
Secure Application Database using TLS


The MongoDB Enterprise Kubernetes Operator can use TLS certificates to encrypt connections between members of the application database replica set.

Prerequisites

Before you secure your application database using TLS encryption, complete the following:

  • Install the Kubernetes Operator.

  • Deploy the Ops Manager application that you want to secure.

  • Create a TLS certificate for each member of the Application Database’s replica set.

    These TLS certificates require two attributes:

    DNS Names

    Each certificate must include a SAN or Subject Name with the name of the pod in Kubernetes. These names must resemble this format:

    <opsmgr-name>-db-<index>.<opsmgr-name>-db-svc.<namespace>.svc.cluster.local
    
    Key Usages

    MongoDB requires the TLS certificates to include two specific key usages (RFC 5280):

    • “server auth”
    • “client auth”

Procedure

1

Configure kubectl to default to your namespace.

If you have not already, run the following command to execute all kubectl commands in the namespace you created:

kubectl config set-context $(kubectl config current-context) --namespace=<namespace>

2

Verify your new TLS certificates.

Verify that each member of the Replica Set has one TLS certificate named with the following format:

<resource-name>-db-<index>-pem

Where <index> is a 0-based member index, running from 0 to the total number of members minus one (0 to n-1).

3

Create a Secret with your new TLS certificates.

Create a new Secret from these files:

kubectl create secret generic appdb-certs \
        --from-file=om-appdb-tls-enabled-db-0-pem \
        --from-file=om-appdb-tls-enabled-db-1-pem \
        --from-file=om-appdb-tls-enabled-db-2-pem

kubectl creates one Secret containing the three certificates.

4

Optional: Create a ConfigMap containing the Certificate Authority.

You must provide a CA certificate when the CA that signed the certificates might not be recognized as an official authority. Recognized and valid certificates can be created with cert-manager or HashiCorp Vault.

If you signed the certificates using a Kubernetes certificate management tool like cert-manager or HashiCorp Vault, you must create a ConfigMap containing the CA’s certificate file.

If you output the certificate as a file, name this file ca-pem. This simplifies creating the ConfigMap.

Warning

You must concatenate your custom CA file and the entire TLS certificate chain from downloads.mongodb.com to prevent Ops Manager from becoming inoperable if the application database restarts.

  1. Obtain the entire TLS certificate chain from downloads.mongodb.com. The following openssl command outputs each certificate in the chain to your current working directory, in .crt format:

    /usr/local/opt/openssl/bin/openssl s_client -showcerts -verify 2 \
    -connect downloads.mongodb.com:443 < /dev/null \
    | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}'
    
  2. Concatenate your CA’s certificate file with the entire TLS certificate chain from downloads.mongodb.com that you obtained in the previous step:

    cat cert1.crt cert2.crt cert3.crt cert4.crt >> ca-pem
    
  3. Create the ConfigMap:

    kubectl create configmap ca --from-file="ca-pem"
    

This creates a ConfigMap named ca. This ConfigMap contains one entry called ca-pem with the contents of the CA file and the certificate chain for downloads.mongodb.com.

5

Specify the Secret with certs to the Ops Manager yaml definition.

---
apiVersion: mongodb.com/v1
kind: MongoDBOpsManager
metadata:
  name: om-appdb-tls-enabled
spec:
  replicas: 1
  version: 4.2.6
  adminCredentials: ops-manager-admin-secret
  configuration:
    mms.fromEmailAddr: admin@example.com
    mms.security.allowCORS: "false"
  applicationDatabase:
    members: 3
    version: 4.2.2-ent
    persistent: true
    security:
      tls:
        ca: "appdb-ca" # Optional. Name of the ConfigMap file
                       # containing the certificate authority that
                       # signs the certificates that the application
                       # database uses.
        secretRef:
          name: "appdb-certs" # Name of the Secret object
...

Note

The Kubernetes Operator mounts the CA you add using the spec.applicationDatabase.security.tls.ca setting to both the Ops Manager and the Application Database pods.

6

Apply changes to your Ops Manager deployment.

Invoke the following kubectl command on the filename of the Ops Manager resource definition:

kubectl apply -f <opsmgr-resource>.yaml

7

Track the status of your Ops Manager instance.

To check the status of your Ops Manager resource, invoke the following command:

kubectl get om -o yaml -w

When Ops Manager is running, the command returns the following output under the status field:

status:
  applicationDatabase:
    lastTransition: "2019-12-06T17:46:15Z"
    members: 3
    phase: Running
    type: ReplicaSet
    version: 4.2.2-ent
  opsManager:
    lastTransition: "2019-12-06T17:46:32Z"
    phase: Running
    replicas: 1
    url: https://om-appdb-tls-enabled-svc.dev.svc.cluster.local:8443
    version: 4.2.6

See Troubleshooting the Kubernetes Operator for information about the resource deployment statuses.