Build our own mongodb image

.github/scripts/end2end/install-kind-dependencies.sh

@@ -162,9 +162,9 @@ metadata:
   name: mongodb-db-creds
 stringData:
   mongodb-root-username: $MONGODB_ROOT_USERNAME
-  mongodb-root-password: $MONGODB_ROOT_PASSWORD 
+  mongodb-root-password: $MONGODB_ROOT_PASSWORD
   mongodb-username: $MONGODB_APP_USERNAME
-  mongodb-password: $MONGODB_APP_PASSWORD 
+  mongodb-password: $MONGODB_APP_PASSWORD
   mongodb-database: $MONGODB_APP_DATABASE
   mongodb-replica-set-key: $MONGODB_RS_KEY
 EOF
@@ -206,10 +206,10 @@ patch_mongodb_selector() {
 
     # Remove volume selectors from mongos StatefulSet
     yq eval 'select(.kind == "StatefulSet" and .metadata.name == "data-db-mongodb-sharded-mongos") |= del(.spec.volumeClaimTemplates[].spec.selector)' -i "$base_yaml_path"
-    
-    # Remove volume selectors from configsvr StatefulSet  
+
+    # Remove volume selectors from configsvr StatefulSet
     yq eval 'select(.kind == "StatefulSet" and .metadata.name == "data-db-mongodb-sharded-configsvr") |= del(.spec.volumeClaimTemplates[].spec.selector)' -i "$base_yaml_path"
-    
+
     # Remove volume selectors from shard StatefulSets
     for ((i=0; i<shard_count; i++)); do
         yq eval "select(.kind == \"StatefulSet\" and .metadata.name == \"data-db-mongodb-sharded-shard${i}-data\") |= del(.spec.volumeClaimTemplates[].spec.selector)" -i "$base_yaml_path"
@@ -225,7 +225,7 @@ build_solution_base_manifests() {
     # Limits and requests for MongoDB are computed based on the current system
     # Detect total system RAM in GiB
     TOTAL_RAM_GB=$(awk '/MemTotal/ {printf "%.0f", $2/1024/1024}' /proc/meminfo)
-  
+
     # Compute MongoDB settings based on the total RAM
     MONGODB_WIRETIGER_CACHE_SIZE_GB=$((TOTAL_RAM_GB * 335 / 1000))
     MONGODB_MONGOS_RAM_LIMIT=$((TOTAL_RAM_GB * 165 / 1000))Gi
@@ -243,7 +243,11 @@ build_solution_base_manifests() {
 
 get_image_from_deps() {
     local dep_name=$1
-    yq eval ".$dep_name | (.sourceRegistry // \"docker.io\") + \"/\" + .image + \":\" + .tag" $SOLUTION_BASE_DIR/deps.yaml
+
+    source <( "$SOLUTION_BASE_DIR/mongodb_build_vars.sh" )
+
+    yq eval ".$dep_name | (.sourceRegistry // \"docker.io\") + \"/\" + .image + \":\" + .tag" $SOLUTION_BASE_DIR/deps.yaml |
+        sed '/ghcr.io\/scality\/zenko\/mongo/ s/$/-'"${MONGODB_BUILD_TREE_HASH}"'/'
 }
 
 retry() {

.github/workflows/end2end.yaml

@@ -174,7 +174,7 @@ jobs:
           password: ${{ secrets.ARTIFACTS_PASSWORD }}
           source: /tmp/artifacts
         if: always()
-    
+
   check-mongo-patches:
     runs-on: ubuntu-24.04
     steps:
@@ -229,7 +229,7 @@ jobs:
 
   build-iso:
     runs-on: ubuntu-24.04
-    needs: [build-kafka, check-dashboard-versions]
+    needs: [build-kafka, build-mongodb-images, check-dashboard-versions]
     steps:
       - name: Install dependencies
         shell: bash
@@ -348,6 +348,61 @@ jobs:
           cache-from: type=gha,scope=kafka-connect-${{ env.KAFKA_CONNECT_TAG }}
           cache-to: type=gha,mode=max,scope=kafka-connect-${{ env.KAFKA_CONNECT_TAG }}
 
