feat!: use the official mongodb image

Chart.lock

@@ -1,9 +1,6 @@
 dependencies:
 - name: common
-  repository: https://charts.bitnami.com/bitnami
-  version: 2.2.2
-- name: mongodb
-  repository: https://charts.bitnami.com/bitnami
-  version: 13.6.2
-digest: sha256:8f2475fdda7c417f31da168dbfb87df4177bf459a355226c81908c1e0f207ea7
-generated: "2023-01-25T13:54:49.218334+01:00"
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 2.30.0
+digest: sha256:1d4fe7ab3d8601c2772b82ca4495929226ecbf073f9fb436f5bf5f089df6c4bd
+generated: "2025-10-03T17:39:33.360927+02:00"

Chart.yaml

@@ -10,9 +10,5 @@ sources:
   - https://github.com/evertrust/stream-helm
 dependencies:
   - name: common
-    version: 2.2.2
-    repository: https://charts.bitnami.com/bitnami
-  - name: mongodb
-    version: 13.6.2
-    repository: https://charts.bitnami.com/bitnami
-    condition: mongodb.enabled
+    version: 2.30.0
+    repository: oci://registry-1.docker.io/bitnamicharts

Makefile

@@ -9,7 +9,7 @@ dependencies:
 package: dependencies
 	helm package .
 
-test: setup-unittest
+test: dependencies setup-unittest
 	helm unittest . -v tests/values.yaml
 
 setup-unittest:

templates/_helpers.tpl

@@ -9,14 +9,6 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/version: {{ .Chart.AppVersion }}
 {{- end -}}
 
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "stream.mongodb.fullname" -}}
-{{- printf "%s-%s" .Release.Name "mongodb" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
 {{/*
 Prints all Stream allowed hosts.
 */}}

templates/mongodb/deployment.yml

@@ -0,0 +1,75 @@
+{{- if and (ne (.Values.mongodb).enabled false) .Values.temporaryDatabase.enabled }}
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+  name: {{ include "common.names.dependency.fullname" (dict "chartName" "mongodb" "chartValues" .Values.temporaryDatabase "context" $) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels (dict "app.kubernetes.io/name" "mongodb" "app.kubernetes.io/version" (.Values.temporaryDatabase.image.tag | toString) "app.kubernetes.io/part-of" "stream")) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+  {{- if or .Values.temporaryDatabase.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.temporaryDatabase.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels: {{- include "common.labels.matchLabels" (dict "customLabels" (dict "app.kubernetes.io/name" "mongodb") "context" .) | nindent 6 }}
+  strategy: 
+    type: Recreate
+  template:
+    metadata:
+      labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 8 }}
+      {{- if or .Values.temporaryDatabase.annotations .Values.commonAnnotations }}
+      {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.temporaryDatabase.annotations .Values.commonAnnotations ) "context" . ) }}
+      annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- if .Values.temporaryDatabase.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.temporaryDatabase.podSecurityContext "context" $) | nindent 8 -}}
+      {{- end }}
+      serviceAccountName: {{ template "stream.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
+      containers:
+        - name: mongo
+          image: {{ include "common.images.image" (dict "imageRoot" .Values.temporaryDatabase.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.temporaryDatabase.image.pullPolicy | default "IfNotPresent" | quote }}
+          {{- if .Values.temporaryDatabase.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.temporaryDatabase.containerSecurityContext "context" $) | nindent 10 -}}
+          {{- end }}
+          livenessProbe:
+            tcpSocket:
+              port: mongo
+            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+            successThreshold: {{ .Values.livenessProbe.successThreshold }}
+          startupProbe:
+            tcpSocket:
+              port: mongo
+            periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+            failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+          readinessProbe:
+            tcpSocket:
+              port: mongo
+            initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+            successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          resources: {{- toYaml .Values.temporaryDatabase.resources | nindent 12 }}
+          {{- if .Values.temporaryDatabase.persistence.enabled }}
+          volumeMounts:
+            - name: data
+              mountPath: /data/db
+          {{- end }}
+          ports:
+            - name: mongo
+              containerPort: 27017
+      {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.temporaryDatabase.image) "context" $) | nindent 6 }}
+      {{- if and .Values.temporaryDatabase.persistence.enabled }}
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ include "common.names.dependency.fullname" (dict "chartName" "mongodb" "chartValues" .Values.temporaryDatabase "context" $) }}
+      {{- end }}
+{{- end }}

