currently mongodb does not require a password. This was ok when the system was on a single machine, but now that it's in k8s any other service in the cluster has access to the database, we should only allow access to the db if you can provide the password.

There are MONGO_INITDB_ROOT_USERNAME MONGO_INITDB_ROOT_PASSWORD environment variables. It's not clear to me what will happen to an existing database if you just add these variables, that needs to be tested before we go to production, we don't want to wipe out the db (unlikely) by just setting these.