scality · benzekrimaha · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/.github/scripts/end2end/install-kind-dependencies.sh b/.github/scripts/end2end/install-kind-dependencies.sh
@@ -233,7 +233,10 @@ build_solution_base_manifests() {
 
 get_image_from_deps() {
     local dep_name=$1
-    yq eval ".$dep_name | (.sourceRegistry // \"docker.io\") + \"/\" + .image + \":\" + .tag" $SOLUTION_BASE_DIR/deps.yaml
+        source <( "$SOLUTION_BASE_DIR/mongodb_build_vars.sh" )
+
+        yq eval ".$dep_name | (.sourceRegistry // \"docker.io\") + \"/\" + .image + \":\" + .tag" $SOLUTION_BASE_DIR/deps.yaml |
+            sed '/ghcr.io\/scality\/zenko\/mongo/ s/$/-'"${MONGODB_BUILD_TREE_HASH}"'/'
 }
 
 retry() {

diff --git a/.github/workflows/end2end.yaml b/.github/workflows/end2end.yaml
@@ -232,7 +232,7 @@ jobs:
 
   build-iso:
     runs-on: ubuntu-24.04
-    needs: [build-kafka, check-dashboard-versions]
+    needs: [build-kafka, build-mongodb-images, check-dashboard-versions]
     steps:
       - name: Install dependencies
         shell: bash
@@ -351,6 +351,61 @@ jobs:
           cache-from: type=gha,scope=kafka-connect-${{ env.KAFKA_CONNECT_TAG }}
           cache-to: type=gha,mode=max,scope=kafka-connect-${{ env.KAFKA_CONNECT_TAG }}
 
+  build-mongodb-images:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Registry
+        uses: docker/login-action@v3
+        with:
+          username: "${{ github.repository_owner }}"
+          password: "${{ github.token }}"
+          registry: ghcr.io
+
+      - name: Extract environment
+        run: |-
+          solution-base/mongodb_build_vars.sh >> $GITHUB_ENV
+
+      - name: Build and push mongodb-sharded
+        uses: docker/build-push-action@v7
+        with:
+          push: true
+          context: ./solution-base/images/mongodb-sharded/debian-12
+          build-args: |-
+            MONGODB_VERSION=${{ env.MONGODB_SHARDED_TAG }}
+          platforms: linux/amd64,linux/arm64
+          tags: "${{ env.MONGODB_SHARDED_IMAGE }}:${{ env.MONGODB_SHARDED_TAG }}-${{ env.MONGODB_BUILD_TREE_HASH }}"
+          cache-from: type=gha,scope=mongodb-sharded-${{ env.MONGODB_SHARDED_TAG }}
+          cache-to: type=gha,mode=max,scope=mongodb-sharded-${{ env.MONGODB_SHARDED_TAG }}
+
+      - name: Build and push mongodb-exporter
+        uses: docker/build-push-action@v7
+        with:
+          push: true
+          context: ./solution-base/images/mongodb-exporter/debian-12
+          platforms: linux/amd64,linux/arm64
+          tags: "${{ env.MONGODB_SHARDED_EXPORTER_IMAGE }}:${{ env.MONGODB_SHARDED_EXPORTER_TAG }}-${{ env.MONGODB_BUILD_TREE_HASH }}"
+          cache-from: type=gha,scope=mongodb-exporter-${{ env.MONGODB_SHARDED_EXPORTER_TAG }}
+          cache-to: type=gha,mode=max,scope=mongodb-exporter-${{ env.MONGODB_SHARDED_EXPORTER_TAG }}
+
+      - name: Build and push os-shell
+        uses: docker/build-push-action@v7
+        with:
+          push: true
+          context: ./solution-base/images/os-shell/debian-12
+          platforms: linux/amd64,linux/arm64
+          tags: "${{ env.MONGODB_SHARDED_SHELL_IMAGE }}:${{ env.MONGODB_SHARDED_SHELL_TAG }}-${{ env.MONGODB_BUILD_TREE_HASH }}"
+          cache-from: type=gha,scope=os-shell-${{ env.MONGODB_SHARDED_SHELL_TAG }}
+          cache-to: type=gha,mode=max,scope=os-shell-${{ env.MONGODB_SHARDED_SHELL_TAG }}
+
   build-test-image:
     runs-on: ubuntu-24.04
     steps:
@@ -448,7 +503,7 @@ jobs:
           cache-to: type=gha,mode=max,scope=end2end-ctst
 
