Navigation

Secure Application Database using TLS

On this page

The MongoDB Enterprise Kubernetes Operator can use TLS certificates to encrypt connections between members of the application database replica set.

Prerequisites

Before you secure your application database using TLS encryption, complete the following:

  • Install the Kubernetes Operator.

  • Deploy the Ops Manager application that you want to secure.

  • Create a TLS certificate for each member of the Application Database’s replica set.

    These TLS certificates require two attributes:

    DNS Names

    Each certificate must include a SAN or Subject Name with the name of the pod in Kubernetes. These names must resemble this format:

    copy 
    <opsmgr-name>-db-<index>.<opsmgr-name>-db-svc.<namespace>.svc.cluster.local
    Key Usages

    MongoDB requires the TLS certs to include two specific key-usages (5280):

    • “server auth”
    • “client auth”

Procedure

1

Configure kubectl to default to your namespace.

If you have not already, run the following command to execute all kubectl commands in the namespace you created:

copy 
kubectl config set-context $(kubectl config current-context) --namespace=<namespace>
2

Verify your new TLS certificates.

Verify that each member of the Replica Set has one TLS certificate named with the following format:

<resource-name>-db-<index>-pem

Where <index> is a 0-based index number to the total amount of members minus one. (0 to n-1)

3

Create a Secret with your new TLS certificates.

Create a new Secret from these files:

copy 
kubectl create secret generic appdb-certs \
        --from-file=om-appdb-tls-enabled-db-0-pem \
        --from-file=om-appdb-tls-enabled-db-1-pem \
        --from-file=om-appdb-tls-enabled-db-2-pem

kubectl creates one Secret containing the three certificates.

4

Optional: Create a ConfigMap containing the Certificate Authority.

You need to provide a CA certificate when the CA that signed the certificates might be not “recognized” as an official authority. Recognized and valid certificates can be created with cert-manager or HashiCorp Vault.

If you signed the certificates using a Kubernetes certicate management tool like cert-manager or HashiCorp Vault, you must create a ConfigMap containing the CA’s certificate file.

If you output the certificate as a file, name this file ca-pem. This simplifies creating the ConfigMap.

copy 
kubectl create configmap appdb-ca --from-file=ca-pem

This creates a ConfigMap named appdb-ca. This ConfigMap contains one entry called ca-pem with the contents of the CA file.

5

Specify the Secret with certs to the Ops Manager yaml definition.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
---
apiVersion: mongodb.com/v1
kind: MongoDBOpsManager
metadata:
  name: om-appdb-tls-enabled
spec:
  replicas: 1
  version: 4.2.6
  adminCredentials: ops-manager-admin-secret
  configuration:
    mms.fromEmailAddr: admin@example.com
    mms.security.allowCORS: "false"
  applicationDatabase:
    members: 3
    version: 4.2.2-ent
    persistent: true
    security:
      tls:
        ca: "appdb-ca" # Optional. Name of the ConfigMap file
                       # containing the certicate authority that
                       # signs the certificates that the application
                       # database uses.
        secretRef:
          name: "appdb-certs" # Name of the Secret object
...

Note

The Kubernetes Operator mounts the CA you add using the spec.applicationDatabase.security.tls.ca setting to both the Ops Manager and the Application Database pods.

6

Apply changes to your Ops Manager deployment.

Invoke the following kubectl command on the filename of the Ops Manager resource definition:

copy 
kubectl apply -f <opsmgr-resource>.yaml
7

Track the status of your Ops Manager instance.

To check the status of your Ops Manager resource, invoke the following command:

copy 
kubectl get om -o yaml -w

When Ops Manager is running, the command returns the following output under the status field:

status:
  applicationDatabase:
    lastTransition: "2019-12-06T17:46:15Z"
    members: 3
    phase: Running
    type: ReplicaSet
    version: 4.2.2-ent
  opsManager:
    lastTransition: "2019-12-06T17:46:32Z"
    phase: Running
    replicas: 1
    url: https://om-appdb-tls-enabled-svc.dev.svc.cluster.local:8443
    version: 4.2.6

See Troubleshooting the Kubernetes Operator for information about the resource deployment statuses.

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.