+  build-mongodb-images:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Registry
+        uses: docker/login-action@v3
+        with:
+          username: "${{ github.repository_owner }}"
+          password: "${{ github.token }}"
+          registry: ghcr.io
+
+      - name: Extract environment
+        run: |-
+          solution-base/mongodb_build_vars.sh >> $GITHUB_ENV
+
+      - name: Build and push mongodb-sharded
+        uses: docker/build-push-action@v7
+        with:
+          push: true
+          context: ./solution-base/images/mongodb-sharded/debian-12
+          build-args: |-
+            MONGODB_VERSION=${{ env.MONGODB_SHARDED_TAG }}
+          platforms: linux/amd64,linux/arm64
+          tags: "${{ env.MONGODB_SHARDED_IMAGE }}:${{ env.MONGODB_SHARDED_TAG }}-${{ env.MONGODB_BUILD_TREE_HASH }}"
+          cache-from: type=gha,scope=mongodb-sharded-${{ env.MONGODB_SHARDED_TAG }}
+          cache-to: type=gha,mode=max,scope=mongodb-sharded-${{ env.MONGODB_SHARDED_TAG }}
+
+      - name: Build and push mongodb-exporter
+        uses: docker/build-push-action@v7
+        with:
+          push: true
+          context: ./solution-base/images/mongodb-exporter/debian-12
+          platforms: linux/amd64,linux/arm64
+          tags: "${{ env.MONGODB_SHARDED_EXPORTER_IMAGE }}:${{ env.MONGODB_SHARDED_EXPORTER_TAG }}-${{ env.MONGODB_BUILD_TREE_HASH }}"
+          cache-from: type=gha,scope=mongodb-exporter-${{ env.MONGODB_SHARDED_EXPORTER_TAG }}
+          cache-to: type=gha,mode=max,scope=mongodb-exporter-${{ env.MONGODB_SHARDED_EXPORTER_TAG }}
+
+      - name: Build and push os-shell
+        uses: docker/build-push-action@v7
+        with:
+          push: true
+          context: ./solution-base/images/os-shell/debian-12
+          platforms: linux/amd64,linux/arm64
+          tags: "${{ env.MONGODB_SHARDED_SHELL_IMAGE }}:${{ env.MONGODB_SHARDED_SHELL_TAG }}-${{ env.MONGODB_BUILD_TREE_HASH }}"
+          cache-from: type=gha,scope=os-shell-${{ env.MONGODB_SHARDED_SHELL_TAG }}
+          cache-to: type=gha,mode=max,scope=os-shell-${{ env.MONGODB_SHARDED_SHELL_TAG }}
+
   lint-e2e-zenko-tests:
     runs-on: ubuntu-24.04
     steps:
@@ -411,7 +466,7 @@ jobs:
         run: yarn unused-steps
 
   end2end-pra:
-    needs: [build-kafka]
+    needs: [build-kafka, build-mongodb-images]
     runs-on: ubuntu-24.04-16core
     env:
       DEPLOY_CRR_LOCATIONS: "false"
@@ -490,7 +545,7 @@ jobs:
         if: always()
 
   end2end-2-shards-http:
-    needs: [build-kafka]
+    needs: [build-kafka, build-mongodb-images]
     runs-on:
       - ubuntu-24.04-8core
     env:
@@ -556,7 +611,7 @@ jobs:
         if: always()
 
   end2end-sharded:
-    needs: [build-kafka]
+    needs: [build-kafka, build-mongodb-images]
     runs-on:
       - ubuntu-24.04-8core
     env:
@@ -612,7 +667,7 @@ jobs:
         if: always()
 
   ctst-end2end-sharded:
-    needs: [build-kafka]
+    needs: [build-kafka, build-mongodb-images]
     runs-on:
       - ubuntu-24.04-8core
     steps:
@@ -686,6 +741,7 @@ jobs:
       - build-doc
       - build-iso
       - build-kafka
+      - build-mongodb-images
       - lint-e2e-zenko-tests
       - lint-ctst
       - end2end-2-shards-http

solution-base/build.sh

@@ -64,7 +64,10 @@ MONGODB_MONGOS_RAM_REQUEST="MONGODB_MONGOS_RAM_REQUEST"
 
 function flatten_source_images()
 {
-    yq eval '.* | (.sourceRegistry // "docker.io") + "/" + .image + ":" + .tag' ${SOLUTION_BASE_DIR}/deps.yaml
+    source <( ${SOLUTION_BASE_DIR}/mongodb_build_vars.sh )
+
+    yq eval '.* | (.sourceRegistry // "docker.io") + "/" + .image + ":" + .tag' ${SOLUTION_BASE_DIR}/deps.yaml |
+        sed '/ghcr.io\/scality\/zenko\// s/$/-'"${MONGODB_BUILD_TREE_HASH}"'/'
 }
 
 function clean()

solution-base/deps.yaml

@@ -2,11 +2,14 @@
 # to sort keys, use the following command
 # yq eval 'sortKeys(.)' -i deps.yaml
 mongodb-sharded:
-  image: bitnamilegacy/mongodb-sharded
-  tag: 8.0.13-debian-12-r0
+  sourceRegistry: ghcr.io
+  image: scality/zenko/mongodb-sharded
+  tag: "8.0.13"
 mongodb-sharded-exporter:
-  image: bitnamilegacy/mongodb-exporter
-  tag: 0.47.0-debian-12-r1
+  sourceRegistry: ghcr.io
+  image: scality/zenko/mongodb-exporter
+  tag: "0.49.0"
 mongodb-shell:
-  image: bitnamilegacy/os-shell
-  tag: 12-debian-12-r51
+  sourceRegistry: ghcr.io
+  image: scality/zenko/os-shell
+  tag: "12"

solution-base/images/Makefile

@@ -0,0 +1,39 @@
+BITNAMI_REMOTE := bitnami-containers
+BITNAMI_REPO := https://github.com/bitnami/containers.git
+BITNAMI_UPSTREAM_MAIN_REF := $(BITNAMI_REMOTE)/main
+
+IMAGES := mongodb-sharded mongodb-exporter os-shell
+
+BITNAMI_mongodb_sharded_PATH := 8.0/debian-12
+# Latest commit on upstream main known to still contain
+# bitnami/mongodb-sharded/8.0/debian-12.
+BITNAMI_mongodb_sharded_REF := 48a109547d39cd8cf8a5d4058d832ecb5844829e
+
+BITNAMI_mongodb_exporter_PATH := 0/debian-12
+BITNAMI_mongodb_exporter_REF := $(BITNAMI_UPSTREAM_MAIN_REF)
+
+BITNAMI_os_shell_PATH := 12/debian-12
+BITNAMI_os_shell_REF := $(BITNAMI_UPSTREAM_MAIN_REF)
+
+.PHONY: create-remote fetch-remote vendor-sync $(addprefix vendor-sync-,$(IMAGES)) $(addprefix update-vendor-branch-,$(IMAGES))
+
+normalize = $(subst -,_,$1)
+bitnami_path = $(BITNAMI_$(call normalize,$1)_PATH)
+bitnami_ref = $(BITNAMI_$(call normalize,$1)_REF)
+vendor_branch = vendor/$1/$(call bitnami_path,$1)
+
+create-remote:
+	@git remote get-url $(BITNAMI_REMOTE) >/dev/null 2>&1 || git remote add $(BITNAMI_REMOTE) $(BITNAMI_REPO)
+
+fetch-remote: create-remote
+	# Fetch full history from Bitnami main so subtree split can see full subtree history.
+	git fetch $(BITNAMI_REMOTE) main
+
+update-vendor-branch-%: fetch-remote
+	-git branch -D $(call vendor_branch,$*)
+	git subtree split --prefix=bitnami/$*/$(call bitnami_path,$*) $(call bitnami_ref,$*) -b $(call vendor_branch,$*)
+
+vendor-sync-%: update-vendor-branch-%
+	git subtree merge --prefix=solution-base/images/$*/debian-12 $(call vendor_branch,$*) --squash
+
+vendor-sync: $(addprefix vendor-sync-,$(IMAGES))

solution-base/images/README.md

@@ -0,0 +1,93 @@
+# MongoDB Images (Stop-Gap)
+
+This directory builds stop-gap MongoDB container images for Zenko while we
+transition to official MongoDB images.
+
+## Images
+
+| Image | Directory | Registry |
+|-------|-----------|----------|
+| mongodb-sharded | `mongodb-sharded/debian-12/` | `ghcr.io/scality/zenko/mongodb-sharded` |
+| mongodb-exporter | `mongodb-exporter/debian-12/` | `ghcr.io/scality/zenko/mongodb-exporter` |
+| os-shell | `os-shell/debian-12/` | `ghcr.io/scality/zenko/os-shell` |
+
+## Directory Structure
+
+```
+solution-base/images/
+├── README.md
+├── Makefile
+├── mongodb-sharded/
+│   └── debian-12/
+│       ├── Dockerfile
+│       ├── prebuildfs/
+│       └── rootfs/
+├── mongodb-exporter/
+│   └── debian-12/
+│       ├── Dockerfile
+│       └── prebuildfs/
+└── os-shell/
+    └── debian-12/
+        ├── Dockerfile
+        └── prebuildfs/
+```
+
+We intentionally keep one active version per image in this repository, so the
+layout remains consistent and simple.
+
+## Vendoring Upstream Changes (Git subtree)
+
+Do not copy files with `cp -r`. It keeps deleted files and loses merge history.
+Use Git merge semantics through `git subtree`.
+
+1. Ensure `git subtree` is available (may require installing git contrib tools).
+2. Run a single sync command:
+
+```bash
+make -C solution-base/images vendor-sync
+```
+
+This command:
+- creates the remote if needed,
+- fetches upstream refs once,
+- rebuilds all vendor branches at the same upstream point,
+- merges upstream updates for all three images.
+
+Notes:
+- `mongodb-sharded` is pinned to a specific upstream commit in
+  `solution-base/images/Makefile`, because upstream `main` no longer contains
+  `bitnami/mongodb-sharded/8.0/debian-12`.
+- `mongodb-exporter` and `os-shell` are split from upstream `main`.
+
+After each upstream merge, make explicit local commits for Zenko-specific
+tweaks (for example base image pin updates, script adjustments, build changes).
+History should look like:
+
+```bash
+Merge upstream commit XXXX
+Our tweak commit 1
+Our tweak commit 2
+Merge upstream commit YYYY
+```
+
+## Bumping MongoDB Version
+
+`mongodb-sharded/debian-12/Dockerfile` expects `MONGODB_VERSION` to be provided at build time.
+
+To bump MongoDB:
+1. Update `solution-base/deps.yaml` `mongodb-sharded.tag`.
+2. CI passes `MONGODB_VERSION` from `deps.yaml` during `build-mongodb-images`.
+3. For local builds, pass `--build-arg MONGODB_VERSION=<version>` explicitly.
+4. Also review the base image digest in each Dockerfile `FROM ...@sha256:...`.
+   We keep the digest in Dockerfiles so dependency tooling can detect and
+   propose updates.
+
+## CI Tagging Policy
+
+- CI builds happen in `.github/workflows/end2end.yaml` (`build-mongodb-images`).
+- Published and consumed tags are immutable: `${VERSION}-${TREE_HASH}`.
+- Floating tags are not used by ISO build nor by tests.
+
+## License
+
+This directory vendors files from Bitnami container sources under Apache-2.0.