   end2end-pra:
-    needs: [build-kafka, lint-and-build-ctst]
+    needs: [build-kafka, build-mongodb-images, lint-and-build-ctst]
     runs-on: ubuntu-24.04-16core
     env:
       DEPLOY_CRR_LOCATIONS: "false"
@@ -519,7 +574,7 @@ jobs:
         run: kind delete cluster
 
   end2end-2-shards-http:
-    needs: [build-kafka, build-test-image]
+    needs: [build-kafka, build-mongodb-images, build-test-image]
     runs-on:
       - ubuntu-24.04-8core
     env:
@@ -583,7 +638,7 @@ jobs:
         run: kind delete cluster
 
   end2end-sharded:
-    needs: [build-kafka, build-test-image]
+    needs: [build-kafka, build-mongodb-images, build-test-image]
     runs-on:
       - ubuntu-24.04-8core
     env:
@@ -635,7 +690,7 @@ jobs:
         run: kind delete cluster
 
   ctst-end2end-sharded:
-    needs: [build-kafka, lint-and-build-ctst]
+    needs: [build-kafka, build-mongodb-images, lint-and-build-ctst]
     runs-on:
       - ubuntu-24.04-8core
     steps:
@@ -699,6 +754,7 @@ jobs:
       - build-doc
       - build-iso
       - build-kafka
+      - build-mongodb-images
       - build-test-image
       - end2end-2-shards-http
       - end2end-sharded

diff --git a/solution-base/build.sh b/solution-base/build.sh
@@ -64,7 +64,10 @@ MONGODB_MONGOS_RAM_REQUEST="MONGODB_MONGOS_RAM_REQUEST"
 
 function flatten_source_images()
 {
-    yq eval '.* | (.sourceRegistry // "docker.io") + "/" + .image + ":" + .tag' ${SOLUTION_BASE_DIR}/deps.yaml
+    source <( ${SOLUTION_BASE_DIR}/mongodb_build_vars.sh )
+
+    yq eval '.* | (.sourceRegistry // "docker.io") + "/" + .image + ":" + .tag' ${SOLUTION_BASE_DIR}/deps.yaml |
+    sed '/ghcr.io\/scality\/zenko\// s/$/-'"${MONGODB_BUILD_TREE_HASH}"'/'
 }
 
 function clean()

