.host
+}
+
+output "port" {
+  description = "Port of MongoDB server"
+  value       = module.sharded_mongodb.port
+}
+
+output "url" {
+  description = "URL of MongoDB server"
+  value       = module.sharded_mongodb.url
+}
+
+output "number_of_shards" {
+  description = "Number of MongoDB shards"
+  value       = module.sharded_mongodb.number_of_shards
+}
+
+output "number_of_replicas" {
+  description = "Number of replicas for each shard"
+  value       = module.sharded_mongodb.number_of_replicas
+}
+
+# SENSITIVE OUTPUTS
+output "user_credentials" {
+  description = "User credentials of MongoDB"
+  value       = module.sharded_mongodb.user_credentials
+  sensitive   = true
+}
+
+output "endpoints" {
+  description = "Endpoints of MongoDB"
+  value       = module.sharded_mongodb.endpoints
+  sensitive   = true
+}
+
+output "env" {
+  description = "Environment variables passed down to ArmoniK Core"
+  value       = module.sharded_mongodb.env
+}
+
+output "mount_secrets" {
+  description = "Secrets to be mounted as volumes"
+  value       = module.sharded_mongodb.mount_secret
+}
+
+output "env_from_secret" {
+  description = "Environment variables from secrets"
+  value       = module.sharded_mongodb.env_from_secret
+}

storage/onpremise/mongodb-sharded/examples/complete/providers.tf

@@ -0,0 +1,9 @@
+provider "helm" {
+  kubernetes {
+    config_path = var.kube_config_path
+  }
+}
+
+provider "kubernetes" {
+  config_path = var.kube_config_path
+}

storage/onpremise/mongodb-sharded/examples/complete/variables.tf

@@ -0,0 +1,11 @@
+variable "namespace" {
+  description = "Namespace of ArmoniK resources"
+  type        = string
+  default     = "default"
+}
+
+variable "kube_config_path" {
+  description = "The kubernetes configuration file path you want to specify"
+  type        = string
+  default     = "~/.kube/config"
+}

storage/onpremise/mongodb-sharded/examples/complete/versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 1.2"
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.10.1"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.21.1"
+    }
+  }
+}

storage/onpremise/mongodb-sharded/examples/simple/main.tf

@@ -0,0 +1,11 @@
+module "sharded_mongodb" {
+  source    = "../../"
+  namespace = var.namespace
+  name      = "mongodb-sharded"
+  timeout   = 300
+
+  mongodb = {
+    helm_chart_version = "8.3.8"
+    tag                = "7.0.14-debian-12-r0"
+  }
+}