solution-base/images/mongodb-exporter/debian-12/Dockerfile

@@ -0,0 +1,58 @@
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
+FROM docker.io/bitnami/minideb:bookworm@sha256:5b4e544f5d0c4669d3dbe4f4de8d3ca221d430e6a1cf3ac60007387abbbd5363
+
+ARG DOWNLOADS_URL="downloads.bitnami.com/files/stacksmith"
+ARG TARGETARCH
+
+LABEL org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \
+      org.opencontainers.image.created="2026-03-06T15:07:01Z" \
+      org.opencontainers.image.description="Application packaged by Broadcom, Inc." \
+      org.opencontainers.image.documentation="https://github.com/bitnami/containers/tree/main/bitnami/mongodb-exporter/README.md" \
+      org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/mongodb-exporter" \
+      org.opencontainers.image.title="mongodb-exporter" \
+      org.opencontainers.image.vendor="Broadcom, Inc." \
+      org.opencontainers.image.version="0.49.0"
+
+ENV HOME="/" \
+    OS_ARCH="${TARGETARCH:-amd64}" \
+    OS_FLAVOUR="debian-12" \
+    OS_NAME="linux"
+
+COPY prebuildfs /
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
+# Install required system packages and dependencies
+RUN /bin/bash /usr/sbin/install_packages ca-certificates curl procps
+RUN --mount=type=secret,id=downloads_url,env=SECRET_DOWNLOADS_URL \
+    DOWNLOADS_URL=${SECRET_DOWNLOADS_URL:-${DOWNLOADS_URL}} ; \
+    mkdir -p /tmp/bitnami/pkg/cache/ ; cd /tmp/bitnami/pkg/cache/ || exit 1 ; \
+    COMPONENTS=( \
+      "mongodb-exporter-0.49.0-1-linux-${OS_ARCH}-debian-12" \
+    ) ; \
+    for COMPONENT in "${COMPONENTS[@]}"; do \
+      if [ ! -f "${COMPONENT}.tar.gz" ]; then \
+        curl -SsLf "https://${DOWNLOADS_URL}/${COMPONENT}.tar.gz" -O ; \
+        curl -SsLf "https://${DOWNLOADS_URL}/${COMPONENT}.tar.gz.sha256" -O ; \
+      fi ; \
+      sha256sum -c "${COMPONENT}.tar.gz.sha256" ; \
+      tar -zxf "${COMPONENT}.tar.gz" -C /opt/bitnami --strip-components=2 --no-same-owner ; \
+      rm -rf "${COMPONENT}".tar.gz{,.sha256} ; \
+    done
+RUN apt-get update && apt-get upgrade -y && \
+    apt-get clean && rm -rf /var/lib/apt/lists /var/cache/apt/archives
+RUN chmod g+rwX /opt/bitnami
+RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
+RUN ln -sf /opt/bitnami/mongodb-exporter/bin/mongodb_exporter /bin/mongodb_exporter
+RUN /bin/bash /usr/sbin/uninstall_packages curl
+
+ENV APP_VERSION="0.49.0" \
+    BITNAMI_APP_NAME="mongodb-exporter" \
+    IMAGE_REVISION="1" \
+    PATH="/opt/bitnami/mongodb-exporter/bin:$PATH"
+
+EXPOSE 9216
+
+WORKDIR /opt/bitnami/mongodb-exporter
+USER 1001
+ENTRYPOINT [ "mongodb_exporter" ]