templates/mongodb/pvc.yml

@@ -0,0 +1,21 @@
+{{- if and (ne (.Values.mongodb).enabled false) .Values.temporaryDatabase.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "common.names.dependency.fullname" (dict "chartName" "mongodb" "chartValues" .Values.temporaryDatabase "context" $) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels (dict "app.kubernetes.io/name" "mongodb" "app.kubernetes.io/part-of" "stream")) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+  {{- if or .Values.temporaryDatabase.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.temporaryDatabase.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- include "common.storage.class" (dict "persistence" .Values.temporaryDatabase.persistence "global" .Values.global) | nindent 2 }}
+  accessModes:
+    {{- range .Values.temporaryDatabase.persistence.accessModes }}
+    - {{ . | quote }}
+    {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.temporaryDatabase.persistence.size | quote }}
+{{- end }}

templates/mongodb/service.yml

@@ -0,0 +1,20 @@
+{{- if and (ne (.Values.mongodb).enabled false) .Values.temporaryDatabase.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "common.names.dependency.fullname" (dict "chartName" "mongodb" "chartValues" .Values.temporaryDatabase "context" $) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels (dict "app.kubernetes.io/name" "mongodb" "app.kubernetes.io/part-of" "stream")) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+  {{- if or .Values.temporaryDatabase.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.temporaryDatabase.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  type: ClusterIP
+  ports:
+    - name: mongo
+      protocol: TCP
+      port: 27017
+      targetPort: mongo
+  selector: {{- include "common.labels.matchLabels" (dict "customLabels" $labels "context" .) | nindent 4 }}
+{{- end }}

templates/secrets.yml

@@ -13,8 +13,8 @@ data:
   appSecret: {{ include "common.secrets.lookup" (dict "secret" $name "key" "appSecret" "defaultValue" (randAlphaNum 32) "context" $) }}
   {{- end }}
 
-  {{- if and .Values.mongodb.enabled (not .Values.externalDatabase.secretKey) }}
-  mongoUri: {{ printf "mongodb://%s:%s@%s.%s.svc.cluster.local/%s" .Values.mongodb.auth.username .Values.mongodb.auth.password (include "stream.mongodb.fullname" .) .Release.Namespace .Values.mongodb.auth.database | b64enc | quote }}
+  {{- if and (ne (.Values.mongodb).enabled false) (not .Values.externalDatabase.secretKey) }}
+  mongoUri: {{ printf "mongodb://%s/stream" (include "common.names.dependency.fullname" (dict "chartName" "mongodb" "chartValues" .Values.temporaryDatabase "context" $)) | b64enc | quote }}
   {{- end }}
 
   {{- if and .Values.events.chainsign (not .Values.events.secretKey) }}

tests/mongodb_test.yaml

@@ -0,0 +1,60 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: temporary mongodb database
+templates:
+  - mongodb/deployment.yml
+  - mongodb/service.yml
+  - mongodb/pvc.yml
+  - secrets.yml
+tests:
+  - it: should deploy a temporary mongodb by default
+    template: mongodb/deployment.yml
+    asserts:
+      - isKind:
+          of: Deployment
+      - equal:
+          path: spec.template.spec.containers[0].name
+          value: mongo
+
+  - it: should not deploy a temporary mongodb when disabled
+    set:
+      temporaryDatabase.enabled: false
+      externalDatabase.secretName: dummy
+      externalDatabase.secretKey: dummy
+    template: mongodb/deployment.yml
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should not deploy a temporary mongodb when legacy flag is disabled
+    set:
+      mongodb.enabled: false
+      externalDatabase.secretName: dummy
+      externalDatabase.secretKey: dummy
+    template: mongodb/deployment.yml
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should deploy a temporary mongodb when legacy flag is enabled
+    set:
+      mongodb.enabled: true
+    template: mongodb/deployment.yml
+    asserts:
+      - hasDocuments:
+          count: 1
+
+  - it: should generate a mongodb connection string in the secret when temporary database is enabled
+    template: secrets.yml
+    asserts:
+      - exists:
+          path: data.mongoUri
+
+  - it: should not generate a mongodb connection string in the secret when temporary database is disabled
+    set:
+      temporaryDatabase.enabled: false
+      externalDatabase.secretName: dummy
+      externalDatabase.secretKey: dummy
+    template: secrets.yml
+    asserts:
+      - notExists:
+          path: data.mongoUri

values.yaml

@@ -519,37 +519,67 @@ extraConfig: ""
 
