Mongo auth fix (#190)

* backend: makes mongo auth configurable! use mongo_auth secret in k8s and set env vars in docker fixes #177 * docker: update config.sample.env: use ws screencast by default, add NO_DELETE_ON_FAIL option, extend default login lifetime
2022-03-04 15:04:33 -08:00 · 2022-03-04 15:04:33 -08:00 · fb51f8e33e
commit fb51f8e33e
parent cdd0ab34a3
7 changed files with 19 additions and 11 deletions
--- a/backend/db.py
+++ b/backend/db.py
@ -9,10 +9,11 @@ import motor.motor_asyncio

 from pydantic import BaseModel, UUID4

+MONGO_USER = os.environ["MONGO_INITDB_ROOT_USERNAME"]
+MONGO_PASS = os.environ["MONGO_INITDB_ROOT_PASSWORD"]
+MONGO_HOST = os.environ["MONGO_HOST"]

-DATABASE_URL = (
-    f"mongodb://root:example@{os.environ.get('MONGO_HOST', 'localhost')}:27017"
-)
+DATABASE_URL = f"mongodb://{MONGO_USER}:{MONGO_PASS}@{MONGO_HOST}:27017"


 # ============================================================================
--- a/build-backend.sh
+++ b/build-backend.sh
@ -1,2 +1,2 @@
-docker buildx build --platform linux/amd64 --push -t webrecorder/browsertrix-backend ./backend/
+docker buildx build --platform linux/amd64 --push -t ${REGISTRY}webrecorder/browsertrix-backend ./backend/

--- a/build-frontend.sh
+++ b/build-frontend.sh
@ -1,2 +1,2 @@
 #!/bin/bash
-docker buildx build --build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" --build-arg GIT_BRANCH_NAME="$(git rev-parse --abbrev-ref HEAD)" --build-arg RWP_BASE_URL="https://replayweb.page/" --platform linux/amd64 --push -t webrecorder/browsertrix-frontend ./frontend/
+docker buildx build --build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" --build-arg GIT_BRANCH_NAME="$(git rev-parse --abbrev-ref HEAD)" --build-arg RWP_BASE_URL="https://replayweb.page/" --platform linux/amd64 --push -t ${REGISTRY}webrecorder/browsertrix-frontend ./frontend/
--- a/chart/templates/backend.yaml
+++ b/chart/templates/backend.yaml
@ -50,6 +50,8 @@ spec:
                name: {{ .Values.name }}-env-config
            - secretRef:
                name: auth-secrets
+            - secretRef:
+                name: mongo-auth

          resources:
            limits:
--- a/chart/templates/configmap.yaml
+++ b/chart/templates/configmap.yaml
@ -6,8 +6,6 @@ metadata:
  namespace: {{ .Release.Namespace }}

 data:
-  MONGO_HOST: {{ .Values.mongo_host }}
-
  APP_ORIGIN: {{.Values.ingress.scheme }}://{{ .Values.ingress.host | default "localhost:9870" }}

  CRAWLER_NAMESPACE: {{ .Values.crawler_namespace }}
--- a/chart/templates/mongo.yaml
+++ b/chart/templates/mongo.yaml
@ -1,4 +1,5 @@
-{{- if .Values.mongo_local }}
+
+# mongo secrets used with backend and with local mongo, if any

 ---
 apiVersion: v1
@ -11,8 +12,11 @@ type: Opaque
 stringData:
  MONGO_INITDB_ROOT_USERNAME: {{ .Values.mongo_auth.username | quote }}
  MONGO_INITDB_ROOT_PASSWORD: {{ .Values.mongo_auth.password | quote }}
+  MONGO_HOST: {{ .Values.mongo_host }}


+{{- if .Values.mongo_local }}
+
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
--- a/configs/config.sample.env
+++ b/configs/config.sample.env
@ -32,14 +32,17 @@ REDIS_URL=redis://redis/0
 # Browsertrix Crawler image to use
 CRAWLER_IMAGE=webrecorder/browsertrix-crawler

-CRAWL_ARGS="--timeout 90 --logging stats,behaviors,debug --generateWACZ --screencastRedis"
+CRAWL_ARGS="--timeout 90 --logging stats,behaviors,debug --generateWACZ --screencastPort 9037"

 REGISTRATION_ENABLED=1

 # number of workers to run for backend
-WEB_CONCURRENCY=4
+WEB_CONCURRENCY=1

-JWT_TOKEN_LIFETIME_MINUTES=60
+JWT_TOKEN_LIFETIME_MINUTES=240
+
+# for debugging, keep failed containers around
+NO_DELETE_ON_FAIL=0

 # auth sign -- uncomment to enable signing
 # WACZ_SIGN_URL="http://authsign:8080/sign"