diff --git a/solution-base/deps.yaml b/solution-base/deps.yaml
@@ -2,11 +2,14 @@
 # to sort keys, use the following command
 # yq eval 'sortKeys(.)' -i deps.yaml
 mongodb-sharded:
-  image: bitnamilegacy/mongodb-sharded
-  tag: 8.0.13-debian-12-r0
+  sourceRegistry: ghcr.io
+  image: scality/zenko/mongodb-sharded
+  tag: "8.0.13"
 mongodb-sharded-exporter:
-  image: bitnamilegacy/mongodb-exporter
-  tag: 0.47.0-debian-12-r1
+  sourceRegistry: ghcr.io
+  image: scality/zenko/mongodb-exporter
+  tag: "0.49.0"
 mongodb-shell:
-  image: bitnamilegacy/os-shell
-  tag: 12-debian-12-r51
+  sourceRegistry: ghcr.io
+  image: scality/zenko/os-shell
+  tag: "12"
diff --git a/solution-base/images/Makefile b/solution-base/images/Makefile
@@ -0,0 +1,43 @@
+BITNAMI_REMOTE := bitnami-containers
+BITNAMI_REPO := https://github.com/bitnami/containers.git
+
+BITNAMI_MONGODB_SHARDED_REF := 48a109547d39cd8cf8a5d4058d832ecb5844829e
+BITNAMI_MONGODB_SHARDED_PREFIX := bitnami/mongodb-sharded/8.0/debian-12
+BITNAMI_MONGODB_EXPORTER_REF := $(BITNAMI_REMOTE)/main
+BITNAMI_MONGODB_EXPORTER_PREFIX := bitnami/mongodb-exporter/0/debian-12
+BITNAMI_OS_SHELL_REF := $(BITNAMI_REMOTE)/main
+BITNAMI_OS_SHELL_PREFIX := bitnami/os-shell/12/debian-12
+
+VENDOR_MONGODB_SHARDED_BRANCH := vendor/mongodb-sharded-debian-12
+VENDOR_MONGODB_EXPORTER_BRANCH := vendor/mongodb-exporter-debian-12
+VENDOR_OS_SHELL_BRANCH := vendor/os-shell-debian-12
+
+.PHONY: create-remote fetch-remote update-vendor-branches \
+	vendor-sync vendor-sync-mongodb-sharded vendor-sync-mongodb-exporter \
+	vendor-sync-os-shell
+
+create-remote:
+	@git remote get-url $(BITNAMI_REMOTE) >/dev/null 2>&1 || git remote add $(BITNAMI_REMOTE) $(BITNAMI_REPO)
+
+fetch-remote: create-remote
+	git fetch $(BITNAMI_REMOTE) main --depth=1
+	git fetch $(BITNAMI_REMOTE) $(BITNAMI_MONGODB_SHARDED_REF) --depth=1
+
+update-vendor-branches: fetch-remote
+	-git branch -D $(VENDOR_MONGODB_SHARDED_BRANCH)
+	-git branch -D $(VENDOR_MONGODB_EXPORTER_BRANCH)
+	-git branch -D $(VENDOR_OS_SHELL_BRANCH)
+	git subtree split --prefix=$(BITNAMI_MONGODB_SHARDED_PREFIX) $(BITNAMI_MONGODB_SHARDED_REF) -b $(VENDOR_MONGODB_SHARDED_BRANCH)
+	git subtree split --prefix=$(BITNAMI_MONGODB_EXPORTER_PREFIX) $(BITNAMI_MONGODB_EXPORTER_REF) -b $(VENDOR_MONGODB_EXPORTER_BRANCH)
+	git subtree split --prefix=$(BITNAMI_OS_SHELL_PREFIX) $(BITNAMI_OS_SHELL_REF) -b $(VENDOR_OS_SHELL_BRANCH)
+
+vendor-sync: update-vendor-branches vendor-sync-mongodb-sharded vendor-sync-mongodb-exporter vendor-sync-os-shell
+
+vendor-sync-mongodb-sharded:
+	git subtree merge --prefix=solution-base/images/mongodb-sharded/debian-12 $(VENDOR_MONGODB_SHARDED_BRANCH) --squash
+
+vendor-sync-mongodb-exporter:
+	git subtree merge --prefix=solution-base/images/mongodb-exporter/debian-12 $(VENDOR_MONGODB_EXPORTER_BRANCH) --squash
+
+vendor-sync-os-shell:
+	git subtree merge --prefix=solution-base/images/os-shell/debian-12 $(VENDOR_OS_SHELL_BRANCH) --squash
diff --git a/solution-base/images/README.md b/solution-base/images/README.md
@@ -0,0 +1,93 @@
+# MongoDB Images (Stop-Gap)
+
+This directory builds stop-gap MongoDB container images for Zenko while we
+transition to official MongoDB images.
+
+## Images
+
+| Image | Directory | Registry |
+|-------|-----------|----------|