 ## @section Database parameters
 
-## Install a MongoDB instance
-## ref: https://github.com/bitnami/charts/tree/master/bitnami/mongodb
-mongodb:
-  ## @param mongodb.enabled Whether to deploy a mongodb server to satisfy the application database requirements. To use an external database set this to false and configure the `externalDatabase.uri` parameter
-  ##
+temporaryDatabase:
+  ## @param temporaryDatabase.enabled Whether to enable the deployment of a temporary MongoDB instance
   enabled: true
-  ## @param mongodb.architecture MongoDB architecture (`standalone` or `replicaset`)
+
+  ## @param temporaryDatabase.image.registry MongoDB image registry
+  ## @param temporaryDatabase.image.repository MongoDB image repository
+  ## @param temporaryDatabase.image.tag MongoDB image tag (immutable tags are recommended)
+  ## @param temporaryDatabase.image.pullPolicy MongoDB image pull policy
+  ## @param temporaryDatabase.image.pullSecrets MongoDB image pull secrets
   ##
-  architecture: standalone
-  ## Bitnami MongoDB(®) image
-  ## ref: https://hub.docker.com/r/bitnami/mongodb/tags/
-  ## @param image.tag MongoDB(®) image tag (immutable tags are recommended)
   image:
-    tag: 5.0.14-debian-11-r9
-  ## MongoDB Authentication parameters
-  ##
-  auth:
-    ## @param auth.rootPassword MongoDB(®) root password
-    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#setting-the-root-user-and-password-on-first-run
-    ##
-    rootPassword: ""
-    ## @param mongodb.auth.username MongoDB custom user
-    ## ref: https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md#creating-a-user-and-database-on-first-run
-    ##
-    username: stream
-    ## @param mongodb.auth.database MongoDB custom database
-    ##
-    database: stream
-    ## @param mongodb.auth.password MongoDB custom password
-    ##
-    password: stream
+    registry: ~
+    repository: mongo
+    tag: 7
+    pullPolicy: IfNotPresent
+    pullSecrets: []
+
+  persistence:
+    ## @param temporaryDatabase.persistence.enabled Whether to enable persistence on the temporary MongoDB
+    enabled: true
+    ## @param temporaryDatabase.persistence.annotations Extra annotations to add to the PVC
+    annotations: {}
+    ## @param temporaryDatabase.persistence.storageClass Storage class of backing PVC
+    storageClass: ""
+    ## @param temporaryDatabase.persistence.accessModes Access modes of the PVC
+    accessModes:
+      - ReadWriteOnce
+    ## @param temporaryDatabase.persistence.size Size of data volume for MongoDB
+    size: "1Gi"
+
+  ## MongoDB container resource requests and limits
+  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## @param temporaryDatabase.resources.limits [object] The resources limits for the MongoDB container
+  ## @param temporaryDatabase.resources.requests [object] The requested resources for the MongoDB container
+  ##
+  resources:
+    limits:
+      memory: 512Mi
+      cpu: 500m
+    requests:
+      memory: 512Mi
+      cpu: 500m
+
+  ## Configure Pods Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  ## @param temporaryDatabase.podSecurityContext.enabled Enabled MongoDB pods' Security Context
+  ## @param temporaryDatabase.podSecurityContext.fsGroup Set MongoDB pod's Security Context fsGroup
+  ##
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1001
+  ## Configure Container Security Context (only main container)
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  ## @param temporaryDatabase.containerSecurityContext.enabled Enabled MongoDB containers' Security Context
+  ## @param temporaryDatabase.containerSecurityContext.runAsUser Set MongoDB container's Security Context runAsUser
+  ## @param temporaryDatabase.containerSecurityContext.runAsNonRoot Set MongoDB container's Security Context runAsNonRoot
+  ##
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    runAsNonRoot: true
 
 ## @section Upgrade parameters
 upgrade: