Mongo auth fix (#190)

* backend: makes mongo auth configurable!
use mongo_auth secret in k8s and set env vars in docker
fixes #177 
* docker: update config.sample.env: use ws screencast by default, add NO_DELETE_ON_FAIL option, extend default login lifetime

backend/db.py

@@ -9,10 +9,11 @@ import motor.motor_asyncio
 
 from pydantic import BaseModel, UUID4
 
+MONGO_USER = os.environ["MONGO_INITDB_ROOT_USERNAME"]
+MONGO_PASS = os.environ["MONGO_INITDB_ROOT_PASSWORD"]
+MONGO_HOST = os.environ["MONGO_HOST"]
 
-DATABASE_URL = (
+DATABASE_URL = f"mongodb://{MONGO_USER}:{MONGO_PASS}@{MONGO_HOST}:27017"
-    f"mongodb://root:example@{os.environ.get('MONGO_HOST', 'localhost')}:27017"
-)
 
 
 # ============================================================================

build-backend.sh

@@ -1,2 +1,2 @@
-docker buildx build --platform linux/amd64 --push -t webrecorder/browsertrix-backend ./backend/
+docker buildx build --platform linux/amd64 --push -t ${REGISTRY}webrecorder/browsertrix-backend ./backend/
 

build-frontend.sh

@@ -1,2 +1,2 @@
 #!/bin/bash
-docker buildx build --build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" --build-arg GIT_BRANCH_NAME="$(git rev-parse --abbrev-ref HEAD)" --build-arg RWP_BASE_URL="https://replayweb.page/" --platform linux/amd64 --push -t webrecorder/browsertrix-frontend ./frontend/
+docker buildx build --build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" --build-arg GIT_BRANCH_NAME="$(git rev-parse --abbrev-ref HEAD)" --build-arg RWP_BASE_URL="https://replayweb.page/" --platform linux/amd64 --push -t ${REGISTRY}webrecorder/browsertrix-frontend ./frontend/

chart/templates/backend.yaml

@@ -50,6 +50,8 @@ spec:
                 name: {{ .Values.name }}-env-config
             - secretRef:
                 name: auth-secrets
+            - secretRef:
+                name: mongo-auth
 
           resources:
             limits:

chart/templates/configmap.yaml

@@ -6,8 +6,6 @@ metadata:
   namespace: {{ .Release.Namespace }}
 
 data:
-  MONGO_HOST: {{ .Values.mongo_host }}
-
   APP_ORIGIN: {{.Values.ingress.scheme }}://{{ .Values.ingress.host | default "localhost:9870" }}
 
   CRAWLER_NAMESPACE: {{ .Values.crawler_namespace }}

chart/templates/mongo.yaml

@@ -1,4 +1,5 @@
-{{- if .Values.mongo_local }}
+
+# mongo secrets used with backend and with local mongo, if any
 
 ---
 apiVersion: v1
@@ -11,8 +12,11 @@ type: Opaque
 stringData:
   MONGO_INITDB_ROOT_USERNAME: {{ .Values.mongo_auth.username | quote }}
   MONGO_INITDB_ROOT_PASSWORD: {{ .Values.mongo_auth.password | quote }}
+  MONGO_HOST: {{ .Values.mongo_host }}
 
 
+{{- if .Values.mongo_local }}
+
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1

configs/config.sample.env

@@ -32,14 +32,17 @@ REDIS_URL=redis://redis/0
 # Browsertrix Crawler image to use
 CRAWLER_IMAGE=webrecorder/browsertrix-crawler
 
-CRAWL_ARGS="--timeout 90 --logging stats,behaviors,debug --generateWACZ --screencastRedis"
+CRAWL_ARGS="--timeout 90 --logging stats,behaviors,debug --generateWACZ --screencastPort 9037"
 
 REGISTRATION_ENABLED=1
 
 # number of workers to run for backend
-WEB_CONCURRENCY=4
+WEB_CONCURRENCY=1
 
-JWT_TOKEN_LIFETIME_MINUTES=60
+JWT_TOKEN_LIFETIME_MINUTES=240
+
+# for debugging, keep failed containers around
+NO_DELETE_ON_FAIL=0
 
 # auth sign -- uncomment to enable signing
 # WACZ_SIGN_URL="http://authsign:8080/sign"