+| mongodb-sharded | `mongodb-sharded/debian-12/` | `ghcr.io/scality/zenko/mongodb-sharded` |
+| mongodb-exporter | `mongodb-exporter/debian-12/` | `ghcr.io/scality/zenko/mongodb-exporter` |
+| os-shell | `os-shell/debian-12/` | `ghcr.io/scality/zenko/os-shell` |
+
+## Directory Structure
+
+```
+solution-base/images/
+├── README.md
+├── Makefile
+├── mongodb-sharded/
+│   └── debian-12/
+│       ├── Dockerfile
+│       ├── prebuildfs/
+│       └── rootfs/
+├── mongodb-exporter/
+│   └── debian-12/
+│       ├── Dockerfile
+│       └── prebuildfs/
+└── os-shell/
+    └── debian-12/
+        ├── Dockerfile
+        └── prebuildfs/
+```
+
+We intentionally keep one active version per image in this repository, so the
+layout remains consistent and simple.
+
+## Vendoring Upstream Changes (Git subtree)
+
+Do not copy files with `cp -r`. It keeps deleted files and loses merge history.
+Use Git merge semantics through `git subtree`.
+
+1. Ensure `git subtree` is available (may require installing git contrib tools).
+2. Run a single sync command:
+
+```bash
+make -C solution-base/images vendor-sync
+```
+
+This command:
+- creates the remote if needed,
+- fetches upstream refs once,
+- rebuilds all vendor branches at the same upstream point,
+- merges upstream updates for all three images.
+
+Notes:
+- `mongodb-sharded` is pinned to a specific upstream commit in
+  `solution-base/images/Makefile`, because upstream `main` no longer contains
+  `bitnami/mongodb-sharded/8.0/debian-12`.
+- `mongodb-exporter` and `os-shell` are split from upstream `main`.
+
+After each upstream merge, make explicit local commits for Zenko-specific
+tweaks (for example base image pin updates, script adjustments, build changes).
+History should look like:
+
+```bash
+Merge upstream commit XXXX
+Our tweak commit 1
+Our tweak commit 2
+Merge upstream commit YYYY
+```
+
+## Bumping MongoDB Version
+
+`mongodb-sharded/debian-12/Dockerfile` expects `MONGODB_VERSION` to be provided at build time.
+
+To bump MongoDB:
+1. Update `solution-base/deps.yaml` `mongodb-sharded.tag`.
+2. CI passes `MONGODB_VERSION` from `deps.yaml` during `build-mongodb-images`.
+3. For local builds, pass `--build-arg MONGODB_VERSION=<version>` explicitly.
+4. Also review the base image digest in each Dockerfile `FROM ...@sha256:...`.
+   We keep the digest in Dockerfiles so dependency tooling can detect and
+   propose updates.
+
+## CI Tagging Policy
+
+- CI builds happen in `.github/workflows/end2end.yaml` (`build-mongodb-images`).
+- Published and consumed tags are immutable: `${VERSION}-${TREE_HASH}`.
+- Floating tags are not used by ISO build nor by tests.
+
+## License
+
+This directory vendors files from Bitnami container sources under Apache-2.0.
diff --git a/solution-base/images/mongodb-exporter/debian-12/Dockerfile b/solution-base/images/mongodb-exporter/debian-12/Dockerfile
@@ -0,0 +1,58 @@
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
+FROM docker.io/bitnami/minideb:bookworm@sha256:5b4e544f5d0c4669d3dbe4f4de8d3ca221d430e6a1cf3ac60007387abbbd5363
+
+ARG DOWNLOADS_URL="downloads.bitnami.com/files/stacksmith"
+ARG TARGETARCH
+
+LABEL org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \
+      org.opencontainers.image.created="2026-03-06T15:07:01Z" \
+      org.opencontainers.image.description="Application packaged by Broadcom, Inc." \
