LOGINMASTER-DeploymentScript/templates/01-mongodb-tls.yaml
Luca 468d4562c7 Initial commit — LoginMaster tenant deployment toolkit
Toolkit to deploy/update a LoginMaster tenant on any Kubernetes
(EKS/AKS/DOKS/Scaleway/vSphere/...). Contains:

- deploy.sh: bootstrap of a new tenant (idempotent, re-run protection,
  auto-detected storage class, separate api/admin tag prompts, cryptographic
  secret generation via openssl rand).
- update.sh: zero-downtime rolling update with separate api/admin tags, rollback
  hint via 'kubectl rollout undo', optional re-application of the ConfigMap.
- templates/: 8 parametric manifests (envsubst): namespace, cert-manager TLS for
  Mongo, intra-namespace NetworkPolicy, ConfigMap, 3-replica MongoDB StatefulSet
  with internal TLS + initContainer for keyfile/PEM, 2-replica tenant-api Deployment
  with CA validation, tenant-admin, nginx ingress + Let's Encrypt.

Security: internal Mongo TLS (self-signed 10y cert-manager CA), keyFile for
replica set auth, client password never in argv, NetworkPolicy isolating the
tenant, non-root Mongo pod (uid 999) with a root initContainer for the runtime
files in tmpfs.
2026-05-06 11:44:04 +02:00

# Internal MongoDB TLS (cert-manager).
# Chain: self-signed Issuer → CA cert → CA Issuer → replica set member cert.
# The Secret 'mongodb-tenant-tls' (created by cert-manager) contains tls.crt, tls.key, ca.crt.
#
# Operational notes:
# - mongod uses keyFile for cluster auth and TLS only for transport (not x.509).
# - Renewal of the member cert (renewBefore: 30d, duration: 1y) does NOT
#   automatically restart the mongo pods. When cert-manager reissues the Secret,
#   it has to be done manually: kubectl rollout restart statefulset/mongodb-tenant.
# - SANs cover: the headless Service name, and the short and full FQDNs of the 3 pods.
#   Connections from deploy.sh via 127.0.0.1 use --tlsAllowInvalidHostnames
#   (the CA is validated, only the hostname check is skipped).
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: mongodb-tenant-selfsigned
  namespace: ${NAMESPACE}
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mongodb-tenant-ca
  namespace: ${NAMESPACE}
spec:
  isCA: true
  commonName: mongodb-tenant-ca
  duration: 87600h # 10 years (internal CA)
  renewBefore: 720h # 30 days
  secretName: mongodb-tenant-ca
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: mongodb-tenant-selfsigned
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: mongodb-tenant-ca
  namespace: ${NAMESPACE}
spec:
  ca:
    secretName: mongodb-tenant-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mongodb-tenant-tls
  namespace: ${NAMESPACE}
spec:
  secretName: mongodb-tenant-tls
  duration: 8760h # 1 year
  renewBefore: 720h # 30 days
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: mongodb-tenant-ca
    kind: Issuer
  dnsNames:
    - mongodb-tenant-headless
    - mongodb-tenant-headless.${NAMESPACE}.svc
    - mongodb-tenant-headless.${NAMESPACE}.svc.cluster.local
    - mongodb-tenant-0
    - mongodb-tenant-1
    - mongodb-tenant-2
    - mongodb-tenant-0.mongodb-tenant-headless
    - mongodb-tenant-1.mongodb-tenant-headless
    - mongodb-tenant-2.mongodb-tenant-headless
    - mongodb-tenant-0.mongodb-tenant-headless.${NAMESPACE}.svc.cluster.local
    - mongodb-tenant-1.mongodb-tenant-headless.${NAMESPACE}.svc.cluster.local
    - mongodb-tenant-2.mongodb-tenant-headless.${NAMESPACE}.svc.cluster.local