+      org.opencontainers.image.documentation="https://github.com/bitnami/containers/tree/main/bitnami/mongodb-exporter/README.md" \
+      org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/mongodb-exporter" \
+      org.opencontainers.image.title="mongodb-exporter" \
+      org.opencontainers.image.vendor="Broadcom, Inc." \
+      org.opencontainers.image.version="0.49.0"
+
+ENV HOME="/" \
+    OS_ARCH="${TARGETARCH:-amd64}" \
+    OS_FLAVOUR="debian-12" \
+    OS_NAME="linux"
+
+COPY prebuildfs /
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
+# Install required system packages and dependencies
+RUN /bin/bash /usr/sbin/install_packages ca-certificates curl procps
+RUN --mount=type=secret,id=downloads_url,env=SECRET_DOWNLOADS_URL \
+    DOWNLOADS_URL=${SECRET_DOWNLOADS_URL:-${DOWNLOADS_URL}} ; \
+    mkdir -p /tmp/bitnami/pkg/cache/ ; cd /tmp/bitnami/pkg/cache/ || exit 1 ; \
+    COMPONENTS=( \
+      "mongodb-exporter-0.49.0-1-linux-${OS_ARCH}-debian-12" \
+    ) ; \
+    for COMPONENT in "${COMPONENTS[@]}"; do \
+      if [ ! -f "${COMPONENT}.tar.gz" ]; then \
+        curl -SsLf "https://${DOWNLOADS_URL}/${COMPONENT}.tar.gz" -O ; \
+        curl -SsLf "https://${DOWNLOADS_URL}/${COMPONENT}.tar.gz.sha256" -O ; \
+      fi ; \
+      sha256sum -c "${COMPONENT}.tar.gz.sha256" ; \
+      tar -zxf "${COMPONENT}.tar.gz" -C /opt/bitnami --strip-components=2 --no-same-owner ; \
+      rm -rf "${COMPONENT}".tar.gz{,.sha256} ; \
+    done
+RUN apt-get update && apt-get upgrade -y && \
+    apt-get clean && rm -rf /var/lib/apt/lists /var/cache/apt/archives
+RUN chmod g+rwX /opt/bitnami
+RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
+RUN ln -sf /opt/bitnami/mongodb-exporter/bin/mongodb_exporter /bin/mongodb_exporter
+RUN /bin/bash /usr/sbin/uninstall_packages curl
+
+ENV APP_VERSION="0.49.0" \
+    BITNAMI_APP_NAME="mongodb-exporter" \
+    IMAGE_REVISION="1" \
+    PATH="/opt/bitnami/mongodb-exporter/bin:$PATH"
+
+EXPOSE 9216
+
+WORKDIR /opt/bitnami/mongodb-exporter
+USER 1001
+ENTRYPOINT [ "mongodb_exporter" ]
diff --git a/solution-base/images/mongodb-exporter/debian-12/prebuildfs/opt/bitnami/licenses/licenses.txt b/solution-base/images/mongodb-exporter/debian-12/prebuildfs/opt/bitnami/licenses/licenses.txt
@@ -0,0 +1,2 @@
+Bitnami containers ship with software bundles. You can find the licenses under:
+/opt/bitnami/[name-of-bundle]/licenses/[bundle-version].txt
diff --git a/solution-base/images/mongodb-exporter/debian-12/prebuildfs/usr/sbin/install_packages b/solution-base/images/mongodb-exporter/debian-12/prebuildfs/usr/sbin/install_packages
@@ -0,0 +1,27 @@
+#!/bin/sh
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+set -eu
+
+n=0
+max=2
+export DEBIAN_FRONTEND=noninteractive
+
+until [ $n -gt $max ]; do
+    set +e
+    (
+      apt-get update -qq &&
+      apt-get install -y --no-install-recommends "$@"
+    )
+    CODE=$?
+    set -e
+    if [ $CODE -eq 0 ]; then
+        break
+    fi
+    if [ $n -eq $max ]; then
+        exit $CODE
+    fi
+    echo "apt failed, retrying"
+    n=$(($n + 1))
+done
+apt-get clean && rm -rf /var/lib/apt/lists /var/cache/apt/archives
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Bitnami containers ship with software bundles. You can find the licenses under:
		/opt/bitnami/[name-of-bundle]/licenses/[bundle-version].txt